Incident Response with Threat Intelligence: Practical insights into developing an incident response capability through intelligence-based threat hunting

Length: 468 pages
Edition: 1
Language: English
Publisher: Packt Publishing
Publication Date: 2022-06-24
ISBN-10: 1801072957
ISBN-13: 9781801072953
Sales Rank: #745851 (See Top 100 Books)

Learn everything you need to know to respond to advanced cybersecurity incidents through threat hunting using threat intelligence

Key Features

Understand best practices for detecting, containing, and recovering from modern cyber threats
Get practical experience embracing incident response using intelligence-based threat hunting techniques
Implement and orchestrate different incident response, monitoring, intelligence, and investigation platforms

Book Description

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization.

Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you’ll cover the different aspects of developing an incident response program. You’ll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You’ll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules.

By the end of this book, you’ll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

What you will learn

Explore the fundamentals of incident response and incident management
Find out how to develop incident response capabilities
Understand the development of incident response plans and playbooks
Align incident response procedures with business continuity
Identify incident response requirements and orchestrate people, processes, and technologies
Discover methodologies and tools to integrate cyber threat intelligence and threat hunting into incident response

Who this book is for

If you are an information security professional or anyone who wants to learn the principles of incident management, first response, threat hunting, and threat intelligence using a variety of platforms and tools, this book is for you. Although not necessary, basic knowledge of Linux, Windows internals, and network protocols will be helpful.

Incident Response with Threat Intelligence
Contributors
About the author
About the reviewer
Preface
    Who this book is for
    What this book covers
    To get the most out of this book
    Download the example code files
    Conventions used
    Get in touch
    Share Your Thoughts
Section 1: The Fundamentals of Incident Response
Chapter 1: Threat Landscape and Cybersecurity Incidents
    Knowing the threat landscape
        Is COVID-19 also a cyber-pandemic?
        Supply chain attacks
    Understanding the motivation behind cyber attacks
        The ransomware that was not
        Trick-or-treat
        Nothing is what it seems
    Emerging and future cyber threats
        Cyber attacks targeting IOT devices
        Autonomous vehicles
        Drones 
        Electronic voting machines
        Cyber attacks on robots
        The challenge of new technologies for DFIR professionals
    Summary
    Further reading
Chapter 2: Concepts of Digital Forensics and Incident Response
    Concepts of digital forensics and incident response (DFIR)
        Digital forensics
        What is incident response? 
        Difference between events and incidents 
    Digital evidence and forensics artifacts
        Looking for artifacts and IoCs
        IoCs versus IoAs
    Incident response standards and frameworks
        NIST Computer Security Incident Handling Guide
        SANS incident response process
        NIST Guide to Integrating Forensic Techniques into Incident Response
    Defining an incident response posture
    Summary
    Further reading
Chapter 3: Basics of the Incident Response and Triage Procedures
    Technical requirements
    Principles of first response
        First response guidelines
    Triage – concept and procedures
    First response procedures in different scenarios 
    First response toolkit
        Forensic image acquisition tools
        Artifact collectors
    Summary
    Further reading
Chapter 4: Applying First Response Procedures
    Technical requirements
    Case study – a data breach incident
        Analyzing the cybersecurity incident
        Selecting the best strategy
        Next steps
    Following first-response procedures
        Memory acquisition
        Memory capture and artifacts acquisition using KAPE
        Disk drive acquisition procedures
        Hard drive acquisition using a hardware duplicator
    Summary
    Further reading
Section 2: Getting to Know the Adversaries
Chapter 5: Identifying and Profiling Threat Actors
    Technical requirements
    Exploring the different types of threat actors
        Hacktivists
        Script kiddies
        Insiders
        Cybercriminals
        Ransomware gangs
        Advanced Persistent Threats (APT) groups 
        Cyber-mercenaries
    Researching adversaries and threat actors
        STIX and TAXII standards
        Working with STIX objects
    Creating threat actor and campaign profiles
        Creating threat actors' profiles using Visual Studio Code
    Summary
    Further reading
Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework
    Technical requirements
    Introducing the Cyber Kill Chain framework
    Understanding the MITRE ATT&CK framework
        Use cases for ATT&CK
        Using the ATT&CK Navigator
    Discovering and containing malicious behaviors
    Summary
    Further reading
Chapter 7: Using Cyber Threat Intelligence in Incident Response
    Technical requirements
        Configuring the lab environment
    The Diamond Model of Intrusion Analysis
    Mapping ATT&CK TTPs from CTI reports
        Case study – a weaponized document
        Responding to the incident
        Using TRAM to map ATT&CK TTPs
        Using Visual Studio Code to research ATT&CK techniques and create reports
    Integrating CTI into IR reports
    Summary
    Further reading
Section 3: Designing and Implementing Incident Response in Organizations
Chapter 8: Building an Incident Response Capability
    Technical requirements
    Taking a proactive approach to incident response
        The incident response hierarchy of needs
        Developing organizational incident response capabilities
        Identifying business requirements to create an incident response program
        Evaluating the incident response maturity level
    Building an incident response program
        Incident response procedures and guidelines
        Integrating people, processes, and technology into the incident response process 
        People
        Process
        Technology
    Aligning the incident response plan, the business continuity plan, and the disaster recovery plan
        Incident response plans
        Business continuity plan 
        Disaster recovery plans 
    Summary
    Further reading
Chapter 9: Creating Incident Response Plans and Playbooks
    Technical requirements
    Creating IRPs
    Creating IR playbooks
        Incident Playbook
        Public Playbooks
        Scenario – An ounce of prevention is worth a pound of cure
    Testing IRPs and playbooks
        Simulation of attacks to measure response programs
    Summary
    Further reading
Chapter 10: Implementing an Incident Management System
    Technical requirements
    Understanding the TheHive architecture
    Setting up TheHive and creating cases
    Creating and managing cases
        Adding and assigning tasks
        Documenting MITRE ATT&CK TTPs in TheHive
    Integrating intelligence with Cortex
        Configuring the analyzers
    Summary
    Further reading 
Chapter 11: Integrating SOAR Capabilities into Incident Response
    Technical requirements
    Understanding the principles and capabilities of SOAR
        Benefits of SOAR-based IR 
        Implementing a SOAR model 
    A SOAR use case – identifying malicious communications
        Preparing for the detection lab
        Security orchestration between TheHive and Velociraptor using n8n 
        Configuring the connection permissions for the client collection tools
        Client collection tools
    Escalating incidents from detection
        Emulating suspicious behavior
        Escalating an alert
    Automating the IR and investigation processes
        Emulating the attack
        Creating a hashes database
        Setting TheHive parameters in Velociraptor 
        Creating workflows using n8n 
    Summary
    Further reading
Section 4: Improving Threat Detection in Incident Response
Chapter 12: Working with Analytics and Detection Engineering in Incident Response
    Technical requirements
    Configuring the detection lab
        Implementing a threat hunting platform
        Installing ELK
    Identifying and containing threats
        Hunting for threats in incident response
    Implementing principles of detection engineering in incident response
    Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics
        MITRE CAR
        Installing Invoke-AtomicRedTeam
        Testing detections and hunting
    Summary
Chapter 13: Creating and Deploying Detection Rules
    Technical requirements
        Configuring the detection lab
    Introduction to detection rules
    Detecting malicious files using YARA rules
        Structure of a YARA rule
        Creating YARA rules
    Analyzing and identifying patterns in files
        Downloading PeStudio
        Using PeStudio
    Detecting potential threats using YARA rules
        Testing the YARA rule
        Modifying a YARA rule to improve detection
    Detecting malicious behavior using Sigma rules
        Cloning the repository
        Creating Sigma rules
        Creating or analyzing detection engineering
        Converting Sigma rules
        Using additional tools that use rules to scan for threats
    Summary
    Further reading  
Chapter 14:  Hunting and Investigating Security Incidents
    Technical requirements
    Responding to a data breach incident 
        Analyzing the cybersecurity incident 
        Selecting the best strategy
        Preparing for the lab
        Copying and importing evidence files
        Starting the investigation
    Opening a new IR case 
    Investigating the security incident
        Using Sigma rules to find a user creation event
        Searching by the activity of devices involved
    Summary
    Why subscribe?
Other Books You May Enjoy
    Packt is searching for authors like you
    Share Your Thoughts

Donate to keep this site alive

To access the Link, solve the captcha.

How to download source code?

1. Go to: https://github.com/PacktPublishing

2. In the Find a repository… box, search the book title: Incident Response with Threat Intelligence: Practical insights into developing an incident response capability through intelligence-based threat hunting, sometime you may not get the results, please search the main title.