Book Review: Practical Threat Intelligence and Data-Driven Threat Hunting
Review of the book Practical Threat Intelligence and Data-Driven Threat Hunting by Valentina Costa-Gazcón. Book published in October 2020.
Part of my work involves Cyber Threat Intelligence (CTI), so I wanted to brush up my CTI knowledge and learn new concepts (maybe!). I picked up Practical Threat Intelligence and Data-Driven Threat Hunting by Valentina Costa-Gazcón (published in October 2020 by Packt Publishing Limited). This book has been on my reading list for some time. It also allowed me to dive into a different topic.
Content Overview
One thing I soon realized after reading a few chapters of this book was that it should have been titled "Data-Driven Threat Hunting and Threat Intelligence". The author has dedicated more than 92% of the content to threat hunting and only one chapter to CTI. There is nothing wrong with this, but one would expect more coverage of CTI-related topics in a book titled "Practical Threat Intelligence".
Book Layout
Cyber Threat Intelligence - This part covers the basics of CTI and threat hunting. It also talks about the various data sources that feed a threat hunting exercise. This section also contains a primer on various computer science topics (OS, networking, Wi-Fi, Windows, etc.).
Understanding the Adversary - This part is mostly focused on adversary emulation and covers the MITRE ATT&CK framework in detail, along with the MITRE ATT&CK Navigator tool. This section also includes a case study of the Formbook malware in which the author maps the TTPs of this malware to the MITRE ATT&CK framework. It then talks about creating a data model for emulating an adversary, and planning and performing an adversary emulation exercise. It takes APT3 as a case study to create an adversary emulation plan.
Working with a Research Environment - Covers creating a lab environment (from scratch!) for the threat hunting in later chapters, using VMware ESXi, Ubuntu, the ELK stack, HELK and Windows VMs. The author has also covered running tests from the Atomic Red Team library and using the ELK stack to detect the events associated with that adversarial activity. This section also covers using MITRE ATT&CK's APT29 emulation to perform threat hunting in the lab environment. The author provides a walk-through of threat hunts for various TTPs of this APT group. Finally, it discusses the importance of good documentation and of automating successful hunts.
Communicating to Succeed - The last part discusses how to measure and refine the quality of the data collected for a threat hunt. It also talks about interpreting the results of a threat hunt, and defining metrics to measure and improve the performance and effectiveness of the threat hunting team and of threat hunt exercises. The last chapter discusses when to get the incident response team involved and how to effectively communicate the results of threat hunting exercises to senior management.
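To give a concrete sense of what "data-driven threat hunting" with ATT&CK-tagged detection logic looks like in practice (the Atomic Red Team / ELK hunts and the Sigma rules mentioned in this review), here is a small added example. It is my own illustration, not code from the book or from any of the projects named: it evaluates two hypothetical Sigma-style selections over a handful of constructed Sysmon process-creation events and reports each hit with the ATT&CK technique IDs carried in the rule's tags. The rules, event fields and values are assumptions chosen for the demonstration.

```python
"""Minimal data-driven hunt: evaluate Sigma-style selections over process
creation events and tag each hit with its ATT&CK technique.

Events and rules below are constructed for illustration (not real telemetry,
not rules from the book or the Sigma project). Field names follow Sysmon
Event ID 1 (process creation) as commonly normalised in an ELK/HELK stack.
"""
import re

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "ws02",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication "',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Hypothetical rules shaped like Sigma's `detection.selection`: a field, an
# optional `|contains` / `|endswith` / `|startswith` modifier, and one or more
# values (OR within a field, AND across fields). Tags carry ATT&CK technique IDs
# in Sigma's `attack.tXXXX.YYY` convention.
RULES = [
    {"title": "Encoded PowerShell Command Line",
     "tags": ["attack.execution", "attack.t1059.001"],
     "selection": {"Image|endswith": r"\powershell.exe",
                   "CommandLine|contains": [" -enc ", " -EncodedCommand "]}},
    {"title": "Rundll32 JavaScript RunHTMLApplication",
     "tags": ["attack.defense_evasion", "attack.t1218.011"],
     "selection": {"Image|endswith": r"\rundll32.exe",
                   "CommandLine|contains": "javascript:"}},
]

TECHNIQUE_TAG = re.compile(r"attack\.t\d{4}(\.\d{3})?")


def _match_field(value, modifier, patterns):
    """Apply one Sigma-style modifier. Sigma string matching is case-insensitive,
    so both sides are lower-cased; a missing field never matches."""
    if value is None:
        return False
    v = str(value).lower()
    pats = patterns if isinstance(patterns, list) else [patterns]
    for p in (str(x).lower() for x in pats):
        if modifier is None and v == p:
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
    return False


def rule_matches(rule, event):
    """All fields of the selection must match (AND across fields)."""
    for key, patterns in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if not _match_field(event.get(field), modifier or None, patterns):
            return False
    return True


def techniques_of(rule):
    """Extract ATT&CK technique IDs (e.g. T1059.001) from a rule's tags."""
    return [t[len("attack."):].upper() for t in rule["tags"] if TECHNIQUE_TAG.fullmatch(t)]


def hunt(events, rules):
    """Return (host, rule title, technique IDs) for every event a rule fires on."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                hits.append((ev["host"], rule["title"], techniques_of(rule)))
    return hits


def covered_techniques(rules):
    """Sorted technique IDs the rule set covers; the input for a coverage
    heat map of the kind drawn with ATT&CK Navigator or DeTT&CT."""
    return sorted({t for rule in rules for t in techniques_of(rule)})


if __name__ == "__main__":
    for host, title, techniques in hunt(EVENTS, RULES):
        print(f"{host}: {title} -> {', '.join(techniques)}")
    print("covered:", covered_techniques(RULES))
```

The point of the exercise is the feedback loop the book describes: run an Atomic Red Team test, confirm the event shows up in the stack, and turn the successful hunt into a rule tagged with the technique it covers so coverage can be tracked per ATT&CK technique rather than per ad hoc query. The `hunt` function above only handles simple equality, `contains`, `endswith` and `startswith` selections; real Sigma rules also support conditions over several named selections, wildcards and regular expressions, which are left out here.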
Salient Features
It is a good introduction to threat hunting, with a good balance of theory and practice.
This book provides a holistic view of threat hunting.
The lab setup and threat hunting walk-through are well described and easy to follow.
The author has included exercises to map some of the TTPs manually.
I learnt about a lot of tools such as MITRE CALDERA, Quasar RAT, DeTT&CT, the Threat Hunter Playbook, Sigma rules, the OSSEM project, etc.
This book is good for security analysts, red teams, blue teams, security managers and beginners in threat hunting.
Not so salient Features
Very little coverage of Cyber Threat Intelligence.
I agree with the author's philosophy of creating a lab environment from scratch, but providing AWS or Azure templates to automate the lab deployment would have been nice. It would be helpful for people who are short on time.
My rating: 4.0 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).