Table of Contents

Foreword xxxi

Introduction xxxiii

Part I Threat Hunting Frameworks 1

Chapter 1 Introduction to Threat Hunting 3

The Rise of Cybercrime 4

What Is Threat Hunting? 6

The Key Cyberthreats and Threat Actors 7

Phishing 7

Ransomware 8

Nation State 10

The Necessity of Threat Hunting 14

Does the Organization’s Size Matter? 17

Threat Modeling 19

Threat-Hunting Maturity Model 23

Organization Maturity and Readiness 23

Level 0: INITIAL 24

Level 1: MINIMAL 25

Level 2: PROCEDURAL 25

Level 3: INNOVATIVE 25

Level 4: LEADING 25

Human Elements of Threat Hunting 26

How Do You Make the Board of Directors Cyber-Smart? 27

Threat-Hunting Team Structure 30

External Model 30

Dedicated Internal Hunting Team Model 30

Combined/Hybrid Team Model 30

Periodic Hunt Teams Model 30

Urgent Need for Human-Led Threat Hunting 31

The Threat Hunter’s Role 31

Summary 33

Chapter 2 Modern Approach to Multi-Cloud Threat Hunting 35

Multi-Cloud Threat Hunting 35

Multi-Tenant Cloud Environment 38

Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39

Building Blocks for the Security Operations Center 41

Scope and Type of SOC 43

Services, Not Just Monitoring 43

SOC Model 43

Define a Process for Identifying and Managing Threats 44

Tools and Technologies to Empower SOC 44

People (Specialized Teams) 45

Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46

Cyberthreat Detection 46

Threat-Hunting Goals and Objectives 49

Threat Modeling and SOC 50

The Need for a Proactive Hunting Team Within SOC 50

Assume Breach and Be Proactive 51

Invest in People 51

Develop an Informed Hypothesis 52

Cyber Resiliency and Organizational Culture 53

Skillsets Required for Threat Hunting 54

Security Analysis 55

Data Analysis 56

Programming Languages 56

Analytical Mindset 56

Soft Skills 56

Outsourcing 56

Threat-Hunting Process and Procedures 57

Metrics for Assessing the Effectiveness of Threat Hunting 58

Foundational Metrics 58

Operational Metrics 59

Threat-Hunting Program Effectiveness 61

Summary 62

Chapter 3 Exploration of MITRE Key Attack Vectors 63

Understanding MITRE ATT&CK 63

What Is MITRE ATT&CK Used For? 64

How Is MITRE ATT&CK Used and Who Uses It? 65

How Is Testing Done According to MITRE? 65

Tactics 67

Techniques 67

Threat Hunting Using Five Common Tactics 69

Privilege Escalation 71

Case Study 72

Credential Access 73

Case Study 74

Lateral Movement 75

Case Study 75

Command and Control 77

Case Study 77

Exfiltration 79

Case Study 79

Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80

Zero Trust 80

Threat Intelligence and Zero Trust 83

Build Cloud-Based Defense-in-Depth 84

Analysis Tools 86

Microsoft Tools 86

Connect To All Your Data 87

Workbooks 88

Analytics 88

Security Automation and Orchestration 90

Investigation 91

Hunting 92

Community 92

AWS Tools 93

Analyzing Logs Directly 93

SIEMs in the Cloud 94

Summary 95

Resources 96

Part II Hunting in Microsoft Azure 99

Chapter 4 Microsoft Azure Cloud Threat Prevention Framework 101

Introduction to Microsoft Security 102

Understanding the Shared Responsibility Model 102

Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105

Overview of Azure Security Center and Azure Defender 105

Overview of Microsoft Azure Sentinel 108

Using Microsoft Secure and Protect Features 112

Identity & Access Management 113

Infrastructure & Network 114

Data & Application 115

Customer Access 115

Using Azure Web Application Firewall to Protect a Website Against an “Initial Access” TTP 116

Using Microsoft Defender for Office 365 to Protect Against an “Initial Access” TTP 118

Using Microsoft Defender Endpoint to Protect Against an “Initial Access” TTP 121

Using Azure Conditional Access to Protect Against an “Initial Access” TTP 123

Microsoft Detect Services 127

Detecting “Privilege Escalation” TTPs 128

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Privilege Escalation” TTP 128

Detecting Credential Access 131

Using Azure Identity Protection to Detect Threats Against a “Credential Access” TTP 132

Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Credential Access” TTP 137

Detecting Lateral Movement 139

Using Just-in-Time in ASC to Protect and Detect Threats Against a “Lateral Movement” TTP 139

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Lateral Movement” TTP 144

Detecting Command and Control 145

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Command and Control” TTP 146

Detecting Data Exfiltration 147

Using Azure Information Protection to Detect Threats Against a “Data Exfiltration” TTP 148

Discovering Sensitive Content Using AIP 149

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Data Exfiltration” TTP 153

Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154

Microsoft Investigate, Response, and Recover Features 155

Automating Investigation and Remediation with Microsoft Defender for Endpoint 157

Using Microsoft Threat Expert Support for Remediation and Investigation 159

Targeted Attack Notification 159

Experts on Demand 161

Automating Security Response with MCAS and Microsoft Flow 166

Step 1: Generate Your API Token in Cloud App Security 167

Step 2: Create Your Trigger in Microsoft Flow 167

Step 3: Create the Teams Message Action in Microsoft Flow 168

Step 4: Generate an Email in Microsoft Flow 168

Connecting the Flow in Cloud App Security 169

Performing an Automated Response Using Azure Security Center 170

Using Machine Learning and Artificial Intelligence in Threat Response 172

Overview of Fusion Detections 173

Overview of Azure Machine Learning 174

Summary 182

Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183

Introduction 183

Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184

Microsoft Security Architecture 185

The Identify Function 186

The Protect Function 187

The Detect Function 188

The Respond Function 189

The Recover Function 189

Using the Microsoft Reference Architecture 190

Microsoft Threat Intelligence 190

Service Trust Portal 192

Security Development Lifecycle (SDL) 193

Protecting the Hybrid Cloud Infrastructure 194

Azure Marketplace 194

Private Link 195

Azure Arc 196

Azure Lighthouse 197

Azure Firewall 198

Azure Web Application Firewall (WAF) 200

Azure DDOS Protection 200

Azure Key Vault 201

Azure Bastion 202

Azure Site Recovery 204

Azure Security Center (ASC) 205

Microsoft Azure Secure Score 205

Protecting Endpoints and Clients 206

Microsoft Endpoint Manager (MEM) Configuration Manager 207

Microsoft Intune 208

Protecting Identities and Access 209

Azure AD Conditional Access 210

Passwordless for End-to-End Secure Identity 211

Azure Active Directory (aka Azure AD) 211

Azure MFA 211

Azure Active Directory Identity Protection 212

Azure Active Directory Privilege Identity Management (PIM) 213

Microsoft Defender for Identity 214

Azure AD B2B and B2C 215

Azure AD Identity Governance 215

Protecting SaaS Apps 216

Protecting Data and Information 219

Azure Purview 220

Microsoft Information Protection (MIP) 221

Azure Information Protection Unified Labeling Scanner (File Scanner) 222

The Advanced eDiscovery Solution in Microsoft 365 223

Compliance Manager 224

Protecting IoT and Operation Technology 225

Security Concerns with IoT 226

Understanding That IoT Cybersecurity Starts with a Threat Model 227

Microsoft Investment in IoT Technology 229

Azure Sphere 229

Azure Defender 229

Azure Defender for IoT 230

Threat Modeling for the Azure IoT Reference Architecture 230

Azure Defender for IoT Architecture (Agentless Solutions) 233

Azure Defender for IoT Architecture (Agent-based solutions) 234

Understanding the Security Operations Solutions 235

Understanding the People Security Solutions 236

Attack Simulator 237

Insider Risk Management (IRM) 237

Communication Compliance 239

Summary 240

Part III Hunting in AWS 241

Chapter 6 AWS Cloud Threat Prevention Framework 243

Introduction to AWS Well-Architected Framework 244

The Five Pillars of the Well-Architected Framework 245

Operational Excellence 246

Security 246

Reliability 246

Performance Efficiency 246

Cost Optimization 246

The Shared Responsibility Model 246

AWS Services for Monitoring, Logging, and Alerting 248

AWS CloudTrail 249

Amazon CloudWatch Logs 251

Amazon VPC Flow Logs 252

Amazon GuardDuty 253

AWS Security Hub 254

AWS Protect Features 256

How Do You Prevent Initial Access? 256

How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256

Prerequisites 257

Create an API 257

Create and Configure an AWS WAF 259

AWS Detection Features 263

How Do You Detect Privilege Escalation? 263

How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions? 264

Prerequisites 264

Configure GuardDuty to Detect Privilege Escalation 265

Reviewing the Findings 266

How Do You Detect Credential Access? 269

How Do You Detect Unsecured Credentials? 269

Prerequisites 270

Reviewing the Findings 274

How Do You Detect Lateral Movement? 276

How Do You Detect the Use of Stolen Alternate Authentication Material? 277

Prerequisites 277

How Do You Detect Potential Unauthorized Access to Your AWS Resources? 277

Reviewing the Findings 278

How Do You Detect Command and Control? 280

How Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)? 281

Prerequisites 281

How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS? 281

Reviewing the Findings 282

How Do You Detect Data Exfiltration? 284

Prerequisites 285

How Do You Detect the Exfiltration Using an Anomalous API Request? 285

Reviewing the Findings 286

How Do You Handle Response and Recover? 289

Foundation of Incident Response 289

How Do You Create an Automated Response? 290

Automating Incident Responses 290

Options for Automating Responses 291

Cost Comparisons in Scanning Methods 293

Event-Driven Responses 294

How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295

Prerequisites 296

Creating a Trail in CloudTrail 296

Creating an SNS Topic to Send Emails 299

Creating Rules in Amazon EventBridge 302

How Do You Orchestrate and Recover? 305

Decision Trees 305

Use Alternative Accounts 305

View or Copy Data 306

Sharing Amazon EBS Snapshots 306

Sharing Amazon CloudWatch Logs 306

Use Immutable Storage 307

Launch Resources Near the Event 307

Isolate Resources 308

Launch Forensic Workstations 309

Instance Types and Locations 309

How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 310

Prerequisites 311

Aggregate and View Security Status in AWS Security Hub 311

Reviewing the Findings 312

Create Lambda Function to Orchestrate and Recover 314

How Are Machine Learning and Artificial Intelligence Used? 317

Summary 318

References 319

Chapter 7 AWS Reference Architecture 321

AWS Security Framework Overview 322

The Identify Function Overview 323

The Protect Function Overview 324

The Detect Function Overview 325

The Respond Function Overview 325

The Recover Function Overview 325

AWS Reference Architecture 326

The Identify Function 326

Security Hub 328

AWS Config 329

AWS Organizations 330

AWS Control Tower 331

AWS Trusted Advisor 332

AWS Well-Architected Tool 333

AWS Service Catalog 334

AWS Systems Manager 335

AWS Identity and Access Management (IAM) 337

AWS Single Sign-On (SSO) 338

AWS Shield 340

AWS Web Application Firewall (WAF) 340

AWS Firewall Manager 342

AWS Cloud HSM 343

AWS Secrets Manager 345

AWS Key Management Service (KMS) 345

AWS Certificate Manager 346

AWS IoT Device Defender 347

Amazon Virtual Private Cloud 347

AWS PrivateLink 349

AWS Direct Connect 349

AWS Transit Gateway 350

AWS Resource Access Manager 351

The Detect and Respond Functions 353

GuardDuty 354

Amazon Detective 356

Amazon Macie 357

Amazon Inspector 358

Amazon CloudTrail 359

Amazon CloudWatch 360

Amazon Lambda 361

AWS Step Functions 362

Amazon Route 53 363

AWS Personal Health Dashboard 364

The Recover Functions 365

Amazon Glacier 366

AWS CloudFormation 366

CloudEndure Disaster Recovery 367

AWS OpsWorks 368

Summary 369

Part IV The Future 371

Chapter 8 Threat Hunting in Other Cloud Providers 373

The Google Cloud Platform 374

Google Cloud Platform Security Architecture Alignment to NIST 376

The Identify Function 376

The Protect Function 378

The Detect Function 380

The Respond Function 382

The Recover Function 383

The IBM Cloud 385

Oracle Cloud Infrastructure Security 386

Oracle SaaS Cloud Security Threat Intelligence 387

The Alibaba Cloud 388

Summary 389

References 389

Chapter 9 The Future of Threat Hunting 391

Artificial Intelligence and Machine Learning 393

How ML Reduces False Positives 395

How Machine Intelligence Applies to Malware Detection 395

How Machine Intelligence Applies to Risk Scoring in a Network 396

Advances in Quantum Computing 396

Quantum Computing Challenges 398

Preparing for the Quantum Future 399

Advances in IoT and Their Impact 399

Growing IoT Cybersecurity Risks 401

Preparing for IoT Challenges 403

Operational Technology (OT) 405

Importance of OT Security 406

Blockchain 406

The Future of Cybersecurity with Blockchain 407

Threat Hunting as a Service 407

The Evolution of the Threat-Hunting Tool 408

Potential Regulatory Guidance 408

Summary 409

References 409

Part V Appendices 411

Appendix A MITRE ATT&CK Tactics 413

Appendix B Privilege Escalation 415

Appendix C Credential Access 421

Appendix D Lateral Movement 431

Appendix E Command and Control 435

Appendix F Data Exfiltration 443

Appendix G MITRE Cloud Matrix 447

Initial Access 447

Drive-by Compromise 447

Exploiting a Public-Facing Application 450

Phishing 450

Using Trusted Relationships 451

Using Valid Accounts 452

Persistence 452

Manipulating Accounts 452

Creating Accounts 453

Implanting a Container Image 454

Office Application Startup 454

Using Valid Accounts 455

Privilege Escalation 456

Modifying the Domain Policy 456

Using Valid Accounts 457

Defense Evasion 457

Modifying Domain Policy 457

Impairing Defenses 458

Modifying the Cloud Compute Infrastructure 459

Using Unused/Unsupported Cloud Regions 459

Using Alternate Authentication Material 460

Using Valid Accounts 461

Credential Access 461

Using Brute Force Methods 461

Forging Web Credentials 462

Stealing an Application Access Token 462

Stealing Web Session Cookies 463

Using Unsecured Credentials 464

Discovery 464

Manipulating Account Discovery 464

Manipulating Cloud Infrastructure Discovery 465

Using a Cloud Service Dashboard 466

Using Cloud Service Discovery 466

Scanning Network Services 467

Discovering Permission Groups 467

Discovering Software 468

Discovering System Information 468

Discovering System Network Connections 469

Lateral Movement 469

Internal Spear Phishing 469

Using Alternate Authentication Material 470

Collection 471

Collecting Data from a Cloud Storage Object 471

Collecting Data from Information Repositories 471

Collecting Staged Data 472

Collecting Email 473

Data Exfiltration 474

Detecting Exfiltration 474

Impact 475

Defacement 475

Endpoint Denial of Service 475

Resource Hijacking 477

Appendix H Glossary 479

Index 489

Threat Hunting in the Cloud


Paperback / softback by Chris Peiris, Binil Pillai, Abbas Kudrati


      Publisher: John Wiley & Sons Inc
      Publication Date: 18/11/2021
      ISBN13: 9781119804062, 978-1119804062
      ISBN10: 111980406X
