Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities 9781801076715

Table of contents :
Practical Threat Detection Engineering
Contributors
About the authors
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1: Introduction to Detection Engineering
1
Fundamentals of Detection Engineering
Foundational concepts
The Unified Kill Chain
The MITRE ATT&CK framework
The Pyramid of Pain
Types of cyberattacks
The motivation for detection engineering
Defining detection engineering
Important distinctions
The value of a detection engineering program
The need for better detection
The qualities of good detection
The benefits of a detection engineering program
A guide to using this book
The book's structure
Practical exercises
Summary
2
The Detection Engineering Life Cycle
Phase 1 – Requirements Discovery
Characteristics of a complete detection requirement
Detection requirement sources
Exercise – understanding your organization’s detection requirement sources
Phase 2 – Triage
Threat severity
Organizational alignment
Detection coverage
Active exploits
Phase 3 – Investigate
Identify the data source
Determine detection indicator types
Research
Establish validation criteria
Phase 4 – Develop
Phase 5 – Test
Types of test data
Phase 6 – Deploy
Summary
3
Building a Detection Engineering Test Lab
Technical requirements
The Elastic Stack
Deploying the Elastic Stack with Docker
Configuring the Elastic Stack
Setting up Fleet Server
Installing and configuring Fleet Server
Additional configurations for Fleet Server
Adding a host to the lab
Elastic Agent policies
Building your first detection
Additional resources
Summary
Part 2: Detection Creation
4
Detection Data Sources
Technical requirements
Understanding data sources and telemetry
Raw telemetry
Security tooling
MITRE ATT&CK data sources
Identifying your data sources
Looking at data source issues and challenges
Completeness
Quality
Timeliness
Coverage
Exercise – understanding your data sources
Adding data sources
Lab – adding a web server data source
Summary
Further reading
5
Investigating Detection Requirements
Revisiting the phases of detection requirements
Discovering detection requirements
Tools and processes
Exercise – requirements discovery for your organization
Triaging detection requirements
Threat severity
Organizational alignment
Detection coverage
Active exploits
Calculating priority
Investigating detection requirements
Summary
6
Developing Detections Using Indicators of Compromise
Technical requirements
Leveraging indicators of compromise for detection
Example scenario – identifying an IcedID campaign using indicators
Scenario 1 lab
Installing and configuring Sysmon as a data source
Detecting hashes
Detecting network-based indicators
Lab summary
Summary
Further reading
7
Developing Detections Using Behavioral Indicators
Technical requirements
Detecting adversary tools
Example scenario – PsExec usage
Detecting tactice, techniques, and procedures (TTPs)
Example scenario – mark of the web bypass technique
Summary
8
Documentation and Detection Pipelines
Documenting a detection
Lab – documenting a detection
Exploring the detection repository
Detection-as-code
Challenges creating a detection pipeline
Lab – Publishing a rule using Elastic’s detection-rules project
Summary
Part 3: Detection Validation
9
Detection Validation
Technical requirements
Understanding the validation process
Understanding purple team exercises
Simulating adversary activity
Atomic Red Team
CALDERA
Exercise – validating detections for a single technique using Atomic Red Team
Exercise – validating detections for multiple techniques via CALDERA
Using validation results
Measuring detection coverage
Summary
Further reading
10
Leveraging Threat Intelligence
Technical requirements
Threat intelligence overview
Open source intelligence
Internal threat intelligence
Gathering threat intelligence
Threat intelligence in the detection engineering life cycle
Requirements Discovery
Triage
Investigate
Threat intelligence for detection engineering in practice
Example – leveraging threat intel blog posts for detection engineering
Example – leveraging VirusTotal for detection engineering
Threat assessments
Example – leveraging threat assessments for detection engineering
Resources and further reading
Threat intelligence sources and concepts
Online scanners and sandboxes
MITRE ATT&CK
Summary
Part 4: Metrics and Management
11
Performance Management
Introduction to performance management
Assessing the maturity of your detection program
Measuring the efficiency of a detection engineering program
Measuring the effectiveness of a detection engineering program
Prioritizing detection efforts
Precision, noisiness, and recall
Calculating a detection’s efficacy
Low-fidelity coverage metrics
Automated validation
High-fidelity coverage metrics
Summary
Further reading
Part 5: Detection Engineering as a Career
12
Career Guidance for Detection Engineers
Getting a job in detection engineering
Job postings
Developing skills
Detection engineering as a job
Detection engineering roles and responsibilities
The future of detection engineering
Attack surfaces
Visibility
Security device capabilities
Machine learning
Sharing of attack methodology
The adversary
The human
Summary
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book