{"product_id":"threat-hunting-in-the-cloud-9781119804062","title":"Threat Hunting in the Cloud","description":"\u003cb\u003eBook Synopsis\u003c\/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eTable of Contents\u003c\/b\u003e\u003cbr\u003e\u003cp\u003eForeword xxxi\u003c\/p\u003e \u003cp\u003eIntroduction xxxiii\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I Threat Hunting Frameworks 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Introduction to Threat Hunting 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Rise of Cybercrime 4\u003c\/p\u003e \u003cp\u003eWhat Is Threat Hunting? 6\u003c\/p\u003e \u003cp\u003eThe Key Cyberthreats and Threat Actors 7\u003c\/p\u003e \u003cp\u003ePhishing 7\u003c\/p\u003e \u003cp\u003eRansomware 8\u003c\/p\u003e \u003cp\u003eNation State 10\u003c\/p\u003e \u003cp\u003eThe Necessity of Threat Hunting 14\u003c\/p\u003e \u003cp\u003eDoes the Organization’s Size Matter? 17\u003c\/p\u003e \u003cp\u003eThreat Modeling 19\u003c\/p\u003e \u003cp\u003eThreat-Hunting Maturity Model 23\u003c\/p\u003e \u003cp\u003eOrganization Maturity and Readiness 23\u003c\/p\u003e \u003cp\u003eLevel 0: INITIAL 24\u003c\/p\u003e \u003cp\u003eLevel 1: MINIMAL 25\u003c\/p\u003e \u003cp\u003eLevel 2: PROCEDURAL 25\u003c\/p\u003e \u003cp\u003eLevel 3: INNOVATIVE 25\u003c\/p\u003e \u003cp\u003eLevel 4: LEADING 25\u003c\/p\u003e \u003cp\u003eHuman Elements of Threat Hunting 26\u003c\/p\u003e \u003cp\u003eHow Do You Make the Board of Directors Cyber-Smart? 
27\u003c\/p\u003e \u003cp\u003eThreat-Hunting Team Structure 30\u003c\/p\u003e \u003cp\u003eExternal Model 30\u003c\/p\u003e \u003cp\u003eDedicated Internal Hunting Team Model 30\u003c\/p\u003e \u003cp\u003eCombined\/Hybrid Team Model 30\u003c\/p\u003e \u003cp\u003ePeriodic Hunt Teams Model 30\u003c\/p\u003e \u003cp\u003eUrgent Need for Human-Led Threat Hunting 31\u003c\/p\u003e \u003cp\u003eThe Threat Hunter’s Role 31\u003c\/p\u003e \u003cp\u003eSummary 33\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Modern Approach to Multi-Cloud Threat Hunting 35\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMulti-Cloud Threat Hunting 35\u003c\/p\u003e \u003cp\u003eMulti-Tenant Cloud Environment 38\u003c\/p\u003e \u003cp\u003eThreat Hunting in Multi-Cloud and Multi-Tenant Environments 39\u003c\/p\u003e \u003cp\u003eBuilding Blocks for the Security Operations Center 41\u003c\/p\u003e \u003cp\u003eScope and Type of SOC 43\u003c\/p\u003e \u003cp\u003eServices, Not Just Monitoring 43\u003c\/p\u003e \u003cp\u003eSOC Model 43\u003c\/p\u003e \u003cp\u003eDefine a Process for Identifying and Managing Threats 44\u003c\/p\u003e \u003cp\u003eTools and Technologies to Empower SOC 44\u003c\/p\u003e \u003cp\u003ePeople (Specialized Teams) 45\u003c\/p\u003e \u003cp\u003eCyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46\u003c\/p\u003e \u003cp\u003eCyberthreat Detection 46\u003c\/p\u003e \u003cp\u003eThreat-Hunting Goals and Objectives 49\u003c\/p\u003e \u003cp\u003eThreat Modeling and SOC 50\u003c\/p\u003e \u003cp\u003eThe Need for a Proactive Hunting Team Within SOC 50\u003c\/p\u003e \u003cp\u003eAssume Breach and Be Proactive 51\u003c\/p\u003e \u003cp\u003eInvest in People 51\u003c\/p\u003e \u003cp\u003eDevelop an Informed Hypothesis 52\u003c\/p\u003e \u003cp\u003eCyber Resiliency and Organizational Culture 53\u003c\/p\u003e \u003cp\u003eSkillsets Required for Threat Hunting 54\u003c\/p\u003e \u003cp\u003eSecurity Analysis 55\u003c\/p\u003e 
\u003cp\u003eData Analysis 56\u003c\/p\u003e \u003cp\u003eProgramming Languages 56\u003c\/p\u003e \u003cp\u003eAnalytical Mindset 56\u003c\/p\u003e \u003cp\u003eSoft Skills 56\u003c\/p\u003e \u003cp\u003eOutsourcing 56\u003c\/p\u003e \u003cp\u003eThreat-Hunting Process and Procedures 57\u003c\/p\u003e \u003cp\u003eMetrics for Assessing the Effectiveness of Threat Hunting 58\u003c\/p\u003e \u003cp\u003eFoundational Metrics 58\u003c\/p\u003e \u003cp\u003eOperational Metrics 59\u003c\/p\u003e \u003cp\u003eThreat-Hunting Program Effectiveness 61\u003c\/p\u003e \u003cp\u003eSummary 62\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Exploration of MITRE Key Attack Vectors 63\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstanding MITRE ATT\u0026amp;CK 63\u003c\/p\u003e \u003cp\u003eWhat Is MITRE ATT\u0026amp;CK Used For? 64\u003c\/p\u003e \u003cp\u003eHow Is MITRE ATT\u0026amp;CK Used and Who Uses It? 65\u003c\/p\u003e \u003cp\u003eHow Is Testing Done According to MITRE? 65\u003c\/p\u003e \u003cp\u003eTactics 67\u003c\/p\u003e \u003cp\u003eTechniques 67\u003c\/p\u003e \u003cp\u003eThreat Hunting Using Five Common Tactics 69\u003c\/p\u003e \u003cp\u003ePrivilege Escalation 71\u003c\/p\u003e \u003cp\u003eCase Study 72\u003c\/p\u003e \u003cp\u003eCredential Access 73\u003c\/p\u003e \u003cp\u003eCase Study 74\u003c\/p\u003e \u003cp\u003eLateral Movement 75\u003c\/p\u003e \u003cp\u003eCase Study 75\u003c\/p\u003e \u003cp\u003eCommand and Control 77\u003c\/p\u003e \u003cp\u003eCase Study 77\u003c\/p\u003e \u003cp\u003eExfiltration 79\u003c\/p\u003e \u003cp\u003eCase Study 79\u003c\/p\u003e \u003cp\u003eOther Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80\u003c\/p\u003e \u003cp\u003eZero Trust 80\u003c\/p\u003e \u003cp\u003eThreat Intelligence and Zero Trust 83\u003c\/p\u003e \u003cp\u003eBuild Cloud-Based Defense-in-Depth 84\u003c\/p\u003e \u003cp\u003eAnalysis Tools 86\u003c\/p\u003e \u003cp\u003eMicrosoft Tools 
86\u003c\/p\u003e \u003cp\u003eConnect To All Your Data 87\u003c\/p\u003e \u003cp\u003eWorkbooks 88\u003c\/p\u003e \u003cp\u003eAnalytics 88\u003c\/p\u003e \u003cp\u003eSecurity Automation and Orchestration 90\u003c\/p\u003e \u003cp\u003eInvestigation 91\u003c\/p\u003e \u003cp\u003eHunting 92\u003c\/p\u003e \u003cp\u003eCommunity 92\u003c\/p\u003e \u003cp\u003eAWS Tools 93\u003c\/p\u003e \u003cp\u003eAnalyzing Logs Directly 93\u003c\/p\u003e \u003cp\u003eSIEMs in the Cloud 94\u003c\/p\u003e \u003cp\u003eSummary 95\u003c\/p\u003e \u003cp\u003eResources 96\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Hunting in Microsoft Azure 99\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Microsoft Azure Cloud Threat Prevention Framework 101\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntroduction to Microsoft Security 102\u003c\/p\u003e \u003cp\u003eUnderstanding the Shared Responsibility Model 102\u003c\/p\u003e \u003cp\u003eMicrosoft Services for Cloud Security Posture Management and Logging\/Monitoring 105\u003c\/p\u003e \u003cp\u003eOverview of Azure Security Center and Azure Defender 105\u003c\/p\u003e \u003cp\u003eOverview of Microsoft Azure Sentinel 108\u003c\/p\u003e \u003cp\u003eUsing Microsoft Secure and Protect Features 112\u003c\/p\u003e \u003cp\u003eIdentity \u0026amp; Access Management 113\u003c\/p\u003e \u003cp\u003eInfrastructure \u0026amp; Network 114\u003c\/p\u003e \u003cp\u003eData \u0026amp; Application 115\u003c\/p\u003e \u003cp\u003eCustomer Access 115\u003c\/p\u003e \u003cp\u003eUsing Azure Web Application Firewall to Protect a Website Against an “Initial Access” TTP 116\u003c\/p\u003e \u003cp\u003eUsing Microsoft Defender for Office 365 to Protect Against an “Initial Access” TTP 118\u003c\/p\u003e \u003cp\u003eUsing Microsoft Defender for Endpoint to Protect Against an “Initial Access” TTP 121\u003c\/p\u003e \u003cp\u003eUsing Azure Conditional Access to Protect Against an “Initial Access” TTP 123\u003c\/p\u003e \u003cp\u003eMicrosoft 
Detect Services 127\u003c\/p\u003e \u003cp\u003eDetecting “Privilege Escalation” TTPs 128\u003c\/p\u003e \u003cp\u003eUsing Azure Security Center and Azure Sentinel to Detect Threats Against a “Privilege Escalation” TTP 128\u003c\/p\u003e \u003cp\u003eDetecting Credential Access 131\u003c\/p\u003e \u003cp\u003eUsing Azure Identity Protection to Detect Threats Against a “Credential Access” TTP 132\u003c\/p\u003e \u003cp\u003eSteps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134\u003c\/p\u003e \u003cp\u003eUsing Azure Security Center and Azure Sentinel to Detect Threats Against a “Credential Access” TTP 137\u003c\/p\u003e \u003cp\u003eDetecting Lateral Movement 139\u003c\/p\u003e \u003cp\u003eUsing Just-in-Time in ASC to Protect and Detect Threats Against a “Lateral Movement” TTP 139\u003c\/p\u003e \u003cp\u003eUsing Azure Security Center and Azure Sentinel to Detect Threats Against a “Lateral Movement” TTP 144\u003c\/p\u003e \u003cp\u003eDetecting Command and Control 145\u003c\/p\u003e \u003cp\u003eUsing Azure Security Center and Azure Sentinel to Detect Threats Against a “Command and Control” TTP 146\u003c\/p\u003e \u003cp\u003eDetecting Data Exfiltration 147\u003c\/p\u003e \u003cp\u003eUsing Azure Information Protection to Detect Threats Against a “Data Exfiltration” TTP 148\u003c\/p\u003e \u003cp\u003eDiscovering Sensitive Content Using AIP 149\u003c\/p\u003e \u003cp\u003eUsing Azure Security Center and Azure Sentinel to Detect Threats Against a “Data Exfiltration” TTP 153\u003c\/p\u003e \u003cp\u003eDetecting Threats and Proactively Hunting with Microsoft 365 Defender 154\u003c\/p\u003e \u003cp\u003eMicrosoft Investigate, Response, and Recover Features 155\u003c\/p\u003e \u003cp\u003eAutomating Investigation and Remediation with Microsoft Defender for Endpoint 157\u003c\/p\u003e \u003cp\u003eUsing Microsoft Threat Expert Support for Remediation and Investigation 159\u003c\/p\u003e \u003cp\u003eTargeted Attack Notification 159\u003c\/p\u003e 
\u003cp\u003eExperts on Demand 161\u003c\/p\u003e \u003cp\u003eAutomating Security Response with MCAS and Microsoft Flow 166\u003c\/p\u003e \u003cp\u003eStep 1: Generate Your API Token in Cloud App Security 167\u003c\/p\u003e \u003cp\u003eStep 2: Create Your Trigger in Microsoft Flow 167\u003c\/p\u003e \u003cp\u003eStep 3: Create the Teams Message Action in Microsoft Flow 168\u003c\/p\u003e \u003cp\u003eStep 4: Generate an Email in Microsoft Flow 168\u003c\/p\u003e \u003cp\u003eConnecting the Flow in Cloud App Security 169\u003c\/p\u003e \u003cp\u003ePerforming an Automated Response Using Azure Security Center 170\u003c\/p\u003e \u003cp\u003eUsing Machine Learning and Artificial Intelligence in Threat Response 172\u003c\/p\u003e \u003cp\u003eOverview of Fusion Detections 173\u003c\/p\u003e \u003cp\u003eOverview of Azure Machine Learning 174\u003c\/p\u003e \u003cp\u003eSummary 182\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntroduction 183\u003c\/p\u003e \u003cp\u003eMicrosoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184\u003c\/p\u003e \u003cp\u003eMicrosoft Security Architecture 185\u003c\/p\u003e \u003cp\u003eThe Identify Function 186\u003c\/p\u003e \u003cp\u003eThe Protect Function 187\u003c\/p\u003e \u003cp\u003eThe Detect Function 188\u003c\/p\u003e \u003cp\u003eThe Respond Function 189\u003c\/p\u003e \u003cp\u003eThe Recover Function 189\u003c\/p\u003e \u003cp\u003eUsing the Microsoft Reference Architecture 190\u003c\/p\u003e \u003cp\u003eMicrosoft Threat Intelligence 190\u003c\/p\u003e \u003cp\u003eService Trust Portal 192\u003c\/p\u003e \u003cp\u003eSecurity Development Lifecycle (SDL) 193\u003c\/p\u003e \u003cp\u003eProtecting the Hybrid Cloud Infrastructure 194\u003c\/p\u003e \u003cp\u003eAzure Marketplace 194\u003c\/p\u003e \u003cp\u003ePrivate Link 195\u003c\/p\u003e \u003cp\u003eAzure Arc 196\u003c\/p\u003e 
\u003cp\u003eAzure Lighthouse 197\u003c\/p\u003e \u003cp\u003eAzure Firewall 198\u003c\/p\u003e \u003cp\u003eAzure Web Application Firewall (WAF) 200\u003c\/p\u003e \u003cp\u003eAzure DDoS Protection 200\u003c\/p\u003e \u003cp\u003eAzure Key Vault 201\u003c\/p\u003e \u003cp\u003eAzure Bastion 202\u003c\/p\u003e \u003cp\u003eAzure Site Recovery 204\u003c\/p\u003e \u003cp\u003eAzure Security Center (ASC) 205\u003c\/p\u003e \u003cp\u003eMicrosoft Azure Secure Score 205\u003c\/p\u003e \u003cp\u003eProtecting Endpoints and Clients 206\u003c\/p\u003e \u003cp\u003eMicrosoft Endpoint Manager (MEM) Configuration Manager 207\u003c\/p\u003e \u003cp\u003eMicrosoft Intune 208\u003c\/p\u003e \u003cp\u003eProtecting Identities and Access 209\u003c\/p\u003e \u003cp\u003eAzure AD Conditional Access 210\u003c\/p\u003e \u003cp\u003ePasswordless for End-to-End Secure Identity 211\u003c\/p\u003e \u003cp\u003eAzure Active Directory (aka Azure AD) 211\u003c\/p\u003e \u003cp\u003eAzure MFA 211\u003c\/p\u003e \u003cp\u003eAzure Active Directory Identity Protection 212\u003c\/p\u003e \u003cp\u003eAzure Active Directory Privileged Identity Management (PIM) 213\u003c\/p\u003e \u003cp\u003eMicrosoft Defender for Identity 214\u003c\/p\u003e \u003cp\u003eAzure AD B2B and B2C 215\u003c\/p\u003e \u003cp\u003eAzure AD Identity Governance 215\u003c\/p\u003e \u003cp\u003eProtecting SaaS Apps 216\u003c\/p\u003e \u003cp\u003eProtecting Data and Information 219\u003c\/p\u003e \u003cp\u003eAzure Purview 220\u003c\/p\u003e \u003cp\u003eMicrosoft Information Protection (MIP) 221\u003c\/p\u003e \u003cp\u003eAzure Information Protection Unified Labeling Scanner (File Scanner) 222\u003c\/p\u003e \u003cp\u003eThe Advanced eDiscovery Solution in Microsoft 365 223\u003c\/p\u003e \u003cp\u003eCompliance Manager 224\u003c\/p\u003e \u003cp\u003eProtecting IoT and Operation Technology 225\u003c\/p\u003e \u003cp\u003eSecurity Concerns with IoT 226\u003c\/p\u003e 
\u003cp\u003eUnderstanding That IoT Cybersecurity Starts with a Threat Model 227\u003c\/p\u003e \u003cp\u003eMicrosoft Investment in IoT Technology 229\u003c\/p\u003e \u003cp\u003eAzure Sphere 229\u003c\/p\u003e \u003cp\u003eAzure Defender 229\u003c\/p\u003e \u003cp\u003eAzure Defender for IoT 230\u003c\/p\u003e \u003cp\u003eThreat Modeling for the Azure IoT Reference Architecture 230\u003c\/p\u003e \u003cp\u003eAzure Defender for IoT Architecture (Agentless Solutions) 233\u003c\/p\u003e \u003cp\u003eAzure Defender for IoT Architecture (Agent-based solutions) 234\u003c\/p\u003e \u003cp\u003eUnderstanding the Security Operations Solutions 235\u003c\/p\u003e \u003cp\u003eUnderstanding the People Security Solutions 236\u003c\/p\u003e \u003cp\u003eAttack Simulator 237\u003c\/p\u003e \u003cp\u003eInsider Risk Management (IRM) 237\u003c\/p\u003e \u003cp\u003eCommunication Compliance 239\u003c\/p\u003e \u003cp\u003eSummary 240\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Hunting in AWS 241\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 AWS Cloud Threat Prevention Framework 243\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntroduction to AWS Well-Architected Framework 244\u003c\/p\u003e \u003cp\u003eThe Five Pillars of the Well-Architected Framework 245\u003c\/p\u003e \u003cp\u003eOperational Excellence 246\u003c\/p\u003e \u003cp\u003eSecurity 246\u003c\/p\u003e \u003cp\u003eReliability 246\u003c\/p\u003e \u003cp\u003ePerformance Efficiency 246\u003c\/p\u003e \u003cp\u003eCost Optimization 246\u003c\/p\u003e \u003cp\u003eThe Shared Responsibility Model 246\u003c\/p\u003e \u003cp\u003eAWS Services for Monitoring, Logging, and Alerting 248\u003c\/p\u003e \u003cp\u003eAWS CloudTrail 249\u003c\/p\u003e \u003cp\u003eAmazon CloudWatch Logs 251\u003c\/p\u003e \u003cp\u003eAmazon VPC Flow Logs 252\u003c\/p\u003e \u003cp\u003eAmazon GuardDuty 253\u003c\/p\u003e \u003cp\u003eAWS Security Hub 254\u003c\/p\u003e \u003cp\u003eAWS Protect Features 
256\u003c\/p\u003e \u003cp\u003eHow Do You Prevent Initial Access? 256\u003c\/p\u003e \u003cp\u003eHow Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256\u003c\/p\u003e \u003cp\u003ePrerequisites 257\u003c\/p\u003e \u003cp\u003eCreate an API 257\u003c\/p\u003e \u003cp\u003eCreate and Configure an AWS WAF 259\u003c\/p\u003e \u003cp\u003eAWS Detection Features 263\u003c\/p\u003e \u003cp\u003eHow Do You Detect Privilege Escalation? 263\u003c\/p\u003e \u003cp\u003eHow Do You Detect the Abuse of a Valid Account to Obtain High-Level Permissions? 264\u003c\/p\u003e \u003cp\u003ePrerequisites 264\u003c\/p\u003e \u003cp\u003eConfigure GuardDuty to Detect Privilege Escalation 265\u003c\/p\u003e \u003cp\u003eReviewing the Findings 266\u003c\/p\u003e \u003cp\u003eHow Do You Detect Credential Access? 269\u003c\/p\u003e \u003cp\u003eHow Do You Detect Unsecured Credentials? 269\u003c\/p\u003e \u003cp\u003ePrerequisites 270\u003c\/p\u003e \u003cp\u003eReviewing the Findings 274\u003c\/p\u003e \u003cp\u003eHow Do You Detect Lateral Movement? 276\u003c\/p\u003e \u003cp\u003eHow Do You Detect the Use of Stolen Alternate Authentication Material? 277\u003c\/p\u003e \u003cp\u003ePrerequisites 277\u003c\/p\u003e \u003cp\u003eHow Do You Detect Potential Unauthorized Access to Your AWS Resources? 277\u003c\/p\u003e \u003cp\u003eReviewing the Findings 278\u003c\/p\u003e \u003cp\u003eHow Do You Detect Command and Control? 280\u003c\/p\u003e \u003cp\u003eHow Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)? 281\u003c\/p\u003e \u003cp\u003ePrerequisites 281\u003c\/p\u003e \u003cp\u003eHow Do You Detect EC2 Instance Communication with a Command and Control (C\u0026amp;C) Server Using DNS? 281\u003c\/p\u003e \u003cp\u003eReviewing the Findings 282\u003c\/p\u003e \u003cp\u003eHow Do You Detect Data Exfiltration? 
284\u003c\/p\u003e \u003cp\u003ePrerequisites 285\u003c\/p\u003e \u003cp\u003eHow Do You Detect the Exfiltration Using an Anomalous API Request? 285\u003c\/p\u003e \u003cp\u003eReviewing the Findings 286\u003c\/p\u003e \u003cp\u003eHow Do You Handle Response and Recover? 289\u003c\/p\u003e \u003cp\u003eFoundation of Incident Response 289\u003c\/p\u003e \u003cp\u003eHow Do You Create an Automated Response? 290\u003c\/p\u003e \u003cp\u003eAutomating Incident Responses 290\u003c\/p\u003e \u003cp\u003eOptions for Automating Responses 291\u003c\/p\u003e \u003cp\u003eCost Comparisons in Scanning Methods 293\u003c\/p\u003e \u003cp\u003eEvent-Driven Responses 294\u003c\/p\u003e \u003cp\u003eHow Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295\u003c\/p\u003e \u003cp\u003ePrerequisites 296\u003c\/p\u003e \u003cp\u003eCreating a Trail in CloudTrail 296\u003c\/p\u003e \u003cp\u003eCreating an SNS Topic to Send Emails 299\u003c\/p\u003e \u003cp\u003eCreating Rules in Amazon EventBridge 302\u003c\/p\u003e \u003cp\u003eHow Do You Orchestrate and Recover? 305\u003c\/p\u003e \u003cp\u003eDecision Trees 305\u003c\/p\u003e \u003cp\u003eUse Alternative Accounts 305\u003c\/p\u003e \u003cp\u003eView or Copy Data 306\u003c\/p\u003e \u003cp\u003eSharing Amazon EBS Snapshots 306\u003c\/p\u003e \u003cp\u003eSharing Amazon CloudWatch Logs 306\u003c\/p\u003e \u003cp\u003eUse Immutable Storage 307\u003c\/p\u003e \u003cp\u003eLaunch Resources Near the Event 307\u003c\/p\u003e \u003cp\u003eIsolate Resources 308\u003c\/p\u003e \u003cp\u003eLaunch Forensic Workstations 309\u003c\/p\u003e \u003cp\u003eInstance Types and Locations 309\u003c\/p\u003e \u003cp\u003eHow Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 
310\u003c\/p\u003e \u003cp\u003ePrerequisites 311\u003c\/p\u003e \u003cp\u003eAggregate and View Security Status in AWS Security Hub 311\u003c\/p\u003e \u003cp\u003eReviewing the Findings 312\u003c\/p\u003e \u003cp\u003eCreate Lambda Function to Orchestrate and Recover 314\u003c\/p\u003e \u003cp\u003eHow Are Machine Learning and Artificial Intelligence Used? 317\u003c\/p\u003e \u003cp\u003eSummary 318\u003c\/p\u003e \u003cp\u003eReferences 319\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 AWS Reference Architecture 321\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAWS Security Framework Overview 322\u003c\/p\u003e \u003cp\u003eThe Identify Function Overview 323\u003c\/p\u003e \u003cp\u003eThe Protect Function Overview 324\u003c\/p\u003e \u003cp\u003eThe Detect Function Overview 325\u003c\/p\u003e \u003cp\u003eThe Respond Function Overview 325\u003c\/p\u003e \u003cp\u003eThe Recover Function Overview 325\u003c\/p\u003e \u003cp\u003eAWS Reference Architecture 326\u003c\/p\u003e \u003cp\u003eThe Identify Function 326\u003c\/p\u003e \u003cp\u003eSecurity Hub 328\u003c\/p\u003e \u003cp\u003eAWS Config 329\u003c\/p\u003e \u003cp\u003eAWS Organizations 330\u003c\/p\u003e \u003cp\u003eAWS Control Tower 331\u003c\/p\u003e \u003cp\u003eAWS Trusted Advisor 332\u003c\/p\u003e \u003cp\u003eAWS Well-Architected Tool 333\u003c\/p\u003e \u003cp\u003eAWS Service Catalog 334\u003c\/p\u003e \u003cp\u003eAWS Systems Manager 335\u003c\/p\u003e \u003cp\u003eAWS Identity and Access Management (IAM) 337\u003c\/p\u003e \u003cp\u003eAWS Single Sign-On (SSO) 338\u003c\/p\u003e \u003cp\u003eAWS Shield 340\u003c\/p\u003e \u003cp\u003eAWS Web Application Firewall (WAF) 340\u003c\/p\u003e \u003cp\u003eAWS Firewall Manager 342\u003c\/p\u003e \u003cp\u003eAWS CloudHSM 343\u003c\/p\u003e \u003cp\u003eAWS Secrets Manager 345\u003c\/p\u003e \u003cp\u003eAWS Key Management Service (KMS) 345\u003c\/p\u003e \u003cp\u003eAWS Certificate Manager 346\u003c\/p\u003e \u003cp\u003eAWS IoT Device Defender 
347\u003c\/p\u003e \u003cp\u003eAmazon Virtual Private Cloud 347\u003c\/p\u003e \u003cp\u003eAWS PrivateLink 349\u003c\/p\u003e \u003cp\u003eAWS Direct Connect 349\u003c\/p\u003e \u003cp\u003eAWS Transit Gateway 350\u003c\/p\u003e \u003cp\u003eAWS Resource Access Manager 351\u003c\/p\u003e \u003cp\u003eThe Detect and Respond Functions 353\u003c\/p\u003e \u003cp\u003eGuardDuty 354\u003c\/p\u003e \u003cp\u003eAmazon Detective 356\u003c\/p\u003e \u003cp\u003eAmazon Macie 357\u003c\/p\u003e \u003cp\u003eAmazon Inspector 358\u003c\/p\u003e \u003cp\u003eAWS CloudTrail 359\u003c\/p\u003e \u003cp\u003eAmazon CloudWatch 360\u003c\/p\u003e \u003cp\u003eAWS Lambda 361\u003c\/p\u003e \u003cp\u003eAWS Step Functions 362\u003c\/p\u003e \u003cp\u003eAmazon Route 53 363\u003c\/p\u003e \u003cp\u003eAWS Personal Health Dashboard 364\u003c\/p\u003e \u003cp\u003eThe Recover Functions 365\u003c\/p\u003e \u003cp\u003eAmazon Glacier 366\u003c\/p\u003e \u003cp\u003eAWS CloudFormation 366\u003c\/p\u003e \u003cp\u003eCloudEndure Disaster Recovery 367\u003c\/p\u003e \u003cp\u003eAWS OpsWorks 368\u003c\/p\u003e \u003cp\u003eSummary 369\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart IV The Future 371\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Threat Hunting in Other Cloud Providers 373\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Google Cloud Platform 374\u003c\/p\u003e \u003cp\u003eGoogle Cloud Platform Security Architecture Alignment to NIST 376\u003c\/p\u003e \u003cp\u003eThe Identify Function 376\u003c\/p\u003e \u003cp\u003eThe Protect Function 378\u003c\/p\u003e \u003cp\u003eThe Detect Function 380\u003c\/p\u003e \u003cp\u003eThe Respond Function 382\u003c\/p\u003e \u003cp\u003eThe Recover Function 383\u003c\/p\u003e \u003cp\u003eThe IBM Cloud 385\u003c\/p\u003e \u003cp\u003eOracle Cloud Infrastructure Security 386\u003c\/p\u003e \u003cp\u003eOracle SaaS Cloud Security Threat Intelligence 387\u003c\/p\u003e \u003cp\u003eThe Alibaba Cloud 388\u003c\/p\u003e 
\u003cp\u003eSummary 389\u003c\/p\u003e \u003cp\u003eReferences 389\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 The Future of Threat Hunting 391\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eArtificial Intelligence and Machine Learning 393\u003c\/p\u003e \u003cp\u003eHow ML Reduces False Positives 395\u003c\/p\u003e \u003cp\u003eHow Machine Intelligence Applies to Malware Detection 395\u003c\/p\u003e \u003cp\u003eHow Machine Intelligence Applies to Risk Scoring in a Network 396\u003c\/p\u003e \u003cp\u003eAdvances in Quantum Computing 396\u003c\/p\u003e \u003cp\u003eQuantum Computing Challenges 398\u003c\/p\u003e \u003cp\u003ePreparing for the Quantum Future 399\u003c\/p\u003e \u003cp\u003eAdvances in IoT and Their Impact 399\u003c\/p\u003e \u003cp\u003eGrowing IoT Cybersecurity Risks 401\u003c\/p\u003e \u003cp\u003ePreparing for IoT Challenges 403\u003c\/p\u003e \u003cp\u003eOperational Technology (OT) 405\u003c\/p\u003e \u003cp\u003eImportance of OT Security 406\u003c\/p\u003e \u003cp\u003eBlockchain 406\u003c\/p\u003e \u003cp\u003eThe Future of Cybersecurity with Blockchain 407\u003c\/p\u003e \u003cp\u003eThreat Hunting as a Service 407\u003c\/p\u003e \u003cp\u003eThe Evolution of the Threat-Hunting Tool 408\u003c\/p\u003e \u003cp\u003ePotential Regulatory Guidance 408\u003c\/p\u003e \u003cp\u003eSummary 409\u003c\/p\u003e \u003cp\u003eReferences 409\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart V Appendices 411\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix A MITRE ATT\u0026amp;CK Tactics 413\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix B Privilege Escalation 415\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix C Credential Access 421\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix D Lateral Movement 431\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix E Command and Control 435\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix F Data Exfiltration 
443\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix G MITRE Cloud Matrix 447\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eInitial Access 447\u003c\/p\u003e \u003cp\u003eDrive-by Compromise 447\u003c\/p\u003e \u003cp\u003eExploiting a Public-Facing Application 450\u003c\/p\u003e \u003cp\u003ePhishing 450\u003c\/p\u003e \u003cp\u003eUsing Trusted Relationships 451\u003c\/p\u003e \u003cp\u003eUsing Valid Accounts 452\u003c\/p\u003e \u003cp\u003ePersistence 452\u003c\/p\u003e \u003cp\u003eManipulating Accounts 452\u003c\/p\u003e \u003cp\u003eCreating Accounts 453\u003c\/p\u003e \u003cp\u003eImplanting a Container Image 454\u003c\/p\u003e \u003cp\u003eOffice Application Startup 454\u003c\/p\u003e \u003cp\u003eUsing Valid Accounts 455\u003c\/p\u003e \u003cp\u003ePrivilege Escalation 456\u003c\/p\u003e \u003cp\u003eModifying the Domain Policy 456\u003c\/p\u003e \u003cp\u003eUsing Valid Accounts 457\u003c\/p\u003e \u003cp\u003eDefense Evasion 457\u003c\/p\u003e \u003cp\u003eModifying Domain Policy 457\u003c\/p\u003e \u003cp\u003eImpairing Defenses 458\u003c\/p\u003e \u003cp\u003eModifying the Cloud Compute Infrastructure 459\u003c\/p\u003e \u003cp\u003eUsing Unused\/Unsupported Cloud Regions 459\u003c\/p\u003e \u003cp\u003eUsing Alternate Authentication Material 460\u003c\/p\u003e \u003cp\u003eUsing Valid Accounts 461\u003c\/p\u003e \u003cp\u003eCredential Access 461\u003c\/p\u003e \u003cp\u003eUsing Brute Force Methods 461\u003c\/p\u003e \u003cp\u003eForging Web Credentials 462\u003c\/p\u003e \u003cp\u003eStealing an Application Access Token 462\u003c\/p\u003e \u003cp\u003eStealing Web Session Cookies 463\u003c\/p\u003e \u003cp\u003eUsing Unsecured Credentials 464\u003c\/p\u003e \u003cp\u003eDiscovery 464\u003c\/p\u003e \u003cp\u003eManipulating Account Discovery 464\u003c\/p\u003e \u003cp\u003eManipulating Cloud Infrastructure Discovery 465\u003c\/p\u003e \u003cp\u003eUsing a Cloud Service Dashboard 
466\u003c\/p\u003e \u003cp\u003eUsing Cloud Service Discovery 466\u003c\/p\u003e \u003cp\u003eScanning Network Services 467\u003c\/p\u003e \u003cp\u003eDiscovering Permission Groups 467\u003c\/p\u003e \u003cp\u003eDiscovering Software 468\u003c\/p\u003e \u003cp\u003eDiscovering System Information 468\u003c\/p\u003e \u003cp\u003eDiscovering System Network Connections 469\u003c\/p\u003e \u003cp\u003eLateral Movement 469\u003c\/p\u003e \u003cp\u003eInternal Spear Phishing 469\u003c\/p\u003e \u003cp\u003eUsing Alternate Authentication Material 470\u003c\/p\u003e \u003cp\u003eCollection 471\u003c\/p\u003e \u003cp\u003eCollecting Data from a Cloud Storage Object 471\u003c\/p\u003e \u003cp\u003eCollecting Data from Information Repositories 471\u003c\/p\u003e \u003cp\u003eCollecting Staged Data 472\u003c\/p\u003e \u003cp\u003eCollecting Email 473\u003c\/p\u003e \u003cp\u003eData Exfiltration 474\u003c\/p\u003e \u003cp\u003eDetecting Exfiltration 474\u003c\/p\u003e \u003cp\u003eImpact 475\u003c\/p\u003e \u003cp\u003eDefacement 475\u003c\/p\u003e \u003cp\u003eEndpoint Denial of Service 475\u003c\/p\u003e \u003cp\u003eResource Hijacking 477\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix H Glossary 479\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIndex 489\u003c\/p\u003e","brand":"John Wiley \u0026 Sons Inc","offers":[{"title":"Default Title","offer_id":49407158092119,"sku":"9781119804062","price":30.39,"currency_code":"GBP","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0817\/1739\/5799\/files\/9781119804062.jpg?v=1730498373","url":"https:\/\/bookcurl.com\/products\/threat-hunting-in-the-cloud-9781119804062","provider":"Book Curl","version":"1.0","type":"link"}