Intelligence-Driven Incident Response. 2nd Edition Rebekah Brown, Scott J. Roberts

Intelligence-Driven Incident Response. 2nd Edition Rebekah Brown, Scott J. Roberts - okladka książki

Autorzy:: Rebekah Brown, Scott J. Roberts
Wydawnictwo:: O'Reilly Media (Z chęcią przeczytam książkę w języku polskim)
Ocena:: Bądź pierwszym, który oceni tę książkę
Stron:: 346
Dostępne formaty:: ePub

Mobi

Ebook

186,15 zł ~~219,00 zł~~ (-15%)

29,90 zł najniższa cena z 30 dni

Dodaj do koszyka lub Kup na prezent Kup 1-kliknięciem

Poleć tę książkę znajomemu Poleć tę książkę znajomemu!!

Przenieś na półkę

Do przechowalni

Zostało Ci na świąteczne zamówienie

opcje wysyłki »

Using a well-conceived incident response plan in the aftermath of an online security breach enables your team to identify attackers and learn how they operate. But only when you approach incident response with a cyber threat intelligence mindset will you truly understand the value of that information. In this updated second edition, you'll learn the fundamentals of intelligence analysis as well as the best ways to incorporate these techniques into your incident response process.

Each method reinforces the other: threat intelligence supports and augments incident response, while incident response generates useful threat intelligence. This practical guide helps incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts understand, implement, and benefit from this relationship.

In three parts, this in-depth book includes:

The fundamentals: Get an introduction to cyberthreat intelligence, the intelligence process, the incident response process, and how they all work together
Practical application: Walk through the intelligence-driven incident response (IDIR) process using the F3EAD process: Find, Fix, Finish, Exploit, Analyze, and Disseminate
The way forward: Explore big-picture aspects of IDIR that go beyond individual incident response investigations, including intelligence team building

Wybrane bestsellery

Ebooka "Intelligence-Driven Incident Response. 2nd Edition" przeczytasz na:

czytnikach Inkbook, Kindle, Pocketbook, Onyx Boox i innych
systemach Windows, MacOS i innych

systemach Windows, Android, iOS, HarmonyOS
na dowolnych urządzeniach i aplikacjach obsługujących formaty: PDF, EPub, Mobi

Masz pytania? Zajrzyj do zakładki Pomoc »

Oceny i opinie klientów: Intelligence-Driven Incident Response. 2nd Edition Rebekah Brown, Scott J. Roberts

(0)

Szczegóły książki

ISBN Ebooka:: 978-10-981-2064-1, 9781098120641
Data wydania ebooka :: 2023-06-13 Data wydania ebooka często jest dniem wprowadzenia tytułu do sprzedaży i może nie być równoznaczna z datą wydania książki papierowej. Dodatkowe informacje możesz znaleźć w darmowym fragmencie. Jeśli masz wątpliwości skontaktuj się z nami sklep@ebookpoint.pl.
Język publikacji:: angielski
Rozmiar pliku ePub:: 4.4MB
Rozmiar pliku Mobi:: 8.6MB

Zgłoś erratę

Kategorie

Kliknij, aby zgłosić błędnie przypisaną kategorię »

Informatyka » Biznes IT » Zarządzanie projektami IT

Dostępność produktu

Produkt nie został jeszcze oceniony pod kątem ułatwień dostępu lub nie podano żadnych informacji o ułatwieniach dostępu lub są one niewystarczające. Prawdopodobnie Wydawca/Dostawca jeszcze nie umożliwił dokonania walidacji produktu lub nie przekazał odpowiednich informacji na temat jego dostępności.

Spis treści książki

Foreword to the Second Edition
Foreword to the First Edition
Preface
- Why We Wrote This Book
- Who This Book Is For
- How This Book Is Organized
- Conventions Used in This Book
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
I. The Fundamentals
1. Introduction
- Intelligence as Part of Incident Response
  - History of Cyber Threat Intelligence
    - The first intrusion
    - Destructive attacks
    - Moonlight Maze
  - Modern Cyber Threat Intelligence
  - The Way Forward
- Incident Response as a Part of Intelligence
- What Is Intelligence-Driven Incident Response?
- Why Intelligence-Driven Incident Response?
  - Operation SMN
  - SolarWinds
- Conclusion
2. Basics of Intelligence
- Intelligence and Research
- Data Versus Intelligence
- Sources and Methods
- Models
  - Using Models for Collaboration
  - Process Models
    - OODA
      - Observe
      - Orient
      - Decide
      - Act
    - Intelligence cycle
      - Direction
      - Collection
      - Processing
      - Analysis
      - Dissemination
      - Feedback
  - Using the Intelligence Cycle
- Qualities of Good Intelligence
  - Collection Method
  - Date of Collection
  - Context
  - Addressing Biases in Analysis
- Levels of Intelligence
  - Tactical Intelligence
  - Operational Intelligence
  - Strategic Intelligence
- Confidence Levels
- Conclusion
3. Basics of Incident Response
- Incident-Response Cycle
  - Preparation
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Lessons Learned
- The Kill Chain
  - Targeting
  - Reconnaissance
    - Hard data versus soft data
    - Active versus passive collection methods
  - Weaponization
    - Vulnerability hunting
    - Exploitability
    - Implant development
    - Testing
    - Infrastructure development
      - Certificates
      - Servers
      - Domains
      - Email addresses
  - Delivery
  - Exploitation
  - Installation
    - System persistence
    - Network persistence
  - Command and Control
  - Actions on Objective
  - Example Kill Chain
- The Diamond Model
  - Basic Model
  - Extending the Model
- ATT&CK and D3FEND
  - ATT&CK
  - D3FEND
- Active Defense
  - Deny
  - Disrupt
  - Degrade
  - Deceive
  - Destroy
- F3EAD
  - Find
  - Fix
  - Finish
  - Exploit
  - Analyze
  - Disseminate
  - Using F3EAD
- Picking the Right Model
- Scenario: Road Runner
- Conclusion
II. Practical Application
4. Find
- Actor-Centric Targeting
  - Starting with Known Information
  - Useful Information During the Find Phase
    - Indicators of compromise
    - Behavior
  - Using the Kill Chain
    - Road Runner: Building an initial kill chain
    - Road Runner: Developing the kill chain
  - Goals
- Victim-Centric Targeting
  - Using Victim-Centric Targeting
    - Victim-infrastructure connection
    - Victim-capability connection
    - Victim-adversary connection
- Asset-Centric Targeting
  - Using Asset-Centric Targeting
- Capability-Centric Targeting
  - Using Capability-Centric Targeting
- Media-Centric Targeting
- Targeting Based on Third-Party Notification
- Prioritizing Targeting
  - Immediate Needs
  - Past Incidents
  - Criticality
- Organizing Targeting Activities
  - Hard Leads
  - Soft Leads
  - Grouping Related Leads
  - Lead Storage and Documentation
- The Request for Information Process
- Conclusion
5. Fix
- Intrusion Detection
  - Network Alerting
    - Alerting on reconnaissance
    - Alerting on delivery
      - Attachments
      - Links
      - Metadata
    - Alerting on command and control
      - Command and control via misuse of shared resources
      - No command-and-control malware
    - Alerting on impact
  - System Alerting
    - Alerting on exploitation
    - Alerting on installation
    - Alerting on impact
  - Fixing Road Runner
    - Network activity
- Intrusion Investigation
  - Network Analysis
    - Traffic analysis
      - Applying intelligence to traffic analysis
      - Gathering data from traffic analysis
    - Signature-based analysis
      - Applying intelligence to signature-based analysis
      - Gathering data from signature-based analysis
    - Full content analysis
      - Applying intelligence to full content analysis
      - Gathering data from full content analysis
    - Learning more
  - Live Response
  - Memory Analysis
  - Disk Analysis
    - Applying intelligence to disk analysis
    - Gathering data from disk analysis
  - Enterprise Detection and Response
  - Malware Analysis
    - Basic static analysis
      - File selectors: Yara
    - Basic dynamic analysis
    - Advanced static analysis
    - Applying intelligence to malware analysis
    - Gathering data from malware analysis
    - Learning more about malware analysis
- Scoping
- Hunting
  - Developing Hypotheses
  - Testing Hypotheses
- Conclusion
6. Finish
- Finishing Is Not Hacking Back
- Stages of Finish
  - Mitigate
    - Mitigating delivery
    - Mitigating command and control
    - Mitigating actions on objective
    - Mitigating Road Runner
  - Remediate
    - Remediating exploitation
    - Remediating installation
    - Remediating actions on objective
    - Remediating Road Runner
  - Rearchitect
    - Rearchitecting Road Runner
- Taking Action
  - Deny
  - Disrupt
  - Degrade
  - Deceive
  - Destroy
- Organizing Incident Data
  - Tools for Tracking Actions
    - Personal notes
    - The Spreadsheet of Doom
    - Third-party, non-purpose-built solutions
  - Purpose-Built Tools
- Assessing the Damage
- Monitoring Lifecycle
  - Creation
  - Testing
  - Deployment
  - Refinement
  - Retirement
- Conclusion
7. Exploit
- Tactical Versus Strategic OODA Loops
- What to Exploit
- Gathering Information
  - Information-Gathering Goals
  - Mining Previous Incidents
  - Gathering External Information (or, Conducting a Literature Review)
- Extracting and Storing Threat Data
  - Standards for Storing Threat Data
  - Data Standards and Formats for Indicators
    - OASIS suite (aka STIX/TAXII)
      - STIX 1
      - STIX 2.X
      - TAXII
    - MILE Working Group
    - OpenIOC
  - Data Standards and Formats for Strategic Information
    - ATT&CK
    - VERIS
    - CAPEC
  - Process for Extracting
    - Step 1: Identify your goals
    - Step 2: Identify your tools
    - Step 3: Identify the system or process you will use
    - Step 4: Launch and iterate
- Managing Information
  - Threat-Intelligence Platforms
    - MISP
    - CRITs
    - YETI
    - Commercial solutions
- Conclusion
8. Analyze
- The Fundamentals of Analysis
  - Dual Process Thinking
  - Deductive, Inductive, and Abductive Reasoning
    - Deductive reasoning
    - Inductive reasoning
    - Abductive reasoning
    - Whats the reasoning for talking about reasoning?
- Analytic Processes and Methods
  - Structured Analytic Techniques (SATs)
    - Key Assumptions Check
    - Analysis of Competing Hypotheses
    - Indicator generation, validation, and evaluation
      - Prepare an indicator list
      - Validate and evaluate indicators
    - Contrarian techniques
      - Devils advocate
      - What if analysis
      - Red team analysis
    - Futures Wheel
  - Target-Centric Analysis
- Conducting the Analysis
  - What to Analyze
  - Enriching Your Data
    - Enrichment sources
      - WHOIS information
      - Passive DNS information
      - Certificates
      - Malware information
    - Internal enrichment information
  - Leverage Information Sharing
  - Developing Your Hypothesis
  - Evaluating Key Assumptions
- Things That Will Screw You Up (aka Analytic Bias)
  - Accounting for Biases
    - Confirmation bias
    - Anchoring bias
    - Availability bias
    - Bandwagon effect
    - Mirroring
- Judgment and Conclusions
- Conclusion
9. Disseminate
- Intelligence Customer Goals
- Audience
  - Executive Leadership Customer
  - Internal Technical Customers
  - External Technical Customers
  - Developing Customer Personas
- Authors
- Actionability
- The Writing Process
  - Plan
  - Draft
    - Start with the thesis statement
    - Start with facts
    - Start with an outline or bullet points
  - Edit
- Intelligence Product Formats
  - Short-Form Products
    - Event summary
    - Target package
    - IOC report
  - Long-Form Products
    - Malware report
    - Campaign report
    - Intelligence estimate
  - The RFI Process
    - RFI request
    - RFI response
    - RFI flow example
      - RFI request
      - RFI response
  - Automated Consumption Products
    - Unstructured/semi-structured IOCs
      - Road Runner unstructured IOCs
    - Network signatures with Snort
      - Road Runner network signatures
    - Filesystem signatures with Yara
    - Automated IOC formats
- Establishing a Rhythm
  - Distribution
  - Feedback
  - Regular Products
- Conclusion
III. The Way Forward
10. Strategic Intelligence
- What Is Strategic Intelligence?
- The Role of Strategic Intelligence in Intelligence-Driven Incident Response
- Intelligence Beyond Incident Response
  - Red Teaming
  - Vulnerability Management
  - Architecture and Engineering
  - Privacy, Safety, and Physical Security
- Building a Frame with Strategic Intelligence
  - Models for Strategic Intelligence
    - Target models
      - Hierarchical models
      - Network models
      - Process models
      - Timelines
- The Strategic Intelligence Cycle
  - Setting Strategic Requirements
  - Collection
    - Geopolitical sources
    - Economic sources
    - Historical sources
    - Business sources
  - Analysis
    - Processes for analyzing strategic intelligence
      - SWOT analysis
      - Brainstorming
      - Scrub down
  - Dissemination
- Moving Toward Anticipatory Intelligence
- Conclusion
11. Building an Intelligence Program
- Are You Ready?
- Planning the Program
  - Defining Stakeholders
    - Incident-response team
    - Security operations center/team
    - Vulnerability management teams
    - Red teams/offensive engineers
    - Trust and safety teams
    - Chief information security officers
    - End users
  - Defining Goals
  - Defining Success Criteria
  - Identifying Requirements and Constraints
  - Think Strategically
  - Defining Metrics
- Stakeholder Personas
- Tactical Use Cases
  - SOC Support
    - Detection and alerting engineering
    - Triage
    - Situational awareness
  - Indicator Management
    - Threat-intelligence platform management
    - Third-party intelligence and feeds management
    - Updating indicators
- Operational Use Cases
  - Campaign Tracking
    - Identify the campaign focus
    - Identifying tools and tactics
    - Response support
- Strategic Use Cases
  - Architecture Support
    - Improve defensibility
    - Focus defenses on threats
  - Risk Assessment/Strategic Situational Awareness
- Strategic to Tactical or Tactical to Strategic?
  - Critical Information Needs
- The Intelligence Team
  - Building a Diverse Team
  - Team and Process Development
- Demonstrating Intelligence Program Value
- Conclusion
Index