
Incident Response with Threat Intelligence: Practical insights into developing an incident response capability through intelligence-based threat hunting


Chapter 1: Threat Landscape and Cybersecurity Incidents

Cyber attacks against organizations worldwide, regardless of their size or geography, are growing in a sustained way, and every day we see more news about security breaches.

According to a study by the Identity Theft Resource Center, between January 1, 2005, and May 31, 2020, there were 11,762 recorded breaches. In the first half of 2020 alone, about 36 billion records were exposed, according to a report from the company Risk Based Security.

According to the ninth annual study of the cost of cybercrime, produced by The Ponemon Institute and the firm Accenture, security breaches have increased by 67% in the last 5 years. According to the security company McAfee, in their report entitled The Hidden Costs of Cybercrime, the monetary loss was around 1 trillion dollars.

The significant impact of cyber attacks is clear in a world in which we increasingly rely on technology to do business, to keep industry running, for national security, and for our daily activities. Unfortunately, many organizations are not prepared to deal with a security incident and, in many cases, react when it is too late.

There is a whole ecosystem around cyber attacks, and whether an attack can be carried out depends on the motivation and skills of the attackers. That is why it is important to understand that beyond a conventional risk assessment, it is necessary to know the potential threats to which the particular organization is exposed.

A proactive posture on cybersecurity involves focusing on monitoring and detection by betting everything on the front line of defense and developing an ability to identify and respond early to a cybersecurity incident by minimizing its impact.

In this chapter, we're going to cover the following topics:

  • The current threat landscape
  • The motivations behind cyber attacks
  • The emerging and future threats

Knowing the threat landscape

When a cybersecurity strategy is based solely on a defensive posture, without an understanding of current threats and the capabilities of adversaries to achieve their goals by evading security controls and avoiding detection, there is a risk of developing very limited capabilities that will rarely be efficient. It is the equivalent of being in a completely dark room, without being able to see anything, knowing that at some point, someone could try to hurt us, but without knowing the exact moment or the way in which this will happen. It's like walking blind without seeing the way.

The increase in the number of cyber attacks in the world on major sectors such as government, finance, manufacturing, health, education, critical infrastructures, small and medium-sized enterprises, and individuals, finally raised the alarm about the strategies and investments needed to raise the level of protection and response of organizations to the possibility of becoming the next target.

In that sense, one of the biggest challenges for cybersecurity professionals is first to evolve and create protection and response strategies at the same speed with which new threats appear and then go one step further using threat intelligence information. The threat landscape is changing every day, cyber threats are evolving and becoming more dangerous, and the forms of protection that worked before may not be efficient enough today, which is why organizations need to develop the ability to adapt and switch from a reactive posture to a proactive attitude. Any regional or global context or situation can generate new risks and change the threat landscape drastically.

Is COVID-19 also a cyber-pandemic?

The COVID-19 outbreak completely changed the course of things and showed that countries around the world were not in a position to deal with it, and although scientific and technological advances enabled the development and manufacture of a vaccine in record time, the coordination and budgets required failed to solve the problem in the short term. This incident, in the same way as a cybersecurity incident, shows us once again the importance of being prepared and having a plan in case a threat materializes.

This global health crisis formed the perfect storm. Many things changed in the workplace and at home: more people started using their digital devices, made online purchases, used financial apps instead of going to the bank, subscribed to streaming services, and took their classes online. Companies sent their employees and collaborators to work at home and, in some cases, asked them to use their own devices to do their job.

Cybercriminals and Advanced Persistent Threat (APT) groups know how to find and use the time and circumstances to launch their offensive campaigns and operations successfully, and this was an amazing opportunity for them.

In August 2020, Interpol published the report Cybercrime: COVID-19 Impact about the increase in cyber attacks, especially against individuals, companies, government, and healthcare infrastructure. According to this report, in the period January-April, the key cyber threats were phishing and scam fraud, accounting for 59% of incidents, malware and ransomware – 36%, malicious domains – 22%, and the dissemination of fake news – 14%. In all cases, the common factor was content or topics related to COVID-19. Meanwhile, according to the FBI, the number of complaints in relation to cyber attacks stood at 4,000 per day, roughly a 400% increase since the start of the pandemic:

Figure 1.1 – Distribution of the key COVID-19 inflicted cyber threats based on member countries' feedback (source: Interpol's Cybercrime COVID-19 Impact report)


In the words of Jürgen Stock, Secretary-General of INTERPOL, "Cybercriminals are developing and driving their attacks on people in an alarming way, and they also exploit the fear and uncertainty caused by the unstable social and economic situation created by COVID-19."

Cyber espionage against pharmaceutical companies

The urgency of developing a COVID-19 vaccine began a race against time in the pharmaceuticals industry. Unsurprisingly, these companies became a natural target of threat actors. Kaspersky discovered in late September 2020 that a group known as Lazarus had started a cyber espionage campaign against a pharmaceuticals company and a health ministry. Although different tactics, techniques, and procedures (TTPs) were used in both attacks, common elements were found that could attribute the attack to that group.

Cyber attacks targeting hospitals

Although some cybercriminal groups reported that they would not attack health organizations at the beginning of the pandemic, some of them did attack hospitals, including the Department of Health and Human Services.

In October 2020, the Department of Homeland Security (DHS) and the FBI issued an alert about an imminent threat of ransomware attacks on the U.S. healthcare system.

In the Czech Republic, a COVID-19 testing center hospital was compromised by a cyber attack, affecting its systems and disrupting the normal functioning of its operations, so that some urgent surgeries had to be postponed and several patients had to be sent to nearby hospitals.

Insecure home office

The need to adopt a home office model as a preventive measure to reduce the expansion of the pandemic surprised many organizations and their employees. According to the Kaspersky study How COVID-19 changed the way people worked, 46% of respondents said that they had never worked from home before and 73% of workers did not receive security awareness training about the risks of working from home.

This scenario increased the demand for remote working applications and services such as video conferencing, collaboration, file sharing, and remote connection. Employees also began to engage in a practice known as Shadow IT, which involves the use of applications that have not been authorized or evaluated by the company. For example, 42% of respondents said that they were using their personal email accounts for work and 38% used personal instant messaging apps. This is a security problem because, according to Kaspersky's telemetry, there were 1.66 million Trojans detected related to such applications.

Additionally, IT teams had to adapt their infrastructure, in some cases in an impromptu manner and without considering security measures. For example, enabling remote connections directly to the company's servers from the internet opened a potential attack vector that was immediately exploited by cybercriminals. According to Kaspersky, the number of brute-force attack attempts on the Remote Desktop Protocol (RDP) has soared significantly since the beginning of March 2020, reaching 3.3 billion attempts, compared to 969 million in the same period of the previous year.

Supply chain attacks

Supply chain attacks have been increasing in recent years. The main reason is that organizations have not considered these attacks within their threat modeling and cannot visualize them as a relevant attack surface.

The main risk of this threat is that it is difficult to detect. Usually, third-party services or tools are considered part of the company's ecosystem and are reliable, having a high trust level. Hence, the levels of security assessment and monitoring are more relaxed.

There are several cases related to supply chain attacks, including the compromise of the application CCleaner, which is a tool used by many companies around the world, or the attack known as ShadowHammer, where the ASUS live utility that comes pre-installed on that brand's computers and serves to update various components such as firmware, UEFI BIOS, drivers, and some applications, was compromised.

Without a doubt, however, one of the supply chain attacks that has had the most impact was the attack on the SolarWinds company discovered in December 2020. On December 8, the FireEye company revealed that they had been the victims of a cyber attack. The attackers had stolen tools that their Red Teams used to conduct security assessments, and the attack vector was a SolarWinds tool installed in the company.

The attack's impact is unprecedented and affected even large technology companies such as Microsoft, Intel, Nvidia, Cisco, VMware, and at least 18,000 other companies worldwide and changed the threat level of this kind of attack for organizations.

Understanding the motivation behind cyber attacks

Each action taken by a threat actor has a motivation behind it, as it requires time, planning, and resources to launch offensive activities against a target.

This motivation can often be financial when it comes to cybercriminal groups. Still, there are scenarios in which state-sponsored threat actors or industry competitors look to gain a position of power or a competitive advantage over an adversary by spying and stealing information.

There are also groups of cyber-mercenaries who sell their services to the highest bidder and use their resources and skills to perform offensive actions. In this case, the motivation is mainly financial.

The ransomware that was not

In May 2017, the entire world was shocked when news broke that ransomware had disrupted the operations of several major companies in Spain, as well as the British health service. In a single day, more than 140,000 computers had been affected. It was the first time that malware with those characteristics had self-replicated without control across networks:

Figure 1.2 – Ransom note left on an infected system (source: Wikipedia)

This malware exploited a vulnerability known as EternalBlue, related to a failure in the implementation of the Server Message Block (SMB) protocol and labeled CVE-2017-0144. It particularly affected Microsoft Windows operating systems and could self-replicate without control and without the need for human interaction.

In the following days, this ransomware began to replicate around the world, becoming one of the most important threats of recent years. The most ironic thing is that by the time this ransomware appeared, a patch that prevented computers from being affected was already available.

The world had not yet recovered from the impact caused by WannaCry when, the following month, a ransomware variant appeared that exploited the same vulnerability, but with different behavior, and with some similar aspects in terms of its code, to ransomware known as Petya, which had appeared just 1 year earlier:

Figure 1.3 – The ID shown in the ransom screen is only plain random data (source: Securelist.com)

A peculiarity of this ransomware, discovered by my fellow researchers in Kaspersky's GReAT team, who called it Petya/ExPetr, was that, given its encryption routines, the creators of the ransomware themselves could not recover the information, even if the victims paid the ransom.

This is completely unconventional, because the reason a threat actor develops ransomware is to get a ransom payment in exchange for handing the key over to the victims to retrieve the information encrypted by the malware. The motivation behind this campaign was therefore not financial, but was aimed at interrupting the business operations of the affected companies.

Another interesting fact about this campaign is that according to the detection telemetries, the most affected victims were companies from Ukraine, Russia, and Eastern Europe:

Figure 1.4 – Petya/ExPetr infections by country (source: Securelist.com)


As you can see in the preceding graph, this information is relevant and especially useful to find the specific targets to which a cyber attack was directed and supplies some elements to understand the possible motivations behind it.

Trick-or-treat

In May 2018, unknown threat actors, later linked to the Lazarus group, attacked a South American financial institution. This attack provoked damage by destroying information on 9,000 computers and 500 servers in several of its branches.

In their initial findings, investigators discovered that malware damaged the Master Boot Record (MBR) on the hard drive, preventing it from booting and showing the following message on the screen: non-System disk or disk error, replace and strike any key when ready.

Trend Micro conducted research on this malware, which was identified as a variant of KillDisk.

In the next hours, the real motive behind the attack would be discovered. Suspicious financial movements began to be detected. The attackers did not seek to disrupt the company's operation or remove information on computers, but to compromise the international transfer system known as SWIFT, which allowed the attackers to make fraudulent transfers of about $10 million to multiple accounts in Hong Kong.

Nothing is what it seems

But what do these cyber attacks have in common? Clearly, the attribution points to different threat actors and both operations were carried out in different contexts and places. The key elements here are distraction and deception.

In the first case, the threat actors used the ransomware as a front to make the affected companies believe that they were being attacked by such malware, when the real reason was to completely remove the information from their computers without the possibility that it could be recovered; that is, what the attackers were looking for was an interruption of the company's service and operations.

In the second case, the goal was the opposite. The threat actors had a purely financial interest, using malware that prevented computers from continuing to function normally while making money transfers from other computers undetected.

What were the threat actors looking for? Masking their attacks long enough to achieve their goals while confusing investigators so that they would take longer to respond to these incidents.

But why is it so important for an incident response professional to try to find the true intent behind a cyber attack? This is quite simple. As we will see later, when an incident occurs, the nature of the attack must be identified according to the context, motivation, and key indicators to ascertain the type of attack, its characteristics, and scope. This can lead to several hypotheses and define the actions to take to contain the offensive actions and minimize the impact of the attack.

Emerging and future cyber threats

Technology is changing every day, and technological advances allow us to experience new ways of doing things: the way we work, the way we learn, and even the way we relate to other people. These modern technologies are developed to be more usable and functional so that anyone, even without much technical knowledge, can take advantage of them.

However, the architecture, design, and production of these technologies often do not consider security, and many of the new devices you use daily are unsafe by design and exposed to potential cyber attacks.

Cyber attacks targeting IoT devices

Years ago, few people would have imagined that a simple light bulb, our smart TV, or our toilet could become an attack vector for malicious actors. According to Gartner, there will be 25 billion global Internet of Things (IoT) connections by 2025. The problem is that many devices are manufactured at a low cost to achieve greater market penetration, regardless of the threats to which these devices will be exposed.

Moreover, the risks are not just for home users; in enterprise environments, these devices could be connected within the same network infrastructure of computers and servers, raising the risk of compromising the organization's critical assets and information.

On October 21, 2016, DynDNS (Dynamic Network Services, Inc., a domain name system provider) was the target of an attack against the infrastructure of its systems. As a result, many Netflix, PayPal, and Twitter users, to name a few, could not access these services for hours.

The attackers provoked a Denial of Service (DoS) using a botnet known as Mirai, which turned millions of IoT devices into zombies that sent traffic in a coordinated manner against specific targets, which primarily affected the operational infrastructure in the United States. The estimated economic impact was $10 million:

Figure 1.5 – Live map of the massive DDoS attacks on Dyn's servers (https://twitter.com/flyingwithfish/status/789524594017308672?s=20)


In November of the same year, several DSL service users in Germany reported problems with their internet connection devices due to traffic saturation on TCP port 7547 by Mirai that affected their access to the network. In January 2018, a variant of the same botnet appeared, targeting the financial sector and affecting the availability of its services.

In that year alone, botnet-related traffic accounted for 78% of detections on IoT devices, according to a NOKIA study. In 2019, Kaspersky detected around 100 million attacks targeting IoT devices using honeypots.

In July 2020, Trend Micro found that Mirai's botnet exploits the CVE-2020-5902 vulnerability on IoT devices, allowing it to search for Big-IP boxes for intrusion and deliver the malicious payload.

The digital evidence generated by these devices is essential to promptly identifying the origin of an attack and visualizing its scope and impact.

Autonomous vehicles

More applications are being integrated with vehicles and can connect with users' mobile devices. These apps often supply access to social networks or payment apps, such as Apple Pay, Samsung Pay, or Google Pay.

On the other hand, autonomous vehicle manufacturers integrate capabilities that reduce the number of accidents and improve transport infrastructure efficiency. Using the OBD II and CAN bus access points, someone can perform a remote diagnosis of a vehicle's operation or its location, carry out remote assistance, or obtain telemetry information collected from the vehicle.

These capabilities, however, open new attack surfaces, including the following:

  • System update firmware manipulation
  • Installing malware on the vehicle system
  • Interception of network communications
  • Exploiting software vulnerabilities

In 2013, security researchers Charlie Miller and Chris Valasek, along with journalist Andy Greenberg, showed how it was possible to hack a vehicle by taking control of the brakes or vehicle speed. In 2015, they met again, and on this occasion, they took control of a Jeep at 70 miles per hour using a zero-day exploit that allowed them to take control of the vehicle remotely over the internet.

These discovered vulnerabilities opened the door to new attack scenarios where sensitive user information can be compromised and even put human lives at risk.

In a short period following a traffic incident, and especially with the increase in the number of autonomous vehicles, it will be necessary to collect evidence from the vehicle's digital devices to investigate the details that will help to identify what caused the accident.

Drones

The global drone market will grow from $14 billion in 2018 to over $43 billion in 2024, with a compound annual growth rate (CAGR) of 20.5%. Their non-military use has shown potential for multiple fields, including engineering, architecture, and law enforcement.

Unfortunately, in many cases, their use is not regulated. In several situations, they have been involved in incidents that have jeopardized the operation of airports or of aircraft themselves, as was the case at Heathrow Airport in London, where flights were suspended, causing significant financial losses and inconvenience to passengers.

Other risks relate to organized crime using drones to carry out drug transfers across the border undetected or even to attack rival groups. Drones can also pose a risk to people's privacy, as a drone could record video, take pictures, or sniff conversations from a distance.

If a drone is used illegally, it is essential to collect the evidence necessary to carry out the investigation, using the appropriate procedures and tools.

Electronic voting machines

The use of digital devices in several countries' electoral processes around the world aims to ensure that the voter registration processes, as well as vote capture and counting, are efficient and reliable.

However, like all digital systems, there are attack surfaces on these systems that an attacker could use to compromise the results of an election and the reliability of the systems themselves. Security researchers have revealed that some voting systems could be vulnerable to distinct types of attacks.

In 2019, in the DefCon Voting Village, several security researchers analyzed more than 100 voting devices, some of them currently in use, and found that they were vulnerable to at least 1 type of attack.

Electoral processes are vital in ensuring not only democracy, but also political and social stability, so it is incredibly important to ensure their reliability and security.

In the event of a security incident occurring on a digital voting device in an election, the Digital Forensics and Incident Response (DFIR) professional's role would be key to quickly and effectively discovering what happened and avoiding further damage to the electoral process.

Cyber attacks on robots

Beyond science fiction, where movies or streaming series show an apocalyptic scenario with robots taking control of humanity, the reality is that robots are already everywhere, whether they are assembling components in a factory or performing high-precision surgeries.

However, the evolution of AI poses new security challenges. What if an attacker compromised a robot and could manipulate it?

There is a category of robots known as social robots; these robots' role is to interact with humans in different ways, such as assisting them or serving as a companion. A study by IDLab – imec, University of Ghent, Belgium, on the abuse of social robots as a means of persuasion or manipulation identified the following risks across several proofs of concept:

  • Gaining access to protected areas
  • Extracting sensitive information
  • Influencing people to take actions that put them at risk

In 2018, researchers from the security company IOActive presented the first ransomware attack on robots at the Kaspersky Security Analyst Summit event. In the presentation, they talked about how it was possible to hack social robots known as Pepper and Nao, showing a proof-of-concept video where they modified the source code and made the robot ask for bitcoins (https://youtu.be/4djvZjme_-M).

Considering a robotic-oriented threat landscape, the same scenario could occur with other types of robots and affect a production line in a factory or even a medical surgery, putting people's lives at risk.

For this reason, it is important to use threat modeling to identify attack surfaces that could pose a security risk. Currently, there are several documents covering threat modeling for specific models of robots or even for the most well-known robotic operating systems, such as ROS 2: https://design.ros2.org/articles/ros2_threat_model.html.

A specialized device called Black Box was created by the Alias Robotics company to capture information relevant to robots' activity (https://aliasrobotics.com/blackbox.php). In the event of a security incident, this information could be handy in responding and conducting forensic investigations.

The challenge of new technologies for DFIR professionals

Without a doubt, the future looks fascinating for professionals in the incident response field. However, there are many challenges along the way.

The dizzying and constant evolution of technology means that there are more and more digital devices. Although many of them use open and standard technologies, others integrate proprietary components that could make it more challenging to obtain evidence or conduct an investigation.

On the other hand, it is necessary to expand our knowledge into new specialized fields of DFIR and learn about the latest technologies.

Summary

In this chapter, we learned the importance of understanding the threat landscape, with the emergence of new threat actors and how the technical tactics and tools used in cyber attacks have evolved.

Studying the threat landscape is a constant and particularly important activity for an incident response professional, and a lack of this knowledge will make it more difficult to find the right indicators of compromise when you are responding to a cybersecurity incident.

We also learned how modern technologies bring new risks but also new challenges in responding to incidents.

In the next chapter, we will learn the basic concepts of DFIR, the importance of identifying forensic artifacts as evidence, and some of the most important incident response frameworks.


Description

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, containment, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

Who is this book for?

If you are an information security professional or anyone who wants to learn the principles of incident management, first response, threat hunting, and threat intelligence using a variety of platforms and tools, this book is for you. Although not necessary, basic knowledge of Linux, Windows internals, and network protocols will be helpful.

What you will learn

  • Explore the fundamentals of incident response and incident management
  • Find out how to develop incident response capabilities
  • Understand the development of incident response plans and playbooks
  • Align incident response procedures with business continuity
  • Identify incident response requirements and orchestrate people, processes, and technologies
  • Discover methodologies and tools to integrate cyber threat intelligence and threat hunting into incident response

Product Details

Publication date: Jun 24, 2022
Length: 468 pages
Edition: 1st
Language: English
ISBN-13: 9781801072953

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Jun 24, 2022
Length: 468 pages
Edition : 1st
Language : English
ISBN-13 : 9781801072953
Languages :
Tools :

Table of Contents

19 Chapters
Section 1: The Fundamentals of Incident Response
Chapter 1: Threat Landscape and Cybersecurity Incidents
Chapter 2: Concepts of Digital Forensics and Incident Response
Chapter 3: Basics of the Incident Response and Triage Procedures
Chapter 4: Applying First Response Procedures
Section 2: Getting to Know the Adversaries
Chapter 5: Identifying and Profiling Threat Actors
Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework
Chapter 7: Using Cyber Threat Intelligence in Incident Response
Section 3: Designing and Implementing Incident Response in Organizations
Chapter 8: Building an Incident Response Capability
Chapter 9: Creating Incident Response Plans and Playbooks
Chapter 10: Implementing an Incident Management System
Chapter 11: Integrating SOAR Capabilities into Incident Response
Section 4: Improving Threat Detection in Incident Response
Chapter 12: Working with Analytics and Detection Engineering in Incident Response
Chapter 13: Creating and Deploying Detection Rules
Chapter 14: Hunting and Investigating Security Incidents
Other Books You May Enjoy

Customer reviews

Rating distribution
4.7 (9 Ratings)
5 star 88.9%
4 star 0%
3 star 0%
2 star 11.1%
1 star 0%

Top Reviews

Bismarck M. Animas Perez Aug 01, 2022
Rating: 5/5
Since I opened the book and saw the structure of it I became amazed of the topics' sequence. Then I started reading the book and the content was excellent. I've been 20 years in Cybersec and 10 in IR and I learned a few tricks and got different ways to do things and got very excited to try all of it. Thanks to the author for the work he did!!!
Amazon Verified review
kelly archinal Nov 02, 2022
Rating: 5/5
This book tackles one of the biggest struggles I see in the cybersecurity community: Taking well crafted and informative threat intel and merging it with the operations performed by the security analyst in a Security Operations Center. It also provides very helpful guides, tips, and tricks to set yourself up for success when approaching this problem. Thank you for putting this into print!
Amazon Verified review
variable Aug 29, 2022
Rating: 5/5
I really liked that the book didn't just focus on IR or TI, but on how they supported each other. Excellent usage of models and analytical processes before, during, and after response operations.
Amazon Verified review
Irving Norehem Llamas Covarrubias Jul 29, 2022
Rating: 5/5
Amazing! This book is the first eclectic work to present a multidisciplinary theory and practice regarding everything you need to know to respond to advanced cybersecurity incidents through threat hunting using threat intelligence.
Amazon Verified review
Juan Carlos Vázquez Sep 25, 2022
Rating: 5/5
This is absolutely a "must read" for any cybersecurity practitioner that is starting to get involved around Incident Response activities and Threat Intelligence or inclusive for experimented DFIR professionals, that leverage in threat intel and other advanced concepts. Roberto has dedicated much time in presenting an educative work based in his long experience, in which explains both basic and advanced terms, including practical examples and public references along all the content. I am convinced this book gives the guidance and clarity to understand many complex literature/reports that skip the foundation for the reader. I recommend this piece broadly for the cybersecurity industry.
Amazon Verified review
FAQs

What is included in a Packt subscription?

A subscription provides you with full access to view all Packt and licensed content online; this includes exclusive access to Early Access titles. Depending on the tier chosen, you can also earn credits and discounts to use for owning content.

How can I cancel my subscription?

To cancel your subscription with us, simply go to the account page, found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription. From here you will see the ‘cancel subscription’ button in the grey box containing your subscription information.

What are credits?

Credits can be earned from reading 40 sections of any title within the payment cycle (a month starting from the day of subscription payment). You also earn a credit every month if you subscribe to our annual or 18-month plans. Credits can be used to buy books DRM-free, the same way that you would pay for a book. Your credits can be found on the subscription homepage (subscription.packtpub.com) by clicking on the ‘my library’ dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled?

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title?

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles?

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date?

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready?

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access?

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered?

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content?

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access?

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready. We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls into place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.