Chad Maurice - The Foundations of Threat Hunting: Organize and design effective cyber threat hunts to meet business needs

Organize and design effective cyber threat hunts to meet business needs

Chad Maurice

Jeremy Thompson

William Copeland

BIRMINGHAMMUMBAI

Copyright 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Shrilekha Malpani

Senior Editor: Arun Nadar

Content Development Editor: Sujata Tripathi

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Vijay Kamble

Marketing Coordinator: Hemangi Lotlikar

First published: June 2022

Production reference: 1130522

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-299-6

www.packt.com

To my wife and children, thank you for all of the love and support over the years. You give everything meaning and have made this journey possible.

Chad Maurice

To my wife and family, thanks for the love and patience over the years and the extra support during the writing of this book. For all the Airmen I served with, thanks for helping me get to where I am today aim high!

Jeremy Thompson

For my wife and friends, who have continued to support me through all of life's ups and downs.

William Copeland

I have known William Copeland, Chad Maurice, and Jeremy Thompson for a combined 20 years. Each one of them is an information security professional who has continued to push evolution onto the organizations they have been a part of. They are not only technically proficient analysts but also knowledgeable leaders who understand how to balance an organization's operational requirements with their security needs in order to minimize exposure to emerging threats while maximizing effectiveness in the business landscape. Each one of these authors has led security teams in the pursuit of securing and hunting across multimillion-dollar networks while continuing to evolve their strategies to defend these networks from some of the most advanced malicious actors in the world.

Over the last 10 years, there has been a growing shift in Security Operations Centers (SOCs) to move beyond their past mindsets. These SOCs were initially built to simply respond to alerts and potentially "find bad" while it was happening or had already happened on a network. This reactive approach leaves a company and its network catching the problem too late and thereby just finding the data breach and subsequent exfiltration of data months to years after it has already left the network. For this reason, SOCs have taken a more proactive approach, hiring penetration testers to find holes in their network defense before a malicious actor does, while also performing threat hunts to find out where those same actors have already slipped past defenses.

You may be wondering, what is a hunt? How does a team perform this task? Where is a good place to start? If you asked any of these questions, or maybe you are just looking for a different perspective on how to conduct a hunt on your network, The Foundations of Threat Hunting is for you. This book helps you to understand how to put a team together, how to plan a hunt (a very crucial step), and how to use the data your SOC is collecting in order to assist the hunt.

Additionally, this book will help you understand threat intelligence and how to use it to improve your hunt. As a person who has performed several hunts, I cannot overstate the assistance that finding and utilizing threat intelligence properly can be to your hunt.

In The Foundations of Threat Hunting, you are being given over 30 years of combined knowledge and perspective on threat hunting and cybersecurity. This information is provided to you in an understandable and relatable way. Using instruction and stories to help bridge knowledge and application, you will understand threat hunting and be able to execute an effective hunt on your network.

Evolve your SOC into a proactive phase and begin threat hunting with The Foundations of Threat Hunting.

Anthony Particini

Threat Hunt Lead and Instructor (GCIH, GCFA)

Chad Maurice is a life-long cybersecurity enthusiast with a background in both offensive and defensive teams. He has led Red Teams in physical and network security assessments as well as overseen planning and daily management for numerous incident response and threat hunting teams that provided defenses for enterprise networks spanning the globe.

He earned a master's degree in information systems security/information assurance from Capella University in 2011. Additionally, Chad has achieved an array of industry certifications ranging from OSCP to CISSP. Currently, he is an engineer at a Fortune 100 company, enhancing defensive capabilities for all of their business assets.

Jeremy Thompson is a tenacious leader and technical expert who has dedicated the last two decades of his life to the profession of cybersecurity. His background includes broad experience from managing infrastructure in support of a large-scale network to directing operations for an organization conducting threat hunts on IT and OT networks around the globe.

He earned a master's degree in information systems management from the University of Nebraska at Omaha in 2014. Additionally, Jeremy has achieved the following certifications: CCNA Cyber Operations, GSEC, GCFA, GDAT, GFNA, and CISSP. Currently, he is an incident response and operations manager for CyberDefenses Inc out of Austin, TX.

William Copeland is a renowned leader and technician within the cyber defense community. He has endeavored, over the last two decades, to clear the path for the operators under his leadership to become more efficient and effective cyber defenders.

He earned a bachelor's degree in information technology from Western Governors University in 2018. Additionally, William has the following certifications: Security+, Linux+, Project+, Network+, GCFA, GPEN, GNFA, GREM, GDAT, GCDA, GSEC, GCIA, GCIH, SSAP, GCFE, and GCTI. Currently, he is a senior leader within a cyber hunting organization, providing planning, coordination, integration, and execution of defensive teams that track and eradicate adversaries on customer networks.