
Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Get to grips with cyber threat intelligence and data-driven threat hunting while exploring expert tips and techniques

Key Features
• Set up an environment to centralize all data in an Elasticsearch, Logstash, and Kibana (ELK) server that enables threat hunting
• Carry out atomic hunts to start the threat hunting process and understand the environment
• Perform advanced hunting using MITRE ATT&CK Evals emulations and Mordor datasets

Book Description
Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business.

This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch.

You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework.

By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.

What you will learn
• Understand what CTI is, its key concepts, and how it is useful for preventing threats and protecting your organization
• Explore the different stages of the TH process
• Model the data collected and understand how to document the findings
• Simulate threat actor activity in a lab environment
• Use the information collected to detect breaches and validate the results of your queries
• Use documentation and strategies to communicate processes to senior management and the wider business

Who this book is for
If you are looking to start out in the cyber intelligence and threat hunting domains and want to know more about how to implement a threat hunting division with open-source tools, then this cyber threat intelligence book is for you.

Table of Contents
• What is Cyber Threat Intelligence?
• What is Threat Hunting?
• Where Does the Data Come From?
• Mapping the Adversary
• Working with Data
• Emulating the Adversary
• Creating a Research Environment
• How to Query the Data
• Hunting for the Adversary
• Importance of Documenting and Automating the Process
• Assessing Data Quality
• Understanding the Output
• Defining Good Metrics to Track Success
• Engaging the Response Team and Communicating the Result to Executives

398 pages, Kindle Edition

Published February 12, 2021




Community Reviews

5 stars: 19 (50%)
4 stars: 13 (34%)
3 stars: 5 (13%)
2 stars: 1 (2%)
1 star: 0 (0%)
Steven (29 reviews, 2 followers)
October 11, 2021
There are not many books that cover the topics of CTI and threat hunting, and this is a promising one so far. It's good for starters exploring concepts and ideas to try with OSS. I hope there is a sequel with advanced-level techniques and theories.
C. (1,244 reviews, 1,023 followers)
November 23, 2021
The word "Practical" in the title is accurate, as there are many sets of step-by-step instructions and many specific tools are mentioned. It seems the book is heavier on threat hunting than on threat intelligence, though there's plenty about threat intel as well.

I read this after hearing Palacín on the Hacker Valley Blue podcast.

Notes
What Is Cyber Threat Intelligence?
OSINT collection resources
• virustotal.com
• ccssforum.org
• urlhaus.abuse.ch

osintcurio.us: learn OSINT resources and techniques.

Sandboxing solutions
• any.run
• hybrid-analysis.com
• cuckoosandbox.org

Cyber Kill Chain has been criticized for not fitting modern attacks, but has been praised for identifying points to stop an attack.

Mapping the Adversary
ATT&CK Navigator helps visualize a threat actor's MO, behavior of a specific tool, or generate a security exercise.

To map an attack to ATT&CK, look for keywords in the attack description (persistence, execute, gather, send, etc.). Use the ATT&CK search box to look for other keywords (DLL, Windows API, Registry Key, etc.).

Working with Data
OSSEM provides an open source standardized model for security events, documented in data dictionaries.

MITRE CAR was inspired by CybOX and is an organization of objects that may be monitored from a host- or network-based perspective. MITRE CARET is the GUI of the CAR project.

Sigma rules are the YARA rules of log files. Sigma is an open signature format that can be applied to any log file and can be used to describe and share detections.

Emulating the Adversary
Adversary emulation tools
• Atomic Red Team
• Mordor
• CALDERA
• C2 Matrix evaluates C2 frameworks
• OSSEM Power-up
• Sysmon Modular
• DeTT&CT

Creating a Research Environment
Research environment (using ESXi)
• ELK (bonus: add Mordor datasets)
• Winlogbeat
• The HELK

If you don't have the resources to build a virtual lab with ESXi, set up an ELK or The HELK instance and load the Mordor datasets.

Other research projects
• AutomatedLab
• Adaz
• Detection Lab
• Splunk Attack Range

How to Query the Data
Security Log Encyclopedia has extensive info about different event logs.

Invoke-AtomicRedTeam can carry out atomic tests in bulk.

Importance of Documenting and Automating the Process
writethedocs.org/about/learning-resou... teaches how to write good docs.

Items to document
• State hypothesis
• Clearly state whether hypothesis was confirmed or not
• State scope
• Tell how you carried out the hunt
• Define time frame
• Document hunting results
• Describe aftermath
• Lessons learned
• If new threat actor activity is discovered, include ATT&CK mapping

Open source documentation tools
• readthedocs.org
• pages.github.com
• docusaurus.io
• sphinx-doc.org

Threat Hunter Playbook is an interactive notebook that shares detections following ATT&CK tactics, and allows easy replication and visualization of detection data.

Jupyter Notebook is an open source web app to create and share text, equations, code, and visualizations. It can be used to create interactive documentation.
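The reviewer's note above calls Sigma "the YARA rules of log files". To make concrete what a Sigma rule actually asserts about a log, here is an added example (not code from the book, and not part of the review) of a toy evaluator that applies a small Sigma-style rule to constructed Sysmon-like process-creation events. The rule, the event records, the host and user names, and the field names are all constructed for the example; pySigma and sigmac are the real tools, and they also cover the parts of the syntax this evaluator leaves out.

```python
"""Toy evaluator for a subset of Sigma (added example, not from the book).
Handles named selections with contains/startswith/endswith/all modifiers
(list values are OR-ed, fields AND-ed, case-insensitive like Sigma) and a
condition made of and/or/not and parentheses. No `1 of`, aggregations,
re/base64 modifiers or null checks: use pySigma/sigmac for real rules."""
import fnmatch
import re

# Constructed rule; the Python form of this Sigma YAML:
#   logsource: {product: windows, category: process_creation}
#   detection:
#     selection:
#       Image|endswith: '\whoami.exe'
#     filter_admin_shell:
#       ParentImage|endswith: ['\cmd.exe', '\powershell.exe']
#       User|contains: 'Administrator'
#     condition: selection and not filter_admin_shell
RULE = {"title": "whoami outside an administrator shell", "detection": {
    "selection": {"Image|endswith": r"\whoami.exe"},
    "filter_admin_shell": {"ParentImage|endswith": [r"\cmd.exe", r"\powershell.exe"],
                           "User|contains": "Administrator"},
    "condition": "selection and not filter_admin_shell"}}

# Constructed Sysmon Event ID 1 records, flattened the way Winlogbeat/HELK deliver them.
EVENTS = [
    {"Computer": "WS01", "User": r"CORP\Administrator", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                        # admin at a prompt: benign
    {"Computer": "WEB01", "User": r"IIS APPPOOL\DefaultAppPool", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},               # web server spawning whoami
    {"Computer": "WS07", "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\WHOAMI.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},  # macro-like
    {"Computer": "WS07", "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # non-admin shell
    {"Computer": "WS07", "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                            # unrelated process
]


def match_value(value, pattern, modifiers):
    """Compare one field value with one pattern under the Sigma modifiers given."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)  # plain values allow Sigma's * and ? wildcards


def match_selection(event, selection):
    """Every field in a selection must match; list values are OR unless `all` is set."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        value = event.get(field, "")  # a missing field never matches a non-null pattern
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(value, p, modifiers) for p in pats]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def eval_condition(condition, results):
    """Evaluate `a and not (b or c)` over selection results (precedence: not > and > or)."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            right = parse_and()
            left = left or right
        return left

    def parse_and():
        left = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        if tok not in results:
            raise ValueError(f"condition references unknown selection {tok!r}")
        return results[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(rule, event):
    """True if the event satisfies the rule's condition."""
    detection = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def hunt(rule, events):
    """Return the matching events, i.e. the hits an analyst would triage."""
    return [e for e in events if evaluate(rule, e)]
```

Running `hunt(RULE, EVENTS)` returns the w3wp.exe, WINWORD.EXE and non-admin PowerShell events and drops the administrator's interactive `whoami`, which is exactly the benign-by-design exclusion that a `filter` selection exists to express; the `not filter_admin_shell` clause is where a hunter's knowledge of the environment gets encoded, and it is also the part that needs reviewing when the rule is reused on a network with different admin habits.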
Unnamed reviewer (6 reviews)
August 5, 2025
What I learned and what I was expecting

Thank you for this book. It taught me a lot. I started this book in pursuit of knowledge in CTI but ended up with deep knowledge of threat hunting. I am just a little bit disappointed that you did not devote the same energy to CTI as to TH. And all of the data sources were from inside the network. I think it would also be good if we could hunt based on external data sources such as the dark web or OSINT. I really hope the next edition, coming soon, will tackle those aspects.
Jerry Smith (488 reviews, 6 followers)
March 30, 2021
Read this for work.
It was pretty solid. I think for someone already threat hunting it's maybe a 2 out of 5. For someone new it's probably a 4 out of 5, so I split the difference.
I don't think it will age well; there are a lot of URLs and screenshots of applications, and those things change.
Overall it was alright.
Unnamed reviewer (11 reviews)
July 7, 2021
Great introduction to a number of different ways to ATT&CK threat intelligence. From gathering, performing, and applying threat intel to your current security program, this is a great primer on TI and threat hunting.
Dane (10 reviews)
November 8, 2022
Incredible, in-depth and practical. I plan to use this at work.
Unnamed reviewer (3 reviews)
December 19, 2023
I agree with others, in that some of the links and tools probably won’t be usable in a few years. However I think that the core concepts taught in this book go above and beyond any other book on threat hunting currently available. This book actually gives you a methodology for digesting threat reports and using them to perform threat hunting, whereas a lot of books just throw a bunch of techniques or event IDs at you and expect you to remember them. I’d recommend this to anybody who is new to blue team, such as a junior SOC analyst.
