ISBN-13: 9781119804062 / English / Paperback / 2021 / 544 pages
Table of Contents

Foreword
Introduction

Part I Threat Hunting Frameworks

  Chapter 1 Introduction to Threat Hunting
    The Rise of Cybercrime
    What Is Threat Hunting?
    The Key Cyberthreats and Threat Actors
      Phishing
      Ransomware
      Nation State
    The Necessity of Threat Hunting
      Does the Organization's Size Matter?
    Threat Modeling
    Threat-Hunting Maturity Model
      Organization Maturity and Readiness
        Level 0: INITIAL
        Level 1: MINIMAL
        Level 2: PROCEDURAL
        Level 3: INNOVATIVE
        Level 4: LEADING
    Human Elements of Threat Hunting
      How Do You Make the Board of Directors Cyber-Smart?
    Threat-Hunting Team Structure
      External Model
      Dedicated Internal Hunting Team Model
      Combined/Hybrid Team Model
      Periodic Hunt Teams Model
    Urgent Need for Human-Led Threat Hunting
    The Threat Hunter's Role
    Summary

  Chapter 2 Modern Approach to Multi-Cloud Threat Hunting
    Multi-Cloud Threat Hunting
      Multi-Tenant Cloud Environment
      Threat Hunting in Multi-Cloud and Multi-Tenant Environments
    Building Blocks for the Security Operations Center
      Scope and Type of SOC
      Services, Not Just Monitoring
      SOC Model
      Define a Process for Identifying and Managing Threats
      Tools and Technologies to Empower SOC
      People (Specialized Teams)
    Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC
      Cyberthreat Detection
      Threat-Hunting Goals and Objectives
      Threat Modeling and SOC
      The Need for a Proactive Hunting Team Within SOC
      Assume Breach and Be Proactive
      Invest in People
      Develop an Informed Hypothesis
    Cyber Resiliency and Organizational Culture
    Skillsets Required for Threat Hunting
      Security Analysis
      Data Analysis
      Programming Languages
      Analytical Mindset
      Soft Skills
      Outsourcing
    Threat-Hunting Process and Procedures
    Metrics for Assessing the Effectiveness of Threat Hunting
      Foundational Metrics
      Operational Metrics
      Threat-Hunting Program Effectiveness
    Summary

  Chapter 3 Exploration of MITRE Key Attack Vectors
    Understanding MITRE ATT&CK
      What Is MITRE ATT&CK Used For?
      How Is MITRE ATT&CK Used and Who Uses It?
      How Is Testing Done According to MITRE?
      Tactics
      Techniques
    Threat Hunting Using Five Common Tactics
      Privilege Escalation
        Case Study
      Credential Access
        Case Study
      Lateral Movement
        Case Study
      Command and Control
        Case Study
      Exfiltration
        Case Study
    Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors
      Zero Trust
      Threat Intelligence and Zero Trust
      Build Cloud-Based Defense-in-Depth
    Analysis Tools
      Microsoft Tools
        Connect To All Your Data
        Workbooks
        Analytics
        Security Automation and Orchestration
        Investigation
        Hunting
        Community
      AWS Tools
        Analyzing Logs Directly
        SIEMs in the Cloud
    Summary
    Resources

Part II Hunting in Microsoft Azure

  Chapter 4 Microsoft Azure Cloud Threat Prevention Framework
    Introduction to Microsoft Security
      Understanding the Shared Responsibility Model
      Microsoft Services for Cloud Security Posture Management and Logging/Monitoring
      Overview of Azure Security Center and Azure Defender
      Overview of Microsoft Azure Sentinel
    Using Microsoft Secure and Protect Features
      Identity & Access Management
      Infrastructure & Network
      Data & Application
      Customer Access
      Using Azure Web Application Firewall to Protect a Website Against an "Initial Access" TTP
      Using Microsoft Defender for Office 365 to Protect Against an "Initial Access" TTP
      Using Microsoft Defender Endpoint to Protect Against an "Initial Access" TTP
      Using Azure Conditional Access to Protect Against an "Initial Access" TTP
    Microsoft Detect Services
      Detecting "Privilege Escalation" TTPs
        Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Privilege Escalation" TTP
      Detecting Credential Access
        Using Azure Identity Protection to Detect Threats Against a "Credential Access" TTP
        Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk)
        Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Credential Access" TTP
      Detecting Lateral Movement
        Using Just-in-Time in ASC to Protect and Detect Threats Against a "Lateral Movement" TTP
        Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Lateral Movement" TTP
      Detecting Command and Control
        Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Command and Control" TTP
      Detecting Data Exfiltration
        Using Azure Information Protection to Detect Threats Against a "Data Exfiltration" TTP
        Discovering Sensitive Content Using AIP
        Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Data Exfiltration" TTP
      Detecting Threats and Proactively Hunting with Microsoft 365 Defender
    Microsoft Investigate, Response, and Recover Features
      Automating Investigation and Remediation with Microsoft Defender for Endpoint
      Using Microsoft Threat Expert Support for Remediation and Investigation
        Targeted Attack Notification
        Experts on Demand
      Automating Security Response with MCAS and Microsoft Flow
        Step 1: Generate Your API Token in Cloud App Security
        Step 2: Create Your Trigger in Microsoft Flow
        Step 3: Create the Teams Message Action in Microsoft Flow
        Step 4: Generate an Email in Microsoft Flow
        Connecting the Flow in Cloud App Security
      Performing an Automated Response Using Azure Security Center
    Using Machine Learning and Artificial Intelligence in Threat Response
      Overview of Fusion Detections
      Overview of Azure Machine Learning
    Summary

  Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map
    Introduction
    Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF)
    Microsoft Security Architecture
      The Identify Function
      The Protect Function
      The Detect Function
      The Respond Function
      The Recover Function
    Using the Microsoft Reference Architecture
      Microsoft Threat Intelligence
      Service Trust Portal
      Security Development Lifecycle (SDL)
    Protecting the Hybrid Cloud Infrastructure
      Azure Marketplace
      Private Link
      Azure Arc
      Azure Lighthouse
      Azure Firewall
      Azure Web Application Firewall (WAF)
      Azure DDOS Protection
      Azure Key Vault
      Azure Bastion
      Azure Site Recovery
      Azure Security Center (ASC)
      Microsoft Azure Secure Score
    Protecting Endpoints and Clients
      Microsoft Endpoint Manager (MEM) Configuration Manager
      Microsoft Intune
    Protecting Identities and Access
      Azure AD Conditional Access
      Passwordless for End-to-End Secure Identity
      Azure Active Directory (aka Azure AD)
      Azure MFA
      Azure Active Directory Identity Protection
      Azure Active Directory Privileged Identity Management (PIM)
      Microsoft Defender for Identity
      Azure AD B2B and B2C
      Azure AD Identity Governance
    Protecting SaaS Apps
    Protecting Data and Information
      Azure Purview
      Microsoft Information Protection (MIP)
      Azure Information Protection Unified Labeling Scanner (File Scanner)
      The Advanced eDiscovery Solution in Microsoft 365
      Compliance Manager
    Protecting IoT and Operation Technology
      Security Concerns with IoT
      Understanding That IoT Cybersecurity Starts with a Threat Model
      Microsoft Investment in IoT Technology
      Azure Sphere
      Azure Defender
      Azure Defender for IoT
      Threat Modeling for the Azure IoT Reference Architecture
      Azure Defender for IoT Architecture (Agentless Solutions)
      Azure Defender for IoT Architecture (Agent-based Solutions)
    Understanding the Security Operations Solutions
    Understanding the People Security Solutions
      Attack Simulator
      Insider Risk Management (IRM)
      Communication Compliance
    Summary

Part III Hunting in AWS

  Chapter 6 AWS Cloud Threat Prevention Framework
    Introduction to AWS Well-Architected Framework
      The Five Pillars of the Well-Architected Framework
        Operational Excellence
        Security
        Reliability
        Performance Efficiency
        Cost Optimization
      The Shared Responsibility Model
    AWS Services for Monitoring, Logging, and Alerting
      AWS CloudTrail
      Amazon CloudWatch Logs
      Amazon VPC Flow Logs
      Amazon GuardDuty
      AWS Security Hub
    AWS Protect Features
      How Do You Prevent Initial Access?
      How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF?
        Prerequisites
        Create an API
        Create and Configure an AWS WAF
    AWS Detection Features
      How Do You Detect Privilege Escalation?
        How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions?
        Prerequisites
        Configure GuardDuty to Detect Privilege Escalation
        Reviewing the Findings
      How Do You Detect Credential Access?
        How Do You Detect Unsecured Credentials?
        Prerequisites
        Reviewing the Findings
      How Do You Detect Lateral Movement?
        How Do You Detect the Use of Stolen Alternate Authentication Material?
        Prerequisites
        How Do You Detect Potential Unauthorized Access to Your AWS Resources?
        Reviewing the Findings
      How Do You Detect Command and Control?
        How Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)?
        Prerequisites
        How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS
        Reviewing the Findings
      How Do You Detect Data Exfiltration?
        Prerequisites
        How Do You Detect the Exfiltration Using an Anomalous API Request?
        Reviewing the Findings
    How Do You Handle Response and Recover?
      Foundation of Incident Response
      How Do You Create an Automated Response?
        Automating Incident Responses
        Options for Automating Responses
        Cost Comparisons in Scanning Methods
        Event-Driven Responses
      How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging?
        Prerequisites
        Creating a Trail in CloudTrail
        Creating an SNS Topic to Send Emails
        Creating Rules in Amazon EventBridge
      How Do You Orchestrate and Recover?
        Decision Trees
        Use Alternative Accounts
        View or Copy Data
        Sharing Amazon EBS Snapshots
        Sharing Amazon CloudWatch Logs
        Use Immutable Storage
        Launch Resources Near the Event
        Isolate Resources
        Launch Forensic Workstations
        Instance Types and Locations
      How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging?
        Prerequisites
        Aggregate and View Security Status in AWS Security Hub
        Reviewing the Findings
        Create Lambda Function to Orchestrate and Recover
    How Are Machine Learning and Artificial Intelligence Used?
    Summary
    References

  Chapter 7 AWS Reference Architecture
    AWS Security Framework Overview
      The Identify Function Overview
      The Protect Function Overview
      The Detect Function Overview
      The Respond Function Overview
      The Recover Function Overview
    AWS Reference Architecture
      The Identify Function
        Security Hub
        AWS Config
        AWS Organizations
        AWS Control Tower
        AWS Trusted Advisor
        AWS Well-Architected Tool
        AWS Service Catalog
        AWS Systems Manager
        AWS Identity and Access Management (IAM)
        AWS Single Sign-On (SSO)
        AWS Shield
        AWS Web Application Firewall (WAF)
        AWS Firewall Manager
        AWS Cloud HSM
        AWS Secrets Manager
        AWS Key Management Service (KMS)
        AWS Certificate Manager
        AWS IoT Device Defender
        Amazon Virtual Private Cloud
        AWS PrivateLink
        AWS Direct Connect
        AWS Transit Gateway
        AWS Resource Access Manager
      The Detect and Respond Functions
        GuardDuty
        Amazon Detective
        Amazon Macie
        Amazon Inspector
        Amazon CloudTrail
        Amazon CloudWatch
        Amazon Lambda
        AWS Step Functions
        Amazon Route 53
        AWS Personal Health Dashboard
      The Recover Functions
        Amazon Glacier
        AWS CloudFormation
        CloudEndure Disaster Recovery
        AWS OpsWorks
    Summary

Part IV The Future

  Chapter 8 Threat Hunting in Other Cloud Providers
    The Google Cloud Platform
      Google Cloud Platform Security Architecture Alignment to NIST
        The Identify Function
        The Protect Function
        The Detect Function
        The Respond Function
        The Recover Function
    The IBM Cloud
    Oracle Cloud Infrastructure Security
      Oracle SaaS Cloud Security Threat Intelligence
    The Alibaba Cloud
    Summary
    References

  Chapter 9 The Future of Threat Hunting
    Artificial Intelligence and Machine Learning
      How ML Reduces False Positives
      How Machine Intelligence Applies to Malware Detection
      How Machine Intelligence Applies to Risk Scoring in a Network
    Advances in Quantum Computing
      Quantum Computing Challenges
      Preparing for the Quantum Future
    Advances in IoT and Their Impact
      Growing IoT Cybersecurity Risks
      Preparing for IoT Challenges
    Operational Technology (OT)
      Importance of OT Security
    Blockchain
      The Future of Cybersecurity with Blockchain
    Threat Hunting as a Service
    The Evolution of the Threat-Hunting Tool
    Potential Regulatory Guidance
    Summary
    References

Part V Appendices

  Appendix A MITRE ATT&CK Tactics
  Appendix B Privilege Escalation
  Appendix C Credential Access
  Appendix D Lateral Movement
  Appendix E Command and Control
  Appendix F Data Exfiltration
  Appendix G MITRE Cloud Matrix
    Initial Access
      Drive-by Compromise
      Exploiting a Public-Facing Application
      Phishing
      Using Trusted Relationships
      Using Valid Accounts
    Persistence
      Manipulating Accounts
      Creating Accounts
      Implanting a Container Image
      Office Application Startup
      Using Valid Accounts
    Privilege Escalation
      Modifying the Domain Policy
      Using Valid Accounts
    Defense Evasion
      Modifying Domain Policy
      Impairing Defenses
      Modifying the Cloud Compute Infrastructure
      Using Unused/Unsupported Cloud Regions
      Using Alternate Authentication Material
      Using Valid Accounts
    Credential Access
      Using Brute Force Methods
      Forging Web Credentials
      Stealing an Application Access Token
      Stealing Web Session Cookies
      Using Unsecured Credentials
    Discovery
      Manipulating Account Discovery
      Manipulating Cloud Infrastructure Discovery
      Using a Cloud Service Dashboard
      Using Cloud Service Discovery
      Scanning Network Services
      Discovering Permission Groups
      Discovering Software
      Discovering System Information
      Discovering System Network Connections
    Lateral Movement
      Internal Spear Phishing
      Using Alternate Authentication Material
    Collection
      Collecting Data from a Cloud Storage Object
      Collecting Data from Information Repositories
      Collecting Staged Data
      Collecting Email
    Data Exfiltration
      Detecting Exfiltration
    Impact
      Defacement
      Endpoint Denial of Service
      Resource Hijacking
  Appendix H Glossary

Index
About the Authors

CHRIS PEIRIS, PhD, has advised Fortune 500 companies, Federal and State Governments, and Defense and Intelligence entities in the Americas, Asia, Japan, Europe, and Australia and New Zealand. He has 25+ years of IT industry experience. He is the author of 10 published books and is a highly sought-after keynote speaker.

BINIL PILLAI is a Microsoft Global Security Compliance and Identity (SCI) Director for Strategy and Business Development focusing on the Small Medium Enterprise segment. He has 21+ years of experience in B2B cybersecurity, digital transformation, and management consulting. He is also a board advisor to several start-ups, helping them grow their businesses successfully.

ABBAS KUDRATI is a CISO and cybersecurity practitioner. He is currently Microsoft Asia's Lead Chief Cybersecurity Advisor for the Security Solution Area and serves as Executive Advisor to Deakin University, LaTrobe University, HITRUST ASIA, and EC Council ASIA.