The Foundations of Threat Hunting
The Foundations of Threat Hunting: Organize and design effective cyber threat hunts to meet business needs

Chad Maurice, Jeremiah Ginn, William Copeland, Jeremy Thompson

Chapter 1: An Introduction to Threat Hunting

Threat hunting is a concept that can bring to mind a myriad of different images and ideas. It is a concept that is shrouded in mystery for some, while others might have been able to hone it down to a science, perhaps going as far as applying their findings in new ways. The line that separates these two groups is an understanding that this idea of hunting is, in reality, a loosely based concept that is molded for each unique situation, environment, and the personnel involved.

In the event that you have not heard of this concept of threat hunting before, it is very helpful to understand that there is not a single cookie-cutter cybersecurity solution for any network, enterprise, or incident. A single solution simply does not and cannot exist. There are millions of variables and conditions, both technical and organizational, that will differentiate one organization's network from another. The simple appearance of security might be a deterrent for some adversaries against a target and a challenge to others.

Even if an organization does all of the correct steps, such as ensuring that the network is architected with proper layered defenses, vulnerabilities are thoroughly analyzed, and risks are minimized, there are still important protections to enforce. A continual improvement process must be in place to review all the previous findings to see how the environment has changed. Threat hunting is a critical part of that process for organizations looking to mature their cybersecurity posture and improve their resilience in the digital world.

Of the countless threat hunting events we have had the pleasure of taking part in or observing, no two were ever the same. Each hunt was tailored to the particular technical resources available, enterprise in question, perceived threat, personnel assigned, and business requirements of the client. The aim of this book is to provide you with foundational concepts and requirements needed to take a generic threat hunting framework and mold it into something that will fit a particular use case that a customer would be willing to accept based upon what they are experiencing. This framework will allow you to understand how to build a threat hunting team and define and respond in future hunts to meet business needs while minimizing resource waste and non-value-added efforts.

In this chapter, we will be covering the following topics:

  • Incident response life cycle
  • Why is threat hunting important?
  • Application of detection levels
  • Book layout

By the end of this chapter, you will be able to do the following:

  • Comprehend the difference between cyber threat hunting and other types of cyber defense functions.
  • Discuss how threat hunting fits into the NIST incident response life cycle.
  • Comprehend the importance of conducting effective threat hunting missions.

Incident response life cycle (hunting as proactive detection)

There are numerous different incident response life cycles that can be found through a short search across the internet. To keep things simple, any time this book references the incident response life cycle, it will be alluding to the one found in the following diagram:

Figure 1.1 – NIST SP 800-61r2 incident response life cycle

The cycle always starts out with a Preparation phase, regardless of whether it is done purposefully or not. The following two steps, Detection and Analysis and Containment, Eradication, and Recovery, are cycled between as new information is identified and cases expanded. Once everything has been recovered, there will be a Post-Incident Activity phase in which a review of the events can be conducted without any pressure to recover. Good practices can be encouraged and bad practices pruned. Let's take a closer look at each of these phases.

Preparation

Plan for incidents, document assets and actions, architect for secure solutions, baseline the network, and so on. This is where an organization will prepare for the employment of cybersecurity resources. Even if they completely outsource their risk and response to another entity, the owning organization will take part in this phase. There will always be a level of preparation completed; sometimes it just happens to be that the organization decides not to prepare at all.

Some examples of activities found within this phase include measuring baseline network activity, reviewing and documenting standard processes, and stress testing response scenarios. For example, if a virus was found on a network, how would the administrators respond? Preparation would allow them to understand the best course of action in relation to the business priorities, minimizing risk to the organization. With inadequate preparation, the next few phases will be purely responsive with a higher level of risk to the organization.

Detection and analysis

During this phase, the organization will identify what is perceived to be benign and what is potentially malicious. This includes detection of activity, analysis of that activity, and a full-scope investigation as needed to determine the root cause and scope of the event. Cyber threat hunting is only a part of this step. The threat hunting step can be iterated over and over before a vulnerability or incident is identified that requires containment, eradication, and recovery. It helps to understand that this phase does not have to be completed by the organization that owns the network. Detection of an event can come from any number of places, including government agencies, hacktivists, underground hacking forums, and news sites.

Some examples of activities found within this phase include monitoring antivirus and firewall logs, comparison of baseline network activity against current network activity, and threat hunting. Anything that brings a particular activity to the focus of a cyber defender could fall under this phase of the cycle.

Containment, eradication, and recovery

Slow down, remove, and recover from the realization of a vulnerability that was exploited. The overarching goal is for the enterprise and organization to leave this phase operating at whatever the previously defined concept of normal was. This phase is largely dependent upon the planning that was conducted during the first phase because it will outline the methods in which the recovery activities are executed. If these actions were not properly planned or were completed poorly during the first phase, then this phase will be an extreme struggle in a time of already heightened stress. One item of note is that it is expected for the middle phases of this life cycle to loop back and forth as new information is identified and additional pieces of the puzzle on the adversary are put into place. There will be a clear stopping point: all key data points have been identified and recovered from or all funds for the incident have been expended.

This phase is dependent upon the thoroughness of the previous phase. Some example activities include the locking of accounts, the implementation of additional firewall rules, and having users retake cybersecurity awareness training. Any activity that helps reset the network back to the previous baseline without the offending action could be included in this phase. Many of the organizational-level activities that occur in this phase will be outside the scope of a traditional threat hunting team.

Post-incident activity

This phase is intended to ensure that the risk is removed and the vulnerability is not exploited again. Within this phase, the organization will attempt to learn from the incident that occurred and the recovery that took place. Unfortunately, at this point, the organization and defenders are normally tired of the whole event and want to be done. This phase is the most overlooked and underaccomplished of the four phases, which explains why many organizations are compromised in the same way repeatedly. Everyone must learn from the correct and incorrect things that occurred in order to not repeat the mistakes of the past. Failure to do so is inviting those same things to happen again to the detriment of the organization.

Some examples of activities that take place include the incident response debrief for an intrusion and the reviewing of patching policies. Many of the organizational-level activities that occur in this phase will be outside the scope of a traditional threat hunting team.

Figure 1.2 – Sample activities that occur in each phase

There are many activities that can occur in each phase of the incident response life cycle with stakeholders taking part in some or all of the phases. The most important takeaway to have when working through this cycle is to understand which phase you are in and what you are intending to accomplish. Follow the process and employ the correct teams and personnel as needed. If an adversary is just discovered, do not jump ahead and attempt to begin the removal of any artifacts that are found.

Why is threat hunting important?

Reactive detection methods, such as utilizing signatures of known malicious files (hashes) or monitoring for behaviors synonymous with an attack (heuristics), can fail for a number of reasons. Detection based on known hashes can easily fail as it is simple to change a known malicious file just enough to bypass standard and even advanced antivirus solutions. Any free hex editor can be used to modify a file with a single bit and bypass this defense. Heuristics can also fail as they rely on known bad behaviors while attempting to account for expected administration behavior on the network. This does little for the unknown bad behaviors that are evolving in the threat actors' environments.

Taking the opposite approach and whitelisting known good behavior and applications is a method that an enterprise can take to create a zero-trust environment. The truth behind this concept is that very few organizations can and should fully implement this type of construct. This method is extremely resource-intensive to deploy across an enterprise while keeping services up to date as software and people change. Even then, someone who is masquerading as a legit user following that user's normal behavior could operate under the defense's thresholds.

A proactive detection method such as threat hunting doesn't wait for an alert and doesn't require the administrative overhead to whitelist all approved actions. Threat hunting takes into account the current vulnerabilities, environment, and processes to apply human expertise against the evidence. Threat hunting allows an organization to apply a force multiplier to their cybersecurity processes by augmenting the automated and administrated defenses.

Another reason why threat hunting is important is that it provides a focus for cybersecurity that is from an entirely different point of view (POV) than is normally found in a Security Operations Center (SOC). This different POV eschews the alarms and tools associated with them. Threat hunting wants to look directly at the evidence on the endpoints to determine whether there was some activity that was missed or the SOC tools haven't been updated to detect.

While there are many different methods of detecting adversarial behavior on a network, they can all be put into one of two categories – reactive or proactive. Think of reactive detection like a building alarm that is triggered when a window is opened. Once triggered, security will go and investigate what happened and why that window was opened. Proactive detection, of which threat hunting is one method of detection, does not wait for an alarm to go off. Using the same analogy, this would be a security guard who patrols the building looking for unlocked windows even though no alarms have gone off.

The following is a real-world example:

  • Location: High-security facility.
  • Reactive detection methods: Alarms on doors and windows; each door is automatically secured with a locking mechanism; entry is protected by a radio frequency identification (RFID) badging in/out system; motion detectors for after business hours or in restricted/unoccupied spaces.
  • Behavior (heuristics) tracking methods: Each individual is issued an RFID picture badge to scan into the facility and enter restricted spaces. Members have unique accounts to log in to systems that track what system or resource was accessed at a specific time.
  • Proactive detection methods: Security guards will patrol the building and review access/personnel for abnormal or malicious activity and stop random individuals for security checks of bags and accesses. If anything appears out of the ordinary, the security guards have the authority to intervene and review the facts around the particular event before allowing it to continue further.

Without this proactive detection method employed across the building, any activity that mimics an insider or unknown threat would be almost impossible to detect.

Definition

True positive: An alert that is triggered by reactive defenses that is valid, in that it meets the intent of the signature or heuristics for which it triggered, for example, an antivirus signature alert of a trojan that was downloaded.

True negative: The lack of a trigger by reactive defenses during the analysis of normal and expected system behavior or communications.

False positive: An alert that is triggered by reactive defenses that is invalid, meaning that it does not meet the intent of the signature or heuristics for which it triggered, for example, an intrusion prevention system firing on someone searching the internet for testmyids.com.

False negative: The lack of a trigger by reactive defenses on abnormal or malicious system behavior or communications during analysis, for example, an adversary emulating an administrator in order to successfully exfiltrate data from the network.

Application of detection levels

Incident response and SOC teams will usually be concerned with having low false positive rates. Remember that these are the alarms that are triggered even though nothing malicious actually occurred. Having a false positive rate that is low will help ensure that any alarms that fire and are brought to the SOC analyst's attention are a true concern. The reason for this is that evaluating and investigating a false positive can cause a massive drain on the incident response or SOC resources. Investigating an alarm that is not malicious in nature and actually a benign activity does not provide any improvement to network defenses. The trade-off for focusing on a low false positive rate is that there will be a higher level of false negatives due to the higher requirements for alerts to trigger. This, in turn, means that there will be a higher percentage of activity that is malicious in nature but will not trigger any alarms.

A threat hunter is concerned with the inverse of SOC requirements. When setting the bar for what is considered anomalous and requiring further investigation, the threat hunting team accepts having a high false positive rate. High false positives will help ensure that the respective false negatives are kept very low. A threat hunting team can accept a high false positive rate due to the scope of their hunt being very narrow compared to the scope an SOC would be monitoring on a day-to-day basis.

Figure 1.3 – Daily defenses versus hunt team heuristic sensitivity threshold

The preceding diagram depicts this consideration of false negative versus false positive. For a business just getting into threat hunting, this could mean a paradigm shift for parts of their team in how they measure success on a daily basis. An example would be an organization that uses the false positive rate as a measurement of success. For daily defenses, this will normally be tuned so that it is low, thus enabling the front-line cyber defenders to focus only on the things that truly matter and not waste time with dead ends. When the organization starts hunting and needs to measure their success, the false positive rate for a hunt team should be very high. Leadership looking at those statistics might be trained to think that this is a bad thing when, in fact, it is expected.
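The trade-off described in this section, as an added example that is not from the book: a constructed set of scored events is evaluated with a SOC-style high threshold across the whole enterprise, then with a hunt-style low threshold scoped to a single segment. The `Event` fields, scores, thresholds, and segment names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    host: str
    segment: str     # network segment (assumed names: "corp", "finance")
    score: int       # heuristic anomaly score, 0-100 (constructed)
    malicious: bool  # ground truth; known only because this data is constructed


# Constructed sample data: 20 events, 4 of them malicious.
EVENTS = [
    Event("ws-01", "corp", 5, False),
    Event("ws-02", "corp", 12, False),
    Event("ws-03", "corp", 18, False),
    Event("ws-04", "corp", 22, False),
    Event("ws-05", "corp", 35, False),
    Event("ws-06", "corp", 41, False),
    Event("ws-07", "corp", 48, False),
    Event("ws-08", "corp", 55, False),
    Event("ws-09", "corp", 62, False),
    Event("ws-10", "corp", 91, True),      # loud commodity malware
    Event("ws-11", "corp", 83, False),     # noisy but legitimate admin script
    Event("ws-12", "corp", 30, False),
    Event("fin-01", "finance", 10, False),
    Event("fin-02", "finance", 28, False),
    Event("fin-03", "finance", 44, False),
    Event("fin-04", "finance", 52, True),  # adversary emulating an administrator
    Event("fin-05", "finance", 37, True),  # quiet staging of data
    Event("fin-06", "finance", 66, False),
    Event("fin-07", "finance", 95, True),
    Event("fin-08", "finance", 20, False),
]

SOC_THRESHOLD = 80   # assumed: daily defenses alert only on high scores
HUNT_THRESHOLD = 30  # assumed: hunt team investigates anything mildly anomalous


def evaluate(events, threshold: int, segment: Optional[str] = None) -> dict:
    """Classify events as TP/FP/FN/TN at a threshold, optionally scoped to a segment."""
    scoped = [e for e in events if segment is None or e.segment == segment]
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    missed = []  # malicious hosts that never raised a lead (false negatives)
    for e in scoped:
        flagged = e.score >= threshold
        if flagged and e.malicious:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif e.malicious:
            counts["FN"] += 1
            missed.append(e.host)
        else:
            counts["TN"] += 1
    benign = counts["FP"] + counts["TN"]
    bad = counts["TP"] + counts["FN"]
    return {
        **counts,
        "leads": counts["TP"] + counts["FP"],  # items an analyst must triage
        "fp_rate": counts["FP"] / benign if benign else 0.0,
        "fn_rate": counts["FN"] / bad if bad else 0.0,
        "missed": missed,
    }


if __name__ == "__main__":
    runs = [
        ("SOC, whole enterprise", SOC_THRESHOLD, None),
        ("Hunt, finance segment only", HUNT_THRESHOLD, "finance"),
        ("Hunt threshold, whole enterprise", HUNT_THRESHOLD, None),
    ]
    for label, threshold, segment in runs:
        r = evaluate(EVENTS, threshold, segment)
        print(f"{label}: leads={r['leads']} FP rate={r['fp_rate']:.2%} "
              f"FN rate={r['fn_rate']:.2%} missed={r['missed']}")
```

The third run applies the hunt threshold to every segment: the false positive count more than quadruples, which is why the low bar is paired with a narrow scope.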

Book layout

This book is laid out in a manner intended to help you better prepare for and understand the contents of each chapter. Each chapter will have five sections:

  • Introduction and learning outcomes: This area will introduce you to the main focus of the chapter, as well as outlining the expected high-level areas that you should remember as you review the material. Each learning objective will start with one of the following three words:
    • If the objective starts with Identify, then the intention is just for you to have a higher-level understanding of the topic. You do not need to worry about having an expert-level understanding of that material.
    • If the objective starts with Comprehend, then the intention is for you to be able to apply the topic and extrapolate how it would fit into a given scenario.
    • If the objective starts with Discuss, then the intention is for you to be able to have an educated discussion with another knowledgeable person on the topic. Not only would you fully understand the concept, but you would also be able to apply it in real time to various scenarios.
  • Topic focus: This area is the main focus of the chapter and will provide all of the details needed for you to understand the topic.
  • Scenarios: This area is broken up into two fictional subscenarios, one focused on an internal hunt team and one focused on an external hunt team. The internal hunt team is one that exists full time within the scenario's organization. The external hunt team is a team that was contracted out by the scenario's organization to perform a specific threat hunt. These scenarios will build upon the previous chapter's scenario.
  • Summary: This area will provide you with a summary of the chapter and any higher-level takeaways that you should continue to focus on.
  • Review questions: This area will provide you with a chance to test your understanding of the material through a few questions or scenarios aimed at reinforcing the learning objectives stated at the beginning of the chapter.

This structure should help you go through and understand the content of each chapter, and the book at large, in the most efficient manner.

Summary

In review, understanding the difference between threat hunting and other forms of cyber defense will be critical for your journey forward. Most cybersecurity defenses are reactive in nature, in that they act as an alarm that is triggered on a known bad event. Unlike many standard defense mechanisms found across networks, cyber threat hunting is a proactive defense mechanism in that it is executed without any warning or indication of malicious activity. With all of that in mind, cyber threat hunting can still be a part of the incident response life cycle.

It is able to do so by providing an additional layer of dynamic and proactive security onto the standard reactive defense mechanisms commonly employed by enterprises. This proactive defense concept is not new and can be found in many organizations' physical security elements. One of the main differences that defenders identify with is that day-to-day defenders will thrive in an environment with a low false positive rate in order to not waste resources. Threat hunters will want a low false negative rate in order to ensure nothing slips past their investigation.

Without proactive defenses, there will be a distinctive limit to what can be achieved in the realm of security. Many advanced techniques and adversaries could easily slip past reactive defenses and wreak havoc before being detected.

Now that we know what cyber threat hunting is, we will look at the whys and hows for identifying what is needed for a cyber threat hunt in the next chapter.

Review questions

Answer the following questions to check your knowledge of this chapter:

  1. (True or false) Cyber threat hunting is reactive in nature.
  2. The NIST incident response life cycle is made up of which four stages?
    A. Preparation; Detection and Analysis; Re-Baselining Systems; Policy Alignment
    B. Planning; Preparation; Detection; Recovery
    C. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
    D. Planning; Detection; Containment; Post-Incident Activity
  3. Threat hunting is mainly a part of which phase of the NIST incident response life cycle?
  4. (True or false) Threat hunting is unique to cyber defense.
  5. (Insert the correct answer) Steady-state defenses such as incident response will normally want low ______ _______ rates. Threat hunters will normally want high ______ ______ rates.
    • False positive
    • True positive
    • False negative
    • True negative

Review answers

The answers to the review questions are as follows:

  1. False. Cyber threat hunting is proactive as the hunter does not wait for an alarm or alert before searching for malicious behavior.
  2. C. See NIST SP 800-61r2 incident response life cycle.
  3. Detection and Analysis. See NIST SP 800-61r2 incident response life cycle.
  4. False. The threat hunting concept is used in many different fields.
  5. False positive; False negative. See the Application of detection levels section of this chapter.

Key benefits

  • Learn foundational concepts for effective threat hunting teams in pursuit of cyber adversaries
  • Recognize processes and requirements for executing and conducting a hunt
  • Customize a defensive cyber framework needed to grow and mature a hunt team

Description

Threat hunting is a concept that takes traditional cyber defense and spins it onto its head. It moves the bar for network defenses beyond looking at the known threats and allows a team to pursue adversaries that are attacking in novel ways that have not previously been seen. To successfully track down and remove these advanced attackers, a solid understanding of the foundational concepts and requirements of the threat hunting framework is needed. Moreover, to confidently employ threat hunting in a business landscape, the same team will need to be able to customize that framework to fit a customer’s particular use case. This book breaks down the fundamental pieces of a threat hunting team, the stages of a hunt, and the process that needs to be followed through planning, execution, and recovery. It will take you through the process of threat hunting, starting from understanding cybersecurity basics through to the in-depth requirements of building a mature hunting capability. This is provided through written instructions as well as multiple story-driven scenarios that show the correct (and incorrect) way to effectively conduct a threat hunt. By the end of this cyber threat hunting book, you’ll be able to identify the processes of handicapping an immature cyber threat hunt team and systematically progress the hunting capabilities to maturity.

Who is this book for?

This book is for anyone interested in learning how to organize and execute effective cyber threat hunts, establishing extra defense capabilities within their company, and wanting to mature an organization's cybersecurity posture. It will also be useful for anyone looking for a framework to help a hunt team grow and evolve.

What you will learn

  • Understand what is required to conduct a threat hunt
  • Know everything your team needs to concentrate on for a successful hunt
  • Discover why intelligence must be included in a threat hunt
  • Recognize the phases of planning in order to prioritize efforts
  • Balance the considerations concerning toolset selection and employment
  • Achieve a mature team without wasting your resources

Product Details

Publication date: Jun 17, 2022
Length: 246 pages
Edition: 1st
Language: English
ISBN-13: 9781803242996

Table of Contents

17 Chapters
Part 1: Preparation – Why and How to Start the Hunting Process
Chapter 1: An Introduction to Threat Hunting
Chapter 2: Requirements and Motivations
Chapter 3: Team Construct
Chapter 4: Communication Breakdown
Chapter 5: Methodologies
Chapter 6: Threat Intelligence
Chapter 7: Planning
Part 2: Execution – Conducting a Hunt
Chapter 8: Defending the Defenders
Chapter 9: Hardware and Toolsets
Chapter 10: Data Analysis
Chapter 11: Documentation
Part 3: Recovery – Post-Hunt Activity
Chapter 12: Deliverables
Chapter 13: Post-Hunt Activity and Maturing a Team
Other Books You May Enjoy

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7
(3 Ratings)
5 star 66.7%
4 star 33.3%
3 star 0%
2 star 0%
1 star 0%
J Norris Jul 14, 2022
5 stars
I was surprised by the amount of information captured within the 224 pages. The authors did an outstanding job of outlining the requirements for establishing a threat hunt team and did it in a very easy to read, succinct manner - truly written for someone new to threat hunting. They do not assume every reader is at the same level of knowledge on foundational concepts and highlight entry-level reading to gain additional knowledge. In addition, the authors do not assume they know everything and are the end-all, be-all experts on this topic and invite feedback to ensure they continue to expand their own knowledge. The formatting of each chapter is designed to really educate the reader and then check that the reader grasped the concepts presented. Each chapter provides the specific objectives that will be discussed and then enhances the learning of those objectives with a short “quiz” with answers to test the reader. They really thought of everything in presenting the foundations and executions of a threat hunt team. The authors encourage readers to establish basic cyber security measures within their organization prior to attempting any sort of threat hunting. They outline not only the benefits of a threat hunt, but also the dangers if not done correctly. They clearly provide the organizational makeup, identify the functional roles, and highlight the training required for a successful hunt team. They even provide the justification a cybersecurity expert can take to their management for establishing a threat hunt team - they’ve done all the work for you! Bottom line, highly recommend this book for any cyber security professional looking to take a proactive approach to cyber security within their organization.
Amazon Verified review
MA Jul 07, 2022
5 stars
Jeremy, Chad, and William provide engaging insight on how to build a team, what elements are highly recommended for a successful endeavor, how to communicate not only amongst peers but external to the team as well, and much more. All content falls back on industry references and models. Each chapter includes review questions and walkthrough scenarios applying each of the concepts covered in text, along with advised do’s and don’ts.
Amazon Verified review
j Jul 13, 2022
4 stars
This book provides a high level understanding of management and organizational concepts for threat hunt/SOC management.
Amazon Verified review

FAQs

What is the delivery time and cost of print book?

Shipping Details

USA:

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-Bissau
  9. Iran
  10. Lebanon
  11. Libyan Arab Jamahiriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela

What is customs duty/charge?

Customs duties are charges levied on goods when they cross international borders. They are a tax imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order?

Orders shipped to the countries listed under EU27 will not bear customs charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea

For shipments to countries outside the EU27, customs duty or localized taxes may apply and would be charged by the recipient country. These must be paid by the customer and are not included in the shipping charges on the order.

How do I know my customs duty charges?

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.

How can I cancel my order?

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or has a material defect). Packt Publishing will not accept returns.

What is your returns and refunds policy?

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact the Customer Relations Team at customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact the Customer Relations Team at customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs while the eBook or Video is being made available to you, i.e. during download, then you should contact the Customer Relations Team within 14 days of purchase at customercare@packt.com, who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items (damaged, defective or incorrect).
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged or with a material defect, contact our Customer Relations Team at customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner on a print-on-demand basis.

What tax is charged?

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use?

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal