What this book covers
Chapter 1, SOC Basics – Structure, Personnel, Coverage, and Tools, introduces the landscape of the SOC, which is a critical team in security and can have many different roles and sub-teams. We’ll discuss SOC basics such as alert triaging, creating detections, incident response, and “trust but verify,” as well as how the SOC can interact with other teams or be split into sub-teams. This information is important because, depending on the environment, you’ll be able to apply different aspects of ATT&CK.
Chapter 2, Analyzing your Environment for Potential Pitfalls, discusses techniques for critically reviewing your processes, coverage, and systems, and provides advice on potential problem areas. By following this, the reader will be able to directly apply it to their environments to look for areas of improvement and avoid any pitfalls; it will also be helpful when looking to implement ATT&CK.
Chapter 3, Reviewing Different Threat Models, reviews multiple threat models, their use cases, and their advantages and disadvantages. Doing so will allow the reader to apply the one that makes the most sense for their environment; the chapter also provides a point of reference for comparing those threat models to ATT&CK.
Chapter 4, What is the ATT&CK Framework?, outlines the evolution of the ATT&CK framework and the various high-level configurations for different types of systems (e.g. cloud, mobile, Windows). It will also be the first introduction to related use cases.
Chapter 5, A Deep Dive into the ATT&CK Framework, provides a deeper look at the different techniques that are covered by the framework, and potential gaps within the framework. The reader will understand how to rank different techniques and their applicability to their own environments. This will focus specifically on the cloud, Windows, Mac, and network frameworks.
Chapter 6, Strategies to Map to ATT&CK, discusses how to analyze your environment, identify coverage gaps, and identify areas for improvement. Then, we’ll cover how to map those gaps to the ATT&CK framework, to increase coverage and build out maturity in your security posture.
Chapter 7, Common Mistakes with Implementation, presents an overview of common mistakes that I have personally made in mappings and detections, as well as areas where I’ve seen others make mistakes. That way, you can learn from our shortcomings and implement mappings the right way.
Chapter 8, Return on Investment Detections, explains how creating detections and alerts is the bread and butter of any SOC environment. It should not be a surprise to anyone that less-than-stellar detections are created/triggered on a daily basis. This chapter will discuss alerts that we have had the highest efficiency ratings on, as well as the lowest, and how to measure their success.
Chapter 9, What Happens After an Alert is Triggered?, covers what happens once an alert is triggered: in theory, a set of actions begins. This chapter will discuss the different sets of actions, how to create playbooks, and how to ultimately triage alerts.
Chapter 10, Validating Any Mappings and Detections, argues that the most important step you can take to help yourself is setting up a review process. This can be completed manually, or you can create an automated feedback loop to track the efficiency ratings of your mappings and make improvements when necessary.
Chapter 11, Implementing ATT&CK in All Parts of Your SOC, goes through how to narrow down your environment and prioritize where you need to fix a coverage area. The chapter will then outline how you can implement detections and the ATT&CK framework as part of your overall security posture, and how it can be applied to teams outside of the SOC as well.
Chapter 12, What’s Next? Areas for Innovation in Your SOC, points out some key areas that can take a SOC from basic to mature, covering topics such as scalability and automation. This chapter will include ideas that I had for innovating my own SOC, as well as interviews with other industry professionals on what they think needs to be done to achieve innovation.