Preface

Incident response is fundamental and necessary for organizations' cybersecurity, regardless of their size. This book provides helpful information both to professionals who work in large companies with a certain level of maturity in incident response and to those who work in small or medium-sized companies, where no team is dedicated to this field.

I wrote this book with a broad approach that converges diverse disciplines, such as threat intelligence, threat hunting, and detection engineering. The different chapters show how the orchestration of these activities using the appropriate technologies can improve the capacity to respond to security incidents that can impact organizations.

There are four sections in this book. The first section covers the basic concepts of incident response, the first response procedures, and the tools to collect the artifacts from different devices.

In the second section, we will analyze the distinct types of threat actors from a broad perspective, considering their motivations and capabilities, under the principle that the best defense strategy takes advantage of knowledge of the adversary.

The third section covers the main aspects of implementing an incident response program, including the incident response plan and actionable playbooks based on different scenarios. This section also covers the technologies that support incident management and the integration of monitoring, detection, and investigation systems.

Finally, the fourth section covers critical aspects of a proactive detection posture: searching for and detecting attack indicators in order to speed up a threat's response and containment times, minimize its impact, and thus prevent adversaries from achieving their objective.

Who this book is for

This book is for those hungry to learn and passionate about sharing knowledge and who want to start or develop their skills in the exciting field of incident response. Whether you are a beginner or have experience in this area, you can find helpful information for the incident response practice.

What this book covers

Chapter 1, Threat Landscape and Cybersecurity Incidents, covers the context of cyber threats today and how they evolve and can become a risk to the organization's security.

Chapter 2, Concepts of Digital Forensics and Incident Response, covers incident response and digital forensics investigation fundamentals and best practices.

Chapter 3, Basics of the Incident Response and Triage Procedures, teaches you about forensics artifact identification and triage procedures.

Chapter 4, Applying First Response Procedures, teaches you how to perform first response procedures and collect digital evidence in a practical way.

Chapter 5, Identifying and Profiling Threat Actors, teaches you how to profile specific threats and identify the adversaries that may cause risk to your organization.

Chapter 6, Understanding the Cyber Kill Chain and the MITRE ATT&CK Frameworks, covers two of the most relevant frameworks to map adversaries' behaviors, tactics, and procedures.

Chapter 7, Using Cyber Threat Intelligence in Incident Response, shows you how to use threat intelligence information to identify malicious behavior in a cybersecurity incident.

Chapter 8, Building an Incident Response Capability, covers the alignment of different aspects of responding to security breaches, such as business continuity, disaster recovery, and incident response.

Chapter 9, Creating Incident Response Plans and Playbooks, shows you how to create incident response plans and playbooks for different attack scenarios.

Chapter 10, Implementing an Incident Management System, teaches you how to implement and configure an incident response management system, create investigation cases, and search artifact information on threat intelligence sources.

Chapter 11, Integrating SOAR Capabilities into Incident Response, teaches you how to integrate multiple systems to automate the processes of monitoring, alerting, creating cases, and investigating security incidents.

Chapter 12, Working with Analytics and Detection Engineering in Incident Response, covers the fundamentals of detection engineering and how you can use it to improve your monitoring or incident response detection capacity.

Chapter 13, Creating and Deploying Detection Rules, covers the fundamentals of the Yara and Sigma tools and shows you how to create rules to detect compromise and malicious behavior indicators.

Chapter 14, Hunting and Investigating Security Incidents, is where you will apply the concepts learned in the book in a practical scenario where you will hunt for threats and investigate a security breach.

To get the most out of this book

Having a basic knowledge of Linux and Windows operating systems, network protocols, and the management of virtualized environments in VMware will be very useful while using this book.

All the practical exercises in the book were designed to work on virtualization environments using VMware Workstation Player (free for personal use), so I recommend you download and use the latest version available.

The minimum hardware requirements are as follows:

  • 4 cores
  • 16–32 GB RAM
  • 120 GB of free storage space

There are many excellent technologies available to improve the capacity to detect threats and efficiently respond to security incidents. However, I mainly included open source or free tools in this book instead of commercial tools to make them accessible to everyone, so you can focus on applying the knowledge and concepts that I share in the different chapters.

I invite you to explore and learn about other tools and thus have a broader frame of reference when deciding on a particular one.

All the tools mentioned in the chapters can be used within virtualized environments.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the virtual machines, lab files, and additional resources from the book's GitHub repository: https://github.com/PacktPublishing/Incident-Response-with-Threat-Intelligence. If there's an update to the code, it will be updated in the GitHub repository.

You can use the password, [P4cktIRBook!], to access the link for downloading the virtual machines for this book.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801072953_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To start using this virtual pre-installed version of TheHive, you need to import the downloaded .ova file using VMware Workstation Player."

A block of code is set as follows:

detection:
  selection1:
    EventID: 1
  selection2:
    Image|contains:

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

import "pe"

rule procdump_tool {
  meta:
    description = "Simple YARA rule to detect the presence of Sysinternals Procdump"
    version = "1.0"

Any command-line input or output is written as follows:

sudo so-status

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "On TheHive's main dashboard, click on the New Organization button."

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Incident Response with Threat Intelligence, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
