Author Peiris, Chris, author.

Title Threat hunting in the cloud : defending AWS, Azure and other cloud platforms against cyberattacks / Chris Peiris, Binil Pillai, Abbas Kudrati. [O'Reilly electronic resource]

Publication Info. Hoboken, New Jersey : John Wiley & Sons, Inc., [2022]
Description 1 online resource (xxxix, 504 pages) : illustrations
Note Includes index.
Summary Implement a vendor-neutral and multi-cloud cybersecurity and risk mitigation framework with advice from seasoned threat hunting pros. In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors. You'll discover how to build a side-by-side cybersecurity fusion center on both Microsoft Azure and Amazon Web Services and deliver a multi-cloud strategy for enterprise customers. And you will find out how to create a vendor-neutral environment with rapid disaster recovery capability for maximum risk mitigation.

With this book you'll learn:
- Key business and technical drivers of cybersecurity threat hunting frameworks in today's technological environment
- Metrics available to assess threat hunting effectiveness regardless of an organization's size
- How threat hunting works with vendor-specific single cloud security offerings and on multi-cloud implementations
- A detailed analysis of key threat vectors such as email phishing, ransomware and nation state attacks
- Comprehensive AWS and Azure "how to" solutions through the lens of MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs)
- Azure and AWS risk mitigation strategies to combat key TTPs such as privilege escalation, credential theft, lateral movement, defend against command & control systems, and prevent data exfiltration
- Tools available on both the Azure and AWS cloud platforms which provide automated responses to attacks, and orchestrate preventative measures and recovery strategies
- Many critical components for successful adoption of a multi-cloud threat hunting framework such as Threat Hunting Maturity Model, Zero Trust Computing, Human Elements of Threat Hunting, Integration of Threat Hunting with Security Operation Centers (SOCs) and Cyber Fusion Centers
- The Future of Threat Hunting with the advances in Artificial Intelligence, Machine Learning, Quantum Computing and the proliferation of IoT devices

Perfect for technical executives (i.e., CTO, CISO), technical managers, architects, system admins and consultants with hands-on responsibility for cloud platforms, Threat Hunting in the Cloud is also an indispensable guide for business executives (i.e., CFO, COO, CEO, board members) and managers who need to understand their organization's cybersecurity risk framework and mitigation strategy.
Contents Foreword xxxi -- Introduction xxxiii
Part I Threat Hunting Frameworks 1
Chapter 1 Introduction to Threat Hunting 3 -- The Rise of Cybercrime 4 -- What Is Threat Hunting? 6 -- The Key Cyberthreats and Threat Actors 7 -- Phishing 7 -- Ransomware 8 -- Nation State 10 -- The Necessity of Threat Hunting 14 -- Does the Organization's Size Matter? 17 -- Threat Modeling 19 -- Threat-Hunting Maturity Model 23 -- Organization Maturity and Readiness 23 -- Level 0: INITIAL 24 -- Level 1: MINIMAL 25 -- Level 2: PROCEDURAL 25 -- Level 3: INNOVATIVE 25 -- Level 4: LEADING 25 -- Human Elements of Threat Hunting 26 -- How Do You Make the Board of Directors Cyber-Smart? 27 -- Threat-Hunting Team Structure 30 -- External Model 30 -- Dedicated Internal Hunting Team Model 30 -- Combined/Hybrid Team Model 30 -- Periodic Hunt Teams Model 30 -- Urgent Need for Human-Led Threat Hunting 31 -- The Threat Hunter's Role 31 -- Summary 33
Chapter 2 Modern Approach to Multi-Cloud Threat Hunting 35 -- Multi-Cloud Threat Hunting 35 -- Multi-Tenant Cloud Environment 38 -- Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39 -- Building Blocks for the Security Operations Center 41 -- Scope and Type of SOC 43 -- Services, Not Just Monitoring 43 -- SOC Model 43 -- Define a Process for Identifying and Managing Threats 44 -- Tools and Technologies to Empower SOC 44 -- People (Specialized Teams) 45 -- Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46 -- Cyberthreat Detection 46 -- Threat-Hunting Goals and Objectives 49 -- Threat Modeling and SOC 50 -- The Need for a Proactive Hunting Team Within SOC 50 -- Assume Breach and Be Proactive 51 -- Invest in People 51 -- Develop an Informed Hypothesis 52 -- Cyber Resiliency and Organizational Culture 53 -- Skillsets Required for Threat Hunting 54 -- Security Analysis 55 -- Data Analysis 56 -- Programming Languages 56 -- Analytical Mindset 56 -- Soft Skills 56 -- Outsourcing 56 -- Threat-Hunting Process and Procedures 57 -- Metrics for Assessing the Effectiveness of Threat Hunting 58 -- Foundational Metrics 58 -- Operational Metrics 59 -- Threat-Hunting Program Effectiveness 61 -- Summary 62
Chapter 3 Exploration of MITRE Key Attack Vectors 63 -- Understanding MITRE ATT&CK 63 -- What Is MITRE ATT&CK Used For? 64 -- How Is MITRE ATT&CK Used and Who Uses It? 65 -- How Is Testing Done According to MITRE? 65 -- Tactics 67 -- Techniques 67 -- Threat Hunting Using Five Common Tactics 69 -- Privilege Escalation 71 -- Case Study 72 -- Credential Access 73 -- Case Study 74 -- Lateral Movement 75 -- Case Study 75 -- Command and Control 77 -- Case Study 77 -- Exfiltration 79 -- Case Study 79 -- Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80 -- Zero Trust 80 -- Threat Intelligence and Zero Trust 83 -- Build Cloud-Based Defense-in-Depth 84 -- Analysis Tools 86 -- Microsoft Tools 86 -- Connect To All Your Data 87 -- Workbooks 88 -- Analytics 88 -- Security Automation and Orchestration 90 -- Investigation 91 -- Hunting 92 -- Community 92 -- AWS Tools 93 -- Analyzing Logs Directly 93 -- SIEMs in the Cloud 94 -- Summary 95 -- Resources 96
Part II Hunting in Microsoft Azure 99
Chapter 4 Microsoft Azure Cloud Threat Prevention Framework 101 -- Introduction to Microsoft Security 102 -- Understanding the Shared Responsibility Model 102 -- Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105 -- Overview of Azure Security Center and Azure Defender 105 -- Overview of Microsoft Azure Sentinel 108 -- Using Microsoft Secure and Protect Features 112 -- Identity & Access Management 113 -- Infrastructure & Network 114 -- Data & Application 115 -- Customer Access 115 -- Using Azure Web Application Firewall to Protect a Website Against an "Initial Access" TTP 116 -- Using Microsoft Defender for Office 365 to Protect Against an "Initial Access" TTP 118 -- Using Microsoft Defender Endpoint to Protect Against an "Initial Access" TTP 121 -- Using Azure Conditional Access to Protect Against an "Initial Access" TTP 123 -- Microsoft Detect Services 127 -- Detecting "Privilege Escalation" TTPs 128 -- Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Privilege Escalation" TTP 128 -- Detecting Credential Access 131 -- Using Azure Identity Protection to Detect Threats Against a "Credential Access" TTP 132 -- Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134 -- Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Credential Access" TTP 137 -- Detecting Lateral Movement 139 -- Using Just-in-Time in ASC to Protect and Detect Threats Against a "Lateral Movement" TTP 139 -- Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Lateral Movement" TTP 144 -- Detecting Command and Control 145 -- Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Command and Control" TTP 146 -- Detecting Data Exfiltration 147 -- Using Azure Information Protection to Detect Threats Against a "Data Exfiltration" TTP 148 -- Discovering Sensitive Content Using AIP 149 -- Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Data Exfiltration" TTP 153 -- Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154 -- Microsoft Investigate, Response, and Recover Features 155 -- Automating Investigation and Remediation with Microsoft Defender for Endpoint 157 -- Using Microsoft Threat Expert Support for Remediation and Investigation 159 -- Targeted Attack Notification 159 -- Experts on Demand 161 -- Automating Security Response with MCAS and Microsoft Flow 166 -- Step 1: Generate Your API Token in Cloud App Security 167 -- Step 2: Create Your Trigger in Microsoft Flow 167 -- Step 3: Create the Teams Message Action in Microsoft Flow 168 -- Step 4: Generate an Email in Microsoft Flow 168 -- Connecting the Flow in Cloud App Security 169 -- Performing an Automated Response Using Azure Security Center 170 -- Using Machine Learning and Artificial Intelligence in Threat Response 172 -- Overview of Fusion Detections 173 -- Overview of Azure Machine Learning 174 -- Summary 182
Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183 -- Introduction 183 -- Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184 -- Microsoft Security Architecture 185 -- The Identify Function 186 -- The Protect Function 187 -- The Detect Function 188 -- The Respond Function 189 -- The Recover Function 189 -- Using the Microsoft Reference Architecture 190 -- Microsoft Threat Intelligence 190 -- Service Trust Portal 192 -- Security Development Lifecycle (SDL) 193 -- Protecting the Hybrid Cloud Infrastructure 194 -- Azure Marketplace 194 -- Private Link 195 -- Azure Arc 196 -- Azure Lighthouse 197 -- Azure Firewall 198 -- Azure Web Application Firewall (WAF) 200 -- Azure DDOS Protection 200 -- Azure Key Vault 201 -- Azure Bastion 202 -- Azure Site Recovery 204 -- Azure Security Center (ASC) 205 -- Microsoft Azure Secure Score 205 -- Protecting Endpoints and Clients 206 -- Microsoft Endpoint Manager (MEM) Configuration Manager 207 -- Microsoft Intune 208 -- Protecting Identities and Access 209 -- Azure AD Conditional Access 210 -- Passwordless for End-to-End Secure Identity 211 -- Azure Active Directory (aka Azure AD) 211 -- Azure MFA 211 -- Azure Active Directory Identity Protection 212 -- Azure Active Directory Privilege Identity Management (PIM) 213 -- Microsoft Defender for Identity 214 -- Azure AD B2B and B2C 215 -- Azure AD Identity Governance 215 -- Protecting SaaS Apps 216 -- Protecting Data and Information 219 -- Azure Purview 220 -- Microsoft Information Protection (MIP) 221 -- Azure Information Protection Unified Labeling Scanner (File Scanner) 222 -- The Advanced eDiscovery Solution in Microsoft 365 223 -- Compliance Manager 224 -- Protecting IoT and Operation Technology 225 -- Security Concerns with IoT 226 -- Understanding That IoT Cybersecurity Starts with a Threat Model 227 -- Microsoft Investment in IoT Technology 229 -- Azure Sphere 229 -- Azure Defender 229 -- Azure Defender for IoT 230 -- Threat Modeling for the Azure IoT Reference Architecture 230 -- Azure Defender for IoT Architecture (Agentless Solutions) 233 -- Azure Defender for IoT Architecture (Agent-based solutions) 234 -- Understanding the Security Operations Solutions 235 -- Understanding the People Security Solutions 236 -- Attack Simulator 237 -- Insider Risk Management (IRM) 237 -- Communication Compliance 239 -- Summary 240
Part III Hunting in AWS 241
Chapter 6 AWS Cloud Threat Prevention Framework 243 -- Introduction to AWS Well-Architected Framework 244 -- The Five Pillars of the Well-Architected Framework 245 -- Operational Excellence 246 -- Security 246 -- Reliability 246 -- Performance Efficiency 246 -- Cost Optimization 246 -- The Shared Responsibility Model 246 -- AWS Services for Monitoring, Logging, and Alerting 248 -- AWS CloudTrail 249 -- Amazon CloudWatch Logs 251 -- Amazon VPC Flow Logs 252 -- Amazon GuardDuty 253 -- AWS Security Hub 254 -- AWS Protect Features 256 -- How Do You Prevent Initial Access? 256 -- How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256 -- Prerequisites 257 -- Create an API 257 -- Create and Configure an AWS WAF 259 -- AWS Detection Features 263 -- How Do You Detect Privilege Escalation? 263 -- How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions? 264 -- Prerequisites 264 -- Configure GuardDuty to Detect Privilege Escalation 265 -- Reviewing the Findings 266 -- How Do You Detect Credential Access? 269 -- How Do You Detect Unsecured Credentials? 269 -- Prerequisites 270 -- Reviewing t ...
Subject Computer security.
Internet -- Security measures.
Cloud computing -- Security measures.
Sécurité informatique.
Internet -- Sécurité -- Mesures.
Infonuagique -- Sécurité -- Mesures.
Computer security
Internet -- Security measures
Added Author Kudrati, Abbas, author.
Pillai, Binil, author.
Other Form: Print version: 111980406X 9781119804062 (OCoLC)1240412169
ISBN 1119804108 (electronic book)
9781119804109 (electronic bk.)
9781119804116 (electronic bk.)
1119804116 (electronic bk.)
9781394177493 (electronic bk.)
1394177496 (electronic bk.)
Standard No. 10.1002/9781394177493 doi