Practical Threat Intelligence and Data-Driven Threat Hunting

The book guides readers through setting up an ELK stack (Elasticsearch, Logstash, and Kibana). This stack lets analysts centralize all security data on one server and gives them a powerful platform for querying and visualizing it.

+-----------------------------------+
|  Cyber Threat Intelligence (CTI)  |  --> Provides the "Who", "Why", and "What"
+-----------------------------------+
                 |
                 v  (Feeds hypotheses & indicators)
+-----------------------------------+
|    Data-Driven Threat Hunting     |  --> Executes the "Where" and "How"
+-----------------------------------+

Understanding Cyber Threat Intelligence (CTI)

Ensure Sysmon Event ID 1 (Process Creation) is enabled so that such an execution is actually captured in the logs.

A robust, open-source platform for sharing threat indicators and threat intelligence.


Data must be normalized into a standard format, such as the framework the book adopts, so that one query runs uniformly across every log source.

Step 3: Investigation and Analytics

Setting up an Elasticsearch, Logstash, and Kibana (ELK) server to centralize security data.

Cyber Threat Intelligence (CTI) is not just a feed of IP addresses or Indicators of Compromise (IoCs). It is evidence-based knowledge about adversaries, including their contexts, mechanisms, indicators, implications, and actionable advice. CTI is generally categorized into three levels:

High-level information designed for executives and non-technical stakeholders. It focuses on broader trends, geopolitical risks, and the business impact of cyber threats.

For those looking to gain hands-on experience, you don't need a multi-million-dollar enterprise budget to start threat hunting. You can build a practical lab environment using open-source tools:

Threat intelligence is the process of gathering, analyzing, and disseminating information about potential or active cyber threats. This information enables organizations to make informed decisions about their security posture and take proactive measures to prevent or mitigate attacks. Threat intelligence can be categorized into three main types:

You receive a report about a new ransomware strain targeting your industry. You extract its specific TTPs (for example, a particular WMI command used for persistence) and immediately run a hunt across your environment to see whether those TTPs are present.
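As an added example (not code from the book or from this page), the loop behind that scenario end to end in Python: two constructed log sources with different field names (Sysmon Event ID 1 records and a hypothetical endpoint agent) are normalized into one common schema, a single hunt query for the WMI event-subscription persistence hypothesis runs over both, and the hits are turned into a response summary. The common schema's field names, the agent's record format, and every event below are assumptions of this example; only the ATT&CK technique ID and the WMI class names are real.

```python
"""Added example: normalize two process-creation log sources into one schema,
run one hunt query for WMI event-subscription persistence over both, and
summarize the hits for response. All telemetry below is constructed."""
import re
from typing import Iterable, List, Optional

# Source 1 (constructed): Sysmon records as a SIEM might export them.
# Only EventID 1 (process creation) is in scope for this hunt.
SYSMON_EVENTS = [
    {"EventID": 1, "Computer": "WS-014.corp.local",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": (r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE '
                     r'Name="Updater", EventNameSpace="root\cimv2", QueryLanguage="WQL", '
                     r'Query="SELECT * FROM __InstanceModificationEvent WITHIN 60"'),
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Computer": "WS-014.corp.local",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"EventID": 3, "Computer": "WS-014.corp.local",  # network connection: out of scope
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.5"},
]
# Source 2 (constructed): a hypothetical endpoint agent with its own field names.
AGENT_EVENTS = [
    {"type": "process_start", "host": "SRV-DB01",
     "proc_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell -nop -w hidden -c "Set-WmiInstance -Namespace root\\subscription '
                 '-Class CommandLineEventConsumer -Arguments @{Name=\'Updater\';'
                 'CommandLineTemplate=\'C:\\Users\\Public\\up.exe\'}"'),
     "parent": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"type": "process_start", "host": "SRV-DB01",
     "proc_path": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption",  # legitimate WMIC use: must NOT match
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\dbadmin"},
    {"type": "file_write", "host": "SRV-DB01", "path": r"C:\Temp\x.log"},  # not a process event
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\a\\B.exe' -> 'b.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def normalize_sysmon(event: dict) -> Optional[dict]:
    """Step 2 (Sysmon side): map Event ID 1 onto the common schema; skip everything else."""
    if event.get("EventID") != 1:
        return None
    return {"host": event["Computer"], "process_path": event["Image"],
            "process_name": _basename(event["Image"]),
            "command_line": event.get("CommandLine", ""),
            "parent_name": _basename(event.get("ParentImage", "")),
            "user": event.get("User", ""), "source": "sysmon"}


def normalize_agent(event: dict) -> Optional[dict]:
    """Step 2 (agent side): same schema, different source field names."""
    if event.get("type") != "process_start":
        return None
    return {"host": event["host"], "process_path": event["proc_path"],
            "process_name": _basename(event["proc_path"]),
            "command_line": event.get("cmdline", ""),
            "parent_name": _basename(event.get("parent", "")),
            "user": event.get("user", ""), "source": "agent"}


def normalize_all(sysmon: Iterable[dict], agent: Iterable[dict]) -> List[dict]:
    """One event list in one schema, so a single query covers every source."""
    normalized = [normalize_sysmon(e) for e in sysmon] + [normalize_agent(e) for e in agent]
    return [e for e in normalized if e is not None]


# Step 1, the hypothesis: the ransomware actor persists through a WMI permanent event
# subscription (MITRE ATT&CK T1546.003). Any process creation whose command line names
# the root\subscription namespace AND one of the subscription classes is a hit.
WMI_NAMESPACE = re.compile(r"root\\subscription", re.IGNORECASE)
WMI_CLASSES = re.compile(r"__EventFilter|__EventConsumer|CommandLineEventConsumer|"
                         r"ActiveScriptEventConsumer|__FilterToConsumerBinding", re.IGNORECASE)


def wmi_persistence_hunt(events: Iterable[dict]) -> List[dict]:
    """Step 3: run the hypothesis as one query over the normalized data."""
    return [dict(e, technique="T1546.003") for e in events
            if WMI_NAMESPACE.search(e["command_line"]) and WMI_CLASSES.search(e["command_line"])]


def respond(hits: List[dict]) -> dict:
    """Step 4: what the SOC needs to act: affected hosts, users, and the exact command
    lines to attach to the incident and feed back into an automated detection rule."""
    return {"affected_hosts": sorted({h["host"] for h in hits}),
            "users": sorted({h["user"] for h in hits}),
            "hits_by_source": {s: sum(1 for h in hits if h["source"] == s)
                               for s in sorted({h["source"] for h in hits})},
            "command_lines": [h["command_line"] for h in hits]}


def run_hunt() -> dict:
    """The whole loop on the constructed data."""
    events = normalize_all(SYSMON_EVENTS, AGENT_EVENTS)
    hits = wmi_persistence_hunt(events)
    return {"events_hunted": len(events), "hits": hits, "response": respond(hits)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_hunt(), indent=2))
```

The point of the normalizers is that the hunt query is written once against `command_line` and never has to know whether a record came from Sysmon or the agent; the benign `wmic os get caption` and the non-process events show why the query keys on the subscription namespace plus a subscription class rather than on the WMIC binary alone.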

Sharing this intelligence with the relevant security stakeholders and automating blocks where possible.

Data-Driven Threat Hunting: The Core Methodology

+----------------------------+
|    Formulate Hypothesis    |
+-------------+--------------+
              |
              v
+----------------------------+
|   Gather & Process Data    |
+-------------+--------------+
              |
              v
+----------------------------+
|      Execute the Hunt      |
+-------------+--------------+
              |
              v
+----------------------------+
|     Respond & Automate     |
+----------------------------+

The Core Pillars of a Data-Driven Hunt

Practical Threat Intelligence and Data-Driven Threat Hunting

by Valentina Palacín (also known as Valentina Costa-Gazcón) is highly regarded as a definitive hands-on guide for cybersecurity professionals moving from reactive to proactive defense.

This is where the magic happens. Practical Threat Intelligence provides the "lead," and Data-Driven Threat Hunting provides the "search."