Threat Hunting with Elastic
Stack - In-depth Book Review
Threat Hunting with Elastic Stack is a solid book and I’d recommend reading it
Introduction
I just finished reading Andrew Pease’s Threat Hunting with Elastic Stack. There’s a lot to like and I’d recommend snatching a copy if you currently use the Elastic Stack and want to learn how to use it for threat hunting. In fact, it’s the best resource I’ve found on using the Security App in Kibana (formerly known as Elastic SIEM). Here’s a quick look at what I liked and what I think could have made the book even better.
NOTE: The reason that I’ll start to publish book reviews is that the vast majority of book reviews I’ve run into are, in my opinion, superficial and reviewers typically either praise or criticize a book without going into specifics that help other readers make get the most of the book and determine what else they need to look into to understand the topic more thoroughly.
What I Liked
As mentioned in the introduction, I enjoyed reading the book. Some the reasons include:
- the book starts off with a short but useful summary of various threat hunting related models and frameworks including: MITRE ATT&CK, the Cyber Kill Chain, the Pyramid of Pain and the Diamond Model (which is unique for mapping APT groups). While this isn’t ground breaking, it is a nicer refresher if you are already familiar with these frameworks and for those not familiar, it provides a concise summary
- while the book does start with a primer on threat hunting from a theoretical perspective covering, the rest of the books is largely hands on including:
- setting up your own threat hunting lab
- deep diving into leveraging the Security App (SIEM) for threat hunting
- providing a solid introduction to using Kibana for searching and visualizations. The Elastic Stack is a broad topic but the author does a fine job in covering the essentials needed for threat hunting
- when developing detection rules, the author shows you how to move up the Pyramid of Pain to improve your detection while making it more expensive for adversaries to adapt to your detection
- the author nicely illustrates the difference between data (what most “threat intel feeds” are) and actionable intel
- the author provided “Code in Action” videos to accompany the book. Although they don’t cover everything mentioned in the book, they are useful if you are more of a visual leaner
- the book was released in mid-2021 and therefore, for the most part, up-to-date (Elastic keeps updating their UI very frequently)
- the author touches on using Elastic Agent and Fleet, which are the future of Beats
- at the end of each chapter, an External Resources section provides the user with additional reading material
What’s Missing
While the book has a lot going for it, there were a few areas I felt were missing or could be improved. It would be great if these could be incorporated into future versions of the book to make the book even more useful. Even if they aren’t, hopefully they can help readers of this review to cover the missing areas. To make it more digestible, I’ll break them down into the following sections:
- lab-related improvements
- rule-related improvements
- alert-related improvements
- other improvements
Lab-Related Improvements
Some comments related to the lab portion of the book:
- two chapters (out of 12) are dedicated to setting up our test environment. The author covers how to set things up step by step. While useful, I would have preferred it if the author introduced users to Vagrant and provided a vagrant box that readers could simply download and use. Understanding and using Vagrant (including building your own boxes once you have configured your endpoint visibility) is a must for any security professional setting up labs and I was surprised that the author failed to even mention it as an option. Given that we detonate malware on our victim machine, resetting the machine to a pristine state is vital after each setup in addition to simulating a larger environment. Vagrant excels at both of these
- on the victim machine used to detonate the malware sample(s), the author has users install Winlogbeat (+ sysmon), Elastic Agent (with Endpoint Security) and Packetbeat without going into details on what each will provide. While Winlogbeat + sysmon are straight-forward, why do we have both the Endpoint Security Agent’s network-sniffing capabilities in addition to Packetbeat? Wouldn’t the Endpoint Security Agent suffice for our threat hunting operations (process + network connection details)?
- I felt the book could have used a dedicated section on what capabilities the Endpoint Security integration provides for a SOC and for threat hunting and what its weaknesses are in terms of visibility
- while the author deployed Agent Tesla as an example of an intrusion, the author doesn’t provide you with a link to a sample so you can follow along. Instead, you’re basically forced to find one yourself and you’ll end with different views across the Security App (as the behavior of newer strains is different). At the very least, I think it would have been beneficial if the author shared a snapshot of his indices to allow readers to import them and follow along
Rule-Related Improvements
In the detection and rule-writing sections of the book:
- I would have liked a more in-depth coverage of writing EQL queries, especially as this is a key differentiator in threat hunting that you don’t get from traditional querying methods. I felt that the topic didn’t get as much coverage as it deserved
- I expected some type of coverage of the default Elastic Pre-Built Rules that we enabled. Which rules are recommended? Which are still experimental? How do they map to MITRE’s ATT&CK PPTs? What areas are still insufficient? What other rule sets can I import? Should I compliment them with Sigma rules or as they sufficient and if so, which Sigma rules would give me the most bang for the buck (there are over 1700 Sigma rules)?
- I was surprised that the author didn’t mention data enrichment of logs at ingestion time. By not doing so, you miss a lot of DNS-related threat intel. It would have been great to add a section on data enrichment via Logstash to detect DGAs and baby domains. Although you can get DGA detection using the Machine Learning component, this requires an additional license
- another area that would have been used for IP enrichment at log time including Tor, VPS, and other data. This is achievable through the use of a combination of custom MMDBs and Logstash
- I felt that there wasn’t enough network-logging coverage. While Packetbeat is used and is useful, there was very little mention of Zeek
Alert-Related Improvements
As for the alert-related section, I have the following comments:
- one of the areas I felt was lacking was on the side of actual production use. For example, the Elastic Stack Free/Basic tier only allows you to view alerts that you define in Security App within Kibana or write them to an index. While this is useful, it isn’t very practical in real production use. Your options are basically to update your license or look at alternate solutions. I would have liked the author to at least go into detail on integrating this with a simple script to poll the index used to store the alerts and send it out to Slack, email, etc or better yet, illustrate how to use ElastAlert to do so. This would have made this section a lot more practical for production use
- the author didn’t highlight that indicator-based alerts timeout if you don’t explicitly change the default Indicator index query. In the example shown, the author does modify this but doesn’t tell you why which will leave you scratching your head when you try to write you own rules and try determining why they keep failing and timing out
Other Improvements
There are a number of additional areas I felt could be improved including:
- while the Security App does have some case management capabilities, a discussion of integrating it with more mature case management solutions such as the Hive would have been beneficial
- at least one of the threat intel feeds used (Anomali) was basically useless as Anomali hasn’t update them in years. At first, I wondered why it wasn’t working until I noticed that by default, the module rule only picks up intel that was added in the past 400 hours. Given that the feed hasn’t been updated for over a year, it didn’t ingest any IOCs
- I think it would have been useful if the author provided more details on ECS and the most important fields, how to make your custom applications ECS-compliant, etc.
Finally, it would have been great if the author had added a small section on how applicable the above is for other Elastic-based solutions such as Graylog and OpenSearch.
Conclusion
As I mentioned in the introduction, I’d recommend the book. Although my list of improvements is longer than my list of What I Liked, my list of recommendations / improvements is aimed at both the author and readers so that readers know what additional areas they may want to investigate to make the most of using Elastic Stack for threat hunting.