Digital Forensics and Incident Response - Third Edition

By: Gerard Johansen
Overview of this book

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization’s infrastructure from attacks. This updated third edition will help you perform cutting-edge digital forensic activities and incident response with a new focus on responding to ransomware attacks. After covering the fundamentals of incident response that are critical to any information security team, you’ll explore incident response frameworks. From understanding their importance to creating a swift and effective response to security incidents, the book will guide you using examples. Later, you’ll cover digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. You’ll be able to apply these techniques to the current threat of ransomware. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis and demonstrate how you can proactively use your digital forensic skills in threat hunting. By the end of this book, you’ll be able to investigate and report unwanted security breaches and incidents in your organization.
Table of Contents (28 chapters)

Part 1: Foundations of Incident Response and Digital Forensics
Part 2: Evidence Acquisition
Part 3: Evidence Analysis
Part 4: Ransomware Incident Response
Part 5: Threat Intelligence and Hunting
Appendix

What this book covers

Chapter 1, Understanding Incident Response, covers how an understanding of the foundational elements of incident response is critical to any information security team. Without an understanding of how to address the phases of incident response, individual personnel and organizations will not be able to craft an efficient and effective response to security incidents. This chapter will focus on the critical aspects of incident response that will provide you with that solid foundation.

Chapter 2, Managing Cyber Incidents, builds on the foundation laid in Chapter 1 by exploring the pressing issue of how to execute that planning and preparation in an actual incident. Drawing on critical incident management techniques, you will be guided through the critical components of managing a cybersecurity incident, from the point where the incident is detected through the remediation and recovery that brings the organization’s IT systems back to operation.

Chapter 3, Fundamentals of Digital Forensics, focuses heavily on proper evidence-handling procedures. A significant portion of the response to an incident is the ability to properly acquire and analyze evidence and to report on that analysis. Digital forensics, like any forensic discipline, requires a solid understanding of the technical, legal, and operational requirements. A lack of this understanding, such as of proper evidence handling, can cause evidence to become tainted or otherwise unusable.

Chapter 4, Investigation Methodology, presents a sound investigation methodology and intrusion analysis framework to ensure that intrusions and other cyber attacks are properly investigated. Digital forensics and incident response is the overall process for an organization to properly address a cyber attack. The digital forensics investigation methodology is a systematic way to investigate cyber attacks that integrates into the overall incident response process.

Chapter 5, Collecting Network Evidence, explains that the first step in digital forensics is data acquisition. One major source of data is contained within network traffic. With today’s complex networks, various devices can send detailed information about connections, sessions, and in some cases, complete reconstructions of files sent over network connections. Properly acquiring this evidence can provide valuable data points to reconstruct an incident.

Chapter 6, Acquiring Host-Based Evidence, guides you through how to acquire host evidence in a forensically sound manner. Incidents rarely involve an attack against only network hardware. Adversaries routinely attack hosts to establish a foothold, stage further tools for attacks, and finally, move to other systems. When they do this, they will often leave traces in log files, code in memory, or other artifacts.

Chapter 7, Remote Evidence Collection, presents a solution and scenarios to demonstrate the capabilities of remote forensic evidence collection. The focus of the previous chapters has been on localized evidence collection. While this approach is forensically sound, the challenge is that it does not scale for large enterprises where hundreds or possibly thousands of endpoints may be in scope for an incident. This requires the deployment of specialized tools and techniques to gather and search for evidence across the enterprise.

Chapter 8, Forensic Imaging, guides you through how to acquire and verify a forensic image of either a logical drive or partition or, in some cases, the entire physical drive. While a good deal of evidence can be acquired through the techniques in the previous chapter, there are often incidents where a complete examination of the filesystem and associated storage is needed.

Chapter 9, Analyzing Network Evidence, focuses on the analysis of digital evidence, having addressed the acquisition of network evidence in a previous chapter. The primary focus will be on reconstructing data found in packet captures as well as the analysis of Command and Control traffic. Finally, taking this data and correlating it with other log files to determine the potential root cause will be addressed.

Chapter 10, Analyzing System Memory, examines the various aspects of analyzing system memory with an eye to identifying the root cause. There is a maxim in digital forensics that states, “Malware can hide but it has to run.” While a bit simplistic, it does point to one key facet of digital forensics – that is, the memory of a compromised system contains a good deal of evidence. This is also becoming more of a concern as memory-only malware and other exploits gain a foothold.

Chapter 11, Analyzing System Storage, allows you to take the evidence collected in the previous chapter, extract the pertinent data, and analyze it with the intent of determining the root cause of the compromise. Much like memory, there is often a good deal of evidence to be analyzed on the system’s storage.

Chapter 12, Analyzing Log Files, guides you through analyzing logs using a variety of open source tools. The Windows operating system has several separate log files that log a variety of activities on the Windows system. This includes events such as logons, PowerShell use, and events associated with executing processes. These log sources are invaluable as a source of evidence.

Chapter 13, Writing the Incident Report, shows the critical elements of an incident report. Reporting the findings of the analysis of data and the sequence of events is a critical component of incident response. This chapter covers the various audiences that need to be addressed, how to prepare the technical reports, and how to properly debrief the stakeholders of an organization.

Chapter 14, Ransomware Preparation and Response, provides an overview of ransomware and the necessary steps to prepare for such an incident. Over the last few years, ransomware has become the number one threat to organizations. The relative ease of carrying out such attacks is dwarfed by the impact they have on an organization. Properly preparing for and handling such incidents is critical to bringing operations back to normal and minimizing downtime.

Chapter 15, Ransomware Investigations, takes the material from Chapter 14 and further builds on your understanding of ransomware by focusing on specific investigation steps. This will be a technical deep dive into the tools and techniques that are commonly leveraged by ransomware threat actors with a focus on initial access, credential theft, lateral movement, and command and control.

Chapter 16, Malware Analysis for Incident Response, guides you through various techniques to examine malicious code and leverage malware data in an incident. When examining incidents, especially those in the last 5 years, most of them involve malware as an initial attack to gain access to a system. While many malware variants are well known, there is also the potential for new malicious code to be found on systems involved in an incident.

Chapter 17, Leveraging Threat Intelligence, explores threat intelligence and how you can leverage this data prior to and during an incident. In the last decade, data and intelligence about threat actors, their methods, and the signs of their attacks have become more available to organizations outside of the government. While this information can be leveraged, many organizations do not have the necessary skills or knowledge to leverage threat intelligence properly.

Chapter 18, Threat Hunting, guides you through the practice of threat hunting, the methodology, and finally, how to integrate many of the skills presented in the previous chapters in a proactive manner. Threat hunting, the practice of using digital forensic techniques in a proactive manner to identify previously unidentified threats, is a practice that is currently gaining traction in many organizations.