Preface

• Who this book is for
• What this book covers
• To get the most out of this book
• Download the color images
• Conventions used
• Get in touch
• Reviews

1. Section 1: Cyber Threat Intelligence

2. Chapter 1: What Is Cyber Threat Intelligence? FREE CHAPTER

• Cyber threat intelligence
• The intelligence cycle
• Defining your IR
• The collection process
• Processing and exploitation
• Bias and analysis
• Summary

3. Chapter 2: What Is Threat Hunting?

• Technical requirements
• What is threat hunting?
• The Threat Hunting Maturity Model
• The threat hunting process
• Building a hypothesis
• Summary

4. Chapter 3: Where Does the Data Come From?

• Technical requirements
• Understanding the data that's been collected
• Windows-native tools
• Data sources
• Summary

5. Section 2: Understanding the Adversary

6. Chapter 4: Mapping the Adversary

• Technical requirements
• The ATT&CK Framework
• Mapping with ATT&CK
• Testing yourself
• Summary

7. Chapter 5: Working with Data

• Technical requirements
• Using data dictionaries
• Using MITRE CAR
• Using Sigma
• Summary

8. Chapter 6: Emulating the Adversary

• Creating an adversary emulation plan
• Test yourself
• Summary

9. Section 3: Working with a Research Environment

10. Chapter 7: Creating a Research Environment

• Technical requirements
• Setting up a research environment
• Installing VMware ESXI
• Installing Windows Server
• Configuring Windows Server as a domain controller
• Setting up ELK
• Configuring Winlogbeat
• Bonus – adding Mordor datasets to our ELK instance
• The HELK – an open source tool by Roberto Rodriguez

11. Chapter 8: How to Query the Data

• Technical requirements
• Atomic hunting with Atomic Red Team
• The Atomic Red Team testing cycle
• Quasar RAT
• Summary

12. Chapter 9: Hunting for the Adversary

• Technical requirements
• MITRE evaluations
• Using MITRE CALDERA
• Sigma rules
• Summary

13. Chapter 10: Importance of Documenting and Automating the Process

• The importance of documentation
• The Threat Hunter Playbook
• The Jupyter Notebook
• Updating the hunting process
• The importance of automation
• Summary

14. Section 4: Communicating to Succeed

15. Chapter 11: Assessing Data Quality

• Technical requirements
• Distinguishing good-quality data from bad-quality data
• Improving data quality
• Summary

16. Chapter 12: Understanding the Output

• Understanding the hunt results
• The importance of choosing good analytics
• Testing yourself
• Summary

17. Chapter 13: Defining Good Metrics to Track Success

• Technical requirements
• The importance of defining good metrics
• How to determine the success of a hunting program
• Summary

18. Chapter 14: Engaging the Response Team and Communicating the Result to Executives

• Getting the incident response team involved
• The impact of communication on the success of the threat hunting program
• Testing yourself
• Summary

19. Other Books You May Enjoy

• Leave a review - let other readers know what you think

Appendix – The State of the Hunt