Further Reading: Threat Detection and Hunting

Curated, annotated resources for going deeper. Each entry is tagged with the learning path it best serves — 🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert — and only Tier-1 (canonical/primary) and Tier-2 (attributed) sources are listed. A suggested reading order follows at the end.


Standards, frameworks & primary docs (Tier 1)

MITRE ATT&CK (attack.mitre.org). The living knowledge base of adversary tactics and techniques that this entire chapter maps detections against. Browse a few techniques (e.g., T1003 Credential Dumping, T1071 Application Layer Protocol) and read their "Detection" and "Data Sources" sections — that is the detection engineer's daily reference. 🛡️🏗️📜

MITRE ATT&CK Navigator (mitre-attack.github.io/attack-navigator). The free tool for building the coverage heatmaps from §22.6. Layer your detections onto the matrix and the blind spots become a picture. Essential for actually doing coverage mapping rather than just reading about it. 🛡️🏗️📋

The Sigma Project (github.com/SigmaHQ/sigma). The home of the portable detection format from §22.4, including the specification, thousands of community rules, and the sigma/pySigma tooling that compiles rules to each SIEM backend. Read real rules in the rules/ directory to learn the idioms; clone it to see detection-as-code in practice. 🛡️🏗️

YARA documentation (yara.readthedocs.io). The official guide to the file/memory pattern-matching language introduced at the end of §22.4. Skim "Writing YARA rules" to understand how strings + conditions classify malware by content rather than by hash. 🛡️🏗️

MITRE D3FEND (d3fend.mitre.org). ATT&CK's defensive counterpart: a knowledge graph of countermeasures mapped to the attacker techniques they address. Useful for thinking from "technique" to "the detection or control that answers it." 🏗️📋

NIST Cybersecurity Framework (CSF) 2.0 — DETECT function (nist.gov/cyberframework). The governance home for everything in this chapter: "continuous monitoring" and "adverse event analysis." Read the DETECT category to see how detection engineering and hunting fit a board-level framework. 📋📜

CISA Advisories & Alerts (cisa.gov/news-events/cybersecurity-advisories). The U.S. agency's joint advisories are the gold-standard operational intelligence from §22.3 — ATT&CK-mapped descriptions of active campaigns. This is exactly the kind of report Case Study 2 turns into detections; read one and try the "Your Turn" exercise on it. 🛡️📋

STIX / TAXII (OASIS; oasis-open.org/committees/cti). The standards for describing and transporting machine-readable threat intelligence (§22.3). You don't need to author STIX by hand, but understanding the structure helps when your TIP ingests an advisory as STIX. 🏗️📋

Traffic Light Protocol (TLP) 2.0 — FIRST.org (first.org/tlp). The one-page standard for the handling markings (RED/AMBER/GREEN/CLEAR) that govern shared intelligence. Short, mandatory reading before you participate in any sharing community. 📋🛡️


Foundational ideas & talks (Tier 1 / Tier 2)

David J. Bianco, "The Pyramid of Pain" (blog post and subsequent talks; widely cited, ~2013). The original articulation of the model at the heart of §22.2. A short read that reframes how you value every indicator. Tier 1 for the idea; the canonical write-up lives on Bianco's "Enterprise Detection & Response" blog. 🛡️🏗️📜

Lockheed Martin, "Intelligence-Driven Computer Network Defense" (the Cyber Kill Chain paper) (Hutchins, Cloppert, Amin). The paper that introduced the kill-chain framing (revisited from Chapter 2) and, crucially, the intelligence-driven mindset that §22.3 builds on. Read it for the argument that intelligence should drive defense, not just inform it. 🛡️📋📜

Sqrrl / "A Framework for Cyber Threat Hunting" (industry white paper, widely circulated; Tier 2). An early, clear formalization of hypothesis-driven hunting and the "Hunting Maturity Model" — the source of much of the vocabulary in §22.5. Attribute as an industry framework; the specific maturity levels are widely reproduced. 🛡️

The DML (Detection Maturity Level) Model — Ryan Stillions (blog, Tier 2). A model for what level of abstraction your detections operate at (from atomic indicators up to goals and strategy), complementary to the pyramid of pain. Helps you reason about why TTP-level detection is more durable. 🛡️🏗️


Books (Tier 1)

Richard Bejtlich, The Practice of Network Security Monitoring (No Starch Press). The foundational text for the "collect data and go looking" philosophy underpinning both Chapter 10 and this one. Bejtlich's network-security-monitoring discipline is the intellectual ancestor of modern hunting. 🛡️🏗️

Chris Sanders & Jason Smith, Applied Network Security Monitoring (Syngress). A practical companion that walks through detection, collection, and analysis with real tooling — a strong bridge between this chapter and a working lab. 🛡️

Sumit Sehgal et al. / Intelligence-Driven Incident Response — Rebekah Brown & Scott Roberts (O'Reilly). The best single book on turning threat intelligence into operational defense — the §22.3 pipeline at book length, including the intelligence lifecycle and how it feeds detection and IR. 🛡️📋

Don Murdoch, Blue Team Handbook: SOC, SIEM, and Threat Hunting (self-published; widely used). A dense, practical field guide for SOC analysts that covers detection use cases, SIEM querying, and hunting playbooks — useful as a desk reference alongside this chapter. 🛡️📜

Chapple & Seidl, CompTIA Security+ Study Guide; Harris & Maymí, CISSP All-in-One Exam Guide (Sybex / McGraw-Hill). For the certification reader: both cover threat intelligence, IoCs, ATT&CK, hunting, and detection in their Security Operations material. Use them to drill the crosswalk in key-takeaways.md. 📜


Free online, labs & tools (Tier 1 / Tier 2)

Atomic Red Team (Red Canary; github.com/redcanaryco/atomic-red-team). A library of small, safe, ATT&CK-mapped tests you can run in your own lab to generate the telemetry a detection should catch — the fastest way to test whether your Sigma rules actually fire. Use only on authorized systems. 🛡️🏗️

DetectionLab / open SIEM stacks (Elastic, Splunk free, Microsoft Sentinel trials) — build a home SIEM, ship Sysmon/EDR logs into it, and practice writing and compiling Sigma rules end to end. The "Try It in the Lab" callouts assume exactly this kind of sandbox. 🛡️🏗️

Sysmon (Microsoft Sysinternals) + the SwiftOnSecurity Sysmon config (github.com/SwiftOnSecurity/sysmon-config). The endpoint telemetry source that most behavioral Windows detections (including the LSASS rule in Case Study 2) depend on. Deploying it is often the prerequisite that turns a red coverage cell green. 🏗️🛡️

The DFIR Report (thedfirreport.com; Tier 2). Detailed, freely published intrusion walk-throughs mapped to ATT&CK, often with detection guidance and sample queries. Excellent practice material: read a report, then engineer detections for its techniques. 🛡️


Suggested reading order

  1. Start with the model: Bianco's Pyramid of Pain and the Lockheed kill-chain paper — they reframe everything else. (All paths.)
  2. See the taxonomy: browse a handful of MITRE ATT&CK techniques and open the ATT&CK Navigator to build a tiny coverage layer. (SOC / Engineer / GRC.)
  3. Learn the rule formats: read real rules in the Sigma repo; skim the YARA docs. (SOC / Engineer.)
  4. Connect intel to detection: read one CISA advisory and Brown & Roberts' Intelligence-Driven Incident Response. (SOC / GRC.)
  5. Practice in a lab: stand up a SIEM, deploy Sysmon, fire an Atomic Red Team test, and confirm your rule catches it. (SOC / Engineer.)
  6. For the exam: drill the threat-intel/ATT&CK/hunting sections of the Security+ / CISSP guides against this chapter's key-takeaways.md crosswalk. (Cert.)