Summary
This chapter took a deep look at the pitfalls of preparing for incident response. We defined the forensic evidence life cycle, which consists of data collection, review, and documentation, as well as chain of custody, analysis, preservation, and retention. Evidence sources were also grouped into two categories, volatile and non-volatile, and each was described with detailed examples. We did not yet dive into Windows forensic artifacts, their format, location, or nature, as these are subjects for upcoming chapters. Nevertheless, the challenges of acquiring them and their use cases were highlighted.
We also covered collection tools and defined criteria for choosing the right one, deliberately avoiding specific product examples so that the guidance stays relevant: tools that are supported at the time of writing this book may not be in a few years. As discussed, the key metrics for choosing the best-fit forensic collector are compatibility, ease of use, proper documentation, minimized impact on the target system, customization features, a CLI interface, and current support.
Then, we turned to sources of forensic evidence outside of Windows systems: security controls. The incident responder must always consider the solution's data retention period so that incident-relevant data is not lost before it can be collected.
Lastly, we covered scaling forensic evidence collection. Beyond the retention periods of the security controls, we discussed the importance of preparing and testing simultaneous acquisition from multiple endpoints before a real incident response.
In the next chapter, we will dive into forensic artifact parsing and analysis to investigate the various phases of an attack based on the unified sophisticated cyberattack kill chain defined in Chapter 2.