Security
Reader small image

You're reading from  Digital Forensics and Incident Response - Second Edition

Product typeBook
Published inJan 2020
Reading LevelBeginner
Publisher
ISBN-139781838649005
Edition2nd Edition
Languages
Python
Tools
PowerShellWireshark
Concepts
Forensics
Right arrow
Author (1)
Gerard Johansen
Gerard Johansen
author image
Gerard Johansen

Gerard Johansen is an information security professional with over a decade of experience in penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his career as a cyber crime investigator, he has also worked as a consultant and security analyst for clients and organizations ranging from healthcare to finance. He is a graduate from Norwich University, gaining an MSc in Information Assurance and also a CISSP, and is currently employed with an international information technology services firm that specializes in incident response and threat intelligence.
Read more about Gerard Johansen

Right arrow

Hunting for Threats

The release of Mandiant's APT1 report provided information security professionals with a deep insight into one of the most experienced and prolific threat groups operating. The insight into the Chinese PLA Unit 61398 also provided a context around these sophisticated threat actors. The term Advanced Persistent Threat (APT) became part of the information security lexicon. Information security and incident responders now had insight into threats that conducted their activities without detection, and over a significant period of time.

Continued research has also demonstrated that organizations still lag far behind in their ability to detect a breach that has occurred or that is currently ongoing. The 2018 Cost of a Data Breach Study: Global Overview authored by IBM and Ponemon Institute determined that of the 477 organizations that were surveyed, there was...

The threat hunting maturity model

The cybersecurity expert David Bianco, the developer of the Pyramid of Pain covered in the previous chapter, developed the threat hunting maturity model while working for the cybersecurity company Sqrrl. It is important to understand this maturity model in relation to threat hunting, as it provides threat hunters and their organization a construct in determining the roadmap to maturing the threat hunting process in their organization. The maturity model is made up of five levels, starting at Hunt Maturity 0 (or HM0) to HM4. What follows is a review of the five levels of the model:

  • HM0—Initial: During the initial stage, organizations rely exclusively on automated tools such as network- or host-based intrusion prevention/detection systems, antivirus, or security information and event management (SIEM) to provide alerts to the threat hunt...

Threat hunt cycle

Threat hunting, like incident response, is a process-driven exercise. There is not a clearly defined and accepted process in place, but there is a general sequence that threat hunting takes that provides a process that can be followed. The following screenshot combines the various stages of a threat hunt into a process that guides threat hunters through the various activities to facilitate an accurate and complete hunt:

Let's begin with the first stage.

Initiating event

The threat hunt begins with an initiating event. Organizations that incorporate threat hunting into their operations may have a process or policy that threat hunting be conducted at a specific cadence or time period. For example, an...

MITRE ATT&CK

In Chapter 13, Leveraging Threat Intelligence, there was a brief exploration of the MITRE ATT&CK framework, as it pertains to the incorporation of threat intelligence into incident response. The MITRE ATT&CK framework is also extremely useful in the initial planning and execution of a threat hunt. The MITRE ATT&CK framework is useful in a variety of areas in threat hunting, but for the purposes of this chapter, the focus will be on two specific use cases. First will be the use of the framework to craft a specific hypothesis. Second, the framework can be utilized to determine likely evidence sources that would produce the best indicators.

The first use case, crafting the hypothesis, can be achieved through an examination of the various tactics and techniques of the MITRE ATT&CK framework. An examination of the various enterprise tactics located...

Threat hunt planning

Beginning a threat hunt does not require a good deal of planning, but there should be some structure as to how the threat hunt will be conducted, the sources of data, and the time period on which the threat hunt will focus. A brief written plan will address all of the key points necessary, and place all of the hunt team on the same focus area so that extraneous data that does not pertain to the threat hunt is minimized. The following are seven key elements that should be addressed in any plan:

  • Hypothesis: A one- or two-sentence hypothesis that was discussed earlier. This hypothesis should be clearly understood by all the hunt team members.
  • MITRE ATT&CK tactic(s): In the previous chapter, there was a discussion about the MITRE ATT&CK framework and its application to threat intelligence and incident response. In this case, the threat hunt should include...

Threat hunt reporting

Chapter 11, Writing the Incident Report, provided the details necessary for incident responders to properly report on their activities and their findings. Reporting a threat hunt is just as critical, as it affords managers and policymakers insight into the tools, techniques, and processes utilized by the hunt team, as well as providing potential justification of additional tools or modifying the existing processes. The following are some of the key elements of a threat hunt report:

  • Executive summary: This high-level overview of the actions taken, indicators discovered, and if the hunt proved or disproved the hypothesis provides the decision-makers with a short narrative that can be acted upon.
  • Threat hunt plan: The plan, including the threat hunt hypothesis, should be included as part of the threat hunt report. This provides the reader with the various details...

Summary

Eric O'Neill, former FBI intelligence professional and cybersecurity expert, has said: When you don't hunt the threat, the threat hunts you. This is exactly the sentiment behind threat hunting. As was explored, the average time from compromise to detection leaves adversaries with plenty of time to do significant damage. This can be done by understanding the level of maturity in an organization in terms of proactive threat hunting, applying the threat hunt cycle, adequately planning, and—finally— recording the findings. Taking a proactive stance may reduce the time an adversary has to cause damage, and help to possibly keep ahead of the constantly shifting threat landscape.

Questions

  1. At what level of the threat hunting maturity model would technologies such as machine learning be found?

A) HM0
B) HM1
C) HM2
D) HM3

  1. Which of the following is a top 10 IoC?

A) IP address
B) Malware signature
C) Excessive file request
D) URL

  1. A threat hunt initiating event can be a threat intelligence report.

A) True
B) False

  1. A working hypothesis is a generalized statement regarding the intent of the threat hunt.

A) True
B) False

Further reading

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 19 of 22
Next Chapter
You have been reading a chapter from
Digital Forensics and Incident Response - Second Edition
Published in: Jan 2020Publisher: ISBN-13: 9781838649005
© 2020 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Author (1)

author image
Gerard Johansen

Gerard Johansen is an information security professional with over a decade of experience in penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his career as a cyber crime investigator, he has also worked as a consultant and security analyst for clients and organizations ranging from healthcare to finance. He is a graduate from Norwich University, gaining an MSc in Information Assurance and also a CISSP, and is currently employed with an international information technology services firm that specializes in incident response and threat intelligence.
Read more about Gerard Johansen

Other recommended products

Related to this chapter

Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

Kali Linux is used mainly for penetration testing and digital forensics. This book will help you explore and unleash the tools available in Kali Linux for effective digital forensics investigations. Using practical examples, you will be able to make the most of forensics process such as investigation, evidence acquisition, and analysis.

BookDec 2017274 pages
Digital Forensics with Kali Linux

Digital Forensics with Kali Linux

Kali Linux is considered as a reliable source for penetration testing and digital forensics. This book will give readers hands-on experience in utilizing Kali Linux tools to implement all the pillars of digital forensics such as acquisition, extraction, analysis, and presentation.

BookApr 2020334 pages
Windows Forensics Cookbook

Windows Forensics Cookbook

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. Whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult and there are always challenges to be faced.

BookAug 2017274 pages
Learn Computer Forensics

Learn Computer Forensics

Computer forensics touches on a lot of skills - from answering legal or investigative questions to preparing for an investigation, evidence acquisition, and more. The goal of this book is to acquaint you with some of the forensic tools and techniques to successfully investigate cybercrimes, and become a proficient computer forensics investigator.

BookApr 2020368 pages
Practical Cyber Intelligence

Practical Cyber Intelligence

Cyber intelligence is the missing link between your cyber defense operation teams, threat intelligence, and IT operations to provide your organization with a full spectrum of defensive capabilities. This book kicks off with the need for cyber intelligence and why it is required in terms of a defensive framework.

BookMar 2018322 pages
Cisco Certified CyberOps Associate 200-201 Certification Guide

Cisco Certified CyberOps Associate 200-201 Certification Guide

The Cisco Certified CyberOps Associate 200-201 certification exam helps you gain the skills and knowledge needed to prevent, detect, analyze, and respond to cybersecurity incidents. This book offers complete up-to-date coverage of the 200-201 exam so you can confidently pass first time while getting hands-on cybersecurity experience.

BookJun 2021660 pages
Incident Response in the Age of Cloud

Incident Response in the Age of Cloud

This book is a comprehensive guide for organizations on how to prepare for cyber-attacks and control cyber threats and network security breaches in a way that decreases damage, recovery time, and costs, facilitating the adaptation of existing strategies to cloud-based environments.

BookFeb 2021622 pages
Hands-On Network Forensics

Hands-On Network Forensics

In the era of network attacks and malware threat, it becomes important to have skills to investigate the attack evidence and vulnerabilities prevailing in the network. This book focuses on how to acquire and analyze the evidence, write a report and use the common tools in network forensics.

BookMar 2019358 pages1
Hands-On Network Forensics

Hands-On Network Forensics

In the era of network attacks and malware threat, it becomes important to have skills to investigate the attack evidence and vulnerabilities prevailing in the network. This book focuses on how to acquire and analyze the evidence, write a report and use the common tools in network forensics.

BookMar 2019358 pages3
Malware Analysis Techniques

Malware Analysis Techniques

Comprehensive threat analysis is important for incident responders as it helps them to ensure that a threat has been entirely eliminated. This book shows you how to quickly triage, identify, attribute, and remediate threats with proper analysis techniques, and guides you in implementing your knowledge to prevent further incidents.

BookJun 2021282 pages
Practical Mobile Forensics

Practical Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This book is an update to Practical Mobile Forensics, Second Edition and it delves into the concepts of mobile forensics and its importance in today’s world.

BookJan 2018402 pages
Information Security Handbook

Information Security Handbook

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book covers the concept of information security, and shows you why it’s important.

BookDec 2017330 pages

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages