Blue Team Handbook: Incident Response (ebook)


From 131.40


Description

As cyberthreats grow and infrastructure evolves, organizations must prioritize effective, dynamic, and adaptable incident response. Following the success of the original edition, Blue Team Handbook: Incident Response has been updated to reflect today's evolving cybersecurity landscape. This trusted and widely used field guide for cybersecurity incident responders, SOC analysts, and defensive security professionals distills incident response essentials into a concise, field-ready format. Author Don Murdoch draws on decades of real-world experience in incident response and cybersecurity operations to provide actionable guidance and sample workflows you can immediately apply in your own work. Whether you're investigating an alert, analyzing suspicious traffic, or strengthening your organization's IR capability, you'll find this field-tested edition an essential resource for hands-on practitioners.

  • Understand how modern adversaries operate and recognize common indicators of compromise in networks
  • Analyze network traffic with common tools to identify and investigate suspicious activity
  • Execute structured incident response procedures and follow a clear response plan
  • Conduct basic forensic analysis on both Windows and Linux systems
  • Use proven methodologies and tools to carry out effective, dynamic incident response

Table of contents:

Preface
  • Who Should Read This Book
  • Why I Wrote This Book
  • Navigating This Book
  • Conventions Used in This Book
  • Using Code Examples
  • O'Reilly Online Learning
  • How to Contact Us
  • Acknowledgments

1. Practical Incident Response Defined
  • The NIST Incident Response Lifecycle
  • The SANS Incident Response Lifecycle
  • Dynamic Incident Response and Intelligence Lifecycles
  • Time Based Security
  • Leveraging MITRE ATT&CK for Incident Response
  • Prioritizing Data Collection Using ATT&CK
  • Threat-Informed Defense
  • Need a Place to Start?
  • Adapting IR Lifecycles to Your Organization
  • The Changing Adversarial Landscape

2. The Six Phases of Modern Incident Response
  • Phase 1, Preparation: Know Thy Network and the Identities of Those Who Use It
  • Preparation: Tools and Techniques Survey and Checklist
  • Australia's Strategies to Mitigate Cybersecurity Incidents
  • Physical and data link layers
  • Network and routing layers
  • Application layer
  • Preparation: Visibility Tools and Techniques
  • Preparation: Command-Line Auditing
  • Preparation: Data Breach Rules of the Road
  • Preparation: Policy and Procedure
  • Preparation: Enable Early Warning Indicators
  • Phase 2, Identification: How Serious Is It?
  • Phase 3, Containment: Stopping the Adversary
  • Phase 4, Eradication: Revert Adversary Actions
  • Phase 5, Recovery: Back Up and Running
  • Phase 6, Lessons Learned: Reporting and Follow-Up
  • Incident-Driven Countermeasures

3. Incident Response Skills and Practices
  • Finding Metrics That Matter
  • The Golden Rules of IR Metrics
  • Incident Response Metrics
  • Improving Investigations
  • Understanding the Alexiou Principle
  • Externalization
  • Controlling Your Theories
  • Awareness of Confirmation Bias
  • Following Scene Safe Practices
  • The Incident Commander Role
  • Indicator of Attack Versus Indicator of Compromise
  • IoA Examples
  • IoC Examples
  • Using the OODA Loop
  • Assessing the Impact of a Cyber Attack
  • Avoiding Analysis Paralysis
  • Essential IR Business Process and Paperwork
  • Regulatory Considerations
  • Ed Skoudis's Pentest Authorization Letter
  • Trap and Trace Authorization Letter
  • End User-Focused Data Collection Form(s)
  • Chain of Custody and Evidence Topics
  • Suggestions for Organizing Evidence Data
  • The Traffic Light Protocol
  • Computer Security Incident Response Plan
  • CSIRP Sample Table of Contents
  • Incident Response Templates
  • PICERL Six-Phase Incident Response Template
  • Commercial Incident Response Template
  • Countermeasures and the SBAR Format
  • Secure IR Communications
  • Using GnuPG for Free Encrypted Email
  • Incident Response and Forensics Are Partners
  • Order of Volatility
  • Triage Forensics: 5% of the Data Tells Most of the Story
  • System Forensics: Dig Deep and Dissect at a Cost
  • Derailing IR and DFIR: Mistakes to Avoid
  • Goals and Objectives
  • Packaged Cyber Threat Intelligence for IR
  • Bootable Linux Distributions and Blue Team Platforms
  • Linux with VMware Workstation

4. Understanding Adversary Tools and Tactics
  • The Attack Process, IR Tools, and IR Points
  • Adversary Campaign Patterns
  • Reconnaissance: Tools and Techniques
  • DNS Analysis Scripts
  • Google Searching
  • Web-Based Recon Sites
  • Weaponization: Building the Adversary Toolset
  • Scanning: Tools and Techniques
  • Nmap scanning
  • Nmap scripting engine scripts
  • IPv6 networks
  • Masscan for IPv4
  • Windows counter loops
  • Web/CGI scanning tools
  • Exploitation: Tools and Techniques
  • Maintain Access: Tools and Techniques
  • Access over the wire
  • Rootkits
  • LOLBins
  • User accounts
  • ASEPs and registry-based persistence
  • Filesystem persistence
  • Scheduled tasks
  • Logon scripts
  • Data Relay and Backdoor Linux Tools
  • Netcat
  • Netcat data transfer techniques
  • Netcat backdoor techniques
  • Linux netcat backdoor technique without the -e option
  • Netcat relay setup on Linux
  • Cryptcat
  • Password Guessing
  • John the Ripper on Linux (Kali)

5. Windows Volatile Data Investigation
  • Normal Windows 11 Processes
  • Step 1: Prepare the IR Collection Environment
  • Option 1: Collect volatile data to a local USB drive
  • Option 2: Collect volatile data to a network share
  • Option 3: Upload to a web server
  • Step 2: Collect Physical Memory
  • WinPMem usage (Windows 7+)
  • VMware ESX memory dump
  • Step 3: Conduct Memory Analysis with Volatility
  • Volatility v2.6.1
  • Volatility v3
  • Step 4: Ask Process Indicator Analysis Questions
  • Step 5: Collect Live System State Data
  • Step 6: Conduct Windows Server-Side Collection and Open File Support
  • Step 7: Collect Disk Details and Image
  • NTFS Filesystem Times (v3.01)
  • Using FTK Imager to create a triage image
  • Using FTK Imager to create a logical volume image
  • Step 8: Collect Supplemental System Information
  • WFAS firewall default settings
  • WFAS order of rule processing
  • Common Windows Directories Used for Startup
  • Windows Scheduled Tasks
  • Common Windows 32-Bit and 64-Bit Registry Auto-Start Locations
  • Other Windows Artifact Investigation
  • Windows Logfiles and Locations
  • Windows Suspicious Processes: Process Explorer Configuration Options
  • Suspicious Process Review
  • Automated Collection on Windows with KAPE
  • KAPE Quick Start
  • KAPE and Missing Binaries
  • DeepBlueCLI for Windows
  • RDBMS Incident Response
  • Microsoft SQL Server Notes
  • Filesystem and Registry Notes

6. Linux Volatile Data System Investigation
  • Preparation
  • Linux Distributions
  • Command Background
  • Grep Quick Start
  • Finding Files
  • Step 1: Prepare Storage for Data Collection
  • Step 2: Dump and Analyze Physical Memory
  • Dumping and Capturing Memory to a Remote System Using Netcat
  • Using the Volatility 3 Command Set
  • Step 3: Collect Live System State Data
  • Capturing System State
  • User accounts
  • SSH service and details
  • Network activity
  • Sudo configuration and activity
  • Process details
  • System services and cron
  • Step 4: Investigate Linux Using lsof
  • Step 5: Investigate Additional Linux Artifacts
  • Gathering Filesystem Information
  • Investigating File Sharing with NFS and SAMBA
  • Collecting Logs
  • Managing and Investigating Linux Package Files
  • Other Topics
  • Containment with Linux
  • Iptables Essentials: An Example Using Iptables
  • Using Nft
  • Recovery: Firewall Assurance/Testing with Hping
  • Recovery: Vulnerability Testing with OpenVAS

7. Windows Host Analysis with PowerShell
  • Investigating a Standalone Remote System with WinRM
  • Investigating Local Versus Remote Systems
  • Using PSSession for 1:1 Remoting
  • Using Invoke-Command to Script Remote System Interrogation
  • Directory Sharing
  • Creating System and Date-Stamped Files
  • Determining PowerShell Version
  • Documenting Time Zone, Environment, System Date, and Time
  • Machine and OS Information
  • User Accounts, Groups, and Current Logins
  • Network Configuration for IPv4 and IPv6
  • Auto Start Extensibility Points
  • Running Processes
  • Installed and Running Services
  • Installed Certificates
  • Drivers Installed and Running
  • Files and Directories
  • Shares and Currently Open Server-Side Files
  • WMI Indicators
  • Physical Drives
  • Mapped Drives
  • Registry Export
  • Scheduled Tasks
  • Active Network Connections
  • Currently Installed Hotfixes
  • Installed Applications
  • Windows AppLocker
  • Files Changed Since . . .
  • Searching for Alternate Data Streams
  • Searching for Files by Extension
  • Searching for Files by Size
  • Searching for Hidden Files and Retrieve File Times
  • Collecting USB-Related Information
  • Volume Shadow Copy State
  • DNS Cache
  • Analyzing Windows Event Logs
  • Investigating Specific Event IDs in the Security Log
  • Using the Positional Method for Logins (Event ID 4624)
  • Using the XML Overlay Method for Logins (Event ID 4624)
  • Event ID 4688 and Command-Line Auditing
  • Examining Sysmon Event Logs

8. Active Directory Analysis
  • Adversary Actions Start with Reconnaissance
  • Kerberoasting
  • Authentication Server Response (AS-REP) Roasting
  • Password Spray Attacks
  • Unconstrained Delegation Account Abuse
  • Certificate Services (AD CS) Compromise
  • DCSync and Its Cousin, DCShadow
  • Golden Ticket
  • Early Warning Detection for AD Defense

9. Network-Based Analysis
  • Capturing Packet Data
  • Capturing Local Packet Data
  • Mirroring on a Portable Switch in a Jump Bag
  • Mirror/SPAN Enterprise Switch Configurations
  • Network Taps
  • Hypervisors
  • The Cloud
  • NGFWs and TLS Packet Export
  • Network Device Collection and Analysis Process
  • Perimeter Router Intrusion Signs
  • Perimeter Firewall Intrusion Signs
  • Intrusion Detection and Prevention Logs
  • Perimeter VPN Concentrators
  • Screened Services (DMZ)
  • Network Interior Switch Devices
  • Suspect DNS Names
  • Website Investigation Techniques
  • Reputation Risk
  • Network Traffic Analysis Techniques
  • Berkeley Packet Filter and Capturing Data
  • Identifying Network Interfaces
  • Using Tshark to Capture Connections
  • Using Pktmon for Wired Connections
  • Profiling PCAP with Tshark and Capinfos
  • Finding the SYN and SYN/ACK Packets
  • Extracting Port/Pair Combinations
  • Implementing Application-Specific Analysis Techniques
  • HTTP GET requests
  • HTTP redirection within Wireshark
  • HTTP GET and RESPONSE
  • Certificate details
  • DNS traffic
  • Email traffic
  • MAC address manipulation
  • Top talkers
  • Suspicious Traffic Patterns
  • Unused Internal Address Activity
  • Certificates
  • Uncommon Applications and Port Numbers
  • Snort Rules: Darknet Example

10. Enterprise Detection and Response Capabilities
  • Sample Attack Flow
  • Entry Points
  • Attack Visualization with the StoryLine™ Report
  • Mitigation Actions
  • Response Actions
  • Hyperautomation
  • Other Capabilities

A. Common TCP and UDP Ports
B. ICMP Types and Codes
C. Headers
Index

Specification

Basic information

Author
  • Don Murdoch
Year of publication
  • 2026
Format
  • MOBI
  • EPUB
Number of pages
  • 358
Categories
  • Hacking
Publisher
  • O'Reilly Media