Book Image

Incident Response in the Age of Cloud

By : Dr. Erdal Ozkaya
Book Image

Incident Response in the Age of Cloud

By: Dr. Erdal Ozkaya

Overview of this book

Cybercriminals are always in search of new methods to infiltrate systems. Quickly responding to an incident will help organizations minimize losses, decrease vulnerabilities, and rebuild services and processes. In the wake of the COVID-19 pandemic, with most organizations gravitating towards remote working and cloud computing, this book uses frameworks such as MITRE ATT&CK® and the SANS IR model to assess security risks. The book begins by introducing you to the cybersecurity landscape and explaining why IR matters. You will understand the evolution of IR, current challenges, key metrics, and the composition of an IR team, along with an array of methods and tools used in an effective IR process. You will then learn how to apply these strategies, with discussions on incident alerting, handling, investigation, recovery, and reporting. Further, you will cover governing IR on multiple platforms and sharing cyber threat intelligence and the procedures involved in IR in the cloud. Finally, the book concludes with an “Ask the Experts” chapter wherein industry experts have provided their perspective on diverse topics in the IR sphere. By the end of this book, you should become proficient at building and applying IR strategies pre-emptively and confidently.

Related Content you might be interested in

Current Title:

Small book image
Incident Response in the Age of Cloud
Dr. Erdal Ozkaya
Feb, 2021 | 622 pages
Small book image
Cybersecurity: The Beginner's Guide
Erdal Ozkaya
May, 2019 | 396 pages
Small book image
Cybersecurity – Attack and Defense Strategies.
Erdal Ozkaya | Yuri Diogenes
Dec, 2019 | 634 pages
Small book image
Cybersecurity – Attack and Defense Strategies, 3rd edition
Yuri Diogenes | Erdal Ozkaya
Sep, 2022 | 570 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Getting Started with Incident Response
Getting Started with Incident Response
The cybersecurity threat landscape
What is incident response?
The importance of organizational incident response plans
GDPR and NIS regulations about incident response
Components of an incident response plan
Tips
Summary
Further reading
Free Chapter
2
Incident Response – Evolution and Current Challenges
Incident Response – Evolution and Current Challenges
The evolution of incident response
Challenges facing incident response
Why do we need incident response?
Tips
Summary
Further reading
3
How to Organize an Incident Response Team
How to Organize an Incident Response Team
What an IR team does
The composition of an IR team
Choosing the ideal response team
How the IR team should be supported
Where the IR team should be located
Building an IR strategy
Security operations and continuous monitoring
Tips
Summary
Further reading
4
Key Metrics for Incident Response
Key Metrics for Incident Response
Key incident response metrics
Understanding KPIs
Key metrics for a phishing attack
Incident response metrics in the cloud
Tips
Summary
Further reading
5
Methods and Tools of Incident Response Processes
Methods and Tools of Incident Response Processes
The OODA loop
IR playbooks
IR tactics in the cloud
IR tools for the cloud
Tips
Summary
Further reading
6
Incident Handling
Incident Handling
The NIST definition of a security incident
The incident response process
Handling an incident
Handling an incident in a phishing scenario
Hands-on phishing incident response
Tips
Summary
Further reading
7
Incident Investigation
Incident Investigation
Incident investigation essentials
Investigating a phishing attack
Analysis of emails
Investigation tools
Investigating user inboxes
Automatic and scheduled investigations
Summary
Further reading
8
Incident Reporting
Incident Reporting
Reporting to the IR team
Reporting to the SOC team
Reporting to third parties
Reporting to the media
Reporting to the cloud service provider
Phishing alerting and reporting
Reporting on mobile devices
Reporting with web email access
Reporting to a SOC team and third-party services using IOC feeds
Summary
Further reading
9
Incident Response on Multiple Platforms
Incident Response on Multiple Platforms
IR on computers
IR on mobile devices
IR on Active Directory
IR in the cloud
Summary
Further reading
10
Cyber Threat Intelligence Sharing
Cyber Threat Intelligence Sharing
Introducing threat intelligence
The importance of threat intelligence
How to share threat intelligence
Threat intelligence tools and platforms
Summary
Further reading
11
Incident Response in the Cloud
Incident Response in the Cloud
Cloud service models
Assessing IR in the cloud using the SANS IR model
Understanding cloud attacks using the MITRE cloud matrix
Top threats facing cloud systems
Implementing SOAR techniques and recommendations
IR in the cloud: developing a plan of action
Summary
Further reading
12
Building a Culture of Incident Readiness
Building a Culture of Incident Readiness
Threat hunting
Purple teaming
Artificial intelligence and incident response
IR readiness in the cloud
Summary
Further reading
13
Incident Response Best Practices
Incident Response Best Practices
Adopting proactive mobilization
Using a well-defined resolution process
Making an easy-to-implement IR plan
Using effective communication strategies
Breaking down information silos
Using a centralized approach
Testing IR plans
Assessing and reviewing the IR plan
Automating basic tasks
Using templates and playbooks
Carrying out post-incident reviews
Tips
Summary
Further reading
14
Incident Case Studies
Incident Case Studies
Dealing with a spear phishing attack with Keepnet Incident Responder
Performing digital forensics with Binalyze's IREC
Summary
15
Ask the Experts
Ask the Experts
Approaches to IR
IR in the cloud
Tools and techniques
Methods of attack
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
17
Index
Index

Why do we need incident response?

Incidents are on the increase and it has become apparent that if they are not contained properly, they can easily escalate into issues that can damage an organization. A reliable solution is to prepare adequately on how to address security incidents when they happen. IR enables organizations to take essential steps to address the ever-present threat of cyber threats.

Therefore, IR is a necessity in organizations today. Poor handling of incidents can lead to the escalation of manageable security events into catastrophes. As recent reports from security incidents have shown, IR helps organizations to mitigate attacks, minimize losses, and even prevent future security incidents.

To achieve the best outcomes from IR processes, the organization should ensure that it acts with speed immediately after a security event is detected. However, before executing the mitigative actions, the nature and extent of the security incident have to be determined. In the short term, the organization ought to focus on deploying resources to combat the active threat and return the organization to normalcy. This should be done in parallel with seeking assistance from law enforcement and third parties to assist with tracking down the cause. In the long term, IR activities can be focused on identifying the cause of the threat to find permanent fixes, improving the security tools used to ensure better detection and prevention, prosecuting the culpable parties, and addressing reputational damage.

Despite the reliance on conventional cybersecurity approaches that are heavily reliant on security tools, new threats can be best mitigated by people and processes. Hence, IR, which combines the efforts of security tools with people and processes, will often lead to more effective solutions. Organizations must, however, continually evaluate their IR plans and teams to ensure that their effectiveness improves over time. Nonetheless, the importance of IR in modern IT environments cannot be underestimated.

Previous Section
End of Section 4
Next Section