Incident response is critical for the active defense of any network, and incident responders need up-to-date, immediately applicable techniques with which to engage the adversary. Applied Incident Response details effective ways to respond to advanced attacks against local and remote network resources, providing proven response techniques and a framework through which to apply them. As a starting point for new incident handlers, or as a technical reference for hardened IR veterans, this book details the latest techniques for responding to threats against your network, including:
Preparing your environment for effective incident response
Leveraging MITRE ATT&CK and threat intelligence for active network defense
Local and remote triage of systems using PowerShell, WMIC, and open-source tools
Acquiring RAM and disk images locally and remotely
Analyzing RAM with Volatility and Rekall
Deep-dive forensic analysis of system drives using open-source or commercial tools
Leveraging Security Onion and Elastic Stack for network security monitoring
Techniques for log analysis and aggregating high-value logs
Static and dynamic analysis of malware with YARA rules, FLARE VM, and Cuckoo Sandbox
Detecting and responding to lateral movement techniques, including pass-the-hash, pass-the-ticket, Kerberoasting, malicious use of PowerShell, and many more
Effective threat hunting techniques
Adversary emulation with Atomic Red Team
Improving preventive and detective controls
Author
Steve Anson is a SANS Certified Instructor and co-founder of leading IT security company Forward Defense. He has over 20 years of experience investigating cybercrime and network intrusion incidents. As a former US federal agent, Steve specialized in intrusion investigations for the FBI and DoD. He has taught incident response and digital forensics techniques to thousands of students around the world on behalf of the FBI Academy, US Department of State, and the SANS Institute. He has assisted governments in over 50 countries to improve their strategic and tactical response to computer-facilitated crimes and works with a range of multinational organizations to prevent, detect and respond to network security incidents.
Flap text
DEFEND YOUR NETWORK WITH IMMEDIATELY APPLICABLE INCIDENT RESPONSE SKILLS
Incident response is critical for the active defense of any network, and incident responders need up-to-date, actionable techniques with which to engage the adversary. Applied Incident Response details effective ways to respond to advanced attacks against local and remote network resources, providing proven response methods and a framework through which to implement them. Drawing on the author's experience investigating intrusions for the FBI, US Department of Defense (DoD), and many international organizations, this authoritative book covers the core skills needed for incident handling and active network defense, including triaging systems, acquiring memory, imaging disks, collecting network data, log analysis, memory forensics, disk forensics, network security monitoring, adversary emulation, threat hunting, and more. Examples focus on free and open-source tools, but introduce commercial alternatives as well. As a starting point for new incident handlers, or as a technical reference for hardened incident response veterans, this book details the latest techniques for responding to threats against your network, including:
Contents
Part I Prepare 1
Chapter 1 The Threat Landscape 3
Attacker Motivations 3
Intellectual Property Theft 4
Supply Chain Attack 4
Financial Fraud 4
Extortion 5
Espionage 5
Power 5
Hacktivism 6
Revenge 6
Attack Methods 6
DoS and DDoS 7
Worms 8
Ransomware 8
Phishing 9
Spear Phishing 9
Watering Hole Attacks 10
Web Attacks 10
Wireless Attacks 11
Sniffing and MitM 11
Crypto Mining 12
Password Attacks 12
Anatomy of an Attack 13
Reconnaissance 13
Exploitation 14
Expansion/Entrenchment 15
Exfiltration/Damage 16
Clean Up 16
The Modern Adversary 16
Credentials, the Keys to the Kingdom 17
Conclusion 20
Chapter 2 Incident Readiness 21
Preparing Your Process 21
Preparing Your People 27
Preparing Your Technology 30
Ensuring Adequate Visibility 33
Arming Your Responders 37
Business Continuity and Disaster Recovery 38
Deception Techniques 40
Conclusion 43
Part II Respond 45
Chapter 3 Remote Triage 47
Finding Evil 48
Rogue Connections 49
Unusual Processes 52
Unusual Ports 55
Unusual Services 56
Rogue Accounts 56
Unusual Files 58
Autostart Locations 59
Guarding Your Credentials 61
Understanding Interactive Logons 61
Incident Handling Precautions 63
RDP Restricted Admin Mode and Remote Credential Guard 64
Conclusion 65
Chapter 4 Remote Triage Tools 67
Windows Management Instrumentation Command-Line Utility 67
Understanding WMI and the WMIC Syntax 68
Forensically Sound Approaches 71
WMIC and WQL Elements 72
Example WMIC Commands 79
PowerShell 84
Basic PowerShell Cmdlets 87
PowerShell Remoting 91
Accessing WMI/MI/CIM with PowerShell 95
Incident Response Frameworks 98
Conclusion 100
Chapter 5 Acquiring Memory 103
Order of Volatility 103
Local Memory Collection 105
Preparing Storage Media 107
The Collection Process 109
Remote Memory Collection 117
WMIC for Remote Collection 119
PowerShell Remoting for Remote Collection 122
Agents for Remote Collection 125
Live Memory Analysis 128
Local Live Memory Analysis 129
Remote Live Memory Analysis 129
Conclusion 131
Chapter 6 Disk Imaging 133
Protecting the Integrity of Evidence 133
Dead-Box Imaging 137
Using a Hardware Write Blocker 139
Using a Bootable Linux Distribution 143
Live Imaging 149
Live Imaging Locally 149
Collecting a Live Image Remotely 154
Imaging Virtual Machines 155
Conclusion 160
Chapter 7 Network Security Monitoring 161
Security Onion 161
Architecture 162
Tools 165
Snort, Sguil, and Squert 166
Zeek (Formerly Bro) 172
Elastic Stack 182
Text-Based Log Analysis 194
Conclusion 197
Chapter 8 Event Log Analysis 199
Understanding Event Logs 199
Account-Related Events 207
Object Access 218
Auditing System Configuration Changes 221
Process Auditing 224
Auditing PowerShell Use 229
Using PowerShell to Query Event Logs 231
Conclusion 233
Chapter 9 Me...