You're reading from Digital Forensics and Incident Response Incident response tools and techniques for effective cyber threat response

Product type Paperback

Published in Dec 2022

Publisher Packt

ISBN-13 9781803238678

Length 532 pages

Edition 3rd Edition

Concepts

Forensics

Author (1):

Gerard Johansen

View More author details

Table of Contents (28) Chapters

Preface

1. Part 1: Foundations of Incident Response and Digital Forensics

2. Chapter 1: Understanding Incident Response FREE CHAPTER

3. Chapter 2: Managing Cyber Incidents

4. Chapter 3: Fundamentals of Digital Forensics

5. Chapter 4: Investigation Methodology

6. Part 2: Evidence Acquisition

7. Chapter 5: Collecting Network Evidence

8. Chapter 6: Acquiring Host-Based Evidence

9. Chapter 7: Remote Evidence Collection

10. Chapter 8: Forensic Imaging

11. Part 3: Evidence Analysis

12. Chapter 9: Analyzing Network Evidence

13. Chapter 10: Analyzing System Memory

14. Chapter 11: Analyzing System Storage

15. Chapter 12: Analyzing Log Files

16. Chapter 13: Writing the Incident Report

17. Part 4: Ransomware Incident Response

18. Chapter 14: Ransomware Preparation and Response

19. Chapter 15: Ransomware Investigations

20. Part 5: Threat Intelligence and Hunting

21. Chapter 16: Malware Analysis for Incident Response

22. Chapter 17: Leveraging Threat Intelligence

23. Chapter 18: Threat Hunting

24. Assessments

25. Index

Why subscribe?

26. Other Books You May Enjoy

Appendix

Testing the IR framework

So far, there have been a number of areas that have been addressed in terms of preparing for an incident. From an initial understanding of the process involved in IR, we moved through the creation of an IR plan and associated playbooks.

Once a capability has been created, it should be run through a table-top exercise to flush out any gaps or deficiencies. This exercise should include a high-level incident scenario that involves the entire team and one of the associated playbooks. A report that details the results of the table-top exercise and any gaps, corrections, or modifications should also be prepared and forwarded to senior leadership. Once leadership has been informed and acknowledges that the CSIRT is ready to deploy, it is now operational.

As the CSIRT becomes comfortable executing the plan under a structured scenario, they may want to try more complex testing measures. Another available option is the Red/Blue or Purple team exercise. This is where the CSIRT is tasked with responding to an authorized penetration test. Here, the team is able to execute against a live adversary and test the plans and playbooks. This significantly increases the value of the penetration test as it provides an insight into the security of the infrastructure as well as the ability of the organization to respond appropriately.

Regardless of the makeup of the team, another key component of CSIRT deployment is the inclusion of regular training. For CSIRT core members, specific training on emerging threats, forensic techniques, and tools should be ongoing. This can be facilitated through third-party training providers or, if available, in-house training. The technical support members of the CSIRT should receive regular training on techniques and tools available.

This is especially important if these members may be called upon during an incident to assist with evidence collection or remediation activities. Finally, other support members should be included in the annual test of the IR plan. Just as with an inaugural test, the organization should pick a high-level incident and work through it using a table-top exercise. Another option for the organization is to marry up the testing of their IR plan with a penetration test. If the organization is able to detect the presence of the penetration test, they have the ability to run through the first phases of the incident and craft a tabletop for the remaining portions.

One final component of the ongoing maintenance of an IR plan is a complete annual review. This annual review is conducted to ensure that any changes in personnel, constituency, or mission that may impact other components of the plan are addressed. In addition to a review of the plan, a complete review of the playbooks is conducted as well. As threats change, it may be necessary to change existing playbooks or add new ones. CSIRT personnel should also feel free to create a new playbook in the event of a new threat emerging. In this way, the CSIRT will be in a better position to address incidents that may impact their organization. Any major changes or additions should also trigger another table-top exercise to validate additional plans and playbooks.