


ISBN-13: 9781119895213 / English / Paperback / 2023
Table of contents

Foreword
Preface
Introduction

Chapter 1: What Is an Active Defender?
  The Hacker Mindset
  Traditional Defender Mindset
  Getting from Here to There
  Active Defender Activities
    Threat Modeling
    Threat Hunting
    Attack Simulations
    Active Defense
  "Active Defense" for the Active Defender
    Another Take on Active Defense: Annoyance, Attribution, Attack
    Active Defense According to Security Vendors
    Active > Passive
    Active Defense by the Numbers
    Active Defense and Staffing
  Active Defender > Passive Defender
    Relevant Intel Recognition
    Understanding Existing Threats
    Attacker Behavior: Pyramid of Pain, MITRE ATT&CK, TTP Pyramid
    Toward a Deeper Understanding
  Return to the Beginning
  Summary
  Notes

Chapter 2: Immersion into the Hacker Mindset
  Reluctance
    Media Portrayal
    Fear of Government Retribution
    The Rock Star Myth
    Imposter Syndrome
  A Leap of Faith
    My First Security BSides
    My First DEF CON
  Finding the Community
    Security BSides: Structured Format, Unconference Format, Hybrid Format, Additional Events
    Other Security Conferences: CircleCityCon, GrrCON, Thotcon, ShmooCon, Wild West Hackin' Fest, DEF CON
    Local Security Meetups: Infosec 716, Burbsec, #misec
    Makerspaces
    DEF CON Groups
    2600 Meetings
    Online Security Communities
    Traditional Security Communities
  An Invitation
  Summary
  Notes

Chapter 3: Offensive Security Engagements, Trainings, and Gathering Intel
  Offensive Security Engagements
    Targeting
    Initial Access
    Persistence
    Expansion
    Exfiltration
    Detection
  Offensive Security Trainings
    Conference Trainings: Security BSides, DEF CON, GrrCON, Thotcon, CircleCityCon, Wild West Hackin' Fest, Black Hat
    Security Companies: Offensive Security, TrustedSec, Antisyphon, SANS
    Online Options: Hackthebox, Tryhackme, Hackthissite, CTFs, YouTube
    Higher Education
  Gathering Intel
    Tradecraft Intel: Project Zero, AttackerKB, Discord/Slack, Twitter
    Organizational Intel: LinkedIn, Pastebin, GitHub, Message Boards, Internal Wikis, Haveibeenpwned
  Summary
  Notes

Chapter 4: Understanding the Offensive Toolset
  Nmap/Zenmap
  Burp Suite/ZAP
  sqlmap
  Wireshark
  Metasploit Framework
  Shodan
  Social-Engineer Toolkit
  Mimikatz
  Responder
  Cobalt Strike
  Impacket
  mitm6
  CrackMapExec
  evil-winrm
  BloodHound/SharpHound
  Summary
  Notes

Chapter 5: Implementing Defense While Thinking Like a Hacker
  OSINT for Organizations
    OPSEC
    OSINT
    Social Engineering
  Actively Defending
    ASM
    ATO Prevention: Benefits, Types of Risks Mitigated
  Threat Modeling Revisited
    Framing the Engagement: Scoping in Frame, Motivation in Frame
    The Right Way In: Reverse Engineering, Targeting, Inbound Access, Persistence, Egress Controls
    LOLBins: Rundll32.exe, Regsvr32.exe, MSBuild.exe, Cscript.exe, Csc.exe, Legitimate Usage?
  Threat Hunting
    Begin with a Question
    The Hunt
    Applying the Concepts: Dumping Memory, Lateral Movement, Secondary C2, Proof of Concept
  Attack Simulations
    Simulation vs. Emulation
    Why Test?: Risky Assumptions, Practice Is Key
    Tools for Testing: Microsoft Defender for O365, Atomic Red Team, Caldera, Scythe
  Summary
  Notes

Chapter 6: Becoming an Advanced Active Defender
  The Advanced Active Defender
  Automated Attack Emulations
  Using Deceptive Technologies
    Honey Tokens: Decoy Accounts, Email Addresses, Database Data, AWS Keys, Canary Tokens
    Honeypots
    Other Forms of Deception: Web Server Header, User Agent Strings, Fake DNS Records
  Working with Offensive Security Teams
    But We Need a PenTest!
    Potential Testing Outcomes: Vulnerability Identification, Vulnerability Exploitation, Targeted Detection/Response, Real Threat Actor, Detection Analysis
    Scope: Scoping Challenges, Additional Scope Considerations
    Decisions, Decisions: Measuring Existing Defenses, Crown Jewels
    Selecting a Vendor: Reputation, Experience and Expertise, Processes, Data Security, Adversarial Attitudes, Results, Additional Considerations
  Purple Teaming: Collaborative Testing
    What Is a Purple Team?
    Purple Team Exercises: Cyber Threat Intelligence, Preparation, Exercise Execution, Lessons Learned
    Purple Teams and Advanced Active Defenders
  Summary
  Notes

Chapter 7: Building Effective Detections
  Purpose of Detection
    Funnel of Fidelity: Collection, Detection, Triage, Investigation, Remediation
  Building Detections: Identification and Classification
    Overall Detection Challenges: Attention Problem, Perception Problem, Abstraction Problem, Validation Problem
  The Pyramids Return
    Lower Levels: Tools, Wrong Viewpoint, Bypass Options
    Higher Levels
  Testing
    Literal Level
    Functional Level
    Operational Level
    Technical Level
    Proper Validation: Both Telemetry and Detection (Telemetry Coverage, Detection Coverage)
    Testing Solutions: Atomic Red Team, AtomicTestHarness
  Summary
  Notes

Chapter 8: Actively Defending Cloud Computing Environments
  Cloud Service Models: IaaS, PaaS, SaaS
  Cloud Deployment Environments: Private Cloud, Public Cloud
  Fundamental Differences
    On-Demand Infrastructure
    Shared Responsibility Model
    Control Plane and Data Plane
    Infrastructure as an API
    Data Center Mapping
    IAM Focus
  Cloud Security Implications
    Larger Attack Surface
    New Types of Exposed Services
    Application Security Emphasis
    Challenges with API Use
    Custom Applications
  Cloud Offensive Security
    Enumeration of Cloud Environments: Code Repositories, Publicly Accessible Resources
    Initial Access: Phishing/Password Spraying, Stealing Access Tokens, Resource Exploitation
    Post-Compromise Recon: Post-Exploitation Enumeration; Roles, Policies, and Permissions; Dangerous Implied Trusts; Overly Permissive Configurations; Multi-Level Access
    Persistence/Expansion: Lateral Movement, Privilege Escalation
  Defense Strategies
  Summary
  Notes

Chapter 9: Future Challenges
  Software Supply Chain Attacks: A Growing Problem, Actively Defending
  Counterfeit Hardware: Fake Cisco Hardware, Actively Defending
  UEFI: Increasing Vulnerabilities, Enter BlackLotus, MSI Key Leak, Actively Defending
  BYOVD Attacks: Lazarus Group, Cuba Ransomware Group, Actively Defending
  Ransomware: Continuing Evolution, Actively Defending, Tabletop Exercises, Ransomware Playbooks
  Frameworks: Cobalt Strike, Sliver, Metasploit, Brute Ratel, Havoc, Mythic, Actively Defending
  Living Off the Land: Actively Defending
  API Security: Defining APIs, API Impact, Security Significance, Actively Defending
  Everything Old Is New Again
    OWASP Top 10
    Old Malware Never (Really) Dies: Emotet, REvil, Actively Defending
  Summary
  Notes

Index
CATHERINE J. ULLMAN is a security researcher, speaker, and Principal Technology Architect, Security at the University at Buffalo. She is a DFIR specialist and expert in incident management, intrusion detection, investigative services, and personnel case resolution. She offers security awareness training in an academic setting and is a well-known presenter at information security conferences, including DEF CON and Blue Team Con.
1997-2026 DolnySlask.com Agencja Internetowa





