Edition: 1
Authors: Nadhem AlFardan
Series:
ISBN: 163343947X, 9781633439474
Publisher: Manning
Year of publication: 2025
Number of pages: 418
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 57 MB
If you need the Cyber Threat Hunting file converted to PDF, EPUB, AZW3, MOBI or DJVU, notify support and they will convert it for you.
Note that this copy of Cyber Threat Hunting is the original English-language edition, not a Persian translation. The International Library website provides original-language books only and does not offer any books translated into or written in Persian.
Cyber Threat Hunting

Contents

foreword
preface
acknowledgments
about this book
  Who should read this book
  How this book is organized: A road map
  About the code
  liveBook discussion forum
about the author
about the cover illustration

Part 1

1 Introduction to threat hunting
  1.1 Cybersecurity threat landscape
  1.2 Why hunt?
  1.3 Structuring threat hunting
    1.3.1 Coming up with a hypothesis
    1.3.2 Testing the hypothesis
    1.3.3 Executing the threat hunt
  1.4 Threat hunting vs. threat detecting
  1.5 The background of a threat hunter
  1.6 The threat-hunting process
  1.7 Overview of technologies and tools

2 Building the foundation of a threat-hunting practice
  2.1 Establishing a threat-hunting practice
  2.2 Developing a threat-hunting hypothesis
    2.2.1 Threat scenario
    2.2.2 Threat-hunting play
    2.2.3 Formalizing the hunt hypothesis
  2.3 Cyber threat intelligence
    2.3.1 Threat-intelligence types
    2.3.2 The Pyramid of Pain
  2.4 Security situational awareness
  2.5 Cognitive-bias challenges
  2.6 MITRE ATT&CK
  2.7 Frameworks
    2.7.1 Threat-hunting framework
    2.7.2 Existing frameworks and standards
  2.8 Building maturity over time
    2.8.1 Maturity model
    2.8.2 Maturity levels
  2.9 Exercises

Part 2

3 Your first threat-hunting expedition
  3.1 Hunting for compromised endpoints
    3.1.1 Threat scenario
    3.1.2 Research work
    3.1.3 The hypothesis
    3.1.4 The hunting expedition
  3.2 The threat-hunting process
    3.2.1 Preparation
    3.2.2 Execution
    3.2.3 Communication
  3.3 Microsoft Windows Sysmon events
    3.3.1 Reviewing Sysmon's capabilities
    3.3.2 Searching Sysmon events
  3.4 Exercises
  3.5 Answers to exercises

4 Threat intelligence for threat hunting
  4.1 Preparing for the hunt: Hunting for web shells
    4.1.1 Scenario
    4.1.2 Threat-intelligence report
    4.1.3 Research work
  4.2 The hunting expedition
    4.2.1 Searching for malicious uploads
    4.2.2 Digging more into the web requests
    4.2.3 Tracking with firewall logs
    4.2.4 Addressing consequences
  4.3 The threat-hunting process
    4.3.1 Preparation
    4.3.2 Execution
    4.3.3 Communication
  4.4 Exercises
  4.5 Answers to exercises

5 Hunting in clouds
  5.1 Hunting for a compromised Kubernetes infrastructure
    5.1.1 Threat scenario
    5.1.2 Research work
    5.1.3 The hunting expedition
  5.2 A short introduction to Kubernetes security
    5.2.1 Security frameworks
    5.2.2 Data sources
  5.3 Threat-hunting process
    5.3.1 Preparation
    5.3.2 Execution
    5.3.3 Communication
  5.4 Exercises
  5.5 Answers to exercises

Part 3

6 Using fundamental statistical constructs
  6.1 Hunt for compromised systems beaconing to command and control
    6.1.1 Scenario: Searching for malicious beaconing
    6.1.2 Data sources
    6.1.3 Running statistical analysis work
    6.1.4 Osquery
    6.1.5 Hunting expedition: Searching for beaconing
  6.2 Exercises
  6.3 Answers to exercises

7 Tuning statistical logic
  7.1 Beaconing with random jitter
    7.1.1 Relying on standard deviation only
    7.1.2 Enhancing the analytic techniques with interquartile range
    7.1.3 Interrogating the first suspect
    7.1.4 Avoiding confirmation bias
    7.1.5 Analyzing the data further
    7.1.6 Hunting for patterns
    7.1.7 Analyzing fields of interest
    7.1.8 Interrogating the second suspect
  7.2 Exercises
  7.3 Answers to exercises

8 Unsupervised machine learning with k-means
  8.1 Beaconing with random jitter to a trusted destination
    8.1.1 Getting comfortable with the data
    8.1.2 Loading the data set
    8.1.3 Exploring and processing the data set
    8.1.4 Looking for empty fields
    8.1.5 Looking for fields with a large number of unique values
    8.1.6 Looking for highly correlated fields
    8.1.7 Converting non-numerical fields to numerical
    8.1.8 Calculating correlation
  8.2 K-means clustering
    8.2.1 How does k-means work?
    8.2.2 Feature scaling
    8.2.3 Determining the number of clusters, k
    8.2.4 Applying k-means clustering
  8.3 Analyzing clusters of interest
    8.3.1 Cluster 2
    8.3.2 Cluster 0
  8.4 Silhouette analysis as an alternative to the elbow method
  8.5 K-means with k = 6
    8.5.1 Cluster 2
    8.5.2 Cluster 4
    8.5.3 Cluster 1
  8.6 Exercises
  8.7 Answers to exercises

9 Supervised machine learning with Random Forest and XGBoost
  9.1 Hunting DNS tunneling
  9.2 Supervised machine learning
    9.2.1 Acquiring the training data set
    9.2.2 Analyzing the data set
    9.2.3 Extracting the features
    9.2.4 Analyzing the features
    9.2.5 Reducing features
  9.3 Random Forest
    9.3.1 Generating the Random Forest model
    9.3.2 Testing the Random Forest model
    9.3.3 Hunting with the Random Forest model
    9.3.4 Downloading DNS events and extracting features
    9.3.5 Engaging the model
    9.3.6 Investigating events
  9.4 XGBoost
    9.4.1 Generating the XGBoost model
    9.4.2 Testing the XGBoost model
    9.4.3 Hunting with the XGBoost model
  9.5 Exercises
  9.6 Answers to exercises

10 Hunting with deception
  10.1 No data? No problem!
  10.2 Hunting for an adversary on the run
    10.2.1 Scenario
    10.2.2 Creating deception
    10.2.3 Designing the decoys
    10.2.4 Deploying the decoys
    10.2.5 Waiting for the adversary to take the bait
    10.2.6 Getting lucky
  10.3 Deception platforms
  10.4 Exercises
  10.5 Answers to exercises

Part 4

11 Responding to findings
  11.1 Hunting dangerous external exposures
    11.1.1 Scenario
    11.1.2 Hypothesis
    11.1.3 Searching for unexpected incoming connections
    11.1.4 Searching internet scanner databases
    11.1.5 Listing the local services
    11.1.6 Asking for assistance
    11.1.7 Incident case
    11.1.8 Continuing the hunt
    11.1.9 Understanding the compromise timeline
    11.1.10 Handing the case to the incident-response team
  11.2 Exercises
  11.3 Answers to exercises

12 Measuring success
  12.1 Why we need to measure and report success or failure
  12.2 The ask
  12.3 Threat-hunting metrics
  12.4 Scenario: Uncovering a threat before an adversary executes it
    12.4.1 Research work
    12.4.2 Hunting for SQL successful injections
    12.4.3 Checking the code
    12.4.4 The threat-hunting team saved the day
    12.4.5 The penetration testing team confirmed the finding
    12.4.6 Threat hunting and executed threats
  12.5 Reporting to stakeholders
    12.5.1 Reporting to the executive team
    12.5.2 Reporting to the CISO
    12.5.3 Reporting to the security operations manager

13 Enabling the team
  13.1 Resilience and adaptability
    13.1.1 What is resilience?
    13.1.2 What is adaptability?
    13.1.3 Measuring resilience and adaptability
    13.1.4 Developing resilience and adaptability
  13.2 Supporting threat hunters' well-being
  13.3 Becoming a threat hunter
    13.3.1 From security monitoring to threat hunting
    13.3.2 From red-teaming to threat hunting
    13.3.3 From threat intelligence to threat hunting
  13.4 Keeping threat hunters engaged
  13.5 Continuous learning and development
    13.5.1 Technical enablement
    13.5.2 Mentorship
    13.5.3 Threat-hunting landscapes
  13.6 Threat hunting in the age of artificial intelligence
    13.6.1 Using public LLM services
    13.6.2 Using private LLM services

appendix A: Useful tools
index