Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Incident Response with Threat Intelligence

You're reading from   Incident Response with Threat Intelligence Practical insights into developing an incident response capability through intelligence-based threat hunting

Arrow left icon
Product type Paperback
Published in Jun 2022
Publisher Packt
ISBN-13 9781801072953
Length 468 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Roberto Martinez Roberto Martinez
Author Profile Icon Roberto Martinez
Roberto Martinez
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Section 1: The Fundamentals of Incident Response
2. Chapter 1: Threat Landscape and Cybersecurity Incidents FREE CHAPTER 3. Chapter 2: Concepts of Digital Forensics and Incident Response 4. Chapter 3: Basics of the Incident Response and Triage Procedures 5. Chapter 4: Applying First Response Procedures 6. Section 2: Getting to Know the Adversaries
7. Chapter 5: Identifying and Profiling Threat Actors 8. Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework 9. Chapter 7: Using Cyber Threat Intelligence in Incident Response 10. Section 3: Designing and Implementing Incident Response in Organizations
11. Chapter 8: Building an Incident Response Capability 12. Chapter 9: Creating Incident Response Plans and Playbooks 13. Chapter 10: Implementing an Incident Management System 14. Chapter 11: Integrating SOAR Capabilities into Incident Response 15. Section 4: Improving Threat Detection in Incident Response
16. Chapter 12: Working with Analytics and Detection Engineering in Incident Response 17. Chapter 13: Creating and Deploying Detection Rules 18. Chapter 14: 
Hunting and Investigating Security Incidents 19. Other Books You May Enjoy

A SOAR use case – identifying malicious communications

Suppose that a monitoring system detects abnormal network behavior and tags the IP address or domain as suspicious and sends it to another system for verification in a database of malicious indicators of compromise (IoCs). 

If this indicator is confirmed to be malicious, the Security Operation Center (SOC) operator opens a new case for a cybersecurity incident and notifies the IR team. The incident responder can then open a new case using the playbook related to this incident and start assigning tasks to the IR team.

If the IR system has integration with a threat intelligence system, you can search for additional information containing the details of a potential campaign, threat actors, affected industries, and related IoCs, as shown in the following figure:

 

Figure 11.1 – Incident automation and response 

Once you have intelligence information and malicious indicators...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image