Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Practical Threat Detection Engineering

You're reading from   Practical Threat Detection Engineering A hands-on guide to planning, developing, and validating detection capabilities

Arrow left icon
Product type Paperback
Published in Jul 2023
Publisher Packt
ISBN-13 9781801076715
Length 328 pages
Edition 1st Edition
Arrow right icon
Authors (3):
Arrow left icon
Megan Roddie Megan Roddie
Author Profile Icon Megan Roddie
Megan Roddie
Jason Deyalsingh Jason Deyalsingh
Author Profile Icon Jason Deyalsingh
Jason Deyalsingh
Gary J. Katz Gary J. Katz
Author Profile Icon Gary J. Katz
Gary J. Katz
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Part 1: Introduction to Detection Engineering
2. Chapter 1: Fundamentals of Detection Engineering FREE CHAPTER 3. Chapter 2: The Detection Engineering Life Cycle 4. Chapter 3: Building a Detection Engineering Test Lab 5. Part 2: Detection Creation
6. Chapter 4: Detection Data Sources 7. Chapter 5: Investigating Detection Requirements 8. Chapter 6: Developing Detections Using Indicators of Compromise 9. Chapter 7: Developing Detections Using Behavioral Indicators 10. Chapter 8: Documentation and Detection Pipelines 11. Part 3: Detection Validation
12. Chapter 9: Detection Validation 13. Chapter 10: Leveraging Threat Intelligence 14. Part 4: Metrics and Management
15. Chapter 11: Performance Management 16. Part 5: Detection Engineering as a Career
17. Chapter 12: Career Guidance for Detection Engineers 18. Index 19. Other Books You May Enjoy

Detecting tactice, techniques, and procedures (TTPs)

In our last example scenario, we are going to move to the top of the Pyramid of Pain and discuss the detection of TTPs. We are specifically looking at the detection methodology for MITRE ATT&CK technique T1553.005, Subvert Trust Controls: Mark of the Web Bypass. First, we’ll carry out the Investigate phase to understand the threat we are trying to detect and then we will move to the Develop phase to create the detection for such activity.

Example scenario – mark of the web bypass technique

Our goal in this scenario is to detect the mark of the web bypass technique and reconnaissance used by Qakbot as described here: https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html

From the article, we can see this specific Qakbot campaign uses the technique T1553.005, Subvert Trust Controls: Mark of the web bypass. An email is delivered to a victim’...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime