INTRODUCTION
In October 2013, the Ponemon Institute released a study on the cost of cybercrime in 2013. Among the organizations polled, the average time to resolve an incident was 32 days, and the average cost to resolve an incident was just over US$1 million. That was up from an average of 24 days and just under US$600,000 the year before. The measurable cost to the affected organization is only the beginning because the impact of what criminals do with stolen information is difficult to quantify and is often delayed or never discovered.
Laws and industry regulations attempt to improve computer security by creating standards to follow and penalties for noncompliance. Although those efforts may be helpful in some cases, they also turn computer security into a checkbox. When that happens, most organizations will do the minimum required to put the check in the box.
The best way to improve computer security is to arm crime solvers like you with the most effective tools, techniques, and knowledge possible. This book is our attempt to do that. In this new edition, we’ve done our best to convey everything we’ve learned over the past ten years. We hope that you find it to be a valuable resource.
Who Should Read This Book
This book discusses topics that are valuable for anyone involved in the incident response (IR) process. From the CIO to IR team lead, to the person collecting logs from a web server, we cover both technical and nontechnical aspects of incident response. Today, effective incident response requires more than just IT and security staff—legal, human resources, public relations, marketing, and other business functions are needed. This book contains guidance for anyone who needs to:
• Understand the IR process
• Build and equip an IR team for success
• Enhance an infrastructure or organization to facilitate the IR process
• Lead an investigation or remediation effort
• Collect and handle evidence
• Analyze Windows or OS X evidence
• Triage malware
• Write better reports
How Is This Book Organized?
We organized this book into six parts, beginning with preparatory topics and finishing with incident resolution. In between, we discuss incident concepts, data collection, and analysis. Throughout the book, we did our best to “future-proof” the content. We provide specifics about performing incident response tasks, but we also cover the fundamental concepts so that you are able to make better decisions as technology and the incident response landscape changes. Those fundamentals should not change much over time, and we hope this edition proves to be useful for years to come.
Part I: Preparing for the Inevitable Incident
In this part, our goal is to provide you with the high-level incident response perspective and guidance you need to build an IR team and prepare for incident response. We begin by sharing our experiences from two real-world incidents. Then we discuss incident response management, including defining the IR process, the investigation lifecycle, remediation, information tracking, and what you need to build a successful IR team. Finally, we cover steps you can take to prepare your infrastructure, your organization, and the IR team.
Part II: Incident Detection and Characterization
The actions you take when you first detect an incident will have great consequence on the outcome of the investigation. Part II covers investigative tips and techniques that contribute to a successful incident response. We discuss checklists, case notes, development of leads, creating indicators of compromise, and determining the scope of the incident.
Part III: Data Collection
Each incident you work on will require the collection and preservation of information. In this part, we discuss collecting data from both running and offline systems, the network, and from enterprise services. Data sources include memory, hard drives, network packet captures, and log files.
Part IV: Data Analysis
After you collect data, the next step is to perform analysis. In this part, we discuss general analysis approaches and then dive into specific operating systems. We cover Microsoft Windows and Apple OS X. We also include a chapter on malware triage, primarily focusing on the Windows platform. Lastly, we discuss report writing and provide a sample report template.
Part V: Remediation
Remediation is the end goal of any incident response—returning the organization back to a normal state. In this part, we introduce remediation concepts, including a seven-step remediation process. Then we apply those concepts to one of the real-world scenarios from Chapter 1 as part of a remediation case study.
Part VI: Appendixes
We included a number of questions at the end of each chapter of the book to help reinforce the concepts we presented and allow you to take on some exercises on your own. We provide answers to those questions in Appendix A. In Appendix B, we include a number of checklists and forms that we reference throughout the book. Neither appendix is part of the printed book, but both are available online at the book’s website, ir3e.com.
Resources
Because technology and websites change often, we’ve created an online resource you can use to obtain updated or corrected links to information we included in this book. Our website, ir3e.com, will contain the updated links in addition to other resources, such as the forms and checklists from Appendix B. If you would like to contact us with suggestions, updated information, or other comments, please send us an e-mail at [email protected].