Applied Incident Response
Authors
Publisher John Wiley & Sons Inc
Year 09/03/2020
Pages 464
Version paperback
Readership level Professional and scholarly
Language English
ISBN 9781119560265
Categories Computer networking & communications
$47.00 (with VAT)
208.95 PLN / €44.80 / £38.89

Book description

Incident response is critical for the active defense of any network, and incident responders need up-to-date, immediately applicable techniques with which to engage the adversary. Applied Incident Response details effective ways to respond to advanced attacks against local and remote network resources, providing proven response techniques and a framework through which to apply them. As a starting point for new incident handlers, or as a technical reference for hardened IR veterans, this book details the latest techniques for responding to threats against your network, including:

* Preparing your environment for effective incident response
* Leveraging MITRE ATT&CK and threat intelligence for active network defense
* Local and remote triage of systems using PowerShell, WMIC, and open-source tools
* Acquiring RAM and disk images locally and remotely
* Analyzing RAM with Volatility and Rekall
* Deep-dive forensic analysis of system drives using open-source or commercial tools
* Leveraging Security Onion and Elastic Stack for network security monitoring
* Techniques for log analysis and aggregating high-value logs
* Static and dynamic analysis of malware with YARA rules, FLARE VM, and Cuckoo Sandbox
* Detecting and responding to lateral movement techniques, including pass-the-hash, pass-the-ticket, Kerberoasting, malicious use of PowerShell, and many more
* Effective threat hunting techniques
* Adversary emulation with Atomic Red Team
* Improving preventive and detective controls

Table of contents

Part I Prepare 1

  Chapter 1 The Threat Landscape 3
    Attacker Motivations 3
      Intellectual Property Theft 4
      Supply Chain Attack 4
      Financial Fraud 4
      Extortion 5
      Espionage 5
      Power 5
      Hacktivism 6
      Revenge 6
    Attack Methods 6
      DoS and DDoS 7
      Worms 8
      Ransomware 8
      Phishing 9
      Spear Phishing 9
      Watering Hole Attacks 10
      Web Attacks 10
      Wireless Attacks 11
      Sniffing and MitM 11
      Crypto Mining 12
      Password Attacks 12
    Anatomy of an Attack 13
      Reconnaissance 13
      Exploitation 14
      Expansion/Entrenchment 15
      Exfiltration/Damage 16
      Clean Up 16
    The Modern Adversary 16
      Credentials, the Keys to the Kingdom 17
    Conclusion 20

  Chapter 2 Incident Readiness 21
    Preparing Your Process 21
    Preparing Your People 27
    Preparing Your Technology 30
      Ensuring Adequate Visibility 33
      Arming Your Responders 37
      Business Continuity and Disaster Recovery 38
      Deception Techniques 40
    Conclusion 43

Part II Respond 45

  Chapter 3 Remote Triage 47
    Finding Evil 48
      Rogue Connections 49
      Unusual Processes 52
      Unusual Ports 55
      Unusual Services 56
      Rogue Accounts 56
      Unusual Files 58
      Autostart Locations 59
    Guarding Your Credentials 61
      Understanding Interactive Logons 61
      Incident Handling Precautions 63
      RDP Restricted Admin Mode and Remote Credential Guard 64
    Conclusion 65

  Chapter 4 Remote Triage Tools 67
    Windows Management Instrumentation Command-Line Utility 67
      Understanding WMI and the WMIC Syntax 68
      Forensically Sound Approaches 71
      WMIC and WQL Elements 72
      Example WMIC Commands 79
    PowerShell 84
      Basic PowerShell Cmdlets 87
      PowerShell Remoting 91
      Accessing WMI/MI/CIM with PowerShell 95
    Incident Response Frameworks 98
    Conclusion 100

  Chapter 5 Acquiring Memory 103
    Order of Volatility 103
    Local Memory Collection 105
      Preparing Storage Media 107
      The Collection Process 109
    Remote Memory Collection 117
      WMIC for Remote Collection 119
      PowerShell Remoting for Remote Collection 122
      Agents for Remote Collection 125
    Live Memory Analysis 128
      Local Live Memory Analysis 129
      Remote Live Memory Analysis 129
    Conclusion 131

  Chapter 6 Disk Imaging 133
    Protecting the Integrity of Evidence 133
    Dead-Box Imaging 137
      Using a Hardware Write Blocker 139
      Using a Bootable Linux Distribution 143
    Live Imaging 149
      Live Imaging Locally 149
      Collecting a Live Image Remotely 154
    Imaging Virtual Machines 155
    Conclusion 160

  Chapter 7 Network Security Monitoring 161
    Security Onion 161
      Architecture 162
      Tools 165
      Snort, Sguil, and Squert 166
      Zeek (Formerly Bro) 172
      Elastic Stack 182
    Text-Based Log Analysis 194
    Conclusion 197

  Chapter 8 Event Log Analysis 199
    Understanding Event Logs 199
    Account-Related Events 207
    Object Access 218
    Auditing System Configuration Changes 221
    Process Auditing 224
    Auditing PowerShell Use 229
    Using PowerShell to Query Event Logs 231
    Conclusion 233

  Chapter 9 Memory Analysis 235
    The Importance of Baselines 236
    Sources of Memory Data 242
    Using Volatility and Rekall 244
    Examining Processes 249
      The pslist Plug-in 249
      The pstree Plug-in 252
      The dlllist Plug-in 255
      The psxview Plug-in 256
      The handles Plug-in 256
      The malfind Plug-in 257
    Examining Windows Services 259
    Examining Network Activity 261
    Detecting Anomalies 264
    Practice Makes Perfect 273
    Conclusion 274

  Chapter 10 Malware Analysis 277
    Online Analysis Services 277
    Static Analysis 280
    Dynamic Analysis 286
      Manual Dynamic Analysis 287
      Automated Malware Analysis 299
      Evading Sandbox Detection 305
    Reverse Engineering 306
    Conclusion 309

  Chapter 11 Disk Forensics 311
    Forensics Tools 312
    Time Stamp Analysis 314
    Link Files and Jump Lists 319
    Prefetch 321
    System Resource Usage Monitor 322
    Registry Analysis 324
    Browser Activity 333
    USN Journal 337
    Volume Shadow Copies 338
    Automated Triage 340
    Linux/UNIX System Artifacts 342
    Conclusion 344

  Chapter 12 Lateral Movement Analysis 345
    Server Message Block 345
      Pass-the-Hash Attacks 351
    Kerberos Attacks 353
      Pass-the-Ticket and Overpass-the-Hash Attacks 354
      Golden and Silver Tickets 361
      Kerberoasting 363
    PsExec 365
    Scheduled Tasks 368
    Service Controller 369
    Remote Desktop Protocol 370
    Windows Management Instrumentation 372
    Windows Remote Management 373
    PowerShell Remoting 374
    SSH Tunnels and Other Pivots 376
    Conclusion 378

Part III Refine 379

  Chapter 13 Continuous Improvement 381
    Document, Document, Document 381
    Validating Mitigation Efforts 383
    Building On Your Successes, and Learning from Your Mistakes 384
    Improving Your Defenses 388
      Privileged Accounts 389
      Execution Controls 392
      PowerShell 394
      Segmentation and Isolation 396
    Conclusion 397

  Chapter 14 Proactive Activities 399
    Threat Hunting 399
    Adversary Emulation 409
      Atomic Red Team 410
      Caldera 415
    Conclusion 416

Index 419
