Intelligence-Driven Incident Response. Outwitting the Adversary - Helion

ebook

Autor: Scott J Roberts, Rebekah Brown
ISBN: 978-14-919-3519-4
stron: 284, Format: ebook
Data wydania: 2017-08-21
Księgarnia: Helion

Cena książki: 186,15 zł (poprzednio: 216,45 zł)
Oszczędzasz: 14% (-30,30 zł)

Osoby, które kupiły tę książkę, wybierały także »

Using a well-conceived incident response plan in the aftermath of an online security breach enables your team to identify attackers and learn how they operate. But, only when you approach incident response with a cyber threat intelligence mindset will you truly understand the value of that information. With this practical guide, you’ll learn the fundamentals of intelligence analysis, as well as the best ways to incorporate these techniques into your incident response process.

Each method reinforces the other: threat intelligence supports and augments incident response, while incident response generates useful threat intelligence. This book helps incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts understand, implement, and benefit from this relationship.

In three parts, this in-depth book includes:

The fundamentals: get an introduction to cyber threat intelligence, the intelligence process, the incident-response process, and how they all work together
Practical application: walk through the intelligence-driven incident response (IDIR) process using the F3EAD process—Find, Fix Finish, Exploit, Analyze, and Disseminate
The way forward: explore big-picture aspects of IDIR that go beyond individual incident-response investigations, including intelligence team building

Osoby które kupowały "Intelligence-Driven Incident Response. Outwitting the Adversary", wybierały także:

Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
DevOps w praktyce. Kurs video. Jenkins, Ansible, Terraform i Docker 190,00 zł, (39,90 zł -79%)
Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)

Spis treści

Intelligence-Driven Incident Response. Outwitting the Adversary eBook -- spis treści

Foreword
Preface
- Why We Wrote This Book
- Who This Book Is For
- How This Book Is Organized
- Conventions Used in This Book
- OReilly Safari
- How to Contact Us
- Acknowledgments
I. The Fundamentals
1. Introduction
- Intelligence as Part of Incident Response
  - History of Cyber Threat Intelligence
  - Modern Cyber Threat Intelligence
  - The Way Forward
- Incident Response as a Part of Intelligence
- What Is Intelligence-Driven Incident Response?
- Why Intelligence-Driven Incident Response?
  - Operation SMN
  - Operation Aurora
- Conclusion
2. Basics of Intelligence
- Data Versus Intelligence
- Sources and Methods
- Process Models
  - OODA
    - Observe
    - Orient
    - Decide
    - Act
  - Intelligence Cycle
    - Direction
    - Collection
    - Processing
    - Analysis
    - Dissemination
    - Feedback
  - Using the Intelligence Cycle
- Qualities of Good Intelligence
- Levels of Intelligence
  - Tactical Intelligence
  - Operational Intelligence
  - Strategic Intelligence
- Confidence Levels
- Conclusion
3. Basics of Incident Response
- Incident-Response Cycle
  - Preparation
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Lessons Learned
- Kill Chain
  - Targeting
  - Reconnaissance
    - Hard data versus soft data
    - Active versus passive collection methods
  - Weaponization
    - Vulnerability hunting
    - Exploitability
    - Implant development
    - Testing
    - Infrastructure development
  - Delivery
  - Exploitation
  - Installation
    - System persistence
    - Network persistence
  - Command and Control
  - Actions on Objective
  - Example Kill Chain
- Diamond Model
  - Basic Model
  - Extending the Model
- Active Defense
  - Deny
  - Disrupt
  - Degrade
  - Deceive
  - Destroy
- F3EAD
  - Find
  - Fix
  - Finish
  - Exploit
  - Analyze
  - Disseminate
  - Using F3EAD
- Picking the Right Model
- Scenario: GLASS WIZARD
- Conclusion
II. Practical Application
4. Find
- Actor-Centric Targeting
  - Starting with Known Information
  - Useful Find Information
    - Indicators of compromise
    - Behavior
    - Using the kill chain
      - Scenario: building a kill chain
      - GLASS WIZARD kill chain
    - Goals
- Asset-Centric Targeting
  - Using Asset-Centric Targeting
- News-Centric Targeting
- Targeting Based on Third-Party Notification
- Prioritizing Targeting
  - Immediate Needs
  - Past Incidents
  - Criticality
- Organizing Targeting Activities
  - Hard Leads
  - Soft Leads
  - Grouping Related Leads
  - Lead Storage
- The Request for Information Process
- Conclusion
5. Fix
- Intrusion Detection
  - Network Alerting
    - Alerting on reconnaissance
    - Alerting on delivery
    - Alerting on command and control
      - Command and control via misuse of shared resources
      - No command-and-control malware
    - Alerting on actions over target
  - System Alerting
    - Alerting on exploitation
    - Alerting on installation
    - Alerting on actions over target
  - Fixing GLASS WIZARD
    - Network activity
      - System activity
- Intrusion Investigation
  - Network Analysis
    - Traffic analysis
      - Applying intelligence to traffic analysis
      - Gathering data from traffic analysis
    - Signature-based analysis
      - Applying intelligence to signature-based analysis
      - Gathering data from signature-based analysis
    - Full content analysis
      - Applying intelligence to full content analysis
      - Gathering data from full content analysis
    - Learning more
  - Live Response
  - Memory Analysis
  - Disk Analysis
    - Applying intelligence to disk analysis
    - Gathering data from disk analysis
  - Malware Analysis
    - Basic static analysis
    - Basic dynamic analysis
    - Advanced static analysis
    - Applying intelligence to malware analysis
    - Gathering data from malware analysis
    - Learning more about malware analysis
- Scoping
- Hunting
  - Developing Leads
  - Testing Leads
- Conclusion
6. Finish
- Finishing Is Not Hacking Back
- Stages of Finish
  - Mitigate
    - Mitigating delivery
    - Mitigating command and control
    - Mitigating actions over target
    - Mitigating GLASS WIZARD
  - Remediate
    - Remediating exploitation
    - Remediating installation
    - Remediating actions over target
    - Remediating GLASS WIZARD
  - Rearchitect
    - Rearchitecting GLASS WIZARD
- Taking Action
  - Deny
  - Disrupt
  - Degrade
  - Deceive
  - Destroy
- Organizing Incident Data
  - Tools for Tracking Actions
    - Personal notes
    - The Spreadsheet of Doom
    - Third-party, non-purpose-built solutions
  - Purpose-Built Tools
- Assessing the Damage
- Monitoring Life Cycle
- Conclusion
7. Exploit
- What to Exploit?
- Gathering Information
- Storing Threat Information
  - Data Standards and Formats for Indicators
    - OASIS SuiteCybOX/STIX/TAXII
    - MILE Working Group
    - OpenIOC
  - Data Standards and Formats for Strategic Information
    - VERIS
    - CAPEC
  - Managing Information
  - Threat-Intelligence Platforms
    - MISP
    - CRITs
    - YETI
    - Commercial solutions
  - Conclusion
8. Analyze
- The Fundamentals of Analysis
- What to Analyze?
- Conducting the Analysis
  - Enriching Your Data
    - Enrichment sources
      - WHOIS information
      - Passive DNS information
      - Malware information
      - Internal enrichment information
      - Information sharing
  - Developing Your Hypothesis
  - Evaluating Key Assumptions
    - Accounting for biases
      - Confirmation bias
      - Anchoring bias
      - Availability bias
      - Bandwagon effect
      - Mirroring
  - Judgment and Conclusions
- Analytic Processes and Methods
  - Structured Analysis
  - Target-Centric Analysis
  - Analysis of Competing Hypotheses
  - Graph Analysis
  - Contrarian Techniques
    - Devils advocate
    - What if analysis
    - Red team analysis
- Conclusion
9. Disseminate
- Intelligence Consumer Goals
- Audience
  - Executive/Leadership Consumer
  - Internal Technical Consumers
  - External Technical Consumers
  - Developing Consumer Personas
- Authors
- Actionability
- The Writing Process
  - Plan
  - Draft
    - Start with the direction statement
    - Start with facts
    - Start with an outline or bullet points
  - Edit
- Intelligence Product Formats
  - Short-Form Products
    - Event summary
    - Target package
    - Indicator-of-compromise report
  - Long-Form Products
    - Malware report
    - Campaign report
    - Intelligence estimate
  - The RFI Process
    - RFI request
    - RFI response
    - RFI flow example
      - RFI request
      - RFI Response
  - Automated Consumption Products
    - Unstructured/semistructured IOCs
      - GLASS WIZARD unstructured IOCs
    - Network signatures with Snort
      - GLASS WIZARD network signatures
    - Filesystem signatures with Yara
    - Automated IOC Formats
- Establishing a Rhythm
  - Distribution
  - Feedback
  - Regular Products
- Conclusion
III. The Way Forward
10. Strategic Intelligence
- What Is Strategic Intelligence?
  - Developing Target Models
    - Hierarchical models
    - Network models
    - Process models
    - Timelines
- The Strategic Intelligence Cycle
  - Setting Strategic Requirements
  - Collection
    - Geopolitical sources
    - Economic sources
    - Historical sources
    - Business sources
  - Analysis
    - Processes for strategic intelligence
      - SWOT analysis
      - Brainstorming
      - Murder boarding
  - Dissemination
- Conclusion
11. Building an Intelligence Program
- Are You Ready?
- Planning the Program
  - Defining Stakeholders
  - Defining Goals
    - Defining Success Criteria
    - Identifying Requirements and Constraints
    - Defining Metrics
- Stakeholder Personas
- Tactical Use Cases
  - SOC Support
  - Indicator Management
- Operational Use Cases
  - Campaign Tracking
- Strategic Use Cases
  - Architecture Support
  - Risk Assessment/Strategic Situational Awareness
- Strategic to Tactical or Tactical to Strategic?
- Hiring an Intelligence Team
- Demonstrating Intelligence Program Value
- Conclusion
A. Intelligence Products
- Short-Form Products
  - IOC Report: Hydraq Indicators
    - Summary
    - Notes
    - Related TTPs
    - References
  - Event Summary Report: GLASS WIZARD Spear Phishing EmailResume Campaign
    - Summary
    - Timeline
    - Impact
    - Recommendations
    - Ongoing Actions
    - References
  - Target Package: GLASS WIZARD
    - Summary
    - Tactics, Techniques, & Procedures
    - Victim Profile
    - Related References
- Long-Form Products: Hikit Malware
  - Summary
  - Basic Static Analysis
    - Interesting strings
    - Other relevant files or data
    - Basic Dynamic Analysis
    - Behavioral Characteristics
    - Delivery Mechanisms
    - Persistence Mechanisms
    - Spreading mechanisms
    - Exfiltration mechanisms
    - Command-and-control mechanisms
    - Dependencies
      - Supported operating systems
      - Required Files
    - Second Stage Downloads
    - Registry Keys
    - Detection
      - Network Indicators of Compromise
      - Filesystem indicators of compromise
    - Response Recommendations
      - Mitigation steps
      - Eradication steps
    - Related files
  - Requests for Intelligence: GLASS WIZARD
  - GLASS WIZARD RFI Response
Index