Incident Response in the Age of Cloud

(ebook) (audiobook) (audiobook)

Autor:: Dr. Erdal Ozkaya

Incident Response in the Age of Cloud Dr. Erdal Ozkaya - okładka książki

Incident Response in the Age of Cloud Dr. Erdal Ozkaya - okładka audiobooka MP3

Incident Response in the Age of Cloud Dr. Erdal Ozkaya - okładka audiobooks CD

Wydawnictwo:: Packt Publishing (Z chęcią przeczytam książkę w języku polskim)
Ocena:: Bądź pierwszym, który oceni tę książkę
Stron:: 622
Dostępne formaty::      PDF

     ePub

     Mobi

Ebook

129,00 zł

Dodaj do koszyka lub Kup na prezent Kup 1-kliknięciem

Przenieś na półkę

Do przechowalni

Cybercriminals are always in search of new methods to infiltrate systems. Quickly responding to an incident will help organizations minimize losses, decrease vulnerabilities, and rebuild services and processes.

In the wake of the COVID-19 pandemic, with most organizations gravitating towards remote working and cloud computing, this book uses frameworks such as MITRE ATT&CK(R) and the SANS IR model to assess security risks.

The book begins by introducing you to the cybersecurity landscape and explaining why IR matters. You will understand the evolution of IR, current challenges, key metrics, and the composition of an IR team, along with an array of methods and tools used in an effective IR process. You will then learn how to apply these strategies, with discussions on incident alerting, handling, investigation, recovery, and reporting.

Further, you will cover governing IR on multiple platforms and sharing cyber threat intelligence and the procedures involved in IR in the cloud. Finally, the book concludes with an "Ask the Experts" chapter wherein industry experts have provided their perspective on diverse topics in the IR sphere.

By the end of this book, you should become proficient at building and applying IR strategies pre-emptively and confidently.

Wybrane bestsellery

Dr. Erdal Ozkaya - pozostałe książki

Ebooka przeczytasz na:

czytnikach Inkbook, Kindle, Pocketbook
i innych
systemach Windows, MacOS i innych

systemach Windows, Android, iOS, HarmonyOS
na dowolnych urządzeniach i aplikacjach obsługujących formaty: PDF, EPub, Mobi

Masz pytania? Zajrzyj do zakładki Pomoc »

Audiobooka posłuchasz:

w aplikacji Ebookpoint na Android, iOS, HarmonyOs
na systemach Windows, MacOS i innych

na dowolonych urządzeniach
i aplikacjach obsługujących format MP3
(pliki spakowane w ZIP)

Masz pytania? Zajrzyj do zakładki Pomoc »

Kurs Video zobaczysz:

Oceny i opinie klientów: Incident Response in the Age of Cloud Dr. Erdal Ozkaya (0) Weryfikacja opinii następuję na podstawie historii zamówień na koncie Użytkownika umieszczającego opinię. Użytkownik mógł otrzymać punkty za opublikowanie opinii uprawniające do uzyskania rabatu w ramach Programu Punktowego.

Szczegóły książki

Tytuł oryginału:: Incident Response in the Age of Cloud
ISBN Ebooka:: 978-18-005-6992-8, 9781800569928
Data wydania ebooka:: 2021-02-26 Data wydania ebooka często jest dniem wprowadzenia tytułu do sprzedaży i może nie być równoznaczna z datą wydania książki papierowej. Dodatkowe informacje możesz znaleźć w darmowym fragmencie. Jeśli masz wątpliwości skontaktuj się z nami sklep@helion.pl.
Język publikacji:: angielski
Rozmiar pliku Pdf:: 40.6MB
Rozmiar pliku ePub:: 42.6MB
Rozmiar pliku Mobi:: 42.6MB

Kategorie:
Hacking » Bezpieczeństwo systemów
Programowanie » Programowanie w chmurze

Spis treści książki

Preface
- Who this book is for
- What this book covers
- To get the most out of this book
- Get in touch
Getting Started with Incident Response
- The cybersecurity threat landscape
  - Cybersecurity and COVID-19
  - Understanding the attack surface
- What is incident response?
  - What is an incident?
  - The orchestrators of cybersecurity incidents
    - The people
    - The services
    - The tools
  - Common factors in recent incidents
    - Lack of resources
    - Lack of skills
    - Security as an afterthought
    - Weak applications
    - Weak networks
    - System complexity
    - Lack of visibility
    - Failure to learn from past mistakes
    - Cloud security assumptions
- The importance of organizational incident response plans
  - Protecting data
  - Protecting reputation and customer trust
  - Protecting revenue
- GDPR and NIS regulations about incident response
  - GDPR regulations
  - NIS regulations
- Components of an incident response plan
  - Step 1: Preparation
  - Step 2: Identification
  - Step 3: Containment
  - Step 4: Eradication
  - Step 5: Recovery
  - Step 6: Reporting
- Tips
- Summary
- Further reading
Incident Response Evolution and Current Challenges
- The evolution of incident response
  - The history of data breaches
  - Modern cybersecurity evolution
- Challenges facing incident response
  - Protecting the company brand
  - Preventing future breaches
  - Preparing for attacks
    - Developing cyber resilience
  - Assessing security safeguards
  - Aiding investigations and legal prosecutions
  - Bringing the organization together during crises
  - Ensuring the integration of security initiatives
  - Improving the overall security stature of the organization
- Why do we need incident response?
- Tips
- Summary
- Further reading
How to Organize an Incident Response Team
- What an IR team does
- The composition of an IR team
  - Team lead
  - IT auditor
  - Communications personnel
  - Legal representative
  - Technical personnel
  - Human resources
  - Public relations
  - Financial auditor
  - Management liaison
- Choosing the ideal response team
  - Availability
  - Integrity
  - Team spirit
  - Innovativeness
- How the IR team should be supported
- Where the IR team should be located
- Building an IR strategy
  - Reactive security
    - Monitoring
    - Response
    - Disaster recovery
    - Forensic investigations
  - Proactive security
  - Operational security
    - What is operational security?
    - How is operational security implemented?
  - The significance of the three security pillars
- Security operations and continuous monitoring
  - Captive SOC
  - Co-managed SOC
  - Fully managed SOC
  - Threat intelligence systems
  - Digital forensics and real-time IR with SIEM
- Tips
- Summary
- Further reading
Key Metrics for Incident Response
- Key incident response metrics
  - Prevalence metrics
    - Ticket volume
    - Total number of incidents
    - Number of incidents over time
    - Incidents involving known problems
    - Incidents resolved remotely
    - Incidents with no known resolution
    - Incidents per department
  - Effectiveness metrics
    - Escalation rate
    - Customer satisfaction
    - Post-incident reviews
    - Alerts created
    - Service level indicator
    - First-touch resolution rate
    - Reopen rate
    - Cost per ticket
    - Number of active tickets
    - Incidents by type
    - Recategorized incidents
    - Incidents initiated by direct contact
  - Time-based metrics
    - Mean time to acknowledge
    - Average incident response time
    - Mean time to resolution
    - Amount of uptime
    - Amount of downtime
    - Timeline
    - Percentage of incidents resolved in a defined timeframe
    - Time spent on-call
    - Average time between incidents
    - Mean time between failures
    - Mean time to detect
- Understanding KPIs
- Key metrics for a phishing attack
  - Prevalence metrics
    - Total number of incidents
    - Average time between incidents
    - Number of incidents over time
    - Incidents per department
  - Effectiveness metrics
    - Escalation rate
    - Mean time to acknowledge
    - Mean time to resolution
  - Time-based metrics
    - Timeline
- Incident response metrics in the cloud
- Tips
- Summary
- Further reading
Methods and Tools of Incident Response Processes
- The OODA loop
  - Observe
    - Tools and tactics
    - Questions to ask
    - Key takeaways
  - Orient
    - Tools and tactics
    - Questions to ask
    - Key takeaways
  - Decide
    - Tactics
    - Questions to ask
    - Key takeaways
  - Act
    - Tools and tactics
    - Questions to ask
    - Key takeaways
- IR playbooks
  - The playbook lifecycle
- IR tactics in the cloud
  - What to do before you move to the cloud
  - What to do during an incident
- IR tools for the cloud
  - GRR Rapid Response
  - Malware Information Sharing Platform
  - TheHive
  - Apache Metron
  - OwlH
- Tips
- Summary
- Further reading
Incident Handling
- The NIST definition of a security incident
- The incident response process
  - Creating an incident response process
  - Incident response team
  - Incident lifecycle
- Handling an incident
  - Scoping an incident
  - Collecting key artifacts
  - Containing incidents with IDS
  - Real-world scenario
  - Documenting the lessons learned
- Handling an incident in a phishing scenario
  - Identification
  - Triage
  - Investigation
  - Remediation
  - Recovery
  - Avoidance of future incidents
- Hands-on phishing incident response
  - Containing confirmed malicious emails
    - Keepnet Incident Responder
    - Office 365 Advanced Threat Protection
    - Google Workspace investigation tool
  - Generating Snort rules
  - Generating YARA rules
  - Keepnet Labs REST API
- Tips
- Summary
- Further reading
Incident Investigation
- Incident investigation essentials
  - Identification
    - Suspicious processes
    - Processes running from suspicious locations
    - Suspicious directories
    - Suspicious users
    - Suspicious logs
  - Data collection
    - Volatile data collection
    - Collecting memory dumps
    - Collecting hard disk data
- Investigating a phishing attack
  - Log retrieval and review
  - Identification of the tools that detected the attack
  - Identification of the affected systems and networks
  - Identification of users affected by the attack
  - Identification of systems at risk
  - Identification of the business processes affected by the attack
  - Evidence collection
- Analysis of emails
- Investigation tools
  - Microsoft Threat Explorer
  - Google Workspace security investigation tool
  - Keepnet Incident Responder
- Investigating user inboxes
  - Using Microsoft Threat Explorer
  - Google Workspace security investigation tool
  - Keepnet Incident Responder
- Automatic and scheduled investigations
  - Microsoft automated investigation and response in Office 365
  - Google Workspace investigation tool
  - KIR automatic investigation
- Summary
- Further reading
Incident Reporting
- Reporting to the IR team
  - Description of the incident
  - Cause of the incident
  - Mitigation measures taken
  - Future IR recommendations
- Reporting to the SOC team
  - Description of the incident
  - Cause of the incident
  - Follow-up recommendations
- Reporting to third parties
  - Description of the incident
  - Cause of the incident
  - Mitigation measures taken
  - Short-term and long-term business impacts
- Reporting to the media
  - Description of the incident
  - Cause of the incident
  - Mitigation measures taken
  - Impacts on business
- Reporting to the cloud service provider
- Phishing alerting and reporting
  - Significance of reporting phishing activity
  - When to report suspicious activity
  - How can an end user report a suspicious email?
- Reporting on mobile devices
- Reporting with web email access
  - Reporting with Outlook
  - Reporting with Gmail
  - Reporting with Yahoo
  - Reporting with Keepnet Phishing Reporter
- Reporting to a SOC team and third-party services using IOC feeds
  - Getting reports from IOC feeds
  - Data share APIs for SOC teams
- Summary
- Further reading
Incident Response on Multiple Platforms
- IR on computers
  - Preparation
  - Identification
  - Data collection
  - Containment
  - Eradication
  - Recovery
  - Reporting
- IR on mobile devices
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Lessons learned
- IR on Active Directory
  - Types of Active Directory incidents
    - Handling user account changes
    - Handling password resets
    - Handling security group changes
    - Numerous logons by the same user account on multiple endpoints
    - Group policy changes
  - Common Active Directory vulnerabilities
  - Identifying an attack on Active Directory
    - Understanding Windows startup
  - Preventing domain compromise on Active Directory
- IR in the cloud
  - Microsoft Azure
  - Amazon Cloud
    - Copying data in Linux for investigation
  - Google Cloud
  - Choosing the right IR partner
- Summary
- Further reading
Cyber Threat Intelligence Sharing
- Introducing threat intelligence
- The importance of threat intelligence
- How to share threat intelligence
  - Cyber threat intelligence sharing lifecycle
  - Automating threat intelligence collecting, sharing, and analysis
- Threat intelligence tools and platforms
  - The Malware Information Sharing Platform
    - How does it work?
  - Keepnets Threat Intelligence Sharing Community
    - How does it work?
    - Incident response with Keepnet's TISC
  - Open source tools for threat intelligence
    - OPSWAT MetaDefender Cloud API
    - FraudGuard
  - Threat intelligence feeds
    - Ransomware Tracker
    - Automated Indicator Sharing
    - VirusTotal
    - Talos Intelligence
    - The Harvester
    - Azure Sentinel
  - Leveraging Azure Sentinel to investigate suspicious activity
  - The Comodo Threat Intelligence Lab
- Summary
- Further reading
Incident Response in the Cloud
- Cloud service models
- Assessing IR in the cloud using the SANS IR model
  - Preparation
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Reporting
- Understanding cloud attacks using the MITRE cloud matrix
  - Initial access
    - Drive-by compromises
    - The exploitation of a public-facing application
    - Spear phishing links
    - Insider threats
    - Existing accounts
  - Persistence
    - Account manipulation
    - Creating new accounts
    - Implanting images
    - Start up applications
  - Privilege escalation
  - Defense evasion
  - Credential access
  - Discovery
    - Cloud service dashboards
    - Cloud service discovery
    - Account and remote host discovery
    - Shared drives
  - Lateral movement
  - Collection
  - Exfiltration
  - Impact
- Top threats facing cloud systems
  - Insecure APIs
  - Account hijacking
  - Insider threats
  - Data breaches
  - DDoS attacks
  - Exploits
  - Vulnerabilities
- Implementing SOAR techniques and recommendations
- IR in the cloud: developing a plan of action
  - Updating your IR process to include the cloud
- Summary
- Further reading
Building a Culture of Incident Readiness
- Threat hunting
  - Threat hunting framework
    - Implementing a threat hunting framework
  - Threat hunting tools and techniques
    - Security monitoring tools
    - SIEM solutions
    - Security Operations Center
    - Managed Detection and Response
    - Analytics tools
  - The threat hunting process
    - Preparation
    - Creating a hypothesis
    - Hunting
    - Response
    - Prevention
- Purple teaming
  - The MITRE ATT&CK framework
  - Synthetic war-gaming
- Artificial intelligence and incident response
  - Threat hunting
  - Threat anticipation
  - Incident handling
  - Incident analysis
- IR readiness in the cloud
- Summary
- Further reading
Incident Response Best Practices
- Adopting proactive mobilization
- Using a well-defined resolution process
- Making an easy-to-implement IR plan
- Using effective communication strategies
- Breaking down information silos
- Using a centralized approach
- Testing IR plans
- Assessing and reviewing the IR plan
- Automating basic tasks
- Using templates and playbooks
- Carrying out post-incident reviews
- Tips
- Summary
- Further reading
Incident Case Studies
- Dealing with a spear phishing attack with Keepnet Incident Responder
  - Installing on Office 365 or Exchange
  - The importance of user attentiveness
  - Technical analysis of malicious software
  - Dealing with a threat in multiple inboxes
  - Automated incident response feature
- Performing digital forensics with Binalyze's IREC
  - Using IREC's practical features
  - Interacting with IREC using the CLI
  - Binalyze AIR
- Summary
Ask the Experts
- Approaches to IR
  - Orin Thomas Cloud security requires an updated mindset
  - Tyler Wrightson Know thy enemy
    - Level of skill
    - Attacker TTPs
    - Motives or agenda
    - What next?
  - George Balafoutis The acronym that should be in every CISO's vocabulary
  - Yilmaz Degirmenci Cybersecurity visibility analysis: a soldier's perspective
- IR in the cloud
  - Brian Svidergol Incident response fundamentals
  - Mark Simos The cloud transformation journey
    - What is changing about IR in the cloud age?
    - What does a major transformation involve?
    - What are the key lessons learned from other organizations?
  - Hala ElGhawi Cloud incident management and response
    - Choosing a cloud provider
    - The IR lifecycle
    - How cloud deployment impacts IR
  - Ahmed Nabil Incident response in the cloud
    - Cloud incident response aspects
    - Incident response process
    - Cloud incident response framework
    - Automated incident response in the Microsoft 365 cloud
    - Incident response cloud best practices
- Tools and techniques
  - Emre Tinaztepe The case: a modern approach to DFIR
    - Where to look
    - Dead-box forensics: Use it, but not as the first thing!
    - Prioritize your actions based on the case
    - Correlating and timelining
  - Raif Sarica and Şükrü Durmaz Remote incident response with DFIR
    - Implementing DFIR
    - Case study
    - Using Binalyze tools
    - Using other tools
  - Santos Martinez Protecting corporate data on mobile devices
    - What is the most common use of a mobile device?
    - What is Zero Trust networking?
    - How do we protect our company data on a mobile device?
    - Using Microsoft Endpoint Manager
  - Ozan Veranyurt Artificial intelligence in incident response
    - Phases of incident response
    - The challenges of artificial intelligence for incident response
    - Conclusion
- Methods of attack
  - Gokhan Yuceler Analyzing a target-oriented attack
    - Technical Details
    - Conclusion
  - Grzegorz Tworek Windows object permissions as a backdoor
  - Summary
- Why subscribe?
Other Books You May Enjoy
Index

pokaż cały spis treści