Threat Hunting with Elastic Stack

Threat Hunting with Elastic Stack

by Andrew Pease
Released July 2021
Publisher(s): Packt Publishing
ISBN: 9781801073783

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Learn advanced threat analysis techniques in practice by implementing Elastic Stack security features

Key Features

  • Get started with Elastic Security configuration and features
  • Leverage Elastic Stack features to provide optimal protection against threats
  • Discover tips, tricks, and best practices to enhance the security of your environment

Book Description

Threat Hunting with Elastic Stack will show you how to make the best use of Elastic Security to provide optimal protection against cyber threats. With this book, security practitioners working with Kibana will be able to put their knowledge to work and detect malicious adversary activity within their contested network.

You'll take a hands-on approach to learning the implementation and methodologies that will have you up and running in no time. Starting with the foundational parts of the Elastic Stack, you'll explore analytical models and how they support security response and finally leverage Elastic technology to perform defensive cyber operations.

You'll then cover threat intelligence analytical models, threat hunting concepts and methodologies, and how to leverage them in cyber operations. After you've mastered the basics, you'll apply the knowledge you've gained to build and configure your own Elastic Stack, upload data, and explore that data directly as well as by using the built-in tools in the Kibana app to hunt for nefarious activities.

By the end of this book, you'll be able to build an Elastic Stack for self-training or to monitor your own network and/or assets and use Kibana to monitor and hunt for adversaries within your network.

What you will learn

  • Explore cyber threat intelligence analytical models and hunting methodologies
  • Build and configure Elastic Stack for cyber threat hunting
  • Leverage the Elastic endpoint and Beats for data collection
  • Perform security data analysis using the Kibana Discover, Visualize, and Dashboard apps
  • Execute hunting and response operations using the Kibana Security app
  • Use Elastic Common Schema to ensure data uniformity across organizations

Who this book is for

Security analysts, cybersecurity enthusiasts, information systems security staff, or anyone who works with the Elastic Stack for security monitoring, incident response, intelligence analysis, or threat hunting will find this book useful. Basic working knowledge of IT security operations and network and endpoint systems is necessary to get started.

Table of contents

  1. Threat Hunting with Elastic Stack
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Share Your Thoughts
  6. Section 1: Introduction to Threat Hunting, Analytical Models, and Hunting Methodologies
  7. Chapter 1: Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks
    1. What is cyber threat intelligence?
    2. The Intelligence Pipeline
    3. The Lockheed Martin Cyber Kill Chain
      1. Reconnaissance
      2. Weaponization
      3. Delivery
      4. Exploitation
      5. Installation
      6. Command & Control
      7. Actions on the Objective
    4. MITRE's ATT&CK Matrices
    5. The Diamond Model
      1. Adversary (a)
      2. Infrastructure (i)
      3. Victim (v)
      4. Capabilities (c)
      5. Motivations
      6. Directionality
    6. Strategic, operational, and tactical intelligence
    7. Summary
    8. Questions
    9. Further reading
  8. Chapter 2: Hunting Concepts, Methodologies, and Techniques
    1. Introducing threat hunting
      1. Measuring success
      2. The Six D's
    2. The Pyramid of Pain
      1. Hash values
      2. IP addresses
      3. Domain names
      4. Network/host artifacts
      5. Tools
      6. TTPs
    3. Profiling data
    4. Expected data
      1. Detection types
      2. Machine learning
    5. Missing data
    6. Data pattern of life
    7. Indicators
    8. The depreciation life cycle
      1. Indicator decay
      2. Shunning
      3. The deprecation pipeline
      4. The HIPESR model
    9. Summary
    10. Questions
    11. Further reading
  9. Section 2: Leveraging the Elastic Stack for Collection and Analysis
  10. Chapter 3: Introduction to the Elastic Stack
    1. Technical requirements
    2. Introducing Logstash
      1. Input plugins
      2. Filter plugins
      3. Output plugins
    3. Elasticsearch, the heart of the stack
      1. Bringing data into Elasticsearch
    4. Beats and Agents
      1. Filebeat
      2. Packetbeat
      3. Winlogbeat
      4. Elastic Agent
    5. Viewing Elasticsearch data with Kibana
      1. Using Kibana to view Elasticsearch data
    6. Elastic solutions
      1. Enterprise Search
      2. Observability
      3. Security
    7. Summary
    8. Questions
    9. Further reading
  11. Chapter 4: Building Your Hunting Lab – Part 1
    1. Technical requirements
    2. Your lab architecture
      1. Hypervisor
    3. Building an Elastic machine
      1. Creating the Elastic VM
      2. Installing CentOS
      3. Enabling the internal network interface
      4. Installing VirtualBox Guest Additions
    4. Summary
    5. Questions
  12. Chapter 5: Building Your Hunting Lab – Part 2
    1. Technical requirements
    2. Installing and configuring Elasticsearch
      1. Adding the Elastic repository
      2. Installing Elasticsearch
      3. Securing Elasticsearch
    3. Installing Elastic Agent
    4. Installing and configuring Kibana
      1. Installing Kibana
      2. Connecting Kibana to Elasticsearch
      3. Connecting to Kibana from a browser
    5. Enabling the detection engine and Fleet
      1. Detection engine
      2. Fleet
      3. Enrolling Fleet Server
    6. Building a victim machine
      1. Collecting the operating systems
      2. Creating the virtual machine
      3. Installing Windows
    7. Filebeat Threat Intel module
    8. Summary
    9. Questions
    10. Further reading
  13. Chapter 6: Data Collection with Beats and Elastic Agent
    1. Technical requirements
    2. Data flow
    3. Configuring Winlogbeat and Packetbeat
      1. Installing Beats
    4. Configuring Sysmon for endpoint collection
    5. Configuring Elastic Agent
    6. Deploying Elastic Agent
    7. Summary
    8. Questions
    9. Further reading
  14. Chapter 7: Using Kibana to Explore and Visualize Data
    1. Technical requirements
    2. The Discover app
      1. The spaces selector
      2. The search bar
      3. The filter controller
      4. The Index Pattern selector
      5. The field name search bar
      6. The field type search
      7. Available fields
      8. The Kibana search bar
      9. The query language selector
      10. The date picker
      11. The Action menu
      12. Support information
      13. The search/refresh button
      14. The timebox
      15. The Event view
      16. Exercise
    3. Query languages
      1. Lucene
      2. KQL
      3. EQL
    4. The Visualize app
      1. Considerations
      2. The data table
      3. Bar charts
      4. Pie charts
      5. Line charts
      6. Others
      7. Lens
      8. Exercise
    5. The Dashboard app
    6. Summary
    7. Questions
    8. Further reading
  15. Chapter 8: The Elastic Security App
    1. Technical requirements
    2. The Elastic Security app overview
    3. The detection engine
      1. Managing detection rules
      2. Creating a detection rule
      3. Trend timeline
    4. Hosts
    5. Network
    6. Timelines
    7. Cases
    8. Administration
    9. Summary
    10. Questions
    11. Further reading
  16. Section 3: Operationalizing Threat Hunting
  17. Chapter 9: Using Kibana to Pivot Through Data to Find Adversaries
    1. Technical requirements
    2. Connecting events with a timeline
    3. Using observations to perform targeted hunts
      1. Pivoting to find more infections
    4. Generating tailored detection logic
    5. Summary
    6. Questions
    7. Further reading
  18. Chapter 10: Leveraging Hunting to Inform Operations
    1. Technical requirements
    2. An overview of incident response
      1. Preparation
      2. Detection and analysis
      3. Containment
      4. Eviction
      5. Recovery
      6. Lessons learned
    3. Using threat hunting information to assist IR
    4. Prioritizing improvements to the security posture
      1. Lockheed Martin Cyber Kill Chain
    5. Using external information to drive hunting techniques
    6. Summary
    7. Questions
    8. Further reading
  19. Chapter 11: Enriching Data to Make Intelligence
    1. Technical requirements
    2. Enhancing analysis with open source tools
      1. MITRE ATT&CK Navigator
    3. Enriching events with third-party tools
      1. IPinfo
      2. Abuse.ch's ThreatFox
      3. VirusTotal
    4. Enrichments within Elastic
    5. Summary
    6. Questions
    7. Further reading
  20. Chapter 12: Sharing Information and Analysis
    1. Technical requirements
    2. The Elastic Common Schema
      1. Describing data uniformly
      2. Collecting non-ECS data
    3. Importing and exporting Kibana saved objects
      1. Type
      2. Tags
      3. Export
      4. Import
    4. Developing and contributing detection logic
    5. Summary
    6. Questions
    7. Further reading
  21. Assessments
    1. Chapter 1 – Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks
    2. Chapter 2 – Hunting Concepts, Methodologies, and Techniques
    3. Chapter 3 – Introduction to the Elastic Stack
    4. Chapter 4 – Building Your Hunting Lab – Part 1
    5. Chapter 5 – Building Your Hunting Lab – Part 2
    6. Chapter 6 – Data Collection with Beats and the Elastic Agent
    7. Chapter 7 – Using Kibana to Explore and Visualize Data
    8. Chapter 8 – The Elastic Security App
    9. Chapter 9 – Using Kibana to Pivot through Data to Find Adversaries
    10. Chapter 10 – Leveraging Hunting to Inform Operations
    11. Chapter 11 – Enriching Data to Make Intelligence
    12. Chapter 12 – Sharing Information and Analysis
    13. Why subscribe?
  22. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Threat Hunting with Elastic Stack
  • Author(s): Andrew Pease
  • Release date: July 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781801073783