Book Review: "Incident Response and Computer Forensics, Third Edition"
Welcome back for another computer science / information security book review! Today I'm bringing you a core staple of incident response theory and methodology, "Incident Response and Computer Forensics, Third Edition", by a gang of people, including such major and minor authors as Jason T. Luttgens, Matt Pepe, Kevin Mandia, Marshall Heilman, Ryan Kazanciyan, Jeff Hamm, Willi Ballenthin, Justin Prosco, Ryan Benson, Niles Akens, and Robert Honnies. I've had the pleasure of working with most of these gents at Mandiant, and I can say definitively that this text lives and breathes core Mandiant incident response methodology and theory. The book is cheap too: at $40 for 544 pages, it really delivers on value and content, despite being slightly dated. A lot of the tools and core methodologies are Mandiant based (from using Redline to defining host-based observable events in terms of IOCs). It is nice that they use reliable methodologies that I am familiar with, but this also comes with the criticism that incident responders should not be tool dependent (which the book itself emphasizes). The book is also rife with examples, providing entertaining and real-world stories that bring the theories to life. The sections of the book are well thought out as well; the entire book continually shifts from theory up front (Parts 1-3) to hardcore technical details and operations (Parts 3-5). Overall, I give this book a solid 8 out of 10 stars for bringing the theory, being applicable (despite being outdated), and conveying tried, true, and effective methods for incident response. I recommend blue teamers stop what they are doing and pick this book up immediately if they haven't read this or a similar book on incident response, and I also recommend this book to other infosec practitioners looking to get a better understanding of incident response.

As with my other reviews, the following is the Table of Contents, to give the reader a solid understanding of each chapter and its detailed contents.

Cover
Title Page
Copyright Page
About the Authors
    About the Contributors
    About the Technical Editor
Contents
Foreword
Acknowledgments
Introduction

Part I: Preparing for the Inevitable Incident

Chapter 1: Real-World Incidents
    What Constitutes an Incident?
    What Is Incident Response?
    Where We Are Now
    Why Should You Care About Incident Response?
    Case Studies
        Case Study #1: Show Me the Money
        Case Study #2: Certificate of Authenticity
    Concept of the Attack Lifecycle
    So What?
    Questions
Chapter 2: IR Management Handbook
    What Is a Computer Security Incident?
    What Are the Goals of Incident Response?
    Who Is Involved in the IR Process?
        Finding IR Talent
    The Incident Response Process
        Initial Response
        Investigation
        Remediation
        Tracking of Significant Investigative Information
        Reporting
    So What?
    Questions
Chapter 3: Pre-Incident Preparation
    Preparing the Organization for Incident Response
        Identifying Risk
        Policies That Promote a Successful IR
        Working with Outsourced IT
        Thoughts on Global Infrastructure Issues
        Educating Users on Host-Based Security
    Preparing the IR Team
        Defining the Mission
        Communication Procedures
        Deliverables
        Resources for the IR Team
    Preparing the Infrastructure for Incident Response
        Computing Device Configuration
        Network Configuration
    So What?
    Questions

Part II: Incident Detection and Characterization

Chapter 4: Getting the Investigation Started on the Right Foot
    Collecting Initial Facts
        Checklists
    Maintenance of Case Notes
        Building an Attack Timeline
    Understanding Investigative Priorities
        What Are Elements of Proof?
        Setting Expectations with Management
    So What?
    Questions
Chapter 5: Initial Development of Leads
    Defining Leads of Value
    Acting on Leads
        Turning Leads into Indicators
        The Lifecycle of Indicator Generation
        Resolving Internal Leads
        Resolving External Leads
    So What?
    Questions
Chapter 6: Discovering the Scope of the Incident
    What Should I Do?
        Examining Initial Data
        Gathering and Reviewing Preliminary Evidence
        Determining a Course of Action
    Customer Data Loss Scenario
        Customer Data Loss—Scoping Gone Wrong
    Automated Clearing House (ACH) Fraud Scenario
        ACH Fraud—Scoping Gone Wrong
    So What?
    Questions

Part III: Data Collection

Chapter 7: Live Data Collection
    When to Perform a Live Response
    Selecting a Live Response Tool
    What to Collect
    Collection Best Practices
    Live Data Collection on Microsoft Windows Systems
        Prebuilt Toolkits
        Do It Yourself
        Memory Collection
    Live Data Collection on Unix-Based Systems
        Live Response Toolkits
        Memory Collection
    So What?
    Questions
Chapter 8: Forensic Duplication
    Forensic Image Formats
        Complete Disk Image
        Partition Image
        Logical Image
        Image Integrity
    Traditional Duplication
        Hardware Write Blockers
        Image Creation Tools
    Live System Duplication
    Duplication of Enterprise Assets
        Duplication of Virtual Machines
    So What?
    Questions
Chapter 9: Network Evidence
    The Case for Network Monitoring
    Types of Network Monitoring
        Event-Based Alert Monitoring
        Header and Full Packet Logging
        Statistical Modeling
    Setting Up a Network Monitoring System
        Choosing Appropriate Hardware
        Installation of a Pre-built Distribution
        Deploying the Network Sensor
        Evaluating Your Network Monitor
    Network Data Analysis
        Data Theft Scenario
        Webshell Reconnaissance Scenario
        Other Network Analysis Tools
    Collect Logs Generated from Network Events
    So What?
    Questions
Chapter 10: Enterprise Services
    Network Infrastructure Services
        DHCP
        DNS
    Enterprise Management Applications
        LANDesk Software Management Suite
        Symantec Altiris Client Management Suite
    Antivirus Software
        Antivirus Quarantine
        Symantec Endpoint Protection
        McAfee VirusScan
        Trend Micro OfficeScan
    Web Servers
        Web Server Background
        Apache HTTP Server
        Microsoft Internet Information Services (IIS)
    Database Servers
        Microsoft SQL
        MySQL
        Oracle
    So What?
    Questions

Part IV: Data Analysis

Chapter 11: Analysis Methodology
    Define Objectives
    Know Your Data
        Where Is Data Stored?
        What’s Available?
    Access Your Data
    Analyze Your Data
        Outline an Approach
        Select Methods
    Evaluate Results
    So What?
    Questions
Chapter 12: Investigating Windows Systems
    NTFS and File System Analysis
        The Master File Table
        INDX Attributes
        Change Logs
        Volume Shadow Copies
        File System Redirector
    Prefetch
        The Evidence
        Analysis
    Event Logs
        The Evidence
        Analysis
    Scheduled Tasks
        Creating Tasks with the “at” Command
        Creating Tasks with the schtasks Command
        The Evidence
        Analysis
    The Windows Registry
        The Evidence
        Analysis
        Registry Analysis Tools
    Other Artifacts of Interactive Sessions
        LNK Files
        Jump Lists
        The Recycle Bin
    Memory Forensics
        The Evidence
        Memory Analysis
    Alternative Persistence Mechanisms
        Startup Folders
        Recurring Tasks
        System Binary Modification
        DLL Load-Order Hijacking
    Review: Answering Common Investigative Questions
    So What?
    Questions
Chapter 13: Investigating Mac OS X Systems
    HFS+ and File System Analysis
        Volume Layout
        File System Services
    Core Operating System Data
        File System Layout
        User and Service Configuration
        Trash and Deleted Files
        System Auditing, Databases, and Logging
        Scheduled Tasks and Services
        Application Installers
    A Review: Answering Common Investigative Questions
    So What?
    Questions
Chapter 14: Investigating Applications
    What Is Application Data?
    Where Is Application Data Stored?
        Windows
        OS X
        Linux
    General Investigation Methods
    Web Browsers
        Internet Explorer
        Google Chrome
        Mozilla Firefox
    E-Mail Clients
        Web E-Mail
        Microsoft Outlook for Windows
        Apple Mail
        Microsoft Outlook for Mac
    Instant Message Clients
        Methodology
        Instant Message
    So What?
    Questions
Chapter 15: Malware Triage
    Malware Handling
        Safety
        Documentation
        Distribution
        Accessing Malicious Sites
    Triage Environment
        Setting Up a Virtual Environment
    Static Analysis
        What Is That File?
        Portable Executable Files
    Dynamic Analysis
        Automated Dynamic Analysis: Sandboxes
        Manual Dynamic Analysis
    So What?
    Questions
Chapter 16: Report Writing
    Why Write Reports?
    Reporting Standards
        Report Style and Formatting
        Report Content and Organization
    Quality Assurance
    So What?
    Questions

Part V: Remediation

Chapter 17: Remediation Introduction
    Basic Concepts
    Remediation Pre-Checks
    Form the Remediation Team
        When to Create the Remediation Team
        Assigning a Remediation Owner
        Members of the Remediation Team
    Determine the Timing of the Remediation
    Develop and Implement Remediation Posturing Actions
        Implications of Alerting the Attacker
    Develop and Implement Incident Containment Actions
    Develop the Eradication Action Plan
    Determine Eradication Event Timing and Execute Eradication Plan
    Develop Strategic Recommendations
    Document the Lessons Learned
    Putting It All Together
    Common Mistakes That Lead to Remediation Failure
    So What?
    Questions
Chapter 18: Remediation Case Study
    Remediation Plan for Case Study #1: Show Me the Money
        Select the Team
        Determine Remediation Timing
        Contain the Incident
        Posture the Environment
        Eradicate the Attacker
        Set the Strategic Direction
    So What?
    Questions
Index

In conclusion, if you're a blue team member or an incident responder, this is a book you really can't afford to pass up. It would also be a massive miss for any type of defensive information security leader, such as a CSO, CISO, SOC manager or even IR engagement lead, to pass up, as it really impresses upon the reader core information security management concepts such as properly scoping an investigation, handling various local and international regulations, and even proper handling of evidence and chain of custody. The authors also provide tons of resources from the IR3E book on a dedicated site to maintain the content. Essentially, it's a seminal work of Mandiant, documenting their methodologies and operations as one of the leading incident response firms currently dealing with advanced state actors and incident response at scale.