You're reading from Incident Response with Threat Intelligence Practical insights into developing an incident response capability through intelligence-based threat hunting

Product type Paperback

Published in Jun 2022

Publisher Packt

ISBN-13 9781801072953

Length 468 pages

Edition 1st Edition

Languages

C++

Tools

Kali Linux

Concepts

Information Management

Author (1):

Roberto Martinez

View More author details

Table of Contents (20) Chapters

Preface

1. Section 1: The Fundamentals of Incident Response

2. Chapter 1: Threat Landscape and Cybersecurity Incidents FREE CHAPTER

3. Chapter 2: Concepts of Digital Forensics and Incident Response

4. Chapter 3: Basics of the Incident Response and Triage Procedures

5. Chapter 4: Applying First Response Procedures

6. Section 2: Getting to Know the Adversaries

7. Chapter 5: Identifying and Profiling Threat Actors

8. Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

9. Chapter 7: Using Cyber Threat Intelligence in Incident Response

10. Section 3: Designing and Implementing Incident Response in Organizations

11. Chapter 8: Building an Incident Response Capability

12. Chapter 9: Creating Incident Response Plans and Playbooks

13. Chapter 10: Implementing an Incident Management System

14. Chapter 11: Integrating SOAR Capabilities into Incident Response

15. Section 4: Improving Threat Detection in Incident Response

16. Chapter 12: Working with Analytics and Detection Engineering in Incident Response

17. Chapter 13: Creating and Deploying Detection Rules

18. Chapter 14:  Hunting and Investigating Security Incidents

19. Other Books You May Enjoy

A SOAR use case – identifying malicious communications

Suppose that a monitoring system detects abnormal network behavior and tags the IP address or domain as suspicious and sends it to another system for verification in a database of malicious indicators of compromise (IoCs).

If this indicator is confirmed to be malicious, the Security Operation Center (SOC) operator opens a new case for a cybersecurity incident and notifies the IR team. The incident responder can then open a new case using the playbook related to this incident and start assigning tasks to the IR team.

If the IR system has integration with a threat intelligence system, you can search for additional information containing the details of a potential campaign, threat actors, affected industries, and related IoCs, as shown in the following figure:

Figure 11.1 – Incident automation and response

Once you have intelligence information and malicious indicators...