Book Review: "Blue Team Handbook: Incident Response Edition"

"Blue Team Handbook: Incident Response Edition, A condensed field guide for the Cyber Security Incident Responder" By: Don Murdoch

This book is a steal at $13.39, averages four-and-a-half-star reviews, and totals roughly 140 pages. Published in August 2014, now in its second version, with content that reflects an incident responder's day-in, day-out activities, this book is right on the pulse of real incident response. Overall, it covers the theory, processes, tools, tips, and tricks of incident response, as well as some more general blue-teaming processes. The book is split into 48 unique chapters, which I will cover and group into my own meta categories below. It is also worth mentioning that, despite similarities in price, size, and naming, this book is really not so similar to "RTFM: Red Team Field Manual" (RTFM), for the following reasons. This book contains a lot more theory and far fewer cheat sheets than RTFM. Each chapter has a few paragraphs devoted to why and how the tools will be used, as well as personal anecdotes, as opposed to the single description and one-liners in RTFM. This book still has a considerable number of cheat sheets, laid out in tables with a one-line description and the associated command. I could see using these few key tables as a reference manual, but in general this book is not as useful as a reference manual as RTFM is. That said, this is both a fantastic intro and a refresher book for incident response, as it provides some of that base theory while also giving some general cheat sheets to get people started and make them effective. Overall, I give this book 6 out of 10 stars, for reasons different than those for RTFM: I appreciate the added theory, I still don't like the unexplained syntax, but mostly I felt like this book lost its logical flow at points, delving into attacker areas that an incident responder would go about differently (identifying exploited vulnerabilities, log aggregation, and identifying an attacker's tools).
I'd recommend this book to incident responders as a basic reference guide, to those looking to get into incident response, and to general security enthusiasts as a short blue-team read.

The following are the chapters from the book, grouped into my own meta categories:
(Note: I've moved some chapters of the book around in my meta categories, as sometimes I feel like the book loses its logical flow. The numbers correspond to the real chapter numbers; however, I've placed them in the logical order that makes the most sense in my opinion.)

Theory, Process, and Plan:
(These are great chapters on incident response and a must-read if you are new to the topic. Seasoned professionals can likely skip these chapters.)

1. Blue Team Handbook - Introduction
2. Some Lessons from the US Military
3. Six Steps of Incident Response
4. Assessing Impact of Cyber Attacks
5. Essential IR Business Process and Paperwork
6. Chain of Custody and Evidence Topics (V2)
7. Six Step Incident Response Template
8. Commercial Incident Response Template
9. Incident Response and Forensics are Partners
34. Notes: Bootable Linux Distributions
46. Acronyms Used in this Manual
40. Web Site References
47. Bibliography, Reading List, and References
48. Index

Understanding the Attacker:

(These are my least favorite chapters of the book, as I feel other books just do this better and this space could have been better utilized.)

10. The Attack Process, Tools, and IR Points
11. Secure Communications
12. Netcat and Cryptcat for the Blue Team
14. Windows Counter Loops
13. Nmap and Masscan Network Assessment
24. Firewall Assurance/Testing with HPing
35. Vulnerability Testing (OpenVAS)
15. Simple Windows Password Guessing
37. Password Assessment
28. Common Malware Campaign Pattern

Host Based Analysis:

(IMO: These are the best chapters in the entire book; they are highly useful and can be used as reference material, similar to RTFM.)

16. Automated Collection (Windows)
17. Malware Standard Response Pattern
18. Windows Volatile Data Investigation
19. Other Windows Artifact Investigation 
20. Linux Volatile Data System Investigation
21. Linux Artifact Investigation
22. SIFT Based Timeline Construction (Windows)
23. Linux Iptables Essentials: An Example
30. RDBMS Incident Response (V2)

Network Based Analysis:

(These are also great chapters, and they can be used as reference material, similar to RTFM.)

25. Network Device Collection and Analysis Process
26. Website Investigation Techniques
27. Network Traffic Analysis Techniques
29. Suspicious Traffic Patterns
30. Packet Data Carving Notes
32. Wireless Specific Topics
33. Using the Snort IDS
35. Wireshark Usage Notes
38. Common TCP and UDP Ports
39. ICMP Table
41. ICMP Header
42. IPV4 Header
43. UDP Header
44. TCP Header
45. IPv6 Header

Overall, I thought this was a fantastic, short, and informative read. One of my favorite parts of the book is that at the end of every chapter there is a brief IR summary discussing where that chapter fits into the six key phases of incident response. One of my gripes with both this book (and RTFM) is that I wish they spent an additional line clarifying what all of the variables in their cheat-sheet command statements mean, because this lack of clarification can make the one-liner statements confusing, as the reader is unsure which arguments are flags and which are variables. I'm a little upset they didn't touch on malware analysis at all, as that is often a crucial aid to incident response in identifying the malware families and attacker campaigns at play (similar to the way they discussed having dedicated forensics specialists working in tandem with the IR team). When reading this book I suggest you have a machine nearby so you can test the commands out and see the variables and output for yourself. Again, this is a practical book, it makes the cut as reference material I will keep in my bag, and I encourage infosec enthusiasts to pick up their own copy.