Threat Hunting with Elastic Stack: Solve complex security challenges with integrated prevention, detection, and response
- Length: 370 pages
- Edition: 1
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2021-08-10
- ISBN-10: 1801073783
- ISBN-13: 9781801073783
- Sales Rank: #1289739 (See Top 100 Books)
Get hands-on with advanced threat analysis techniques by implementing Elastic Stack security features with the help of practical examples
Key Features
- Get started with Elastic Security configuration and features
- Understand how to use Elastic Stack features to provide optimal protection against threats
- Discover tips, tricks, and best practices to enhance the security of your environment
Book Description
Elastic Security is an open solution that equips professionals with the tools to prevent, detect, and respond to threats. Threat Hunting with Elastic Stack will show you how to make the best use of Elastic Security to provide optimal protection against cyber threats. With this book, security practitioners working with Kibana will be able to put their knowledge to work and detect malicious adversary activity within their contested network.
You’ll take a hands-on approach to learning the implementation and methodologies that will have you up and running in no time. Starting with the foundational parts of the Elastic Stack, you’ll explore analytical models and how they support security response and finally leverage Elastic technology to perform defensive cyber operations. You’ll then cover threat intelligence analytical models, threat hunting concepts and methodologies, and how to leverage them in cyber operations. Further, you’ll apply the knowledge you’ve gained to build and configure your own Elastic Stack, upload data, and explore that data directly as well as by using the built-in tools in the Kibana app to hunt for nefarious activities.
By the end of this book, you’ll be able to build an Elastic Stack for self-training or to monitor your own network and/or assets and use Kibana to monitor and hunt for adversaries within your network.
What you will learn
- Explore cyber threat intelligence analytical models and hunting methodologies
- Build and configure Elastic Stack for cyber threat hunting
- Leverage the Elastic endpoint and Beats for data collection
- Perform security data analysis using the Kibana Discover, Visualize, and Dashboard apps
- Execute hunting and response operations using the Kibana Security app
- Use Elastic Common Schema to ensure data uniformity across organizations
Who This Book Is For
Security analysts, cybersecurity enthusiasts, information systems security staff, or anyone who works with the Elastic Stack for security monitoring, incident response, intelligence analysis, or threat hunting will find this book useful. Basic working knowledge of IT security operations and network and endpoint systems is necessary to get started.
Threat Hunting with Elastic Stack Contributors About the author About the reviewers Preface Who this book is for What this book covers To get the most out of this book Download the example code files Code in Action Download the color images Conventions used Get in touch Share Your Thoughts Section 1: Introduction to Threat Hunting, Analytical Models, and Hunting Methodologies Chapter 1: Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks What is cyber threat intelligence? The Intelligence Pipeline The Lockheed Martin Cyber Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on the Objective MITRE's ATT&CK Matrices The Diamond Model Adversary (a) Infrastructure (i) Victim (v) Capabilities (c) Motivations Directionality Strategic, operational, and tactical intelligence Summary Questions Further reading Chapter 2: Hunting Concepts, Methodologies, and Techniques Introducing threat hunting Measuring success The Six D's The Pyramid of Pain Hash values IP addresses Domain names Network/host artifacts Tools TTPs Profiling data Expected data Detection types Machine learning Missing data Data pattern of life Indicators The depreciation life cycle Indicator decay Shunning The deprecation pipeline The HIPESR model Summary Questions Further reading Section 2: Leveraging the Elastic Stack for Collection and Analysis Chapter 3: Introduction to the Elastic Stack Technical requirements Introducing Logstash Input plugins Filter plugins Output plugins Elasticsearch, the heart of the stack Bringing data into Elasticsearch Beats and Agents Filebeat Packetbeat Winlogbeat Elastic Agent Viewing Elasticsearch data with Kibana Using Kibana to view Elasticsearch data Elastic solutions Enterprise Search Observability Security Summary Questions Further reading Chapter 4: Building Your Hunting Lab – Part 1 Technical requirements Your lab architecture Hypervisor Building an Elastic machine Creating the Elastic VM Installing CentOS Enabling the internal network interface Installing VirtualBox Guest Additions Summary Questions Chapter 5: Building Your Hunting Lab – Part 2 Technical requirements Installing and configuring Elasticsearch Adding the Elastic repository Installing Elasticsearch Securing Elasticsearch Installing Elastic Agent Installing and configuring Kibana Installing Kibana Connecting Kibana to Elasticsearch Connecting to Kibana from a browser Enabling the detection engine and Fleet Detection engine Fleet Enrolling Fleet Server Building a victim machine Collecting the operating systems Creating the virtual machine Installing Windows Filebeat Threat Intel module Summary Questions Further reading Chapter 6: Data Collection with Beats and Elastic Agent Technical requirements Data flow Configuring Winlogbeat and Packetbeat Installing Beats Configuring Sysmon for endpoint collection Configuring Elastic Agent Deploying Elastic Agent Summary Questions Further reading Chapter 7: Using Kibana to Explore and Visualize Data Technical requirements The Discover app The spaces selector The search bar The filter controller The Index Pattern selector The field name search bar The field type search Available fields The Kibana search bar The query language selector The date picker The Action menu Support information The search/refresh button The timebox The Event view Exercise Query languages Lucene KQL EQL The Visualize app Considerations The data table Bar charts Pie charts Line charts Others Lens Exercise The Dashboard app Summary Questions Further reading Chapter 8: The Elastic Security App Technical requirements The Elastic Security app overview The detection engine Managing detection rules Creating a detection rule Trend timeline Hosts Network Timelines Cases Administration Summary Questions Further reading Section 3: Operationalizing Threat Hunting Chapter 9: Using Kibana to Pivot Through Data to Find Adversaries Technical requirements Connecting events with a timeline Using observations to perform targeted hunts Pivoting to find more infections Generating tailored detection logic Summary Questions Further reading Chapter 10: Leveraging Hunting to Inform Operations Technical requirements An overview of incident response Preparation Detection and analysis Containment Eviction Recovery Lessons learned Using threat hunting information to assist IR Prioritizing improvements to the security posture Lockheed Martin Cyber Kill Chain Using external information to drive hunting techniques Summary Questions Further reading Chapter 11: Enriching Data to Make Intelligence Technical requirements Enhancing analysis with open source tools MITRE ATT&CK Navigator Enriching events with third-party tools IPinfo Abuse.ch's ThreatFox VirusTotal Enrichments within Elastic Summary Questions Further reading Chapter 12: Sharing Information and Analysis Technical requirements The Elastic Common Schema Describing data uniformly Collecting non-ECS data Importing and exporting Kibana saved objects Type Tags Export Import Developing and contributing detection logic Summary Questions Further reading Assessments Chapter 1 – Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks Chapter 2 – Hunting Concepts, Methodologies, and Techniques Chapter 3 – Introduction to the Elastic Stack Chapter 4 – Building Your Hunting Lab – Part 1 Chapter 5 – Building Your Hunting Lab – Part 2 Chapter 6 – Data Collection with Beats and the Elastic Agent Chapter 7 – Using Kibana to Explore and Visualize Data Chapter 8 – The Elastic Security App Chapter 9 – Using Kibana to Pivot through Data to Find Adversaries Chapter 10 – Leveraging Hunting to Inform Operations Chapter 11 – Enriching Data to Make Intelligence Chapter 12 – Sharing Information and Analysis Why subscribe? Other Books You May Enjoy Packt is searching for authors like you Share Your Thoughts
Donate to keep this site alive
How to download source code?
1. Go to: https://github.com/PacktPublishing
2. In the Find a repository… box, search the book title: Threat Hunting with Elastic Stack: Solve complex security challenges with integrated prevention, detection, and response
, sometime you may not get the results, please search the main title.
3. Click the book title in the search results.
3. Click Code to download.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.