book

Incident Response with Threat Intelligence

Name: Incident Response with Threat Intelligence
Author: Roberto Martinez
ISBN: 9781801072953

by Roberto Martinez

June 2022

Intermediate to advanced

468 pages

8h 50m

English

Packt Publishing

Read now

Unlock full access

Incident Response with Threat Intelligence
ContributorsAbout the authorAbout the reviewer
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare Your Thoughts
Section 1: The Fundamentals of Incident Response
Chapter 1: Threat Landscape and Cybersecurity Incidents
Knowing the threat landscapeIs COVID-19 also a cyber-pandemic?Supply chain attacksUnderstanding the motivation behind cyber attacksThe ransomware that was notTrick-or-treatNothing is what it seemsEmerging and future cyber threatsCyber attacks targeting IOT devicesAutonomous vehiclesDrones Electronic voting machinesCyber attacks on robotsThe challenge of new technologies for DFIR professionalsSummaryFurther reading
Chapter 2: Concepts of Digital Forensics and Incident Response
Concepts of digital forensics and incident response (DFIR)Digital forensicsWhat is incident response? Difference between events and incidents Digital evidence and forensics artifactsLooking for artifacts and IoCsIoCs versus IoAsIncident response standards and frameworksNIST Computer Security Incident Handling GuideSANS incident response processNIST Guide to Integrating Forensic Techniques into Incident ResponseDefining an incident response postureSummaryFurther reading
Chapter 3: Basics of the Incident Response and Triage Procedures
Technical requirementsPrinciples of first responseFirst response guidelinesTriage – concept and proceduresFirst response procedures in different scenarios First response toolkitForensic image acquisition toolsArtifact collectorsSummaryFurther reading
Chapter 4: Applying First Response Procedures
Technical requirementsCase study – a data breach incidentAnalyzing the cybersecurity incidentSelecting the best strategyNext stepsFollowing first-response proceduresMemory acquisitionMemory capture and artifacts acquisition using KAPEDisk drive acquisition proceduresHard drive acquisition using a hardware duplicatorSummaryFurther reading
Section 2: Getting to Know the Adversaries
Chapter 5: Identifying and Profiling Threat Actors
Technical requirementsExploring the different types of threat actorsHacktivistsScript kiddiesInsidersCybercriminalsRansomware gangsAdvanced Persistent Threats (APT) groups Cyber-mercenariesResearching adversaries and threat actorsSTIX and TAXII standardsWorking with STIX objectsCreating threat actor and campaign profilesCreating threat actors' profiles using Visual Studio CodeSummaryFurther reading
Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework
Technical requirementsIntroducing the Cyber Kill Chain frameworkUnderstanding the MITRE ATT&CK frameworkUse cases for ATT&CKUsing the ATT&CK NavigatorDiscovering and containing malicious behaviorsSummaryFurther reading

Chapter 7: Using Cyber Threat Intelligence in Incident Response
Technical requirementsConfiguring the lab environmentThe Diamond Model of Intrusion AnalysisMapping ATT&CK TTPs from CTI reportsCase study – a weaponized documentResponding to the incidentUsing TRAM to map ATT&CK TTPsUsing Visual Studio Code to research ATT&CK techniques and create reportsIntegrating CTI into IR reportsSummaryFurther reading
Section 3: Designing and Implementing Incident Response in Organizations
Chapter 8: Building an Incident Response Capability
Technical requirementsTaking a proactive approach to incident responseThe incident response hierarchy of needsDeveloping organizational incident response capabilitiesIdentifying business requirements to create an incident response programEvaluating the incident response maturity levelBuilding an incident response programIncident response procedures and guidelinesIntegrating people, processes, and technology into the incident response process PeopleProcessTechnologyAligning the incident response plan, the business continuity plan, and the disaster recovery planIncident response plansBusiness continuity plan Disaster recovery plans SummaryFurther reading
Chapter 9: Creating Incident Response Plans and Playbooks
Technical requirementsCreating IRPsCreating IR playbooksIncident PlaybookPublic PlaybooksScenario – An ounce of prevention is worth a pound of cureTesting IRPs and playbooksSimulation of attacks to measure response programsSummaryFurther reading
Chapter 10: Implementing an Incident Management System
Technical requirementsUnderstanding the TheHive architectureSetting up TheHive and creating casesCreating and managing casesAdding and assigning tasksDocumenting MITRE ATT&CK TTPs in TheHiveIntegrating intelligence with CortexConfiguring the analyzersSummaryFurther reading
Chapter 11: Integrating SOAR Capabilities into Incident Response
Technical requirementsUnderstanding the principles and capabilities of SOARBenefits of SOAR-based IR Implementing a SOAR model A SOAR use case – identifying malicious communicationsPreparing for the detection labSecurity orchestration between TheHive and Velociraptor using n8n Configuring the connection permissions for the client collection toolsClient collection toolsEscalating incidents from detectionEmulating suspicious behaviorEscalating an alertAutomating the IR and investigation processesEmulating the attackCreating a hashes databaseSetting TheHive parameters in Velociraptor Creating workflows using n8n SummaryFurther reading
Section 4: Improving Threat Detection in Incident Response
Chapter 12: Working with Analytics and Detection Engineering in Incident Response
Technical requirementsConfiguring the detection labImplementing a threat hunting platformInstalling ELKIdentifying and containing threatsHunting for threats in incident responseImplementing principles of detection engineering in incident responseUsing MITRE CAR, Invoke-AtomicRedTeam, and testing analyticsMITRE CARInstalling Invoke-AtomicRedTeamTesting detections and huntingSummary
Chapter 13: Creating and Deploying Detection Rules
Technical requirementsConfiguring the detection labIntroduction to detection rulesDetecting malicious files using YARA rulesStructure of a YARA ruleCreating YARA rulesAnalyzing and identifying patterns in filesDownloading PeStudioUsing PeStudioDetecting potential threats using YARA rulesTesting the YARA ruleModifying a YARA rule to improve detectionDetecting malicious behavior using Sigma rulesCloning the repositoryCreating Sigma rulesCreating or analyzing detection engineeringConverting Sigma rulesUsing additional tools that use rules to scan for threatsSummaryFurther reading 
Chapter 14:  Hunting and Investigating Security Incidents
Technical requirementsResponding to a data breach incident Analyzing the cybersecurity incident Selecting the best strategyPreparing for the labCopying and importing evidence filesStarting the investigationOpening a new IR case Investigating the security incidentUsing Sigma rules to find a user creation eventSearching by the activity of devices involvedSummary
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Overview

Master the art of incident response and fortify your organization's security posture by leveraging intelligence-based threat hunting. This comprehensive guide provides practical, actionable insights along with hands-on examples to develop, implement, and enhance incident response strategies tailored for contemporary cyber threats.

What this Book will help me do

Understand and implement the foundational aspects of incident response and management.
Develop tailored incident response plans and playbooks to streamline contingency operations.
Learn to use cutting-edge tools like TheHive, ELK, Velociraptor, and KAPE for incident response.
Integrate intelligence frameworks such as the Cyber Kill Chain and MITRE ATT&CK into your processes.
Leverage methodologies and tools like Sigma and YARA rules for effective threat hunting.

Author(s)

None Martinez brings their wealth of experience in the cybersecurity field to provide this incisive guide on incident response. With years of hands-on expertise and a passion for empowering professionals with practical skills, their approach to explaining concepts is thorough yet approachable. Readers are guided step-by-step to master tools and methods essential for contemporary cybersecurity challenges.

Who is it for?

This book is ideal for information security professionals aiming to enhance their skills in incident management and threat intelligence. It's suited to readers who want to proactively safeguard systems and understand practical implementations of incident response strategies. Basic familiarity with Linux, Windows internals, and network protocols is beneficial but not mandatory. Perfect for those looking to strengthen their knowledge base while gaining actionable expertise.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781801072953

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills