Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Cybersecurity – Attack and Defense Strategies, 3rd edition
Cybersecurity – Attack and Defense Strategies, 3rd edition

Cybersecurity – Attack and Defense Strategies, 3rd edition: Improve your security posture to mitigate risks and prevent attackers from infiltrating your system , Third Edition

Arrow left icon
Profile Icon Yuri Diogenes Profile Icon Dr. Erdal Ozkaya
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9 (42 Ratings)
Paperback Sep 2022 570 pages 3rd Edition
eBook
€17.99 €25.99
Paperback
€31.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Yuri Diogenes Profile Icon Dr. Erdal Ozkaya
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9 (42 Ratings)
Paperback Sep 2022 570 pages 3rd Edition
eBook
€17.99 €25.99
Paperback
€31.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€17.99 €25.99
Paperback
€31.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Cybersecurity – Attack and Defense Strategies, 3rd edition

Incident Response Process

In the last chapter, you learned about the three pillars that sustain your security posture, and two of them (detection and response) are directly correlated with the incident response (IR) process. To enhance the foundation of your security posture, you need to have a solid incident response process. This process will dictate how to handle security incidents and rapidly respond to them. Many companies do have an incident response process in place, but they fail to constantly review it to incorporate lessons learned from previous incidents, and on top of that, many are not prepared to handle security incidents in a cloud environment.

In this chapter, we’re going to be covering the following topics:

  • The incident response process
  • Handling an incident
  • Post-incident activity
  • Considerations regarding IR in the cloud

First, we will cover the incident response process.

The incident response process

There are many industry standards, recommendations, and best practices that can help you to create your own incident response. You can still use those as a reference to make sure you cover all the relevant phases for your type of business. The one that we are going to use as a reference in this book is the computer security incident response (CSIR)—publication 800-61R2 from NIST. Regardless of the one you select to use as a reference, make sure to adapt it to your own business requirements. Most of the time, in security, the concept of “one size fits all” doesn’t apply; the intent is always to leverage well-known standards and best practices and apply them to your own context. It is important to retain the flexibility to accommodate your business needs in order to provide a better experience when operationalizing it.

While flexibility is key for adapting incident responses to suit individual needs and requirements, it is still invaluable to understand the commonalities between different responses. There are a number of reasons to have an IR process in place, and there are certain steps that will help with both creating an incident response process and putting together an effective incident response team. Additionally, every incident has an incident life cycle, which can be examined to better understand why the incident has occurred, and how to prevent similar issues in the future. We will discuss each of these in more depth to give you a deeper understanding of how to form your own incident response.

Reasons to have an IR process in place

Before we dive into more details about the process itself, it is important to be aware of the terminology that is used, and what the final goal is when using IR as part of enhancing your security posture. Let’s use a fictitious company to illustrate why this is important.

The following diagram has a timeline of events. These events lead the help desk to escalate the issue and start the incident response process:

Timeline  Description automatically generated

Figure 2.1: Events timeline leading to escalation and the beginning of the incident response process

The following table has some considerations about each step in this scenario:

Step

Description

Security considerations

1

While the diagram says that the system was working properly, it is important to learn from this event.

What is considered normal? Do you have a baseline that can give you evidence that the system was running properly? Are you sure there is no evidence of compromise before the email?

2

Phishing emails are still one of the most common methods used by cybercriminals to entice users to click on a link that leads to a malicious/compromised site.

While technical security controls must be in place to detect and filter these types of attacks, users must be taught how to identify a phishing email.

3

Many of the traditional sensors (IDS/IPS) used nowadays are not able to identify infiltration and lateral movement.

To enhance your security posture, you will need to improve your technical security controls and reduce the gap between infection and detection.

4

This is already part of the collateral damage done by this attack. Credentials were compromised, and the user was having trouble authenticating. This sometimes happens because the attackers already changed the user’s password.

There should be technical security controls in place that enable IT to reset the user’s password and, at the same time, enforce multifactor authentication.

5

Not every single incident is security-related; it is important for the help desk to perform their initial troubleshooting to isolate the issue.

If the technical security controls in place (step 3) were able to identify the attack, or at least provide some evidence of suspicious activity, the help desk wouldn’t have to troubleshoot the issue—it could just directly follow the incident response process.

6

At this point in time, the help desk is doing what it is supposed to do, collecting evidence that the system was compromised and escalating the issue.

The help desk should obtain as much information as possible about the suspicious activity to justify the reason why they believe that this is a security-related incident.

7

At this point, the IR process takes over and follows its own path, which may vary according to the company, industry segment, and standard.

It is important to document every single step of the process and, after the incident is resolved, incorporate the lessons learned with the aim of enhancing the overall security posture.

Table 2.1: Security considerations for different steps in an events timeline

While there is much room for improvement in the previous scenario, there is something that exists in this fictitious company that many other companies around the world are missing: the incident response itself. If it were not for the incident response process in place, support professionals would exhaust their troubleshooting efforts by focusing on infrastructure-related issues. Companies that have a good security posture would have an incident response process in place.

They would also ensure that the following guidelines are adhered to:

  • All IT personnel should be trained to know how to handle a security incident.
  • All users should be trained to know the core fundamentals of security in order to perform their job more safely, which will help avoid getting infected.
  • There should be integration between their help desk system and the incident response team for data sharing.

This scenario could have some variations that could introduce different challenges to overcome. One variation would be if no indicator of compromise (IoC) was found in step 6. In this case, the help desk could easily continue troubleshooting the issue. What if at some point “things” started to work normally again? Is this even possible? Yes, it is! When an IoC is not found it doesn’t mean the environment is clean; now you need to switch gears and start looking for an indicator of attack (IoA), which involves looking for evidence that can show the intent of an attacker. When investigating a case, you may find many IoAs, which may or may not lead to an IoC. The point is, understanding the IoA will lead you to better understand how an attack was executed, and how you can protect against it.

When an attacker infiltrates the network, they usually want to stay invisible, moving laterally from one host to another, compromising multiple systems, and trying to escalate privileges by compromising an account with administrative-level privileges. That’s the reason why it is so important to have good sensors not only in the network but also in the host itself. With good sensors in place, you would be able to not only detect the attack quickly but also identify potential scenarios that could lead to an imminent threat of violation.

In addition to all the factors that were just mentioned, some companies will soon realize that they must have an incident response process in place to be compliant with regulations that are applicable to the industry in which they belong. For example, the Federal Information Security Management Act (FISMA) of 2002 requires federal agencies to have procedures in place to detect, report, and respond to a security incident.

Creating an incident response process

Although the incident response process will vary according to the company and its needs, there are some fundamental aspects of it that will be the same across different industries.

The following diagram shows the foundational areas of the incident response process:

Graphical user interface, application  Description automatically generated

Figure 2.2: The incident response process and its foundational areas of Objective, Scope, Definition/Terminology, Roles and responsibilities, and Priorities/Severity Level

The first step to create your incident response process is to establish the objective—in other words, to answer the question: what’s the purpose of this process? While this might appear redundant as the name seems to be self-explanatory, it is important that you are very clear as to the purpose of the process so that everyone is aware of what this process is trying to accomplish.

Once you have the objective defined, you need to work on the scope. Again, you start this by answering a question, which in this case is: To whom does this process apply?

Although the incident response process usually has a company-wide scope, it can also have a departmental scope in some scenarios. For this reason, it is important that you define whether this is a company-wide process or not.

Each company may have a different perception of a security incident; therefore, it is imperative that you have a definition of what constitutes a security incident, with examples for reference.

Along with the definition, companies must create their own glossary with definitions of the terminology used. Different industries will have different sets of terminologies, and if these terminologies are relevant to a security incident, they must be documented.

In an incident response process, the roles and responsibilities are critical. Without the proper level of authority, the entire process is at risk. The importance of the level of authority in an incident response is evident when you consider the question: Who has the authority to confiscate a computer in order to perform further investigation? By defining the users or groups that have this level of authority, you are ensuring that the entire company is aware of this, and if an incident occurs, they will not question the group that is enforcing the policy.

Another important question to answer is regarding the severity of an incident. What defines a critical incident? The criticality will lead to resource distribution, which brings another question: How are you going to distribute your manpower when an incident occurs? Should you allocate more resources to incident “A” or to incident “B”? Why? These are only some examples of questions that should be answered in order to define the priorities and severity level. To determine the priorities and severity level, you will need to also take into consideration the following aspects of the business:

  • Functional impact of the incident on the business: The importance of the affected system for the business will have a direct effect on the incident’s priority. All stakeholders for the affected system should be aware of the issue and will have their input in the determination of priorities.
  • Type of information affected by the incident: Every time you deal with personally identifiable information (PII), your incident will have high priority; therefore, this is one of the first elements to verify during an incident. Another factor that can influence the severity is the type of data that was compromised based on the compliance standard your company is using. For example, if your company needs to be HIPAA compliant, you would need to raise the severity level if the data compromised was governed by the HIPAA standards.
  • Recoverability: After the initial assessment, it is possible to give an estimate of how long it will take to recover from an incident. Depending on the amount of time to recover, combined with the criticality of the system, this could drive the priority of the incident to high severity.

In addition to these fundamental areas, an incident response process also needs to define how it will interact with third parties, partners, and customers.

For example, if an incident occurs and during the investigation process it is identified that a customer’s PII was leaked, how will the company communicate this to the media? In the incident response process, communication with the media should be aligned with the company’s security policy for data disclosure. The legal department should also be involved prior to the press release to ensure that there is no legal issue with the statement. Procedures to engage law enforcement must also be documented in the incident response process. When documenting this, take into consideration the physical location—where the incident took place, where the server is located (if appropriate), and the state. By collecting this information, it will be easier to identify the jurisdiction and avoid conflicts.

Incident response team

Now that you have the fundamental areas covered, you need to put the incident response team together. The format of the team will vary according to the company size, budget, and purpose. A large company may want to use a distributed model, where there are multiple incident response teams with each one having specific attributes and responsibilities. This model can be very useful for organizations that are geo-dispersed, with computing resources located in multiple areas. Other companies may want to centralize the entire incident response team in a single entity. This team will handle incidents regardless of the location. After choosing the model that will be used, the company will start recruiting employees to be part of the team.

The incident response process requires personnel with technically broad knowledge while also requiring deep knowledge in some other areas. The challenge is to find people with depth and breadth in this area, which sometimes leads to the conclusion that you need to hire external people to fill some positions, or even outsource part of the incident response team to a different company.

The budget for the incident response team must also cover continuous improvement via education, and the acquisition of proper tools, software, and hardware. As new threats arise, security professionals working with incident response must be ready and trained to respond well. Many companies fail to keep their workforce up to date, which may expose the company to risk. When outsourcing the incident response process, make sure the company that you are hiring is accountable for constantly training their employees in this field.

If you plan to outsource your incident response operations, make sure you have a well-defined service-level agreement (SLA) that meets the severity levels that were established previously. During this phase, you should also define the team coverage, assuming the need for 24-hour operations.

In this phase you will define:

  • Shifts: How many shifts will be necessary for 24-hour coverage?
  • Team allocation: Based on these shifts, who is going to work on each shift, including full-time employees and contractors?
  • On-call process: It is recommended that you have on-call rotation for technical and management roles in case the issue needs to be escalated.

Defining these areas during this phase is particularly useful as it will allow you to more clearly see the work that the team needs to cover, and thus allocate time and resources accordingly.

Incident life cycle

Every incident that starts must have an end, and what happens in between the beginning and the end are different phases that will determine the outcome of the response process. This is an ongoing process that we call the incident life cycle. What we have described so far can be considered the preparation phase. However, this phase is broader than that—it also has the partial implementation of security controls that were created based on the initial risk assessment (this was supposedly done even before creating the incident response process).

Also included in the preparation phase is the implementation of other security controls, such as:

  • Endpoint protection
  • Malware protection
  • Network security

The preparation phase is not static, and you can see in the following diagram that this phase will receive input from post-incident activity. The post-incident activity is critical to improve the level of preparation for future attacks, because here is where you will perform a postmortem analysis to understand the root cause and see how you can improve your defense to avoid the same type of attack happening in the future. The other phases of the life cycle and how they interact are also shown in this diagram:

Diagram  Description automatically generated

Figure 2.3: Phases of the incident life cycle

The detection and containment phases could have multiple interactions within the same incident. Once the loop is over, you will move on to the post-incident activity phase. The sections that follow will cover these last three phases in more detail.

Handling an incident

Handling an incident in the context of the IR life cycle includes the detection and containment phases.

In order to detect a threat, your detection system must be aware of the attack vectors, and since the threat landscape changes so rapidly, the detection system must be able to dynamically learn more about new threats and new behaviors and trigger an alert if suspicious activity is encountered.

While many attacks will be automatically detected by the detection system, the end user has an important role in identifying and reporting the issue if they find suspicious activity.

For this reason, the end user should also be aware of the different types of attacks and learn how to manually create an incident ticket to address such behaviors. This is something that should be part of the security awareness training.

Even with users being diligent by closely watching for suspicious activities, and with sensors configured to send alerts when an attempt to compromise is detected, the most challenging part of an IR process is still the accuracy of detecting what is truly a security incident.

Oftentimes, you will need to manually gather information from different sources to see if the alert that you received really reflects an attempt to exploit a vulnerability in the system. Keep in mind that data gathering must be done in compliance with the company’s policy. In scenarios where you need to bring the data to a court of law, you need to guarantee the data’s integrity.

The following diagram shows an example where the combination and correlation of multiple logs is necessary in order to identify the attacker’s ultimate intent:

Diagram  Description automatically generated

Figure 2.4: The necessity of multiple logs in identifying an attacker’s ultimate intent

In this example, we have many IoCs, and when we put all the pieces together, we can validate the attack. Keep in mind that depending on the level of information that you are collecting in each one of those phases, and how conclusive it is, you may not have evidence of compromise, but you will have evidence of an attack, which is the IoA for this case.

The following table explains the diagram in more detail, assuming that there is enough evidence to determine that the system was compromised:

Step

Log

Attack/Operation

1

Endpoint protection and operating system logs can help determine the IoC

Phishing email

2

Endpoint protection and operating system logs can help determine the IoC

Lateral movement followed by privilege escalation

3

Server logs and network captures can help determine the IoC

Unauthorized or malicious processes could read or modify the data

4

Assuming there is a firewall in between the cloud and on-premises resources, the firewall log and the network capture can help determine the IoC

Data extraction and submission to command and control

Table 2.2: Logs used to identify the attacks/operations of a threat actor

As you can see, there are many security controls in place that can help to determine the indication of compromise. However, putting them all together in an attack timeline and cross-referencing the data can be even more powerful.

This brings back a topic that we discussed in the previous chapter: that detection is becoming one of the most important security controls for a company. Sensors that are located across the network (on-premises and in the cloud) will play a big role in identifying suspicious activity and raising alerts. A growing trend in cybersecurity is the leveraging of security intelligence and advanced analytics to detect threats more quickly and reduce false positives. This can save time and enhance the overall accuracy.

Ideally, the monitoring system will be integrated with the sensors to allow you to visualize all events on a single dashboard. This might not be the case if you are using different platforms that don’t allow interaction between one another.

In a scenario like the one presented in Figure 2.4, the integration between the detection and monitoring system can help to connect the dots of multiple malicious actions that were performed in order to achieve the final mission—data extraction and submission to command and control.

Once the incident is detected and confirmed as a true positive, you need to either collect more data or analyze what you already have. If this is an ongoing issue, where the attack is taking place at that exact moment, you need to obtain live data from the attack and rapidly provide remediation to stop the attack. For this reason, detection and analysis are sometimes done almost in parallel to save time, and this time is then used to rapidly respond.

The biggest problem arises when you don’t have enough evidence that there is a security incident taking place, and you need to keep capturing data in order to validate its veracity. Sometimes the incident is not detected by the detection system. Perhaps it is reported by an end user, but they can’t reproduce the issue at that exact moment. There is no tangible data to analyze, and the issue is not happening at the time you arrive. In scenarios like this, you will need to set up the environment to capture data, and instruct the user to contact support when the issue is actually happening.

You can’t determine what’s abnormal if you don’t know what’s normal. In other words, if a user opens a new incident saying that the server’s performance is slow, you must know all the variables before you jump to a conclusion. To know if the server is slow, you must first know what’s considered to be a normal speed. This also applies to networks, appliances, and other devices. In order to establish this understanding, make sure you have the following in place:

  • System profile
  • Network profile/baseline
  • Log-retention policy
  • Clock synchronization across all systems

Based on this, you will be able to establish what’s normal across all systems and networks. This will be very useful when an incident occurs, and you need to determine what’s normal before starting to troubleshoot the issue from a security perspective.

Incident handling checklist

Many times, the “simple” makes a big difference when it comes time to determine what to do now and what to do next. That’s why having a simple checklist to go through is very important to keep everyone on the same page. The list below is not definitive; it is only a suggestion that you can use as a foundation to build your own checklist:

  1. Determine if an incident has actually occurred and start the investigation:

    1.1 Analyze the data and potential indicators (IoA and IoC).

    1.2 Review potential correlation with other data sources.

    1.3 Once you determine that the incident has occurred, document your findings and prioritize the handling of the incident based on the criticality of the incident. Take into consideration the impact and the recoverability effort.

    1.4 Report the incident to the appropriate channels.

  2. Make sure you gather and preserve evidence.
  3. Perform incident containment.

    3.1 Examples of incident containment include:

    3.1.1 Quarantining the affected resource

    3.1.2 Resetting the password for the compromised credential

  4. Eradicate the incident using the following steps:

    4.1 Ensure that all vulnerabilities that were exploited are mitigated.

    4.2 Remove any malware from the compromised system and evaluate the level of trustworthiness of that system. In some cases, it will be necessary to fully reformat the system, as you may not be able to trust that system anymore.

  5. Recover from the incident.

    5.1 There might be multiple steps to recover from an incident, mainly because it depends on the incident. Generally speaking, the steps here may include:

    5.1.1 Restoring files from backup

    5.1.2 Ensuring that all affected systems are fully functional again

  6. Perform a post-incident analysis.

    6.1 Create a follow-up report with all lessons learned

    6.2 Ensure that you are implementing actions to enhance your security posture based on those lessons learned

As mentioned previously, this list is not exhaustive, and these steps should be tailored to suit specific needs. However, this checklist provides a solid baseline to build on for your own incident response requirements.

Post-incident activity

The incident priority may dictate the containment strategy—for example, if you are dealing with a DDoS attack that was opened as a high-priority incident, the containment strategy must be treated with the same level of criticality. It is rare that situations where the incident is opened as high severity are prescribed medium-priority containment measures unless the issue was somehow resolved in between phases.

Let’s have a look at two real-world scenarios to see how containment strategies, and the lessons learned from a particular incident, may differ depending on incident priority.

Real-world scenario 1

Let’s use the WannaCry outbreak as a real-world example, using the fictitious company Diogenes & Ozkaya Inc. to demonstrate the end-to-end incident response process.

On May 12, 2017, some users called the help desk saying that they were receiving the following screen:

Graphical user interface, text  Description automatically generated

Figure 2.5: A screen from the WannaCry outbreak

After an initial assessment and confirmation of the issue (detection phase), the security team was engaged, and an incident was created. Since many systems were experiencing the same issue, they raised the severity of this incident to high. They used their threat intelligence to rapidly identify that this was a ransomware outbreak, and to prevent other systems from getting infected, they had to apply the MS17-00(3) patch.

At this point, the incident response team was working on three different fronts: one to try to break the ransomware encryption, another to try to identify other systems that were vulnerable to this type of attack, and another one working to communicate the issue to the press.

They consulted their vulnerability management system and identified many other systems that were missing this update. They started the change management process and raised the priority of this change to critical. The management system team deployed this patch to the remaining systems.

The incident response team worked with their anti-malware vendor to break the encryption and gain access to the data again. At this point, all other systems were patched and running without any problems. This concluded the containment eradication and recovery phase.

Lessons learned from scenario 1

After reading this scenario, you can see examples of many areas that were covered throughout this chapter and that will come together during an incident. But an incident is not finished when the issue is resolved. In fact, this is just the beginning of a whole different level of work that needs to be done for every single incident—documenting the lessons learned.

One of the most valuable pieces of information that you have in the post-incident activity phase is the lessons learned. This will help you to keep refining the process through the identification of gaps in the process and areas of improvement. When an incident is fully closed, it will be documented. This documentation must be very detailed, with the full timeline of the incident, the steps that were taken to resolve the problem, what happened during each step, and how the issue was finally resolved outlined in depth.

This documentation will be used as a base to answer the following questions:

  • Who identified the security issue, a user or the detection system?
  • Was the incident opened with the right priority?
  • Did the security operations team perform the initial assessment correctly?
  • Is there anything that could be improved at this point?
  • Was the data analysis done correctly?
  • Was the containment done correctly?
  • Is there anything that could be improved at this point?
  • How long did it take to resolve this incident?

The answers to these questions will help refine the incident response process and enrich the incident database. The incident management system should have all incidents fully documented and searchable. The goal is to create a knowledge base that can be used for future incidents. Oftentimes, an incident can be resolved using the same steps that were used in a similar previous incident.

Another important point to cover is evidence retention. All the artifacts that were captured during the incident should be stored according to the company’s retention policy unless there are specific guidelines for evidence retention. Keep in mind that if the attacker needs to be prosecuted, the evidence must be kept intact until legal actions are completely settled.

When organizations start to migrate to the cloud and have a hybrid environment (on-premises and connectivity to the cloud), their IR process may need to pass through some revisions to include some deltas that are related to cloud computing. You will learn more about IR in the cloud later in this chapter.

Real-world scenario 2

Sometimes you don’t have a very well-established incident, only clues that you are starting to put together to understand what is happening. In this scenario, the case started with support, because it was initiated by a user that said that their machine was very slow, mainly when accessing the internet.

The support engineer that handled the case did a good job isolating the issue and identified that the process Powershell.exe was downloading content from a suspicious site. When the IR team received the case, they reviewed the notes from the case to understand what was done. Then they started tracking the IP address to where the PowerShell command was downloading information from. To do that, they used the VirusTotal website and got the result below:

Graphical user interface, text, application  Description automatically generated

Figure 2.6: VirusTotal scan result

This result raised a flag, and to further understand why this was flagged as malicious, they continued to explore by clicking on DETAILS, which led them to the result below:

Graphical user interface, text, application  Description automatically generated

Figure 2.7: VirusTotal scan details tab

Now things are starting to come together, as this IP seems to be correlated with Cobalt Strike. At this point, the IR team didn’t have much knowledge about Cobalt Strike, and they needed to learn more about it. The best place to research threat actors, the software they use, and the techniques they leverage is the MITRE ATT&CK website (attack.mitre.org).

By accessing this page, you can simply click the Search button (located in the upper-right corner) and type in the keywords, in this case, cobalt strike, and the result appears as shown below:

Figure 2.8: Searching on the MITRE ATT&CK website

Once you open the Cobalt Strike page, you can read more about what Cobalt Strike is, the platforms that it targets, the techniques that it uses, and the threat actor groups that are associated with this software. By simply searching PowerShell on this page, you will see the following statement:

Figure 2.9: A technique used by Cobalt Strike

Notice that this usage of PowerShell maps to technique T1059 (https://attack.mitre.org/techniques/T1059). If you open this page, you will learn more about how this technique is used and the intent behind it.

OK, now things are clearer, and you know that you are dealing with Cobalt Strike. While this is a good start, it is imperative to understand how the system got compromised in the first place, because PowerShell was not making a call to that IP address out of nowhere, something triggered that action.

This is the type of case where you will have to trace it back to understand how everything started. The good news is that you have plenty of information on the MITRE ATT&CK website that explains how Cobalt Strike works.

The IR team started looking at different data sources to better understand the entire scenario and they found that the employee that initially opened the case with support complaining about the computer’s performance opened a suspicious document (RTF) that same week. The reason to say that this file was suspicious was the name and the hash of the file:

  • File name: once.rtf
  • MD5: 2e0cc6890fbf7a469d6c0ae70b5859e7

If you copy and paste this hash into VirusTotal search, you will find a tremendous number of results, as shown below:

Graphical user interface, application  Description automatically generated

Figure 2.10: Searching for a file hash

This raises many flags, but to better correlate this with the PowerShell activity, we need more evidence. If you click on the BEHAVIOR tab, you will have that evidence, as shown below:

Graphical user interface, text, application, email  Description automatically generated

Figure 2.11: More evidence of malicious use of PowerShell

With this evidence, it is possible to conclude that the initial access was via email (see https://attack.mitre.org/techniques/T1566) and from there the attached file abuses CVE-2017-11882 to execute PowerShell.

Lessons learned from scenario 2

This scenario shows that all you need is a simple click to get compromised, and social engineering is still one of the predominant factors, as it exploits the human factor in order to entice a user to do something. From here the recommendations were:

  • Improve the security awareness of training for all users to cover this type of scenario
  • Reduce the level of privileges for the user on their own workstations
  • Implement AppLocker to block unwanted applications
  • Implement EDR in all endpoints to ensure that this type of attack can be caught in the initial phase
  • Implement a host-based firewall to block access to suspicious external addresses

There is a lot to learn with a case like this, mainly from the security hygiene perspective and how things can get better. Never lose the opportunity to learn and improve your incident response plan.

Considerations for incident response in the cloud

When we speak about cloud computing, we are talking about a shared responsibility between the cloud provider and the company that is contracting the service. The level of responsibility will vary according to the service model, as shown in the following diagram:

Diagram  Description automatically generated

Figure 2.12: Shared responsibility in the cloud

For Software as a Service (SaaS), most of the responsibility is on the cloud provider; in fact, the customer’s responsibility is basically to keep their infrastructure on-premises protected (including the endpoint that is accessing the cloud resource). For Infrastructure as a Service (IaaS), most of the responsibility lies on the customer’s side, including vulnerability and patch management.

Understanding the responsibilities is important in order to understand the data gathering boundaries for incident response purposes. In an IaaS environment, you have full control of the virtual machine and have complete access to all logs provided by the operating system. The only missing information in this model is the underlying network infrastructure and hypervisor logs.

Each cloud provider will have its own policy regarding data gathering for incident response purposes, so make sure that you review the cloud provider policy before requesting any data.

For the SaaS model, the vast majority of the information relevant to an incident response is in the possession of the cloud provider. If suspicious activities are identified in a SaaS service, you should contact the cloud provider directly, or open an incident via the portal. Make sure that you review your SLA to better understand the rules of engagement in an incident response scenario.

However, regardless of your service model, there are a number of key issues to bear in mind when migrating to the cloud—such as adjusting your overall IR process to accommodate cloud-based incidents (including making sure you have the necessary tools to deal with cloud-based issues) and investigating your cloud service provider to ensure they have sufficient IR policies in place.

Updating your IR process to include the cloud

Ideally, you should have one single incident response process that covers both major scenarios—on-premises and cloud. This means you will need to update your current process to include all relevant information related to the cloud.

Make sure that you review the entire IR life cycle to include cloud computing-related aspects. For example, during the preparation, you need to update the contact list to include the cloud provider contact information, on-call process, and so on. The same applies to other phases such as:

  • Detection: Depending on the cloud model that you are using, you want to include the cloud provider solution for detection in order to assist you during the investigation.
  • Containment: Revisit the cloud provider capabilities to isolate an incident if it occurs, which will also vary according to the cloud model that you are using. For example, if you have a compromised VM in the cloud, you may want to isolate this VM from others in a different virtual network and temporarily block access from outside.

For more information about incident response in the cloud, we recommend that you read Domain 9 of the Cloud Security Alliance Guidance.

Appropriate toolset

Another important aspect of IR in the cloud is to have the appropriate toolset in place. Using on-premises-related tools may not be feasible in the cloud environment, and worse, may give you the false impression that you are doing the right thing.

The reality is that with cloud computing, many security-related tools that were used in the past are not efficient for collecting data and detecting threats. When planning your IR, you must revise your current toolset and identify the potential gaps for your cloud workloads.

In Chapter 12, Active Sensors, we will cover some cloud-based tools that can be used in the IR process, such as Microsoft Defender for Cloud and Microsoft Sentinel.

IR process from the Cloud Solution Provider (CSP) perspective

When planning your migration to the cloud and comparing the different CSPs’ solutions, make sure to understand their own incident response process. What if another tenant in their cloud starts sending attacks against your workloads that reside on the same cloud? How will they respond to that? These are just examples of a couple of questions that you need to think about when planning which CSP will host your workloads.

The following diagram has an example of how a CSP could detect a suspicious event, leverage their IR process to perform the initial response, and notify their customer about the event:

Timeline  Description automatically generated

Figure 2.13: How a CSP might detect a potential threat, form an initial response, and notify the customer

The handover between CSP and customer must be very well synchronized, and this should be settled during the planning phase for cloud adoption. If this handover is well co-ordinated with the CSP, and you ensure that cloud-based incidents are accounted for in both your own IR and the CSP’s IR, then you should be far better prepared for these incidents when they arise.

Summary

In this chapter, you learned about the incident response process, and how this fits into the overall purpose of enhancing your security posture.

You also learned about the importance of having an incident response process in place to rapidly identify and respond to security incidents. By planning each phase of the incident response life cycle, you create a cohesive process that can be applied to the entire organization. The foundation of the incident response plan is the same for different industries and, on top of this foundation, you can include the customized areas that are relevant to your own business. You also came across the key aspects of handling an incident, and the importance of post-incident activity—which includes full documentation of the lessons learned—and how to use this information as input to improve the overall process. Lastly, you learned the basics of incident response in the cloud and how this can affect your current process.

In the next chapter, you will gain an understanding of the mindset of an attacker, the different stages of an attack, and what usually takes place in each one of these phases. This is an important concept for the rest of the book, considering that the attack and defense exercises will be using the cybersecurity kill chain as a foundation.

References

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet

Left arrow icon Right arrow icon

Key benefits

  • Updated for ransomware prevention, security posture management in multi-cloud, Microsoft Defender for Cloud, MITRE ATT&CK Framework, and more
  • Explore the latest tools for ethical hacking, pentesting, and Red/Blue teaming
  • Includes recent real-world examples to illustrate the best practices to improve security posture

Description

Cybersecurity – Attack and Defense Strategies, Third Edition will bring you up to speed with the key aspects of threat assessment and security hygiene, the current threat landscape and its challenges, and how to maintain a strong security posture. In this carefully revised new edition, you will learn about the Zero Trust approach and the initial Incident Response process. You will gradually become familiar with Red Team tactics, where you will learn basic syntax for commonly used tools to perform the necessary operations. You will also learn how to apply newer Red Team techniques with powerful tools. Simultaneously, Blue Team tactics are introduced to help you defend your system from complex cyber-attacks. This book provides a clear, in-depth understanding of attack/defense methods as well as patterns to recognize irregular behavior within your organization. Finally, you will learn how to analyze your network and address malware, while becoming familiar with mitigation and threat detection techniques. By the end of this cybersecurity book, you will have discovered the latest tools to enhance the security of your system, learned about the security controls you need, and understood how to carry out each step of the incident response process.

Who is this book for?

If you are an IT security professional who wants to venture deeper into cybersecurity domains, this book is for you. Cloud security administrators, IT pentesters, security consultants, and ethical hackers will also find this book useful. Basic understanding of operating systems, computer networking, and web applications will be helpful.

What you will learn

  • Learn to mitigate, recover from, and prevent future cybersecurity events
  • Understand security hygiene and value of prioritizing protection of your workloads
  • Explore physical and virtual network segmentation, cloud network visibility, and Zero Trust considerations
  • Adopt new methods to gather cyber intelligence, identify risk, and demonstrate impact with Red/Blue Team strategies
  • Explore legendary tools such as Nmap and Metasploit to supercharge your Red Team
  • Discover identity security and how to perform policy enforcement
  • Integrate threat detection systems into your SIEM solutions
  • Discover the MITRE ATT&CK Framework and open-source tools to gather intelligence

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 30, 2022
Length: 570 pages
Edition : 3rd
Language : English
ISBN-13 : 9781803248776
Category :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Sep 30, 2022
Length: 570 pages
Edition : 3rd
Language : English
ISBN-13 : 9781803248776
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 115.97
Mastering Windows Security and Hardening
€41.99
The Ultimate Kali Linux Book
€41.99
Cybersecurity – Attack and Defense Strategies, 3rd edition
€31.99
Total 115.97 Stars icon

Table of Contents

19 Chapters
Security Posture Chevron down icon Chevron up icon
Incident Response Process Chevron down icon Chevron up icon
What is a Cyber Strategy? Chevron down icon Chevron up icon
Understanding the Cybersecurity Kill Chain Chevron down icon Chevron up icon
Reconnaissance Chevron down icon Chevron up icon
Compromising the System Chevron down icon Chevron up icon
Chasing a User’s Identity Chevron down icon Chevron up icon
Lateral Movement Chevron down icon Chevron up icon
Privilege Escalation Chevron down icon Chevron up icon
Security Policy Chevron down icon Chevron up icon
Network Security Chevron down icon Chevron up icon
Active Sensors Chevron down icon Chevron up icon
Threat Intelligence Chevron down icon Chevron up icon
Investigating an Incident Chevron down icon Chevron up icon
Recovery Process Chevron down icon Chevron up icon
Vulnerability Management Chevron down icon Chevron up icon
Log Analysis Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9
(42 Ratings)
5 star 90.5%
4 star 9.5%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




N/A Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Marek Zima Feb 13, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
SRP Oct 03, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Short review about Cybersecurity – Attack and Defense Strategies (3rd Ed) by Yuri Diogenes and Dr Erdal Ozkaya. It has been a few years since I read the first edition of this book, and from what I recall, the first book was a convenient reference on the topic of cybersecurity strategy. Although unfortunately, I did not get to read the book end-to-end, it was valuable at the time in my research on the creation of incident response playbooks.I am pleased to say the third edition has not disappointed me with the depth and quality of the information. Included here is my feedback on some of the select chapters. Chapter 1. Security Posture - An excellent initial readout on the cybersecurity world's current and evolving threat landscape. I liked that it was not presented as a "doom and gloom" readout but as a realistic scenario that cybersecurity practitioners should be aware of and, more importantly, how to be prepared for it. It was also great to see the authors include concepts of Zero Trust concepts in this book. Zero Trust is a simple concept; however, the messaging can easily confuse someone new to this. Hence it is good to see that the authors present the topic in an easy-to-understand fashion especially tying this back to the NIST special publication and the principles captured within that.Chapter 2. Incident Response Process. Since I was familiar with this chapter in the first edition, I was curious to find out what had changed. In my opinion, the core concepts have remained the same. However, it was good to see the inclusion of additional real-world scenarios, which is something the readers will benefit from.Chapter 4. Understanding the Cybersecurity Kill Chain. No serious publication on cybersecurity attacks and a defence strategy will be complete without the cybersecurity kill chain model, and this book provides comprehensive coverage on this topic. Chapter 4 provides the foundations for the kill chain, and the latter chapters go deeper into distinct steps. I also liked that additional focus has been provided on the new and emerging attack vectors, such as IoT security.The remainder of the book focuses on helping organisations build effective security policies and the surrounding threat intelligence platforms. The final chapters are focused more on incident response, vulnerability management and real-world log analysis using on-prem and cloud-based systems.In summary, I really enjoyed this book, and I am also a bit embarrassed to say that it had taken me almost 5 years to read the book end-to-end (all be it was the 3rd edition that I was most interested in reviewing). This book will appeal to a broad audience of IT security practitioners, starting with the Cx team responsible for the overall cybersecurity strategy, to security architects involved in designing and deploying security solutions and equally appealing to the cybersecurity operations team responsible for incident response planning.
Amazon Verified review Amazon
Lester Chng Oct 19, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A ton of knowledge on cybersecurity and the book includes many examples and case studies to illustrate and bring to life the various aspects of cyber.Highly recommended for anyone wanting to learn more about this fascinating space.
Amazon Verified review Amazon
erich Dec 15, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I've found this book to be super helpful for me: an IT professional looking to transition into the Cybersecurity space. It provides a wealth of InfoSec material that any IT professional could benefit from. I strongly recommend it!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.