Incident Response in the Age of Cloud

Book description

Learn to identify security incidents and build a series of best practices to stop cyber attacks before they create serious consequences

Key Features

  • Discover Incident Response (IR), from its evolution to implementation
  • Understand cybersecurity essentials and IR best practices through real-world phishing incident scenarios
  • Explore the current challenges in IR through the perspectives of leading experts

Book Description

Cybercriminals are always in search of new methods to infiltrate systems. Quickly responding to an incident will help organizations minimize losses, decrease vulnerabilities, and rebuild services and processes.

In the wake of the COVID-19 pandemic, with most organizations gravitating towards remote working and cloud computing, this book uses frameworks such as MITRE ATT&CK® and the SANS IR model to assess security risks.

The book begins by introducing you to the cybersecurity landscape and explaining why IR matters. You will understand the evolution of IR, current challenges, key metrics, and the composition of an IR team, along with an array of methods and tools used in an effective IR process. You will then learn how to apply these strategies, with discussions on incident alerting, handling, investigation, recovery, and reporting.

Further, you will cover governing IR on multiple platforms, sharing cyber threat intelligence, and the procedures involved in IR in the cloud. Finally, the book concludes with an “Ask the Experts” chapter wherein industry experts have provided their perspective on diverse topics in the IR sphere.

By the end of this book, you should become proficient at building and applying IR strategies pre-emptively and confidently.

What you will learn

  • Understand IR and its significance
  • Organize an IR team
  • Explore best practices for managing attack situations with your IR team
  • Form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity
  • Organize all the entities involved in product security response
  • Respond to security vulnerabilities using tools developed by Keepnet Labs and Binalyze
  • Adapt all the above learnings for the cloud

Who this book is for

This book is aimed at first-time incident responders, cybersecurity enthusiasts who want to get into IR, and anyone who is responsible for maintaining business security. It will also interest CIOs, CISOs, and members of IR, SOC, and CSIRT teams. However, IR is not just about information technology or security teams, and anyone with a legal, HR, media, or other active business role would benefit from this book.

The book assumes you have some admin experience. No prior DFIR experience is required. Some infosec knowledge will be a plus but isn't mandatory.

Table of contents

  1. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Get in touch
  2. Getting Started with Incident Response
    1. The cybersecurity threat landscape
      1. Cybersecurity and COVID-19
      2. Understanding the attack surface
    2. What is incident response?
      1. What is an incident?
      2. The orchestrators of cybersecurity incidents
        1. The people
        2. The services
        3. The tools
      3. Common factors in recent incidents
        1. Lack of resources
        2. Lack of skills
        3. Security as an afterthought
        4. Weak applications
        5. Weak networks
        6. System complexity
        7. Lack of visibility
        8. Failure to learn from past mistakes
        9. Cloud security assumptions
    3. The importance of organizational incident response plans
      1. Protecting data
      2. Protecting reputation and customer trust
      3. Protecting revenue
    4. GDPR and NIS regulations about incident response
      1. GDPR regulations
      2. NIS regulations
    5. Components of an incident response plan
      1. Step 1: Preparation
      2. Step 2: Identification
      3. Step 3: Containment
      4. Step 4: Eradication
      5. Step 5: Recovery
      6. Step 6: Reporting
    6. Tips
    7. Summary
    8. Further reading
  3. Incident Response – Evolution and Current Challenges
    1. The evolution of incident response
      1. The history of data breaches
      2. Modern cybersecurity evolution
    2. Challenges facing incident response
      1. Protecting the company brand
      2. Preventing future breaches
      3. Preparing for attacks
        1. Developing cyber resilience
      4. Assessing security safeguards
      5. Aiding investigations and legal prosecutions
      6. Bringing the organization together during crises
      7. Ensuring the integration of security initiatives
      8. Improving the overall security stature of the organization
    3. Why do we need incident response?
    4. Tips
    5. Summary
    6. Further reading
  4. How to Organize an Incident Response Team
    1. What an IR team does
    2. The composition of an IR team
      1. Team lead
      2. IT auditor
      3. Communications personnel
      4. Legal representative
      5. Technical personnel
      6. Human resources
      7. Public relations
      8. Financial auditor
      9. Management liaison
    3. Choosing the ideal response team
      1. Availability
      2. Integrity
      3. Team spirit
      4. Innovativeness
    4. How the IR team should be supported
    5. Where the IR team should be located
    6. Building an IR strategy
      1. Reactive security
        1. Monitoring
        2. Response
        3. Disaster recovery
        4. Forensic investigations
      2. Proactive security
      3. Operational security
        1. What is operational security?
        2. How is operational security implemented?
      4. The significance of the three security pillars
    7. Security operations and continuous monitoring
      1. Captive SOC
      2. Co-managed SOC
      3. Fully managed SOC
      4. Threat intelligence systems
      5. Digital forensics and real-time IR with SIEM
    8. Tips
    9. Summary
    10. Further reading
  5. Key Metrics for Incident Response
    1. Key incident response metrics
      1. Prevalence metrics
        1. Ticket volume
        2. Total number of incidents
        3. Number of incidents over time
        4. Incidents involving known problems
        5. Incidents resolved remotely
        6. Incidents with no known resolution
        7. Incidents per department
      2. Effectiveness metrics
        1. Escalation rate
        2. Customer satisfaction
        3. Post-incident reviews
        4. Alerts created
        5. Service level indicator
        6. First-touch resolution rate
        7. Reopen rate
        8. Cost per ticket
        9. Number of active tickets
        10. Incidents by type
        11. Recategorized incidents
        12. Incidents initiated by direct contact
      3. Time-based metrics
        1. Mean time to acknowledge
        2. Average incident response time
        3. Mean time to resolution
        4. Amount of uptime
        5. Amount of downtime
        6. Timeline
        7. Percentage of incidents resolved in a defined timeframe
        8. Time spent on-call
        9. Average time between incidents
        10. Mean time between failures
        11. Mean time to detect
    2. Understanding KPIs
    3. Key metrics for a phishing attack
      1. Prevalence metrics
        1. Total number of incidents
        2. Average time between incidents
        3. Number of incidents over time
        4. Incidents per department
      2. Effectiveness metrics
        1. Escalation rate
        2. Mean time to acknowledge
        3. Mean time to resolution
      3. Time-based metrics
        1. Timeline
    4. Incident response metrics in the cloud
    5. Tips
    6. Summary
    7. Further reading
  6. Methods and Tools of Incident Response Processes
    1. The OODA loop
      1. Observe
        1. Tools and tactics
        2. Questions to ask
        3. Key takeaways
      2. Orient
        1. Tools and tactics
        2. Questions to ask
        3. Key takeaways
      3. Decide
        1. Tactics
        2. Questions to ask
        3. Key takeaways
      4. Act
        1. Tools and tactics
        2. Questions to ask
        3. Key takeaways
    2. IR playbooks
      1. The playbook lifecycle
    3. IR tactics in the cloud
      1. What to do before you move to the cloud
      2. What to do during an incident
    4. IR tools for the cloud
      1. GRR Rapid Response
      2. Malware Information Sharing Platform
      3. TheHive
      4. Apache Metron
      5. OwlH
    5. Tips
    6. Summary
    7. Further reading
  7. Incident Handling
    1. The NIST definition of a security incident
    2. The incident response process
      1. Creating an incident response process
      2. Incident response team
      3. Incident lifecycle
    3. Handling an incident
      1. Scoping an incident
      2. Collecting key artifacts
      3. Containing incidents with IDS
      4. Real-world scenario
      5. Documenting the lessons learned
    4. Handling an incident in a phishing scenario
      1. Identification
      2. Triage
      3. Investigation
      4. Remediation
      5. Recovery
      6. Avoidance of future incidents
    5. Hands-on phishing incident response
      1. Containing confirmed malicious emails
        1. Keepnet Incident Responder
        2. Office 365 Advanced Threat Protection
        3. Google Workspace investigation tool
      2. Generating Snort rules
      3. Generating YARA rules
      4. Keepnet Labs REST API
    6. Tips
    7. Summary
    8. Further reading
  8. Incident Investigation
    1. Incident investigation essentials
      1. Identification
        1. Suspicious processes
        2. Processes running from suspicious locations
        3. Suspicious directories
        4. Suspicious users
        5. Suspicious logs
      2. Data collection
        1. Volatile data collection
        2. Collecting memory dumps
        3. Collecting hard disk data
    2. Investigating a phishing attack
      1. Log retrieval and review
      2. Identification of the tools that detected the attack
      3. Identification of the affected systems and networks
      4. Identification of users affected by the attack
      5. Identification of systems at risk
      6. Identification of the business processes affected by the attack
      7. Evidence collection
    3. Analysis of emails
    4. Investigation tools
      1. Microsoft Threat Explorer
      2. Google Workspace security investigation tool
      3. Keepnet Incident Responder
    5. Investigating user inboxes
      1. Using Microsoft Threat Explorer
      2. Google Workspace security investigation tool
      3. Keepnet Incident Responder
    6. Automatic and scheduled investigations
      1. Microsoft automated investigation and response in Office 365
      2. Google Workspace investigation tool
      3. KIR automatic investigation
    7. Summary
    8. Further reading
  9. Incident Reporting
    1. Reporting to the IR team
      1. Description of the incident
      2. Cause of the incident
      3. Mitigation measures taken
      4. Future IR recommendations
    2. Reporting to the SOC team
      1. Description of the incident
      2. Cause of the incident
      3. Follow-up recommendations
    3. Reporting to third parties
      1. Description of the incident
      2. Cause of the incident
      3. Mitigation measures taken
      4. Short-term and long-term business impacts
    4. Reporting to the media
      1. Description of the incident
      2. Cause of the incident
      3. Mitigation measures taken
      4. Impacts on business
    5. Reporting to the cloud service provider
    6. Phishing alerting and reporting
      1. Significance of reporting phishing activity
      2. When to report suspicious activity
      3. How can an end user report a suspicious email?
    7. Reporting on mobile devices
    8. Reporting with web email access
      1. Reporting with Outlook
      2. Reporting with Gmail
      3. Reporting with Yahoo
      4. Reporting with Keepnet Phishing Reporter
    9. Reporting to a SOC team and third-party services using IOC feeds
      1. Getting reports from IOC feeds
      2. Data share APIs for SOC teams
    10. Summary
    11. Further reading
  10. Incident Response on Multiple Platforms
    1. IR on computers
      1. Preparation
      2. Identification
      3. Data collection
      4. Containment
      5. Eradication
      6. Recovery
      7. Reporting
    2. IR on mobile devices
      1. Identification
      2. Containment
      3. Eradication
      4. Recovery
      5. Lessons learned
    3. IR on Active Directory
      1. Types of Active Directory incidents
        1. Handling user account changes
        2. Handling password resets
        3. Handling security group changes
        4. Numerous logons by the same user account on multiple endpoints
        5. Group policy changes
      2. Common Active Directory vulnerabilities
      3. Identifying an attack on Active Directory
        1. Understanding Windows startup
      4. Preventing domain compromise on Active Directory
    4. IR in the cloud
      1. Microsoft Azure
      2. Amazon Cloud
        1. Copying data in Linux for investigation
      3. Google Cloud
      4. Choosing the right IR partner
    5. Summary
    6. Further reading
  11. Cyber Threat Intelligence Sharing
    1. Introducing threat intelligence
    2. The importance of threat intelligence
    3. How to share threat intelligence
      1. Cyber threat intelligence sharing lifecycle
      2. Automating threat intelligence collecting, sharing, and analysis
    4. Threat intelligence tools and platforms
      1. The Malware Information Sharing Platform
        1. How does it work?
      2. Keepnet's Threat Intelligence Sharing Community
        1. How does it work?
        2. Incident response with Keepnet's TISC
      3. Open source tools for threat intelligence
        1. OPSWAT MetaDefender Cloud API
        2. FraudGuard
      4. Threat intelligence feeds
        1. Ransomware Tracker
        2. Automated Indicator Sharing
        3. VirusTotal
        4. Talos Intelligence
        5. The Harvester
        6. Azure Sentinel
      5. Leveraging Azure Sentinel to investigate suspicious activity
      6. The Comodo Threat Intelligence Lab
    5. Summary
    6. Further reading
  12. Incident Response in the Cloud
    1. Cloud service models
    2. Assessing IR in the cloud using the SANS IR model
      1. Preparation
      2. Identification
      3. Containment
      4. Eradication
      5. Recovery
      6. Reporting
    3. Understanding cloud attacks using the MITRE cloud matrix
      1. Initial access
        1. Drive-by compromises
        2. The exploitation of a public-facing application
        3. Spear phishing links
        4. Insider threats
        5. Existing accounts
      2. Persistence
        1. Account manipulation
        2. Creating new accounts
        3. Implanting images
        4. Start up applications
      3. Privilege escalation
      4. Defense evasion
      5. Credential access
      6. Discovery
        1. Cloud service dashboards
        2. Cloud service discovery
        3. Account and remote host discovery
        4. Shared drives
      7. Lateral movement
      8. Collection
      9. Exfiltration
      10. Impact
    4. Top threats facing cloud systems
      1. Insecure APIs
      2. Account hijacking
      3. Insider threats
      4. Data breaches
      5. DDoS attacks
      6. Exploits
      7. Vulnerabilities
    5. Implementing SOAR techniques and recommendations
    6. IR in the cloud: developing a plan of action
      1. Updating your IR process to include the cloud
    7. Summary
    8. Further reading
  13. Building a Culture of Incident Readiness
    1. Threat hunting
      1. Threat hunting framework
        1. Implementing a threat hunting framework
      2. Threat hunting tools and techniques
        1. Security monitoring tools
        2. SIEM solutions
        3. Security Operations Center
        4. Managed Detection and Response
        5. Analytics tools
      3. The threat hunting process
        1. Preparation
        2. Creating a hypothesis
        3. Hunting
        4. Response
        5. Prevention
    2. Purple teaming
      1. The MITRE ATT&CK framework
      2. Synthetic war-gaming
    3. Artificial intelligence and incident response
      1. Threat hunting
      2. Threat anticipation
      3. Incident handling
      4. Incident analysis
    4. IR readiness in the cloud
    5. Summary
    6. Further reading
  14. Incident Response Best Practices
    1. Adopting proactive mobilization
    2. Using a well-defined resolution process
    3. Making an easy-to-implement IR plan
    4. Using effective communication strategies
    5. Breaking down information silos
    6. Using a centralized approach
    7. Testing IR plans
    8. Assessing and reviewing the IR plan
    9. Automating basic tasks
    10. Using templates and playbooks
    11. Carrying out post-incident reviews
    12. Tips
    13. Summary
    14. Further reading
  15. Incident Case Studies
    1. Dealing with a spear phishing attack with Keepnet Incident Responder
      1. Installing on Office 365 or Exchange
      2. The importance of user attentiveness
      3. Technical analysis of malicious software
      4. Dealing with a threat in multiple inboxes
      5. Automated incident response feature
    2. Performing digital forensics with Binalyze's IREC
      1. Using IREC's practical features
      2. Interacting with IREC using the CLI
      3. Binalyze AIR
    3. Summary
  16. Ask the Experts
    1. Approaches to IR
      1. Orin Thomas – Cloud security requires an updated mindset
      2. Tyler Wrightson – Know thy enemy
        1. Level of skill
        2. Attacker TTPs
        3. Motives or agenda
        4. What next?
      3. George Balafoutis – The acronym that should be in every CISO's vocabulary
      4. Yilmaz Degirmenci – Cybersecurity visibility analysis: a soldier's perspective
    2. IR in the cloud
      1. Brian Svidergol – Incident response fundamentals
      2. Mark Simos – The cloud transformation journey
        1. What is changing about IR in the cloud age?
        2. What does a major transformation involve?
        3. What are the key lessons learned from other organizations?
      3. Hala ElGhawi – Cloud incident management and response
        1. Choosing a cloud provider
        2. The IR lifecycle
        3. How cloud deployment impacts IR
      4. Ahmed Nabil – Incident response in the cloud
        1. Cloud incident response aspects
        2. Incident response process
        3. Cloud incident response framework
        4. Automated incident response in the Microsoft 365 cloud
        5. Incident response cloud best practices
    3. Tools and techniques
      1. Emre Tinaztepe – The case: a modern approach to DFIR
        1. Where to look
        2. Dead-box forensics: Use it, but not as the first thing!
        3. Prioritize your actions based on the case
        4. Correlating and timelining
      2. Raif Sarica and Şükrü Durmaz – Remote incident response with DFIR
        1. Implementing DFIR
        2. Case study
        3. Using Binalyze tools
        4. Using other tools
      3. Santos Martinez – Protecting corporate data on mobile devices
        1. What is the most common use of a mobile device?
        2. What is Zero Trust networking?
        3. How do we protect our company data on a mobile device?
        4. Using Microsoft Endpoint Manager
      4. Ozan Veranyurt – Artificial intelligence in incident response
        1. Phases of incident response
        2. The challenges of artificial intelligence for incident response
        3. Conclusion
    4. Methods of attack
      1. Gokhan Yuceler – Analyzing a target-oriented attack
        1. Technical Details
        2. Conclusion
      2. Grzegorz Tworek – Windows object permissions as a backdoor
      3. Summary
    5. Why subscribe?
  17. Other Books You May Enjoy
  18. Index

Product information

  • Title: Incident Response in the Age of Cloud
  • Author(s): Dr. Erdal Ozkaya
  • Release date: February 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781800569218