Applied Incident Response
Steve Anson
Copyright 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-56026-5
ISBN: 978-1-119-56028-9 (ebk)
ISBN: 978-1-119-56031-9 (ebk)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2019954524
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
This book is dedicated to the community of IT security professionals who innovate, create, and inform through blogs, open-source software, and social media. The techniques outlined in this book are only possible due to your tireless efforts.
Preface
Incident response requires a working knowledge of many different specialties. A good incident handler needs to be proficient in log analysis, memory forensics, disk forensics, malware analysis, network security monitoring, scripting, and command-line kung fu. It is an amazingly difficult task and one that requires constant training across a range of disciplines. That's where this book comes in. In between these covers (or in this digital file), you will find the distilled essence of each of these specialized areas. Whether you are an IT professional looking to broaden your understanding of incident response, a student learning the ropes for the first time, or a hardened veteran of the cyber trenches in search of a quick reference guide, this book has you covered.
This work is not focused on high-level theory, management approaches, or global policy challenges. It is written by and for hands-on practitioners who need to detect, deter, and respond to adversarial actions within their networks on a daily basis. Drawing on experience performing intrusion investigations for the Federal Bureau of Investigation (FBI) and U.S. Department of Defense, consulting for global clients, developing digital forensics and cyber investigative capabilities for dozens of national police forces, and working with students in hundreds of courses delivered for the U.S. State Department, the FBI Academy, and SANS, I have attempted to provide the most effective and actionable techniques possible for addressing modern cyber adversaries. I have also sought out the opinions, guidance, reviews, and input of many experts (who are far smarter than I am) in the various specialties presented in this book to ensure that the most current and relevant techniques are accurately presented. The end result may bear the name of a single author, but it is truly a collective work. As a result, I will use the plural "we" for first-person interjections to bear witness to the many practitioners and editors who helped make this work possible.
This book is in many ways a follow-up to Mastering Windows Network Forensics and Investigation, 2nd Edition (Sybex, 2012). While that book still contains many useful techniques for dealing with incidents more than 10 years since the release of its first edition, a great deal has changed since it was initially conceived. Threat actors are more advanced; breaches occur at a faster pace; the tactics, techniques, and procedures (TTPs) used by organized criminals and nation-state actors have merged; and code from each attack campaign is routinely reused by other threat actors. The days of pulling massive numbers of hard drives for static imaging and performing full forensic analysis of each have given way to performing targeted forensic examinations, searching live RAM across thousands of systems for injected malware, interrogating systems through scripts for indicators of compromise, and using data visualization techniques to detect malicious lateral movement among seemingly countless legitimate events. Modern threats require a different and more dynamic approach, and that is what you will find here: effective techniques for incident response that you can immediately apply in your environment.