book

Blue Team Handbook: Incident Response

Name: Blue Team Handbook: Incident Response
Author: Don Murdoch
ISBN: 9798341661264

by Don Murdoch

February 2026

Intermediate to advanced

358 pages

10h 31m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhy I Wrote This BookNavigating This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Practical Incident Response Defined
The NIST Incident Response LifecycleThe SANS Incident Response LifecycleDynamic Incident Response and Intelligence LifecyclesTime Based SecurityLeveraging MITRE ATT&CK for Incident ResponsePrioritizing Data Collection Using ATT&CKThreat-Informed DefenseNeed a Place to Start?Adapting IR Lifecycles to Your OrganizationThe Changing Adversarial Landscape
2. The Six Phases of Modern Incident Response
Phase 1, Preparation: Know Thy Network and the Identities of Those Who Use ItPreparation: Tools and Techniques Survey and ChecklistPreparation: Visibility Tools and TechniquesPreparation: Command-Line AuditingPreparation: Data Breach Rules of the RoadPreparation: Policy and ProcedurePreparation: Enable Early Warning IndicatorsPhase 2, Identification: How Serious Is It?Phase 3, Containment: Stopping the AdversaryPhase 4, Eradication: Revert Adversary ActionsPhase 5, Recovery: Back Up and RunningPhase 6, Lessons Learned: Reporting and Follow-UpIncident-Driven Countermeasures
3. Incident Response Skills and Practices
Finding Metrics That MatterThe Golden Rules of IR MetricsIncident Response MetricsImproving InvestigationsUnderstanding the Alexiou PrincipleExternalizationControlling Your TheoriesAwareness of Confirmation BiasFollowing Scene Safe PracticesThe Incident Commander RoleIndicator of Attack Versus Indicator of CompromiseIoA ExamplesIoC ExamplesUsing the OODA LoopAssessing the Impact of a Cyber AttackAvoiding Analysis ParalysisEssential IR Business Process and PaperworkRegulatory ConsiderationsEd Skoudis’s Pentest Authorization Letter“Trap and Trace” Authorization LetterEnd User–Focused Data Collection Form(s)Chain of Custody and Evidence TopicsSuggestions for Organizing Evidence DataThe Traffic Light ProtocolComputer Security Incident Response PlanCSIRP Sample Table of ContentsIncident Response TemplatesPICERL Six-Phase Incident Response TemplateCommercial Incident Response TemplateCountermeasures and the SBAR FormatSecure IR CommunicationsUsing GnuPG for Free Encrypted EmailIncident Response and Forensics Are PartnersOrder of VolatilityTriage Forensics: 5% of the Data Tells Most of the StorySystem Forensics: Dig Deep and Dissect at a CostDerailing IR and DFIR: Mistakes to AvoidGoals and ObjectivesPackaged Cyber Threat Intelligence for IRBootable Linux Distributions and Blue Team PlatformsLinux with VMware Workstation
4. Understanding Adversary Tools and Tactics
The Attack Process, IR Tools, and IR PointsAdversary Campaign PatternsReconnaissance: Tools and TechniquesDNS Analysis ScriptsGoogle SearchingWeb-Based Recon SitesWeaponization: Building the Adversary ToolsetScanning: Tools and TechniquesExploitation: Tools and TechniquesMaintain Access: Tools and TechniquesData Relay and Backdoor Linux ToolsPassword Guessing
5. Windows Volatile Data Investigation
Normal Windows 11 ProcessesStep 1: Prepare the IR Collection EnvironmentStep 2: Collect Physical MemoryStep 3: Conduct Memory Analysis with VolatilityStep 4: Ask Process Indicator Analysis QuestionsStep 5: Collect Live System State DataStep 6: Conduct Windows Server-Side Collection and Open File SupportStep 7: Collect Disk Details and ImageStep 8: Collect Supplemental System InformationCommon Windows Directories Used for StartupWindows Scheduled TasksCommon Windows 32-Bit and 64-Bit Registry Auto-Start LocationsOther Windows Artifact InvestigationWindows Logfiles and LocationsWindows Suspicious Processes: Process ExplorerConfiguration OptionsSuspicious Process ReviewAutomated Collection on Windows with KAPEKAPE Quick StartKAPE and Missing BinariesDeepBlueCLI for WindowsRDBMS Incident ResponseMicrosoft SQL Server NotesFilesystem and Registry Notes
6. Linux Volatile Data System Investigation
PreparationLinux DistributionsCommand BackgroundGrep Quick StartFinding FilesStep 1: Prepare Storage for Data CollectionStep 2: Dump and Analyze Physical MemoryDumping and Capturing Memory to a Remote System Using NetcatUsing the Volatility 3 Command SetStep 3: Collect Live System State DataCapturing System StateStep 4: Investigate Linux Using lsofStep 5: Investigate Additional Linux ArtifactsGathering Filesystem InformationInvestigating File Sharing with NFS and SAMBACollecting LogsManaging and Investigating Linux Package FilesOther TopicsContainment with Linux Iptables Essentials: An ExampleUsing IptablesUsing NftRecovery: Firewall Assurance/Testing with HpingRecovery: Vulnerability Testing with OpenVAS
7. Windows Host Analysis with PowerShell
Investigating a Standalone Remote System with WinRMInvestigating Local Versus Remote SystemsUsing PSSession for 1:1 RemotingUsing Invoke-Command to Script Remote System InterrogationDirectory SharingCreating System and Date-Stamped FilesDetermining PowerShell VersionDocumenting Time Zone, Environment, System Date, and TimeMachine and OS InformationUser Accounts, Groups, and Current LoginsNetwork Configuration for IPv4 and IPv6Auto Start Extensibility PointsRunning ProcessesInstalled and Running ServicesInstalled CertificatesDrivers Installed and RunningFiles and DirectoriesShares and Currently Open Server-Side FilesWMI IndicatorsPhysical DrivesMapped DrivesRegistry ExportScheduled TasksActive Network ConnectionsCurrently Installed HotfixesInstalled ApplicationsWindows AppLockerFiles Changed Since . . .Searching for Alternate Data StreamsSearching for Files by ExtensionSearching for Files by SizeSearching for Hidden Files and Retrieve File TimesCollecting USB-Related InformationVolume Shadow Copy StateDNS CacheAnalyzing Windows Event LogsInvestigating Specific Event IDs in the Security LogUsing the Positional Method for Logins (Event ID 4624)Using the XML Overlay Method for Logins (Event ID 4624)Event ID 4688 and Command-Line AuditingExamining Sysmon Event Logs
8. Active Directory Analysis
Adversary Actions Start with ReconnaissanceKerberoastingAuthentication Server Response (AS-REP) RoastingPassword Spray AttacksUnconstrained Delegation Account AbuseCertificate Services (AD CS) CompromiseDCSync and Its Cousin, DCShadowGolden TicketEarly Warning Detection for AD Defense
9. Network-Based Analysis
Capturing Packet DataCapturing Local Packet DataMirroring on a Portable Switch in a Jump BagMirror/SPAN Enterprise Switch ConfigurationsNetwork TapsHypervisorsThe CloudNGFWs and TLS Packet ExportNetwork Device Collection and Analysis ProcessPerimeter Router Intrusion SignsPerimeter Firewall Intrusion SignsIntrusion Detection and Prevention LogsPerimeter VPN ConcentratorsScreened Services (DMZ) NetworkInterior Switch DevicesSuspect DNS NamesWebsite Investigation TechniquesReputation RiskNetwork Traffic Analysis TechniquesBerkeley Packet Filter and Capturing DataIdentifying Network InterfacesUsing Tshark to Capture ConnectionsUsing Pktmon for Wired ConnectionsProfiling PCAP with Tshark and CapinfosFinding the SYN and SYN/ACK PacketsExtracting Port/Pair CombinationsImplementing Application-Specific Analysis TechniquesSuspicious Traffic PatternsUnused Internal Address ActivityCertificatesUncommon Applications and Port NumbersSnort Rules: Darknet Example

10. Enterprise Detection and Response Capabilities
Sample Attack FlowEntry PointsAttack Visualization with the StoryLineTM ReportMitigation ActionsResponse ActionsHyperautomationOther Capabilities
A. Common TCP and UDP Ports
B. ICMP Types and Codes
C. Headers
Index
About the Author

Content preview from Blue Team Handbook: Incident Response

Chapter 6. Linux Volatile Data System Investigation

In the fields of observation, chance favors only the prepared mind.

Louis Pasteur

Luck favors the prepared.

Edna Mode

This chapter covers widely accepted processes and commands to run, in the approximate best order possible, for Unix and Linux systems. Remember that volatile data, such as memory, processes, and network ports, changes frequently. It may be wise to re-execute some of these commands throughout an incident, perhaps hourly. Command text output collected on a Linux system is not compatible with Windows because of carriage return line feed translation.

If you are going to review data on a Windows system, you can convert the data from Unix or Linux format to Windows format with the Unix/Linux dos2unix command.

As an incident responder, be aware of the major areas to investigate on a Linux system: network connections, processes, configuration files normally found in /etc, the filesystem, user home directories and the myriad .dot files in them, and /var/log contents.

Preparation

Several steps are involved in preparing to handle an incident on a Linux platform, as discussed in this section.

Linux Distributions

Linux itself refers to the kernel, not the packaged operating system and its supporting toolset. The distribution refers to the GUI, package management tool, log locations, and basic software loadout. Two main categories influence the skills needed to analyze a system: Debian-based distros, which include ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Blue Team Handbook: SOC, SIEM, and Threat Hunting

Publisher Resources

ISBN: 9798341649767Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design