“Practical Threat Intelligence and Data-Driven Threat Hunting” Notes

Chad Warner
3 min read · Nov 30, 2021


In Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools
by Valentina Palacín, the word “Practical” in the title is accurate, as there are many sets of step-by-step instructions and many specific tools are mentioned. It seems the book is heavier on threat hunting than on threat intelligence, though there’s plenty about threat intel as well.

I read this after hearing Palacín on the Hacker Valley Blue podcast.

My notes follow.

“Practical Threat Intelligence and Data-Driven Threat Hunting” by Valentina Palacín

This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.

What Is Cyber Threat Intelligence?

OSINT collection resources

  • virustotal.com
  • ccssforum.org
  • urlhaus.abuse.ch

osintcurio.us: learn OSINT resources and techniques.

Sandboxing solutions

  • any.run
  • hybrid-analysis.com
  • cuckoosandbox.org

Cyber Kill Chain has been criticized for not fitting modern attacks, but has been praised for identifying points to stop an attack.

Mapping the Adversary

ATT&CK Navigator helps visualize a threat actor’s MO, behavior of a specific tool, or generate a security exercise.

To map an attack to ATT&CK, look for keywords in the attack description (persistence, execute, gather, send, etc.). Use the ATT&CK search box to look for other keywords (DLL, Windows API, Registry Key, etc.).
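The keyword-driven mapping described above, and the Navigator visualization mentioned before it, as an added example that is not code from the book or from MITRE. It scans a constructed intrusion write-up for keywords, maps them to ATT&CK technique IDs, and emits a Navigator layer so the hits can be visualized. The technique IDs and names are real ATT&CK entries, but the keyword choices are my own assumption, and the layer dictionary follows the Navigator layer JSON structure as I understand it (version strings are placeholders), so check it against the Navigator's layer-format documentation before relying on it.

```python
"""Map keywords in an intrusion write-up to ATT&CK technique IDs and emit an
ATT&CK Navigator layer for visualization.

Added example, not code from the book. KEYWORD_MAP is a small hand-built
table (technique IDs/names are real ATT&CK entries; the keyword patterns are
an assumption). The layer structure follows the Navigator layer JSON format
as an assumption; version strings are placeholders to fill in.
"""
import json
import re

# keyword regex -> (technique ID, technique name); IDs and names are real ATT&CK entries
KEYWORD_MAP = [
    (r"spear.?phishing attachment", ("T1566.001", "Spearphishing Attachment")),
    (r"\bpowershell\b", ("T1059.001", "PowerShell")),
    (r"scheduled task", ("T1053.005", "Scheduled Task")),
    (r"\brun key", ("T1547.001", "Registry Run Keys / Startup Folder")),
    (r"\blsass\b", ("T1003.001", "LSASS Memory")),
    (r"\bsmb\b|admin share", ("T1021.002", "SMB/Windows Admin Shares")),
    (r"over (?:the |its )?(?:existing )?c2 channel", ("T1041", "Exfiltration Over C2 Channel")),
    (r"\bhttps?\b|web protocol", ("T1071.001", "Web Protocols")),
]

# Constructed write-up in the style of a threat report (not a real incident).
REPORT = """\
Initial access came via a spearphishing attachment that launched PowerShell.
The actor created a Registry Run key for persistence and a scheduled task
to re-execute the PowerShell loader. Credentials were dumped from LSASS
memory, lateral movement used SMB admin shares, and collected archives were
sent over the existing C2 channel, which used HTTPS.
"""


def map_report(text):
    """Return {technique_id: (name, [matched snippets])} for keywords found in text."""
    hits = {}
    for pattern, (tid, name) in KEYWORD_MAP:
        snippets = [m.group(0) for m in re.finditer(pattern, text, re.IGNORECASE)]
        if snippets:
            hits[tid] = (name, snippets)
    return hits


def build_layer(layer_name, hits):
    """Build a Navigator layer dict; score = number of keyword hits, so repeated
    techniques show up darker on the heat map."""
    techniques = [
        {"techniqueID": tid, "score": len(snippets), "comment": "; ".join(snippets)}
        for tid, (_, snippets) in sorted(hits.items())
    ]
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": layer_name,
        # Placeholder version strings: set these to the ATT&CK / Navigator versions you use.
        "versions": {"attack": "<ATT&CK version>", "navigator": "<Navigator version>", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques inferred from keywords in an intrusion write-up",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    found = map_report(REPORT)
    for tid, (name, snippets) in sorted(found.items()):
        print(f"{tid:10} {name:40} {snippets}")
    # Save this JSON and open it in ATT&CK Navigator via "Open Existing Layer".
    print(json.dumps(build_layer("Constructed intrusion report", found), indent=2))
```

Keyword matching is only a first pass: every hit still needs a human to confirm the technique from the full description, which is where the ATT&CK search box in the text comes in. The general shape (scan text, tally technique hits, export a layer) carries over to mapping several reports about the same actor into one heat map.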

Working with Data

OSSEM provides an open source standardized model for security events, documented in data dictionaries.

MITRE CAR (Cyber Analytics Repository) uses a data model, inspired by CybOX, that organizes the objects that may be monitored from a host- or network-based perspective. MITRE CARET is the GUI of the CAR project.

Sigma rules are the YARA rules of log files. Sigma is an open signature format that can be applied to any log file and can be used to describe and share detections.
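To make the "YARA rules for logs" comparison concrete, here is an added example (not code from the book or from the Sigma project) that evaluates a Sigma-style rule against a few constructed process-creation events. It implements only a small subset of the Sigma format, as an assumption for illustration: named selection maps, the `contains`/`startswith`/`endswith` field modifiers, list values meaning OR, Sigma's case-insensitive string matching, and a condition built from `and`, `or` and `not` without parentheses. The rule is written as the dict a YAML loader would produce, so no YAML library is needed; the `MonitoringAgent.exe` exclusion and the event records are made up.

```python
"""Evaluate a Sigma-style rule against sample Windows process-creation events.

Added example, not code from the book or the Sigma project. Supports a subset
of the Sigma format (assumption): named selection maps, contains/startswith/
endswith modifiers, list values as OR, case-insensitive matching, and an
and/or/not condition with no parentheses.
"""

# Constructed rule, written as the dict a YAML loader would produce from rule text.
RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Constructed exclusion for a hypothetical agent that legitimately uses encoded commands.
        "filter_agent": {
            "ParentImage|endswith": "\\MonitoringAgent.exe",
        },
        "condition": "selection and not filter_agent",
    },
}

# Constructed Sysmon-like events; RecordId values and paths are made up.
EVENTS = [
    {"RecordId": 1001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -enc <base64 placeholder>",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"},
    {"RecordId": 1002, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
     "CommandLine": "PowerShell.EXE -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\taskeng.exe", "User": "CORP\\svc_backup"},
    {"RecordId": 1003, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64 placeholder>",
     "ParentImage": "C:\\Program Files\\MonitoringAgent\\MonitoringAgent.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"RecordId": 1004, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes\\-enc-notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\bob"},
]


def match_field(value, modifier, expected):
    """Sigma string matching: case-insensitive; a list of expected values is an OR."""
    value = str(value).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier is None and value == cand:
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
    return False


def match_selection(selection, event):
    """Every field in a selection map must match (AND); a missing field never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not match_field(event[field], modifier or None, expected):
            return False
    return True


def eval_condition(condition, results):
    """Evaluate e.g. 'a and not b or c' with precedence not > and > or (no parentheses)."""
    def eval_and(term):
        out = True
        for part in term.split(" and "):
            part = part.strip()
            negate = part.startswith("not ")
            name = part[4:].strip() if negate else part
            if name not in results:
                raise ValueError(f"condition references unknown selection {name!r}")
            out = out and (not results[name] if negate else results[name])
        return out
    return any(eval_and(term) for term in condition.split(" or "))


def rule_matches(rule, event):
    """Evaluate every named selection, then combine them with the rule's condition."""
    detection = rule["detection"]
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def hunt(rule, events):
    """Return the RecordIds of the events the rule fires on."""
    return [e["RecordId"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", hunt(RULE, EVENTS))  # -> [1001]
```

Only record 1001 fires: 1002 has no encoded-command switch, 1003 matches the selection but is removed by the filter, and 1004 is not PowerShell at all. In practice the rule file stays vendor-neutral and a converter (sigmac or sigma-cli) turns it into the query language of your SIEM; the point of the toy evaluator is to show what "selection", "filter" and "condition" mean before you trust the converted query.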

Emulating the Adversary

Adversary emulation tools

  • Atomic Red Team
  • Mordor
  • CALDERA
  • C2 Matrix evaluates C2 frameworks
  • OSSEM Power-up
  • Sysmon Modular
  • DeTT&CT

Creating a Research Environment

Research environment (using ESXi)

  • ELK (bonus: add Mordor datasets)
  • Winlogbeat
  • The HELK

If you don’t have the resources to build a virtual lab with ESXi, set up an ELK or The HELK instance and load the Mordor datasets.

Other research projects

  • AutomatedLab
  • Adaz
  • Detection Lab
  • Splunk Attack Range

How to Query the Data

Security Log Encyclopedia has extensive info about different event logs.

Invoke-AtomicRedTeam can carry out atomic tests in bulk.

Importance of Documenting and Automating the Process

http://writethedocs.org/about/learning-resources/ teaches how to write good docs.

Items to document

  • State hypothesis
  • Clearly state whether hypothesis was confirmed or not
  • State scope
  • Tell how you carried out the hunt
  • Define time frame
  • Document hunting results
  • Describe aftermath
  • Lessons learned
  • If new threat actor activity is discovered, include ATT&CK mapping

Open source documentation tools

  • readthedocs.org
  • pages.github.com
  • docusaurus.io
  • sphinx-doc.org

Threat Hunter Playbook is an interactive notebook that shares detections following ATT&CK tactics, and allows easy replication and visualization of detection data.

Jupyter Notebook is an open source web app to create and share text, equations, code, and visualizations. It can be used to create interactive documentation.
