{"product_id":"applied-incident-response-isbn-9781119560265","title":"Applied Incident Response","description":"\u003cp\u003eIncident response is critical for the active defense of any network, and incident responders need up-to-date, immediately applicable techniques with which to engage the adversary.  \u003ci\u003eApplied Incident Response\u003c\/i\u003e details effective ways to respond to advanced attacks against local and remote network resources, providing proven response techniques and a framework through which to apply them.  As a starting point for new incident handlers, or as a technical reference for hardened IR veterans, this book details the latest techniques for responding to threats against your network, including:\u003c\/p\u003e \u003cul\u003e \u003cli\u003ePreparing your environment for effective incident response\u003c\/li\u003e \u003cli\u003eLeveraging MITRE ATT\u0026amp;CK and threat intelligence for active network defense\u003c\/li\u003e \u003cli\u003eLocal and remote triage of systems using PowerShell, WMIC, and open-source tools\u003c\/li\u003e \u003cli\u003eAcquiring RAM and disk images locally and remotely\u003c\/li\u003e \u003cli\u003eAnalyzing RAM with Volatility and Rekall\u003c\/li\u003e \u003cli\u003eDeep-dive forensic analysis of system drives using open-source or commercial tools\u003c\/li\u003e \u003cli\u003eLeveraging Security Onion and Elastic Stack for network security monitoring\u003c\/li\u003e \u003cli\u003eTechniques for log analysis and aggregating high-value logs\u003c\/li\u003e \u003cli\u003eStatic and dynamic analysis of malware with YARA rules, FLARE VM, and Cuckoo Sandbox\u003c\/li\u003e \u003cli\u003eDetecting and responding to lateral movement techniques, including pass-the-hash, pass-the-ticket, Kerberoasting, malicious use of PowerShell, and many more\u003c\/li\u003e \u003cli\u003eEffective threat hunting techniques\u003c\/li\u003e \u003cli\u003eAdversary emulation with Atomic Red Team\u003c\/li\u003e \u003cli\u003eImproving preventive and detective controls\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\u003cb\u003ePart I Prepare 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 The Threat Landscape 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAttacker Motivations 3\u003c\/p\u003e \u003cp\u003eIntellectual Property Theft 4\u003c\/p\u003e \u003cp\u003eSupply Chain Attack 4\u003c\/p\u003e \u003cp\u003eFinancial Fraud 4\u003c\/p\u003e \u003cp\u003eExtortion 5\u003c\/p\u003e \u003cp\u003eEspionage 5\u003c\/p\u003e \u003cp\u003ePower 5\u003c\/p\u003e \u003cp\u003eHacktivism 6\u003c\/p\u003e \u003cp\u003eRevenge 6\u003c\/p\u003e \u003cp\u003eAttack Methods 6\u003c\/p\u003e \u003cp\u003eDoS and DDoS 7\u003c\/p\u003e \u003cp\u003eWorms 8\u003c\/p\u003e \u003cp\u003eRansomware 8\u003c\/p\u003e \u003cp\u003ePhishing 9\u003c\/p\u003e \u003cp\u003eSpear Phishing 9\u003c\/p\u003e \u003cp\u003eWatering Hole Attacks 10\u003c\/p\u003e \u003cp\u003eWeb Attacks 10\u003c\/p\u003e \u003cp\u003eWireless Attacks 11\u003c\/p\u003e \u003cp\u003eSniffing and MitM 11\u003c\/p\u003e \u003cp\u003eCrypto Mining 12\u003c\/p\u003e \u003cp\u003ePassword Attacks 12\u003c\/p\u003e \u003cp\u003eAnatomy of an Attack 13\u003c\/p\u003e \u003cp\u003eReconnaissance 13\u003c\/p\u003e \u003cp\u003eExploitation 14\u003c\/p\u003e \u003cp\u003eExpansion\/Entrenchment 15\u003c\/p\u003e \u003cp\u003eExfiltration\/Damage 16\u003c\/p\u003e \u003cp\u003eClean Up 16\u003c\/p\u003e \u003cp\u003eThe Modern Adversary 16\u003c\/p\u003e \u003cp\u003eCredentials, the Keys to the Kingdom 17\u003c\/p\u003e \u003cp\u003eConclusion 20\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Incident Readiness 21\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePreparing Your Process 21\u003c\/p\u003e \u003cp\u003ePreparing Your People 27\u003c\/p\u003e \u003cp\u003ePreparing Your Technology 30\u003c\/p\u003e \u003cp\u003eEnsuring Adequate Visibility 33\u003c\/p\u003e \u003cp\u003eArming Your Responders 37\u003c\/p\u003e \u003cp\u003eBusiness Continuity and Disaster Recovery 38\u003c\/p\u003e \u003cp\u003eDeception Techniques 40\u003c\/p\u003e \u003cp\u003eConclusion 43\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Respond 45\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Remote Triage 47\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eFinding Evil 48\u003c\/p\u003e \u003cp\u003eRogue Connections 49\u003c\/p\u003e \u003cp\u003eUnusual Processes 52\u003c\/p\u003e \u003cp\u003eUnusual Ports 55\u003c\/p\u003e \u003cp\u003eUnusual Services 56\u003c\/p\u003e \u003cp\u003eRogue Accounts 56\u003c\/p\u003e \u003cp\u003eUnusual Files 58\u003c\/p\u003e \u003cp\u003eAutostart Locations 59\u003c\/p\u003e \u003cp\u003eGuarding Your Credentials 61\u003c\/p\u003e \u003cp\u003eUnderstanding Interactive Logons 61\u003c\/p\u003e \u003cp\u003eIncident Handling Precautions 63\u003c\/p\u003e \u003cp\u003eRDP Restricted Admin Mode and Remote Credential Guard 64\u003c\/p\u003e \u003cp\u003eConclusion 65\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Remote Triage Tools 67\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Management Instrumentation Command-Line Utility 67\u003c\/p\u003e \u003cp\u003eUnderstanding WMI and the WMIC Syntax 68\u003c\/p\u003e \u003cp\u003eForensically Sound Approaches 71\u003c\/p\u003e \u003cp\u003eWMIC and WQL Elements 72\u003c\/p\u003e \u003cp\u003eExample WMIC Commands 79\u003c\/p\u003e \u003cp\u003ePowerShell 84\u003c\/p\u003e \u003cp\u003eBasic PowerShell Cmdlets 87\u003c\/p\u003e \u003cp\u003ePowerShell Remoting 91\u003c\/p\u003e \u003cp\u003eAccessing WMI\/MI\/CIM with PowerShell 95\u003c\/p\u003e \u003cp\u003eIncident Response Frameworks 98\u003c\/p\u003e \u003cp\u003eConclusion 100\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Acquiring Memory 103\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOrder of Volatility 103\u003c\/p\u003e \u003cp\u003eLocal Memory Collection 105\u003c\/p\u003e \u003cp\u003ePreparing Storage Media 107\u003c\/p\u003e \u003cp\u003eThe Collection Process 109\u003c\/p\u003e \u003cp\u003eRemote Memory Collection 117\u003c\/p\u003e \u003cp\u003eWMIC for Remote Collection 119\u003c\/p\u003e \u003cp\u003ePowerShell Remoting for Remote Collection 122\u003c\/p\u003e \u003cp\u003eAgents for Remote Collection 125\u003c\/p\u003e \u003cp\u003eLive Memory Analysis 128\u003c\/p\u003e \u003cp\u003eLocal Live Memory Analysis 129\u003c\/p\u003e \u003cp\u003eRemote Live Memory Analysis 129\u003c\/p\u003e \u003cp\u003eConclusion 131\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Disk Imaging 133\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eProtecting the Integrity of Evidence 133\u003c\/p\u003e \u003cp\u003eDead-Box Imaging 137\u003c\/p\u003e \u003cp\u003eUsing a Hardware Write Blocker 139\u003c\/p\u003e \u003cp\u003eUsing a Bootable Linux Distribution 143\u003c\/p\u003e \u003cp\u003eLive Imaging 149\u003c\/p\u003e \u003cp\u003eLive Imaging Locally 149\u003c\/p\u003e \u003cp\u003eCollecting a Live Image Remotely 154\u003c\/p\u003e \u003cp\u003eImaging Virtual Machines 155\u003c\/p\u003e \u003cp\u003eConclusion 160\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Network Security Monitoring 161\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSecurity Onion 161\u003c\/p\u003e \u003cp\u003eArchitecture 162\u003c\/p\u003e \u003cp\u003eTools 165\u003c\/p\u003e \u003cp\u003eSnort, Sguil, and Squert 166\u003c\/p\u003e \u003cp\u003eZeek (Formerly Bro) 172\u003c\/p\u003e \u003cp\u003eElastic Stack 182\u003c\/p\u003e \u003cp\u003eText-Based Log Analysis 194\u003c\/p\u003e \u003cp\u003eConclusion 197\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Event Log Analysis 199\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstanding Event Logs 199\u003c\/p\u003e \u003cp\u003eAccount-Related Events 207\u003c\/p\u003e \u003cp\u003eObject Access 218\u003c\/p\u003e \u003cp\u003eAuditing System Configuration Changes 221\u003c\/p\u003e \u003cp\u003eProcess Auditing 224\u003c\/p\u003e \u003cp\u003eAuditing PowerShell Use 229\u003c\/p\u003e \u003cp\u003eUsing PowerShell to Query Event Logs 231\u003c\/p\u003e \u003cp\u003eConclusion 233\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Memory Analysis 235\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Importance of Baselines 236\u003c\/p\u003e \u003cp\u003eSources of Memory Data 242\u003c\/p\u003e \u003cp\u003eUsing Volatility and Rekall 244\u003c\/p\u003e \u003cp\u003eExamining Processes 249\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003epslist \u003c\/i\u003ePlug-in 249\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003epstree \u003c\/i\u003ePlug-in 252\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003edlllist \u003c\/i\u003ePlug-in 255\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003epsxview \u003c\/i\u003ePlug-in 256\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003ehandles \u003c\/i\u003ePlug-in 256\u003c\/p\u003e \u003cp\u003eThe \u003ci\u003emalfi nd \u003c\/i\u003ePlug-in 257\u003c\/p\u003e \u003cp\u003eExamining Windows Services 259\u003c\/p\u003e \u003cp\u003eExamining Network Activity 261\u003c\/p\u003e \u003cp\u003eDetecting Anomalies 264\u003c\/p\u003e \u003cp\u003ePractice Makes Perfect 273\u003c\/p\u003e \u003cp\u003eConclusion 274\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Malware Analysis 277\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOnline Analysis Services 277\u003c\/p\u003e \u003cp\u003eStatic Analysis 280\u003c\/p\u003e \u003cp\u003eDynamic Analysis 286\u003c\/p\u003e \u003cp\u003eManual Dynamic Analysis 287\u003c\/p\u003e \u003cp\u003eAutomated Malware Analysis 299\u003c\/p\u003e \u003cp\u003eEvading Sandbox Detection 305\u003c\/p\u003e \u003cp\u003eReverse Engineering 306\u003c\/p\u003e \u003cp\u003eConclusion 309\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Disk Forensics 311\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eForensics Tools 312\u003c\/p\u003e \u003cp\u003eTime Stamp Analysis 314\u003c\/p\u003e \u003cp\u003eLink Files and Jump Lists 319\u003c\/p\u003e \u003cp\u003ePrefetch 321\u003c\/p\u003e \u003cp\u003eSystem Resource Usage Monitor 322\u003c\/p\u003e \u003cp\u003eRegistry Analysis 324\u003c\/p\u003e \u003cp\u003eBrowser Activity 333\u003c\/p\u003e \u003cp\u003eUSN Journal 337\u003c\/p\u003e \u003cp\u003eVolume Shadow Copies 338\u003c\/p\u003e \u003cp\u003eAutomated Triage 340\u003c\/p\u003e \u003cp\u003eLinux\u003cb\u003e\/\u003c\/b\u003eUNIX System Artifacts 342\u003c\/p\u003e \u003cp\u003eConclusion 344\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Lateral Movement Analysis 345\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eServer Message Block 345\u003c\/p\u003e \u003cp\u003ePass-the-Hash Attacks 351\u003c\/p\u003e \u003cp\u003eKerberos Attacks 353\u003c\/p\u003e \u003cp\u003ePass-the-Ticket and Overpass-the-Hash Attacks 354\u003c\/p\u003e \u003cp\u003eGolden and Silver Tickets 361\u003c\/p\u003e \u003cp\u003eKerberoasting 363\u003c\/p\u003e \u003cp\u003ePsExec 365\u003c\/p\u003e \u003cp\u003eScheduled Tasks 368\u003c\/p\u003e \u003cp\u003eService Controller 369\u003c\/p\u003e \u003cp\u003eRemote Desktop Protocol 370\u003c\/p\u003e \u003cp\u003eWindows Management Instrumentation 372\u003c\/p\u003e \u003cp\u003eWindows Remote Management 373\u003c\/p\u003e \u003cp\u003ePowerShell Remoting 374\u003c\/p\u003e \u003cp\u003eSSH Tunnels and Other Pivots 376\u003c\/p\u003e \u003cp\u003eConclusion 378\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Refine 379\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Continuous Improvement 381\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDocument, Document, Document 381\u003c\/p\u003e \u003cp\u003eValidating Mitigation Efforts 383\u003c\/p\u003e \u003cp\u003eBuilding On Your Successes, and Learning from Your Mistakes 384\u003c\/p\u003e \u003cp\u003eImproving Your Defenses 388\u003c\/p\u003e \u003cp\u003ePrivileged Accounts 389\u003c\/p\u003e \u003cp\u003eExecution Controls 392\u003c\/p\u003e \u003cp\u003ePowerShell 394\u003c\/p\u003e \u003cp\u003eSegmentation and Isolation 396\u003c\/p\u003e \u003cp\u003eConclusion 397\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Proactive Activities 399\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThreat Hunting 399\u003c\/p\u003e \u003cp\u003eAdversary Emulation 409\u003c\/p\u003e \u003cp\u003eAtomic Red Team 410\u003c\/p\u003e \u003cp\u003eCaldera 415\u003c\/p\u003e \u003cp\u003eConclusion 416\u003c\/p\u003e \u003cp\u003eIndex 419\u003c\/p\u003e  \u003cp\u003e\u003cb\u003eSteve Anson\u003c\/b\u003e is a SANS Certified Instructor and co-founder of leading IT security company Forward Defense. He has over 20 years of experience investigating cybercrime and network intrusion incidents. As a former US federal agent, Steve specialized in intrusion investigations for the FBI and DoD. He has taught incident response and digital forensics techniques to thousands of students around the world on behalf of the FBI Academy, US Department of State, and the SANS Institute. He has assisted governments in over 50 countries to improve their strategic and tactical response to computer-facilitated crimes and works with a range of multinational organizations to prevent, detect and respond to network security incidents.   \u003c\/p\u003e\u003cp\u003e\u003cb\u003eDEFEND YOUR NETWORK WITH IMMEDIATELY APPLICABLE INCIDENT RESPONSE SKILLS\u003c\/b\u003e \u003c\/p\u003e\u003cp\u003eIncident response is critical for the active defense of any network, and incident responders need up-to-date, actionable techniques with which to engage the adversary\u003ci\u003e. Applied Incident Response\u003c\/i\u003e details effective ways to respond to advanced attacks against local and remote network resources, providing proven response methods and a framework through which to implement them. Drawing on the author's experience investigating intrusions for the FBI, US Department of Defense (DoD), and many international organizations, this authoritative book covers the core skills needed for incident handling and active network defense, including triaging systems, acquiring memory, imaging disks, collecting network data, log analysis, memory forensics, disk forensics, network security monitoring, adversary emulation, threat hunting, and more. Examples focus on free and open-source tools, but introduce commercial alternatives as well. \u003c\/p\u003e\u003cp\u003eAs a starting point for new incident handlers, or as a technical reference for hardened incident response veterans, this book details the latest techniques for responding to threats against your network, including: \u003c\/p\u003e\u003cul\u003e \u003cli\u003ePreparing your environment for effective incident response\u003c\/li\u003e \u003cli\u003eLeveraging MITRE ATT\u0026amp;CK and threat intelligence for active network defense\u003c\/li\u003e \u003cli\u003eLocal and remote triage of systems using PowerShell, WMIC, and open-source tools\u003c\/li\u003e \u003cli\u003eAcquiring RAM and disk images locally and remotely\u003c\/li\u003e \u003cli\u003eAnalyzing RAM with Volatility and Rekall\u003c\/li\u003e \u003cli\u003eDeep-dive forensic analysis of system drives using open-source or commercial tools\u003c\/li\u003e \u003cli\u003eLeveraging Security Onion and Elastic Stack for network security monitoring\u003c\/li\u003e \u003cli\u003eTechniques for log analysis and aggregating high-value logs\u003c\/li\u003e \u003cli\u003eStatic and dynamic analysis of malware with YARA rules, FLARE VM, and Cuckoo Sandbox\u003c\/li\u003e \u003cli\u003eDetecting and responding to lateral movement techniques, including pass-the-hash, pass-the-ticket, Kerberoasting, malicious use of PowerShell, and many more\u003c\/li\u003e \u003cli\u003eEffective threat hunting techniques\u003c\/li\u003e \u003cli\u003eAdversary emulation with Atomic Red Team\u003c\/li\u003e \u003cli\u003eImproving preventive and detective controls\u003c\/li\u003e \u003c\/ul\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47988751237349,"sku":"NP9781119560265","price":47.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781119560265.jpg?v=1761781447","url":"https:\/\/k12savings.com\/products\/applied-incident-response-isbn-9781119560265","provider":"K12savings","version":"1.0","type":"link"}