Digital Forensics and Incident Response Incident Response Tools and Techniques for Effective Cyber Threat Response
Build your organization's cyber defense system by effectively applying digital forensics, incident management, and investigation techniques to real-world cyber threats. An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing y...
| Otros Autores: | |
|---|---|
| Formato: | Libro electrónico |
| Idioma: | Inglés |
| Publicado: |
Birmingham, England :
Packt Publishing Ltd
[2022]
|
| Edición: | Third edition |
| Materias: | |
| Ver en Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009711813906719 |
Tabla de Contenidos:
- Cover
- Title Page
- Copyright
- Contributors
- Table of Contents
- Preface
- Part 1: Foundations of Incident Response and Digital Forensics
- Chapter 1: Understanding Incident Response
- The IR process
- The role of digital forensics
- The IR framework
- The IR charter
- CSIRT team
- The IR plan
- Incident classification
- The IR playbook/handbook
- Escalation process
- Testing the IR framework
- Summary
- Questions
- Further reading
- Chapter 2: Managing Cyber Incidents
- Engaging the incident response team
- CSIRT engagement models
- Investigating incidents
- The CSIRT war room
- Communications
- Rotating staff
- SOAR
- Incorporating crisis communications
- Internal communications
- External communications
- Public notification
- Incorporating containment strategies
- Getting back to normal - eradication, recovery, and post-incident activity
- Summary
- Questions
- Further reading
- Chapter 3: Fundamentals of Digital Forensics
- An overview of forensic science
- Locard's exchange principle
- Legal issues in digital forensics
- Law and regulations
- Rules of evidence
- Forensic procedures in incident response
- A brief history of digital forensics
- The digital forensics process
- The digital forensics lab
- Summary
- Questions
- Further reading
- Chapter 4: Investigation Methodology
- An intrusion analysis case study: The Cuckoo's Egg
- Types of incident investigation analysis
- Functional digital forensic investigation methodology
- Identification and scoping
- Collecting evidence
- The initial event analysis
- The preliminary correlation
- Event normalization
- Event deconfliction
- The second correlation
- The timeline
- Kill chain analysis
- Reporting
- The cyber kill chain
- The diamond model of intrusion analysis
- Diamond model axioms.
- A combined diamond model and kill chain intrusion analysis
- Attribution
- Summary
- Questions
- Part 2: Evidence Acquisition
- Chapter 5: Collecting Network Evidence
- An overview of network evidence
- Preparation
- A network diagram
- Configuration
- Firewalls and proxy logs
- Firewalls
- Web application firewalls
- Web proxy servers
- NetFlow
- Packet capture
- tcpdump
- WinPcap and RawCap
- Wireshark
- Evidence collection
- Summary
- Questions
- Further reading
- Chapter 6: Acquiring Host-Based Evidence
- Preparation
- Order of volatility
- Evidence acquisition
- Evidence collection procedures
- Acquiring volatile memory
- FTK Imager
- WinPmem
- RAM Capturer
- Virtual systems
- Acquiring non-volatile evidence
- FTK obtaining protected files
- The CyLR response tool
- Kroll Artifact Parser and Extractor
- Summary
- Questions
- Further reading
- Chapter 7: Remote Evidence Collection
- Enterprise incident response challenges
- Endpoint detection and response
- Velociraptor overview and deployment
- Velociraptor server
- Velociraptor Windows collector
- Velociraptor scenarios
- Velociraptor evidence collection
- CyLR
- WinPmem
- Summary
- Questions
- Chapter 8: Forensic Imaging
- Understanding forensic imaging
- Image versus copy
- Logical versus physical volumes
- Types of image files
- SSD versus HDD
- Tools for imaging
- Preparing a staging drive
- Using write blockers
- Imaging techniques
- Dead imaging
- Live imaging
- Virtual systems
- Linux imaging
- Summary
- Questions
- Further reading
- Part 3: Evidence Analysis
- Chapter 9: Analyzing Network Evidence
- Network evidence overview
- Analyzing firewall and proxy logs
- SIEM tools
- The Elastic Stack
- Analyzing NetFlow
- Analyzing packet captures
- Command-line tools
- Real Intelligence Threat Analytics.
- NetworkMiner
- Arkime
- Wireshark
- Summary
- Questions
- Further reading
- Chapter 10: Analyzing System Memory
- Memory analysis overview
- Memory analysis methodology
- SANS six-part methodology
- Network connections methodology
- Memory analysis tools
- Memory analysis with Volatility
- Volatility Workbench
- Memory analysis with Strings
- Installing Strings
- Common Strings searches
- Summary
- Questions
- Further reading
- Chapter 11: Analyzing System Storage
- Forensic platforms
- Autopsy
- Installing Autopsy
- Starting a case
- Adding evidence
- Navigating Autopsy
- Examining a case
- Master File Table analysis
- Prefetch analysis
- Registry analysis
- Summary
- Questions
- Further reading
- Chapter 12: Analyzing Log Files
- Logs and log management
- Working with SIEMs
- Splunk
- Elastic Stack
- Security Onion
- Windows Logs
- Windows Event Logs
- Analyzing Windows Event Logs
- Acquisition
- Triage
- Detailed Event Log analysis
- Summary
- Questions
- Further reading
- Chapter 13: Writing the Incident Report
- Documentation overview
- What to document
- Types of documentation
- Sources
- Audience
- Executive summary
- Incident investigation report
- Forensic report
- Preparing the incident and forensic report
- Note-taking
- Report language
- Summary
- Questions
- Further reading
- Part 4: Ransomware Incident Response
- Chapter 14: Ransomware Preparation and Response
- History of ransomware
- CryptoLocker
- CryptoWall
- CTB-Locker
- TeslaCrypt
- SamSam
- Locky
- WannaCry
- Ryuk
- Conti ransomware case study
- Background
- Operational disclosure
- Tactics and techniques
- Exfiltration
- Impact
- Proper ransomware preparation
- Ransomware resiliency
- Prepping the CSIRT
- Eradication and recovery
- Containment
- Eradication
- Recovery
- Summary
- Questions.
- Further reading
- Chapter 15: Ransomware Investigations
- Ransomware initial access and execution
- Initial access
- Execution
- Discovering credential access and theft
- ProcDump
- Mimikatz
- Investigating post-exploitation frameworks
- Command and Control
- Security Onion
- RITA
- Arkime
- Investigating lateral movement techniques
- Summary
- Questions
- Further reading
- Part 5: Threat Intelligence and Hunting
- Chapter 16: Malware Analysis for Incident Response
- Malware analysis overview
- Malware classification
- Setting up a malware sandbox
- Local sandbox
- Cloud sandbox
- Static analysis
- Static properties analysis
- Dynamic analysis
- Process Explorer
- Process Spawn Control
- Automated analysis
- ClamAV
- YARA
- YarGen
- Summary
- Questions
- Further reading
- Chapter 17: Leveraging Threat Intelligence
- Threat intelligence overview
- Threat intelligence types
- The Pyramid of Pain
- The threat intelligence methodology
- Sourcing threat intelligence
- Internally developed sources
- Commercial sourcing
- Open source intelligence
- The MITRE ATT&
- CK framework
- Working with IOCs and IOAs
- Threat intelligence and incident response
- Autopsy
- Maltego
- YARA and Loki
- Summary
- Questions
- Further reading
- Chapter 18: Threat Hunting
- Threat hunting overview
- Threat hunt cycle
- Threat hunt reporting
- Threat hunting maturity model
- Crafting a hypothesis
- MITRE ATT&
- CK
- Planning a hunt
- Digital forensic techniques for threat hunting
- EDR for threat hunting
- Summary
- Questions
- Further reading
- Appendix
- Assessments
- Index
- About Packt
- Other Books You May Enjoy.
