Andrew Pease Presents An Elastic Textbook

ivan ninichuck
4 min read · Oct 22, 2021


Technology moves at such a pace that a majority of our knowledge is learned through blogs and YouTube videos. Even a university student finds that courses they spent hours completing are soon obsolete. For this reason, it is incredibly difficult to write a full book on any topic in the industry, especially one with tutorials. That isn’t to say that one should not attempt to write books on topics such as Elastic Security, but such books need to contain more than technical information; they must make bold and important points that will age well. Andrew Pease accomplishes this very difficult task in his new book, Threat Hunting with the Elastic Stack.

The key to the book’s success is that it is literally a textbook on modern CTI (cyber threat intelligence) and threat hunting. It is my belief that this book will stand as the template for any future books on this topic. Compiled within the first three chapters are the core fundamentals of such important topics as the threat intelligence pipeline, MITRE ATT&CK, and how analysis leads to predicting adversary behavior. Nowhere else will you find such a brief but highly rich body of knowledge on these topics. All of the historical cases of analysis and the famous diagrams are explained. The parts about ATT&CK are priceless because much of that material is relatively new, and thus has not been covered in many books yet.

The chapters on the theoretical and practical aspects of threat intelligence would have made for a notable publication, but the book does not stop there. The next accomplishment is a succinct tutorial on using Elastic for threat hunting. The most important part of this section is the use of the Elastic Agent and Elastic Endpoint Security. It would have been easy for the author to simply use Beats modules to bring in the data, and no one would have blamed him. The Elastic Agent is a relatively new feature, appearing in beta at the end of last year. Its ability to be centrally managed using Fleet in the Kibana UI is one of the most game-changing features added to the stack, rivaled possibly only by the introduction of the Elastic Common Schema (ECS) and the Event Query Language (EQL). By including the Elastic Agent, Pease has ensured that his tutorials will help readers move into the new paradigm of data ingest.

I actually have quite a history of learning from Andrew Pease. He was one of the creators of a platform known as Rock NSM. The Rock is an extraordinary network threat hunting tool that was developed by the Missouri National Guard Cyber Team. Rock NSM was the platform that provided me with my first real experience deploying an Elastic-based hunting stack and was instrumental in my first paid contracts on Upwork. Pease and his fellow team members created a tool that opened the door for serious hunting of adversaries to be undertaken. They also went on to found a company named Perch that provided training in these topics. Within the pages of the book, you can feel the passion that Pease has carried to all these endeavors, and it was this passion that was so inspiring early in my career.

This would not be a proper review without analyzing the book from a critical point of view. Unfortunately, those same lessons of network threat hunting that I first associated with Pease are not in the book. Though some correlation between network and endpoint data is done using Packetbeat, this is no substitute for Zeek and Suricata. I had a chance to pose the question of where Pease felt the book might have been underwhelming, and funnily enough he made the same point. Due to length constraints and the massive amount of information he shares, it was not possible to include these wider subjects. I implore Pease to consider writing a follow-up book on these topics.

I am quite involved in various Elastic Community forums, and a common question is where one should start. Previously I would point to various videos and/or blogs, but now there is a simple answer. Pease has written what can only be described as the definitive textbook on Elastic Security and threat hunting. I would not be surprised if it were adopted across the spectrum of official courses and training on the topic. In fact, I would be disappointed if it were not included. I believe that the first section of the book makes it a good read for anyone in the field, and the tutorials may still provide useful information for a non-technical audience, in that the explanations of why certain methods are used hold value. I cannot overstate the quality of this textbook, and my recommendation is that everyone in the security field should read it.


Passionate about all things cyber security. Especially working with the Elastic Stack for Threat Hunting, MITRE ATT&CK and Sigma Rules.