Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks

Format
Paperback, 544 pages
Published
United States, 1 October 2021

CHRIS PEIRIS, PhD, has advised Fortune 500 companies, Federal and State Governments, and Defense and Intelligence entities in the Americas, Asia, Japan, Europe, and Australia New Zealand. He has 25+ years of IT industry experience. He is the author of 10 published books and is a highly sought-after keynote speaker. BINIL PILLAI is a Microsoft Global Security Compliance and Identity (SCI) Director for Strategy and Business Development focusing on the Small Medium Enterprise segment. He has 21+ years of experience in B2B cybersecurity, digital transformation, and management consulting. He is also a board advisor to several start-ups to help grow their businesses successfully. ABBAS KUDRATI is a CISO and cybersecurity practitioner. He is currently Microsoft Asia's Lead Chief Cybersecurity Advisor for the Security Solution Area and serves as Executive Advisor to Deakin University, LaTrobe University, HITRUST ASIA, and EC Council ASIA.


Table of Contents

Foreword xxxi
Introduction xxxiii

Part I Threat Hunting Frameworks 1

Chapter 1 Introduction to Threat Hunting 3
The Rise of Cybercrime 4
What Is Threat Hunting? 6
The Key Cyberthreats and Threat Actors 7
Phishing 7
Ransomware 8
Nation State 10
The Necessity of Threat Hunting 14
Does the Organization's Size Matter? 17
Threat Modeling 19
Threat-Hunting Maturity Model 23
Organization Maturity and Readiness 23
Level 0: INITIAL 24
Level 1: MINIMAL 25
Level 2: PROCEDURAL 25
Level 3: INNOVATIVE 25
Level 4: LEADING 25
Human Elements of Threat Hunting 26
How Do You Make the Board of Directors Cyber-Smart? 27
Threat-Hunting Team Structure 30
External Model 30
Dedicated Internal Hunting Team Model 30
Combined/Hybrid Team Model 30
Periodic Hunt Teams Model 30
Urgent Need for Human-Led Threat Hunting 31
The Threat Hunter's Role 31
Summary 33

Chapter 2 Modern Approach to Multi-Cloud Threat Hunting 35
Multi-Cloud Threat Hunting 35
Multi-Tenant Cloud Environment 38
Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39
Building Blocks for the Security Operations Center 41
Scope and Type of SOC 43
Services, Not Just Monitoring 43
SOC Model 43
Define a Process for Identifying and Managing Threats 44
Tools and Technologies to Empower SOC 44
People (Specialized Teams) 45
Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46
Cyberthreat Detection 46
Threat-Hunting Goals and Objectives 49
Threat Modeling and SOC 50
The Need for a Proactive Hunting Team Within SOC 50
Assume Breach and Be Proactive 51
Invest in People 51
Develop an Informed Hypothesis 52
Cyber Resiliency and Organizational Culture 53
Skillsets Required for Threat Hunting 54
Security Analysis 55
Data Analysis 56
Programming Languages 56
Analytical Mindset 56
Soft Skills 56
Outsourcing 56
Threat-Hunting Process and Procedures 57
Metrics for Assessing the Effectiveness of Threat Hunting 58
Foundational Metrics 58
Operational Metrics 59
Threat-Hunting Program Effectiveness 61
Summary 62

Chapter 3 Exploration of MITRE Key Attack Vectors 63
Understanding MITRE ATT&CK 63
What Is MITRE ATT&CK Used For? 64
How Is MITRE ATT&CK Used and Who Uses It? 65
How Is Testing Done According to MITRE? 65
Tactics 67
Techniques 67
Threat Hunting Using Five Common Tactics 69
Privilege Escalation 71
Case Study 72
Credential Access 73
Case Study 74
Lateral Movement 75
Case Study 75
Command and Control 77
Case Study 77
Exfiltration 79
Case Study 79
Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80
Zero Trust 80
Threat Intelligence and Zero Trust 83
Build Cloud-Based Defense-in-Depth 84
Analysis Tools 86
Microsoft Tools 86
Connect To All Your Data 87
Workbooks 88
Analytics 88
Security Automation and Orchestration 90
Investigation 91
Hunting 92
Community 92
AWS Tools 93
Analyzing Logs Directly 93
SIEMs in the Cloud 94
Summary 95
Resources 96

Part II Hunting in Microsoft Azure 99

Chapter 4 Microsoft Azure Cloud Threat Prevention Framework 101
Introduction to Microsoft Security 102
Understanding the Shared Responsibility Model 102
Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105
Overview of Azure Security Center and Azure Defender 105
Overview of Microsoft Azure Sentinel 108
Using Microsoft Secure and Protect Features 112
Identity & Access Management 113
Infrastructure & Network 114
Data & Application 115
Customer Access 115
Using Azure Web Application Firewall to Protect a Website Against an "Initial Access" TTP 116
Using Microsoft Defender for Office 365 to Protect Against an "Initial Access" TTP 118
Using Microsoft Defender for Endpoint to Protect Against an "Initial Access" TTP 121
Using Azure Conditional Access to Protect Against an "Initial Access" TTP 123
Microsoft Detect Services 127
Detecting "Privilege Escalation" TTPs 128
Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Privilege Escalation" TTP 128
Detecting Credential Access 131
Using Azure Identity Protection to Detect Threats Against a "Credential Access" TTP 132
Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134
Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Credential Access" TTP 137
Detecting Lateral Movement 139
Using Just-in-Time in ASC to Protect and Detect Threats Against a "Lateral Movement" TTP 139
Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Lateral Movement" TTP 144
Detecting Command and Control 145
Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Command and Control" TTP 146
Detecting Data Exfiltration 147
Using Azure Information Protection to Detect Threats Against a "Data Exfiltration" TTP 148
Discovering Sensitive Content Using AIP 149
Using Azure Security Center and Azure Sentinel to Detect Threats Against a "Data Exfiltration" TTP 153
Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154
Microsoft Investigate, Respond, and Recover Features 155
Automating Investigation and Remediation with Microsoft Defender for Endpoint 157
Using Microsoft Threat Expert Support for Remediation and Investigation 159
Targeted Attack Notification 159
Experts on Demand 161
Automating Security Response with MCAS and Microsoft Flow 166
Step 1: Generate Your API Token in Cloud App Security 167
Step 2: Create Your Trigger in Microsoft Flow 167
Step 3: Create the Teams Message Action in Microsoft Flow 168
Step 4: Generate an Email in Microsoft Flow 168
Connecting the Flow in Cloud App Security 169
Performing an Automated Response Using Azure Security Center 170
Using Machine Learning and Artificial Intelligence in Threat Response 172
Overview of Fusion Detections 173
Overview of Azure Machine Learning 174
Summary 182

Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183
Introduction 183
Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184
Microsoft Security Architecture 185
The Identify Function 186
The Protect Function 187
The Detect Function 188
The Respond Function 189
The Recover Function 189
Using the Microsoft Reference Architecture 190
Microsoft Threat Intelligence 190
Service Trust Portal 192
Security Development Lifecycle (SDL) 193
Protecting the Hybrid Cloud Infrastructure 194
Azure Marketplace 194
Private Link 195
Azure Arc 196
Azure Lighthouse 197
Azure Firewall 198
Azure Web Application Firewall (WAF) 200
Azure DDoS Protection 200
Azure Key Vault 201
Azure Bastion 202
Azure Site Recovery 204
Azure Security Center (ASC) 205
Microsoft Azure Secure Score 205
Protecting Endpoints and Clients 206
Microsoft Endpoint Manager (MEM) Configuration Manager 207
Microsoft Intune 208
Protecting Identities and Access 209
Azure AD Conditional Access 210
Passwordless for End-to-End Secure Identity 211
Azure Active Directory (aka Azure AD) 211
Azure MFA 211
Azure Active Directory Identity Protection 212
Azure Active Directory Privileged Identity Management (PIM) 213
Microsoft Defender for Identity 214
Azure AD B2B and B2C 215
Azure AD Identity Governance 215
Protecting SaaS Apps 216
Protecting Data and Information 219
Azure Purview 220
Microsoft Information Protection (MIP) 221
Azure Information Protection Unified Labeling Scanner (File Scanner) 222
The Advanced eDiscovery Solution in Microsoft 365 223
Compliance Manager 224
Protecting IoT and Operational Technology 225
Security Concerns with IoT 226
Understanding That IoT Cybersecurity Starts with a Threat Model 227
Microsoft Investment in IoT Technology 229
Azure Sphere 229
Azure Defender 229
Azure Defender for IoT 230
Threat Modeling for the Azure IoT Reference Architecture 230
Azure Defender for IoT Architecture (Agentless Solutions) 233
Azure Defender for IoT Architecture (Agent-Based Solutions) 234
Understanding the Security Operations Solutions 235
Understanding the People Security Solutions 236
Attack Simulator 237
Insider Risk Management (IRM) 237
Communication Compliance 239
Summary 240

Part III Hunting in AWS 241

Chapter 6 AWS Cloud Threat Prevention Framework 243
Introduction to the AWS Well-Architected Framework 244
The Five Pillars of the Well-Architected Framework 245
Operational Excellence 246
Security 246
Reliability 246
Performance Efficiency 246
Cost Optimization 246
The Shared Responsibility Model 246
AWS Services for Monitoring, Logging, and Alerting 248
AWS CloudTrail 249
Amazon CloudWatch Logs 251
Amazon VPC Flow Logs 252
Amazon GuardDuty 253
AWS Security Hub 254
AWS Protect Features 256
How Do You Prevent Initial Access? 256
How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256
Prerequisites 257
Create an API 257
Create and Configure an AWS WAF 259
AWS Detection Features 263
How Do You Detect Privilege Escalation? 263
How Do You Detect the Abuse of Valid Accounts to Obtain High-Level Permissions? 264
Prerequisites 264
Configure GuardDuty to Detect Privilege Escalation 265
Reviewing the Findings 266
How Do You Detect Credential Access? 269
How Do You Detect Unsecured Credentials? 269
Prerequisites 270
Reviewing the Findings 274
How Do You Detect Lateral Movement? 276
How Do You Detect the Use of Stolen Alternate Authentication Material? 277
Prerequisites 277
How Do You Detect Potential Unauthorized Access to Your AWS Resources? 277
Reviewing the Findings 278
How Do You Detect Command and Control? 280
How Do You Detect Communications to a Command and Control Server Using the Domain Name System (DNS)? 281
Prerequisites 281
How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS? 281
Reviewing the Findings 282
How Do You Detect Data Exfiltration? 284
Prerequisites 285
How Do You Detect Exfiltration Using an Anomalous API Request? 285
Reviewing the Findings 286
How Do You Handle Response and Recovery? 289
Foundation of Incident Response 289
How Do You Create an Automated Response? 290
Automating Incident Responses 290
Options for Automating Responses 291
Cost Comparisons in Scanning Methods 293
Event-Driven Responses 294
How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295
Prerequisites 296
Creating a Trail in CloudTrail 296
Creating an SNS Topic to Send Emails 299
Creating Rules in Amazon EventBridge 302
How Do You Orchestrate and Recover? 305
Decision Trees 305
Use Alternative Accounts 305
View or Copy Data 306
Sharing Amazon EBS Snapshots 306
Sharing Amazon CloudWatch Logs 306
Use Immutable Storage 307
Launch Resources Near the Event 307
Isolate Resources 308
Launch Forensic Workstations 309
Instance Types and Locations 309
How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 310
Prerequisites 311
Aggregate and View Security Status in AWS Security Hub 311
Reviewing the Findings 312
Create a Lambda Function to Orchestrate and Recover 314
How Are Machine Learning and Artificial Intelligence Used? 317
Summary 318
References 319

Chapter 7 AWS Reference Architecture 321
AWS Security Framework Overview 322
The Identify Function Overview 323
The Protect Function Overview 324
The Detect Function Overview 325
The Respond Function Overview 325
The Recover Function Overview 325
AWS Reference Architecture 326
The Identify Function 326
Security Hub 328
AWS Config 329
AWS Organizations 330
AWS Control Tower 331
AWS Trusted Advisor 332
AWS Well-Architected Tool 333
AWS Service Catalog 334
AWS Systems Manager 335
AWS Identity and Access Management (IAM) 337
AWS Single Sign-On (SSO) 338
AWS Shield 340
AWS Web Application Firewall (WAF) 340
AWS Firewall Manager 342
AWS CloudHSM 343
AWS Secrets Manager 345
AWS Key Management Service (KMS) 345
AWS Certificate Manager 346
AWS IoT Device Defender 347
Amazon Virtual Private Cloud 347
AWS PrivateLink 349
AWS Direct Connect 349
AWS Transit Gateway 350
AWS Resource Access Manager 351
The Detect and Respond Functions 353
GuardDuty 354
Amazon Detective 356
Amazon Macie 357
Amazon Inspector 358
Amazon CloudTrail 359
Amazon CloudWatch 360
Amazon Lambda 361
AWS Step Functions 362
Amazon Route 53 363
AWS Personal Health Dashboard 364
The Recover Functions 365
Amazon Glacier 366
AWS CloudFormation 366
CloudEndure Disaster Recovery 367
AWS OpsWorks 368
Summary 369

Part IV The Future 371

Chapter 8 Threat Hunting in Other Cloud Providers 373
The Google Cloud Platform 374
Google Cloud Platform Security Architecture Alignment to NIST 376
The Identify Function 376
The Protect Function 378
The Detect Function 380
The Respond Function 382
The Recover Function 383
The IBM Cloud 385
Oracle Cloud Infrastructure Security 386
Oracle SaaS Cloud Security Threat Intelligence 387
The Alibaba Cloud 388
Summary 389
References 389

Chapter 9 The Future of Threat Hunting 391
Artificial Intelligence and Machine Learning 393
How ML Reduces False Positives 395
How Machine Intelligence Applies to Malware Detection 395
How Machine Intelligence Applies to Risk Scoring in a Network 396
Advances in Quantum Computing 396
Quantum Computing Challenges 398
Preparing for the Quantum Future 399
Advances in IoT and Their Impact 399
Growing IoT Cybersecurity Risks 401
Preparing for IoT Challenges 403
Operational Technology (OT) 405
Importance of OT Security 406
Blockchain 406
The Future of Cybersecurity with Blockchain 407
Threat Hunting as a Service 407
The Evolution of the Threat-Hunting Tool 408
Potential Regulatory Guidance 408
Summary 409
References 409

Part V Appendices 411

Appendix A MITRE ATT&CK Tactics 413
Appendix B Privilege Escalation 415
Appendix C Credential Access 421
Appendix D Lateral Movement 431
Appendix E Command and Control 435
Appendix F Data Exfiltration 443
Appendix G MITRE Cloud Matrix 447
Initial Access 447
Drive-by Compromise 447
Exploiting a Public-Facing Application 450
Phishing 450
Using Trusted Relationships 451
Using Valid Accounts 452
Persistence 452
Manipulating Accounts 452
Creating Accounts 453
Implanting a Container Image 454
Office Application Startup 454
Using Valid Accounts 455
Privilege Escalation 456
Modifying the Domain Policy 456
Using Valid Accounts 457
Defense Evasion 457
Modifying Domain Policy 457
Impairing Defenses 458
Modifying the Cloud Compute Infrastructure 459
Using Unused/Unsupported Cloud Regions 459
Using Alternate Authentication Material 460
Using Valid Accounts 461
Credential Access 461
Using Brute Force Methods 461
Forging Web Credentials 462
Stealing an Application Access Token 462
Stealing Web Session Cookies 463
Using Unsecured Credentials 464
Discovery 464
Manipulating Account Discovery 464
Manipulating Cloud Infrastructure Discovery 465
Using a Cloud Service Dashboard 466
Using Cloud Service Discovery 466
Scanning Network Services 467
Discovering Permission Groups 467
Discovering Software 468
Discovering System Information 468
Discovering System Network Connections 469
Lateral Movement 469
Internal Spear Phishing 469
Using Alternate Authentication Material 470
Collection 471
Collecting Data from a Cloud Storage Object 471
Collecting Data from Information Repositories 471
Collecting Staged Data 472
Collecting Email 473
Data Exfiltration 474
Detecting Exfiltration 474
Impact 475
Defacement 475
Endpoint Denial of Service 475
Resource Hijacking 477
Appendix H Glossary 479
Index 489




Show more
Product Details
EAN
9781119804062
ISBN
111980406X
Publisher
Dimensions
23.6 x 18.9 x 2.6 centimeters (0.54 kg)

Table of Contents

Foreword xxxi

Introduction xxxiii

Part I Threat Hunting Frameworks 1

Chapter 1 Introduction to Threat Hunting 3

The Rise of Cybercrime 4

What Is Threat Hunting? 6

The Key Cyberthreats and Threat Actors 7

Phishing 7

Ransomware 8

Nation State 10

The Necessity of Threat Hunting 14

Does the Organization’s Size Matter? 17

Threat Modeling 19

Threat-Hunting Maturity Model 23

Organization Maturity and Readiness 23

Level 0: INITIAL 24

Level 1: MINIMAL 25

Level 2: PROCEDURAL 25

Level 3: INNOVATIVE 25

Level 4: LEADING 25

Human Elements of Threat Hunting 26

How Do You Make the Board of Directors Cyber-Smart? 27

Threat-Hunting Team Structure 30

External Model 30

Dedicated Internal Hunting Team Model 30

Combined/Hybrid Team Model 30

Periodic Hunt Teams Model 30

Urgent Need for Human-Led Threat Hunting 31

The Threat Hunter’s Role 31

Summary 33

Chapter 2 Modern Approach to Multi-Cloud Threat Hunting 35

Multi-Cloud Threat Hunting 35

Multi-Tenant Cloud Environment 38

Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39

Building Blocks for the Security Operations Center 41

Scope and Type of SOC 43

Services, Not Just Monitoring 43

SOC Model 43

Define a Process for Identifying and Managing Threats 44

Tools and Technologies to Empower SOC 44

People (Specialized Teams) 45

Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46

Cyberthreat Detection 46

Threat-Hunting Goals and Objectives 49

Threat Modeling and SOC 50

The Need for a Proactive Hunting Team Within SOC 50

Assume Breach and Be Proactive 51

Invest in People 51

Develop an Informed Hypothesis 52

Cyber Resiliency and Organizational Culture 53

Skillsets Required for Threat Hunting 54

Security Analysis 55

Data Analysis 56

Programming Languages 56

Analytical Mindset 56

Soft Skills 56

Outsourcing 56

Threat-Hunting Process and Procedures 57

Metrics for Assessing the Effectiveness of Threat Hunting 58

Foundational Metrics 58

Operational Metrics 59

Threat-Hunting Program Effectiveness 61

Summary 62

Chapter 3 Exploration of MITRE Key Attack Vectors 63

Understanding MITRE ATT&CK 63

What Is MITRE ATT&CK Used For? 64

How Is MITRE ATT&CK Used and Who Uses It? 65

How Is Testing Done According to MITRE? 65

Tactics 67

Techniques 67

Threat Hunting Using Five Common Tactics 69

Privilege Escalation 71

Case Study 72

Credential Access 73

Case Study 74

Lateral Movement 75

Case Study 75

Command and Control 77

Case Study 77

Exfiltration 79

Case Study 79

Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80

Zero Trust 80

Threat Intelligence and Zero Trust 83

Build Cloud-Based Defense-in-Depth 84

Analysis Tools 86

Microsoft Tools 86

Connect To All Your Data 87

Workbooks 88

Analytics 88

Security Automation and Orchestration 90

Investigation 91

Hunting 92

Community 92

AWS Tools 93

Analyzing Logs Directly 93

SIEMs in the Cloud 94

Summary 95

Resources 96

Part II Hunting in Microsoft Azure 99

Chapter 4 Microsoft Azure Cloud Threat Prevention Framework 101

Introduction to Microsoft Security 102

Understanding the Shared Responsibility Model 102

Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105

Overview of Azure Security Center and Azure Defender 105

Overview of Microsoft Azure Sentinel 108

Using Microsoft Secure and Protect Features 112

Identity & Access Management 113

Infrastructure & Network 114

Data & Application 115

Customer Access 115

Using Azure Web Application Firewall to Protect a Website Against an “Initial Access” TTP 116

Using Microsoft Defender for Office 365 to Protect Against an “Initial Access” TTP 118

Using Microsoft Defender Endpoint to Protect Against an “Initial Access” TTP 121

Using Azure Conditional Access to Protect Against an “Initial Access” TTP 123

Microsoft Detect Services 127

Detecting “Privilege Escalation” TTPs 128

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Privilege Escalation” TTP 128

Detecting Credential Access 131

Using Azure Identity Protection to Detect Threats Against a “Credential Access” TTP 132

Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Credential Access” TTP 137

Detecting Lateral Movement 139

Using Just-in-Time in ASC to Protect and Detect Threats Against a “Lateral Movement” TTP 139

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Lateral Movement” TTP 144

Detecting Command and Control 145

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Command and Control” TTP 146

Detecting Data Exfiltration 147

Using Azure Information Protection to Detect Threats Against a “Data Exfiltration” TTP 148

Discovering Sensitive Content Using AIP 149

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Data Exfiltration” TTP 153

Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154

Microsoft Investigate, Response, and Recover Features 155

Automating Investigation and Remediation with Microsoft Defender for Endpoint 157

Using Microsoft Threat Expert Support for Remediation and Investigation 159

Targeted Attack Notification 159

Experts on Demand 161

Automating Security Response with MCAS and Microsoft Flow 166

Step 1: Generate Your API Token in Cloud App Security 167

Step 2: Create Your Trigger in Microsoft Flow 167

Step 3: Create the Teams Message Action in Microsoft Flow 168

Step 4: Generate an Email in Microsoft Flow 168

Connecting the Flow in Cloud App Security 169

Performing an Automated Response Using Azure Security Center 170

Using Machine Learning and Artificial Intelligence in Threat Response 172

Overview of Fusion Detections 173

Overview of Azure Machine Learning 174

Summary 182

Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183

Introduction 183

Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184

Microsoft Security Architecture 185

The Identify Function 186

The Protect Function 187

The Detect Function 188

The Respond Function 189

The Recover Function 189

Using the Microsoft Reference Architecture 190

Microsoft Threat Intelligence 190

Service Trust Portal 192

Security Development Lifecycle (SDL) 193

Protecting the Hybrid Cloud Infrastructure 194

Azure Marketplace 194

Private Link 195

Azure Arc 196

Azure Lighthouse 197

Azure Firewall 198

Azure Web Application Firewall (WAF) 200

Azure DDOS Protection 200

Azure Key Vault 201

Azure Bastion 202

Azure Site Recovery 204

Azure Security Center (ASC) 205

Microsoft Azure Secure Score 205

Protecting Endpoints and Clients 206

Microsoft Endpoint Manager (MEM) Configuration Manager 207

Microsoft Intune 208

Protecting Identities and Access 209

Azure AD Conditional Access 210

Passwordless for End-to-End Secure Identity 211

Azure Active Directory (aka Azure AD) 211

Azure MFA 211

Azure Active Directory Identity Protection 212

Azure Active Directory Privilege Identity Management (PIM) 213

Microsoft Defender for Identity 214

Azure AD B2B and B2C 215

Azure AD Identity Governance 215

Protecting SaaS Apps 216

Protecting Data and Information 219

Azure Purview 220

Microsoft Information Protection (MIP) 221

Azure Information Protection Unified Labeling Scanner (File Scanner) 222

The Advanced eDiscovery Solution in Microsoft 365 223

Compliance Manager 224

Protecting IoT and Operation Technology 225

Security Concerns with IoT 226

Understanding That IoT Cybersecurity Starts with a Threat Model 227

Microsoft Investment in IoT Technology 229

Azure Sphere 229

Azure Defender 229

Azure Defender for IoT 230

Threat Modeling for the Azure IoT Reference Architecture 230

Azure Defender for IoT Architecture (Agentless Solutions) 233

Azure Defender for IoT Architecture (Agent-Based Solutions) 234

Understanding the Security Operations Solutions 235

Understanding the People Security Solutions 236

Attack Simulator 237

Insider Risk Management (IRM) 237

Communication Compliance 239

Summary 240

Part III Hunting in AWS 241

Chapter 6 AWS Cloud Threat Prevention Framework 243

Introduction to AWS Well-Architected Framework 244

The Five Pillars of the Well-Architected Framework 245

Operational Excellence 246

Security 246

Reliability 246

Performance Efficiency 246

Cost Optimization 246

The Shared Responsibility Model 246

AWS Services for Monitoring, Logging, and Alerting 248

AWS CloudTrail 249

Amazon CloudWatch Logs 251

Amazon VPC Flow Logs 252

Amazon GuardDuty 253

AWS Security Hub 254

AWS Protect Features 256

How Do You Prevent Initial Access? 256

How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256

Prerequisites 257

Create an API 257

Create and Configure an AWS WAF 259

AWS Detection Features 263

How Do You Detect Privilege Escalation? 263

How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions? 264

Prerequisites 264

Configure GuardDuty to Detect Privilege Escalation 265

Reviewing the Findings 266

How Do You Detect Credential Access? 269

How Do You Detect Unsecured Credentials? 269

Prerequisites 270

Reviewing the Findings 274

How Do You Detect Lateral Movement? 276

How Do You Detect the Use of Stolen Alternate Authentication Material? 277

Prerequisites 277

How Do You Detect Potential Unauthorized Access to Your AWS Resources? 277

Reviewing the Findings 278

How Do You Detect Command and Control? 280

How Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)? 281

Prerequisites 281

How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS? 281

Reviewing the Findings 282

How Do You Detect Data Exfiltration? 284

Prerequisites 285

How Do You Detect the Exfiltration Using an Anomalous API Request? 285

Reviewing the Findings 286

How Do You Handle Response and Recover? 289

Foundation of Incident Response 289

How Do You Create an Automated Response? 290

Automating Incident Responses 290

Options for Automating Responses 291

Cost Comparisons in Scanning Methods 293

Event-Driven Responses 294

How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295

Prerequisites 296

Creating a Trail in CloudTrail 296

Creating an SNS Topic to Send Emails 299

Creating Rules in Amazon EventBridge 302

How Do You Orchestrate and Recover? 305

Decision Trees 305

Use Alternative Accounts 305

View or Copy Data 306

Sharing Amazon EBS Snapshots 306

Sharing Amazon CloudWatch Logs 306

Use Immutable Storage 307

Launch Resources Near the Event 307

Isolate Resources 308

Launch Forensic Workstations 309

Instance Types and Locations 309

How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 310

Prerequisites 311

Aggregate and View Security Status in AWS Security Hub 311

Reviewing the Findings 312

Create Lambda Function to Orchestrate and Recover 314

How Are Machine Learning and Artificial Intelligence Used? 317

Summary 318

References 319

Chapter 7 AWS Reference Architecture 321

AWS Security Framework Overview 322

The Identify Function Overview 323

The Protect Function Overview 324

The Detect Function Overview 325

The Respond Function Overview 325

The Recover Function Overview 325

AWS Reference Architecture 326

The Identify Function 326

Security Hub 328

AWS Config 329

AWS Organizations 330

AWS Control Tower 331

AWS Trusted Advisor 332

AWS Well-Architected Tool 333

AWS Service Catalog 334

AWS Systems Manager 335

AWS Identity and Access Management (IAM) 337

AWS Single Sign-On (SSO) 338

AWS Shield 340

AWS Web Application Firewall (WAF) 340

AWS Firewall Manager 342

AWS Cloud HSM 343

AWS Secrets Manager 345

AWS Key Management Service (KMS) 345

AWS Certificate Manager 346

AWS IoT Device Defender 347

Amazon Virtual Private Cloud 347

AWS PrivateLink 349

AWS Direct Connect 349

AWS Transit Gateway 350

AWS Resource Access Manager 351

The Detect and Respond Functions 353

GuardDuty 354

Amazon Detective 356

Amazon Macie 357

Amazon Inspector 358

Amazon CloudTrail 359

Amazon CloudWatch 360

Amazon Lambda 361

AWS Step Functions 362

Amazon Route 53 363

AWS Personal Health Dashboard 364

The Recover Functions 365

Amazon Glacier 366

AWS CloudFormation 366

CloudEndure Disaster Recovery 367

AWS OpsWorks 368

Summary 369

Part IV The Future 371

Chapter 8 Threat Hunting in Other Cloud Providers 373

The Google Cloud Platform 374

Google Cloud Platform Security Architecture Alignment to NIST 376

The Identify Function 376

The Protect Function 378

The Detect Function 380

The Respond Function 382

The Recover Function 383

The IBM Cloud 385

Oracle Cloud Infrastructure Security 386

Oracle SaaS Cloud Security Threat Intelligence 387

The Alibaba Cloud 388

Summary 389

References 389

Chapter 9 The Future of Threat Hunting 391

Artificial Intelligence and Machine Learning 393

How ML Reduces False Positives 395

How Machine Intelligence Applies to Malware Detection 395

How Machine Intelligence Applies to Risk Scoring in a Network 396

Advances in Quantum Computing 396

Quantum Computing Challenges 398

Preparing for the Quantum Future 399

Advances in IoT and Their Impact 399

Growing IoT Cybersecurity Risks 401

Preparing for IoT Challenges 403

Operational Technology (OT) 405

Importance of OT Security 406

Blockchain 406

The Future of Cybersecurity with Blockchain 407

Threat Hunting as a Service 407

The Evolution of the Threat-Hunting Tool 408

Potential Regulatory Guidance 408

Summary 409

References 409

Part V Appendices 411

Appendix A MITRE ATT&CK Tactics 413

Appendix B Privilege Escalation 415

Appendix C Credential Access 421

Appendix D Lateral Movement 431

Appendix E Command and Control 435

Appendix F Data Exfiltration 443

Appendix G MITRE Cloud Matrix 447

Initial Access 447

Drive-by Compromise 447

Exploiting a Public-Facing Application 450

Phishing 450

Using Trusted Relationships 451

Using Valid Accounts 452

Persistence 452

Manipulating Accounts 452

Creating Accounts 453

Implanting a Container Image 454

Office Application Startup 454

Using Valid Accounts 455

Privilege Escalation 456

Modifying the Domain Policy 456

Using Valid Accounts 457

Defense Evasion 457

Modifying Domain Policy 457

Impairing Defenses 458

Modifying the Cloud Compute Infrastructure 459

Using Unused/Unsupported Cloud Regions 459

Using Alternate Authentication Material 460

Using Valid Accounts 461

Credential Access 461

Using Brute Force Methods 461

Forging Web Credentials 462

Stealing an Application Access Token 462

Stealing Web Session Cookies 463

Using Unsecured Credentials 464

Discovery 464

Manipulating Account Discovery 464

Manipulating Cloud Infrastructure Discovery 465

Using a Cloud Service Dashboard 466

Using Cloud Service Discovery 466

Scanning Network Services 467

Discovering Permission Groups 467

Discovering Software 468

Discovering System Information 468

Discovering System Network Connections 469

Lateral Movement 469

Internal Spear Phishing 469

Using Alternate Authentication Material 470

Collection 471

Collecting Data from a Cloud Storage Object 471

Collecting Data from Information Repositories 471

Collecting Staged Data 472

Collecting Email 473

Data Exfiltration 474

Detecting Exfiltration 474

Impact 475

Defacement 475

Endpoint Denial of Service 475

Resource Hijacking 477

Appendix H Glossary 479

Index 489

About the Authors

CHRIS PEIRIS, PhD, has advised Fortune 500 companies, Federal and State Governments, and Defense and Intelligence entities in the Americas, Asia, Japan, Europe, and Australia and New Zealand. He has 25+ years of IT industry experience. He is the author of 10 published books and is a highly sought-after keynote speaker.

BINIL PILLAI is a Microsoft Global Security Compliance and Identity (SCI) Director for Strategy and Business Development focusing on the Small and Medium Enterprise segment. He has 21+ years of experience in B2B cybersecurity, digital transformation, and management consulting. He is also a board advisor to several start-ups, helping them grow their businesses successfully.

ABBAS KUDRATI is a CISO and cybersecurity practitioner. He is currently Microsoft Asia's Lead Chief Cybersecurity Advisor for the Security Solution Area and serves as Executive Advisor to Deakin University, LaTrobe University, HITRUST ASIA, and EC Council ASIA.
