FOREWORD
Incident response has changed significantly over the past decade and since the second edition of this book. Ten years ago incident response was still considered a three to ten host or server problem. It was extraordinary to have several dozen or even several hundred machines in an enterprise compromised. If you set aside the mobile landscape, however, the attack surface (the number of places or applications that are vulnerable) has stayed more or less the same over time. This means either the attackers are compromising more systems or we as an industry are getting better at finding all the places they are. I believe both are true.
The attackers are much less interested in the traditional smash and grab. Today, they are more patient, spending months or even years in our networks doing reconnaissance. In my experience with incident response over the past decade, attackers often know the network as well as the IT department. This does not mean that the IT department is doing a bad job, but it does mean the attacker is now taking the same professional, methodical, patient approach.
So what has changed? We have had increasing (and more visible) adoption of cyber-attacks as a method for a variety of motives. These are the news stories on any given week. The attacker could be a nation state focusing on government contractors building the next-generation fighting platform or a cyber-criminal targeting tens of millions of credit cards and personally identifiable information. The attacker must plan and carefully consider how to move around the network in order to prevent detection and find exactly the things of value to steal.
As attack techniques evolved, I believe our approach has advanced and our detection tools have matured. Our detection has not only improved at the network level, but now there are far more tools that can give an incident responder visibility into the host enterprise-wide. Instead of looking at bits and bytes on a handful of systems, we are now taking an enterprise view of incident response.
Intrusions are not just an individual enterprise concern, but they have far-reaching global and economic impacts. The world of incident response changed on January 12, 2010. That is the date that Google’s SVP, Corporate Development and Chief Legal Officer, David Drummond, announced to the world that Google had been hacked by China.[1] This was an almost unprecedented announcement. Not only was it rare for a corporation to announce they had been breached (unless required by law), but Google was also naming a nation state with its announcement. Regardless of the intellectual property loss Google suffered, its stock opened down $21.16 from the previous day’s open, or approximately 3.5 percent, on January 13 because of the after-hours announcement. That was a loss in market capitalization of approximately one billion dollars. One could argue that this is purely a coincidence, but during the same period from the open on January 12, 2010 to the open on January 13, 2010, Baidu, a Chinese web search company, saw its opening price increase $48.59 or approximately 12.3 percent. Most telling was that Baidu’s volume of trades was up approximately 400 percent. I would argue that money was literally leaving Google to bet on Baidu.
This book should be a manual for every incident responder and security organization. Every aspect of our work is impacted by a breach. It has been my privilege to work with the authors over the past seven years. Together we built incident response techniques leveraging identification methods that come from the authors’ extensive careers investigating breaches. The book covers the entire lifecycle of incident response, and reading it reminded me why we made some of the process and tool decisions we made at Mandiant. It starts with preparation—the most important part. However, if you are unfortunate enough to find yourself in the middle of the compromise, the authors will guide you through the process of incident response, including data collection, data analysis, and remediation. Learn from the experience and mistakes of others and follow the reference links for the incident response tools and tricks of the trade. Few have seen the battles the authors have seen. I respect their expertise very much and have enjoyed working with each of them.
James R. Butler, II
Chief Researcher, Global Services and Cloud Solutions
FireEye, Inc.
James R. Butler has over 17 years of experience in operating system security. He is a recognized leader in attack and detection techniques and has focused in recent years on memory analysis research and virtual machine introspection. Prior to FireEye, Jamie was the Chief Researcher at Mandiant and formerly led its Endpoint Security Team on its enterprise product Mandiant Intelligent Response. Jamie is the co-author of the bestseller Rootkits: Subverting the Windows Kernel (Addison-Wesley, 2005). In addition, he has authored numerous articles for publication and is a frequent speaker at the foremost computer security conferences. Jamie serves as a Review Board member for Black Hat.
___________________
[1] David Drummond, "A new approach to China," January 12, 2010. http://googleblog.blogspot.sg/2010/01/new-approach-to-china.html