You're reading from Practical Threat Intelligence and Data-Driven Threat Hunting A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Product type Paperback

Published in Feb 2021

Publisher Packt

ISBN-13 9781838556372

Length 398 pages

Edition 1st Edition

Tools

Elasticsearch

Concepts

Application Security

Author (1):

Valentina Costa-Gazcón

View More author details

Table of Contents (21) Chapters

Preface

1. Section 1: Cyber Threat Intelligence

2. Chapter 1: What Is Cyber Threat Intelligence? FREE CHAPTER

3. Chapter 2: What Is Threat Hunting?

4. Chapter 3: Where Does the Data Come From?

5. Section 2: Understanding the Adversary

6. Chapter 4: Mapping the Adversary

7. Chapter 5: Working with Data

8. Chapter 6: Emulating the Adversary

9. Section 3: Working with a Research Environment

10. Chapter 7: Creating a Research Environment

11. Chapter 8: How to Query the Data

12. Chapter 9: Hunting for the Adversary

13. Chapter 10: Importance of Documenting and Automating the Process

14. Section 4: Communicating to Succeed

15. Chapter 11: Assessing Data Quality

16. Chapter 12: Understanding the Output

17. Chapter 13: Defining Good Metrics to Track Success

18. Chapter 14: Engaging the Response Team and Communicating the Result to Executives

19. Other Books You May Enjoy

Leave a review - let other readers know what you think

Appendix – The State of the Hunt

Using MITRE CAR

The data model that's implemented by MITRE Cyber Analytics Repository (MITRE CAR) (https://car.mitre.org/) was inspired by STIX's Cyber Observable eXpression (CybOX ™), and is an "organization of objects that may be monitored from a host-based or network-based perspective." Each of the objects is defined by the actions that can happen to it and the observable properties, called fields, that can be captured by a sensor.

So, for example, the CAR data model for a file looks as follows:

Figure 5.4 – MITRE CAR file data model example

To put it mildly, CAR's intent is to record detections based on the ATT&CK Framework. So, every analytic provided by CAR (https://car.mitre.org/analytics/) references the ATT&CK tactics and techniques detected, accompanied by the hypothesis behind the analytic.

Perhaps the most interesting thing about MITRE CAR is that it provides a list of possible detection implementations...