Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Aligning Security Operations with the MITRE ATT&CK Framework
Aligning Security Operations with the MITRE ATT&CK Framework

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

eBook
€20.98 €29.99
Paperback
€37.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Aligning Security Operations with the MITRE ATT&CK Framework

SOC Basics – Structure, Personnel, Coverage, and Tools

In this chapter, we will cover the landscape of what your average security operation center (SOC) looks like. We’ll discuss the structure of the specific roles within the SOC and possible sub-teams that can feed into or be part of the SOC environment. We’ll discuss strategies for alert triage, creating detections, incident response, and other important functions such as “trust but verify,” and how these functions can promote cross-team collaboration and apply to all aspects of the business. Having a strong understanding of the SOC can be critical to applying the various aspects of the ATT&CK framework. This will also allow you to evaluate the SOC environments that you might work in or interact with, and suggest possible changes, improvements, or areas for expansion. This chapter is comprised of the following sections:

  • SOC environments and roles
  • SOC environment responsibilities
  • SOC coverage
  • SOC cross-team collaboration

Technical requirements

For this chapter, there are no installations or specific technologies that are required.

SOC environments and roles

The SOC environment is one of the most critical teams that comprises your organization’s security posture. At the same time, there is no true one-size-fits-all for any SOC environment, which is part of the fun when evaluating yours for improvements. So how do you evaluate how your SOC should be set up? Well, that depends on the purpose of your organization. To test that theory, we will discuss a few hypothetical companies and the make-up of a few different SOC teams that I have seen first-hand. We’ll also talk through important traits for any SOC employee and drill down to specific roles.

SOC environments, as mentioned, all look different, but at the core, they are responsible for alert triage and incident response. In some cases, they can also be responsible for red team activities, security engineering, and network monitoring. That means that your basic roles are SOC analysts, incident responders, and SOC managers, but again that changes depending on scope. Expanded SOC environments might have network operations center (NOC) managers, NOC analysts, security engineers, threat intelligence analysts, or red team operators.

The first hypothetical SOC that we will evaluate is for a company called Blair Consulting. Blair Consulting has a SOC that is responsible for the management of security tools for building detections and for tabletop exercises, and they also have a hybrid environment, which means that there is a combination of on-premises systems and cloud systems. A SOC at that company would be comprised of a SOC manager, incident responder, security engineers, a red team specialist or engineer, and a cloud security engineer. The specific number of people would depend on the size of the organization, but as a rule of thumb, I try to have 1 incident responder for every 200–300 employees. That number primarily takes effect after you have a base set of employees for your team, which is done in the scaling-up period. This also changes if you are a public or private company because if you are public, or depending on the types of data your organization has, you might have reporting requirements for incidents, such as reporting to credit card bureaus in the case of a breach that concerns payment card industry data.

As you can see, any environment will require different teams and personnel, and no one environment looks the same. You should base it on the resources your organization has, the risks that have been identified as high and critical for your organization, and the projected growth/scalability of both the team and the organization.

SOC environment responsibilities

A SOC environment can have varying responsibilities. At the core, you have an incident response and alert triage. To accomplish comprehensive incident response, you want to have a strategy for 24/7 coverage, which can be accomplished by having a larger team and having shift patterns, partnering with a managed service security provider (MSSP), implementing a follow-the-sun model, or using an on-call roster. The option that you choose depends on the resources and infrastructure your team has. For example, if the organization has multiple offices located around the world, you would want to implement a follow-the-sun model, where you have multiple SOC analysts located at each office so that they can work their respective 9–5 type shift, and due to the various time zones and the addition of a few weekend shifts, that will give you the 24x7 coverage envisaged by the follow-the-sun model. The advantages of using an MSSP would give you the advantage of having a smaller in-house team while having support for alert triage and 24x7 coverage, but of course, that comes with a typically high price tag.

If you do everything out of one office and in multiple shifts, you would typically see 4 different shifts of 12 hours, A Day, A Night, B Day, B Night, where in 1 week, members assigned to A Day and A Night work for 4 days with 12-hour shifts, and the ones assigned to B Day and B Night work 3 days with 12-hour shifts, Each week, it would flip for the team that worked weekends.

The following chart will help you envision this:

Figure 1.1 – 2-week 4-shift rotation schedule

Figure 1.1 – 2-week 4-shift rotation schedule

The benefit of that is that in a 14-day time period, you only work 7 days, but again they are 12-hour shifts. You’ll see this type of setup in a lot of government SOC environments. The final option is to just use an on-call roster. In theory, if a high-severity alert is triggered or someone needs to trigger the incident response process, they would use a call roster or a tool such as Ops Genie, which would page whoever is on call. While this is the cheapest option for coverage, it does come with a higher level of risk that alerts will go untriaged, or incidents might take longer to contain or mitigate. In my experience, I’ll typically start a new SOC environment following the on-call method while processes are established, and then as the organization and SOC mature, I’ll either contract with an MSSP or hire enough staff to use the follow-the-sun method.

In addition to incident response, another core responsibility is alert triage. To have alerts, you need to also establish detections that can be completed by SOC analysts or dedicated detection engineers. Alert triaging can sound boring and monotonous, but it is a situation where you are constantly solving a different puzzle. It’s the responsibility of the SOC to create alerts to be able to effectively analyze the logs to find potentially suspicious actions or traffic. The purpose of that is that it is not effective or scalable to be analyzing raw logs all day; the rate at which suspicious actions would be missed is astronomical. Therefore, in theory, it is a key responsibility to have the ability to create complex alerts, which ideally pull in information from various data sources to essentially complete the first few steps of triage for your analysts. You also need to test alerts and review them regularly for efficiency because you do not want your analysts to spend all day triaging false positive alerts. Another aspect that can help with this responsibility is setting up some type of case management system to ensure that analysts do not duplicate efforts by triaging the same alert, and that would allow you to track metrics such as time to ticket, time to triage, and time to mitigation, which can help you drive initiatives for your team.

Threat intelligence analysts can be like security engineers or other types of roles in the SOC, the same way that a SOC analyst might perform some threat intelligence activities such as conducting operational intelligence research, which would provide contextual information for potentially suspicious IPs, domains, URLs, among other types of activities. A threat intelligence analyst conducts research on a larger scale. Some of their responsibilities might include integrating threat feeds such as ones from Abuse.ch, FireEye, and GoPhish (there are literally hundreds of both public and private threat feeds) or creating a deny list of hashes or domains based on triage findings, which can be applied to your organization’s firewall or endpoint detection and response tools. Another responsibility of a threat intelligence analyst is to stay current on all cyber threats, advanced persistent threat groups, and vulnerabilities, which may include writing threat reports on vulnerabilities that apply to the organization or industry.

The NOC is a part of the SOC or can be its own team. The NOC contains team members called NOC analysts, who have similar responsibilities to SOC analysts. They are responsible for monitoring networks; however, they can be less security-focused. A great example of a NOC is where it monitors smaller managed networks and remediates or investigates changes that might not align with a golden image, or reviews whether a change management process was followed properly for any network changes. If a network change might be suspicious, the NOC would work closely with the SOC to triage and assist where needed in the incident response process.

Security engineers can have a multitude of responsibilities. First, they can assist with creating detections and alerts for analysts. Next, they work heavily on the concept of “trust but verify.” This means that you trust employees with the best of intentions, but review configurations to ensure that they are secure. One common example is that when testing in a development environment, it’s very easy to stand up a new Amazon Elastic Cloud Computer (EC2) instance or create a new security group and in the interest of time, leave its firewall rules wide open to the internet. A security engineer would ideally have alerts set up to trigger when a new overly permissive group is stood up and work with that initial person to restrict the group as needed for the project.

Red team operators similarly can be their own team and work closely with security engineers and the SOC or fully be part of the SOC. Red team engineers or operators typically work on offensive operations tasks such as penetration testing, purple team testing, and assisting with trust-but-verify. The penetration testing responsibility and purple teaming go hand in hand. A purple team exercise is where a penetration test is being conducted via a set of pre-specified use cases, and the SOC analysts are notified when the testing is going to begin, its status, and so on. That way, it is a collaborative effort to test out any detections and coverage and provide an opportunity to improve.

Managers of sub-teams or of the SOC, or really any leadership role as part of the overall SOC, needs to be unique. They of course must handle administrative tasks, such as capturing metrics, creating reports, and personnel management, but they also must have a strong technical background to be effective. They must plan out a roadmap that addresses the risk of the organization, allows the team to grow and follow a scalable model, while also supporting the team members. To provide for proper growth and planning, the managers should be able to project the next 6 months of roadmaps. I recommend planning out no more than 60% of your time for projects depending on the role, to account for interrupts such as incidents or unforeseen complications and be flexible in the amount of work or types of projects projected to allow for necessary pivots.

SOC environments clearly have many varying roles and responsibilities, which really depend on the specifics of your organization and environment. You should identify the expected responsibilities of your SOC and ensure that you have enough personnel with the correct skill set or potentially provide training to develop the needed skill sets to fill any role. For scaling purposes, I typically try to add one SOC analyst and one security engineer per 500 employees, 1 NOC analyst per 5,000 network assets, 1–3 total red team engineers, 1 threat intelligence analyst for every 1,000 employees, 1 manager for every 5–10 SOC employees, and a senior manager or director as needed. Of course, this is just a general rule of thumb and can be tweaked to meet your needs.

SOC coverage

Expanding coverage and using your data effectively is critically important to any SOC’s ability to carry out its responsibilities. With a lack of coverage or visibility, the SOC will have nothing to monitor or detect, and your organization will have a significantly higher risk level because of it. That’s why it is an important factor within a SOC to determine the current level of coverage, where the gaps are, how to prioritize the gaps, and how to fill those gaps by increasing coverage.

The first stage is to determine what level of coverage you currently have. Regardless of whether your organization is a newer SOC or a more established one, I make it a point to baseline coverage before making any other roadmap decisions. To do so, I take note of all data sources that are being ingested into whatever security information event management (SIEM) is in use, such as Splunk or ELK, and I write down and organize all alerts by function. In addition to this, I review or create a risk registry that categorizes the highest risks that face the organization and, if time permits, conduct a purple team exercise. As explained in the SOC environment responsibilities section for a red team engineer role, and will be further explained in future chapters, a purple team exercise is a joint project where offensive operations are carried out to test the visibility and efficiency of alerts in place. This can also be useful in proving the negative, which means proving that attacks can be conducted without any visibility, which helps push the importance of increasing coverage.

After you have determined where the gaps are, you need to prioritize them and create a plan on how to fix them. One of the strategies for prioritizing is to list out the types of logs and visibility each missing source would give. For example, if you are not capturing logs from your organization’s Virtual Private Network (VPN), and it’s a remote work environment, then you have limited visibility into User browsing logs. You would then write out the risks or potential attacks that could be discovered with those logs and write down any mitigations. For example, while you might not capture user browsing logs but capture endpoint detection and response logs, you’ll still have some visibility into the applications used, and downloads, so that might lower the risk of not capturing those initial logs. Another strategy is after writing down the missing sources and suspected size of the logs, to prioritize them based on an effort to ingest them. For example, if you can download an app on your SIEM, utilize an API key and creds, and everything is managed in-house, then as long as the size of the logs isn’t the problem, you should be able to easily configure the new ingest. I typically recommend picking a mix of harder-to-implement logs to start the process for ingest while also implementing a few that are considered a quick win. Another way to prioritize coverage gaps is based on what you are prepared to write detections for or base it on team expertise. That way, you know whatever source of data that gets added will immediately be used to increase coverage because, in theory, you don’t want to waste licensing space, time, or money if you can’t take advantage of the additional coverage.

Filling any coverage gaps after prioritization can be done by expanding your ingest license for your current SIEM tool or using a data lake to capture additional logs without ingest in your SIEM tool. Therefore, you’ll still be able to run analytics and only ingest absolutely necessary data within your SIEM tool. Expanding your resources and current license seems like the simplest path, but a common issue with that path is that it can be cost-prohibitive. That’s where other solutions such as log tiering or using a data lake come into play. By implementing a different technical solution, such as a data lake through providers such as Snowflake, you are able to have logs transferred and collected in a centralized location, and then run analytics over those logs, and only ingest detections on a subset of the logs. That way, you have the coverage, but your ingest costs are lower. One of the downsides to this approach is that you need to implement a new technical implementation, connectors, and so on, and that, of course, has its own costs associated with it. Of course, any approach that is taken to fill a coverage gap is reliant on proper cross-team collaboration.

Coverage is always an ongoing battle as your company grows and gains capabilities. It’s important to regularly evaluate your coverage for improvements and to document any gaps, as this will help your SOC team mature. As mentioned, there are multiple ways to evaluate coverage and identify gaps, which will allow you to make an action plan for how to remediate those gaps.

SOC cross-team collaboration

“Alone we can do so little; together we can do so much” – Helen Keller.

This quote applies to the SOC environment as much as it does to most of life. One of the key functions that the SOC needs to be involved in will be promoting cross-team collaboration. This can be applied to all individual teams and functions of SOCs. For example, an analyst might triage an alert about suspicious DNS calls. While they can speculate on whether it’s DNS poisoning or a possible misconfiguration, they really need to reach out and work with a networking team to be able to fully triage and get to the root cause of what caused that alert. Similarly, in a trust-but-verify role, a cloud security engineer in the SOC would need to work with the infrastructure team, or potential development operations teams, which will be the ones standing up the initial cloud resources.

One of the key responsibilities of the SOC is “trust but verify,” and that relies on the principle of least privilege. The reasoning is that you want someone independent of the change to have the ability to validate the security behind it, so there is a lack of conflict of interest. In general, you would want security implemented by design, and the SOC or subsequent teams should coordinate to discuss security implementations prior to implementing any changes, which would shorten the validation period.

Other responsibilities, such as purple teaming exercises, are an inherently collaborative effort because they require multiple personnel of different roles to work together. As mentioned in the previous section, they primarily require a red team engineer to work collaboratively with other teams. We’ll also cover purple team exercises in depth in future chapters. Similarly, incident response efforts regularly require cross-team collaboration work in the mitigation stages. The reason is that in the case of a distributed denial-of-service (DDoS) attack, the SOC team might not be the one to implement firewall rule changes; they might have to work with a network engineer to implement changes. Or if the SOC works in an engineering environment, they might have to work with the respective engineering teams to implement CAPTCHAs, restrict logins, and so on.

There are many cases where the SOC is only able to conduct their work through effective cross-team collaboration. That effort provides a more security-informed workforce, and while issues might arise due to differing opinions on technical implementations, restraints, or even personalities, it’s critical that the lines of communication remain open and that all teams continue to work together.

Cross-team collaboration is critical for any team, but especially for a SOC. The reason is that the SOC must work with time-sensitive and potentially damaging incidents and data. The SOC is also responsible for maturing the security posture of the organization and ensuring that the principle of least privilege is in place; that can only be accomplished through cross-team collaboration. There are many times when a suspected incident turns out to be a misconfiguration, and by reaching out to other teams such as a network engineering team, your SOC will be more efficient and have the ability to triage more alerts.

Summary

To summarize, no two SOCs will ever be the same, and this can be inherently complex at first. Once you break it down and identify the needs of the organization, you will be able to determine what roles are needed and what the minimum size for your SOC is so that you can scale appropriately. Once you have at least some of the roles in place, you must evaluate your coverage so that you can identify your coverage gaps, and what the risks are for your organization. From there, you can remediate those gaps and risks through increased logging, increased detection engineering, or making technical changes. The increase in coverage is typically only accomplished through cross-team collaboration, which also makes the SOC team more efficient and ensures that proper access controls such as the principle of least privilege remain in place.

In the next chapter, we’ll take a deeper look at identifying risks through creating a risk registry, making a test plan, and conducting a purple team exercise, and hear from an industry analyst about common gaps and shortfalls. All of this will involve practical information, which you will be able to implement in your SOC environment to help increase your organization’s security maturity.

Left arrow icon Right arrow icon

Key benefits

  • Understand Cloud, Windows, and Network ATT&CK Framework using different techniques
  • Assess the attack potential and implement frameworks aligned with Mitre ATT&CK
  • Address security gaps to detect and respond to all security threats

Description

The Mitre ATT&CK framework is an extraordinary resource for all SOC environments, however, determining the appropriate implementation techniques for different use cases can be a daunting task. This book will help you gain an understanding of the current state of your SOC, identify areas for improvement, and then fill the security gaps with appropriate parts of the ATT&CK framework. You’ll learn new techniques to tackle modern security threats and gain tools and knowledge to advance in your career. In this book, you’ll first learn to identify the strengths and weaknesses of your SOC environment, and how ATT&CK can help you improve it. Next, you’ll explore how to implement the framework and use it to fill any security gaps you’ve identified, expediting the process without the need for any external or extra resources. Finally, you’ll get a glimpse into the world of active SOC managers and practitioners using the ATT&CK framework, unlocking their expertise, cautionary tales, best practices, and ways to continuously improve. By the end of this book, you’ll be ready to assess your SOC environment, implement the ATT&CK framework, and advance in your security career.

Who is this book for?

This book is for SOC managers, security analysts, CISOs, security engineers, or security consultants looking to improve their organization's security posture. Basic knowledge of Mitre ATT&CK, as well as a deep understanding of triage and detections is a must.

What you will learn

  • Get a deeper understanding of the Mitre ATT&CK Framework
  • Avoid common implementation mistakes and provide maximum value
  • Create efficient detections to align with the framework
  • Implement continuous improvements on detections and review ATT&CK mapping
  • Discover how to optimize SOC environments with automation
  • Review different threat models and their use cases
Estimated delivery fee Deliver to Spain

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : May 19, 2023
Length: 192 pages
Edition : 1st
Language : English
ISBN-13 : 9781804614266
Category :
Concepts :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to Spain

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Publication date : May 19, 2023
Length: 192 pages
Edition : 1st
Language : English
ISBN-13 : 9781804614266
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 97.97 124.97 27.00 saved
Effective Threat Investigation for SOC Analysts
€28.99 €41.99
Practical Threat Detection Engineering
€30.99 €44.99
Aligning Security Operations with the MITRE ATT&CK Framework
€37.99
Total 97.97 124.97 27.00 saved Stars icon

Table of Contents

17 Chapters
Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance Chevron down icon Chevron up icon
Chapter 1: SOC Basics – Structure, Personnel, Coverage, and Tools Chevron down icon Chevron up icon
Chapter 2: Analyzing Your Environment for Potential Pitfalls Chevron down icon Chevron up icon
Chapter 3: Reviewing Different Threat Models Chevron down icon Chevron up icon
Chapter 4: What Is the ATT&CK Framework? Chevron down icon Chevron up icon
Part 2 – Detection Improvements and Alignment with ATT&CK Chevron down icon Chevron up icon
Chapter 5: A Deep Dive into the ATT&CK Framework Chevron down icon Chevron up icon
Chapter 6: Strategies to Map to ATT&CK Chevron down icon Chevron up icon
Chapter 7: Common Mistakes with Implementation Chevron down icon Chevron up icon
Chapter 8: Return on Investment Detections Chevron down icon Chevron up icon
Part 3 – Continuous Improvement and Innovation Chevron down icon Chevron up icon
Chapter 9: What Happens After an Alert is Triggered? Chevron down icon Chevron up icon
Chapter 10: Validating Any Mappings and Detections Chevron down icon Chevron up icon
Chapter 11: Implementing ATT&CK in All Parts of Your SOC Chevron down icon Chevron up icon
Chapter 12: What’s Next? Areas for Innovation in Your SOC Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Most Recent
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(17 Ratings)
5 star 88.2%
4 star 5.9%
3 star 5.9%
2 star 0%
1 star 0%
Filter icon Filter
Most Recent

Filter reviews by




David Kosorok Sep 04, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Rebecca demonstrates her deep expertise in Security Operations in this comprehensive guide, offering a clear and actionable strategy for implementing the MITRE ATT&CK Framework. The book provides a logical approach that beefs up your organization’s security posture as well as ensures your SecOps team stays aligned in detecting and responding to adversaries throughout the attack lifecycle. This is an essential resource for any security team, and I highly recommend that organizations add it to their libraries and make it required reading for their teams.
Amazon Verified review Amazon
sahil jain Aug 11, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I found this book written by an experienced security leader very practical and effective. Unlike many other security books which are heavy on theory but lacks addressing real world challenges, this book has the right blend of theory and implementation recommendations.You can sense that the author has probably faced some of these challenges and has on ground experience.This book is highly recommended for infosec professionals of organization of any size or shape. I can forsee myself referring this book for guidance through our team’s SOC expansion journey.
Amazon Verified review Amazon
ICarryOn Aug 06, 2023
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
I really wanted to like this book. It is written by a practitioner, it was published this year, and, looking at its size, it contains little-to-zero fluff. As a textbook for the SecOps course that I am writing, this looked like a great choice…until I began to read it. From the mildly annoying typos (e.g., “you should talk [sic] a look at your access lists” (p. 12)) to the more serious issues (e.g. having DMARC, DKIM, and SPF enabled does NOT mean that one “is at a higher risk of phishing emails” (p. 12) but quite the opposite, as the author argues in the paragraph that follows the misstatement), the book quickly became unreliable as a source of truth in general and as a textbook in particular.I really wish that a knowledgeable technical editor was given a copy of this book to read before publication. As is, I am unable to use or recommend it to anyone.
Amazon Verified review Amazon
Raymond Aug 02, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The author gives an excellent initial (4 chapter) introduction covering the basic building blocks of a Security Operations Center. This can be a complex task and should never follow a cookie cutter approach. A SOC should be scaled appropriately to the needs and priorities of the organization while identifying risks and threats and mitigating of threats with controls and detection. and logging. The author goes on to discuss the identification of risks and shows how to create a risk registry, test plan and how red teams, blue teams and purple teams can be implemented as well as covering common security gaps. I found the use of visual tables and breakdown of risk registry categories to be especially helpful. I enjoyed the example purple team exercise and example of utilizing Atomic Red from Red Canary (open source tool ) to run purple team exercises. The practical examples give an overview of the necessity of active reviews of gaps and documentation via the risk registry.Part 2 of the book goes deep into the ATT&CK framework and discusses strategies to implement the framework to the particular environment, find gaps in coverage and ways to increase efficiency of efforts and avoid adding unnecessary tools and implements that muddy the waters and/or flush the ROI down the proverbial toilet. The book goes much deeper into alerts, alert validation and playbooks with excellent visualizations and flowcharts and methods of mapping these to MITRE ATT&CK. I found the book to be an excellent source of information for SOC practitioners and managers and a great source for future reference in my security career.
Amazon Verified review Amazon
Ryan F. Jul 12, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is an amazing resource. MITRE's ATT&CK Framework is widely referenced by the security community, but few organizations have found impactful ways to leverage it to enhance their security program. In this book, Rebecca provides an overview of the ATT&CK framework and common implementations. She also provides some examples which cause us to challenge assumptions regarding our security technologies and coverage. For example, when most users are not connecting to a VPN, how effective does that make outbound blocking rules on a corporate firewall? Rebecca has a wealth of knowledge to share, and I would encourage anyone in this industry to give this book a read.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela