Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure. This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.
Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.
Learn incident response fundamentals—and the importance of getting back to basics
Understand threats you face and what you should be protecting
Collect, mine, organize, and analyze as many relevant data sources as possible
Build your own playbook of repeatable methods for security monitoring and response
Learn how to put your plan into action and keep it running smoothly
Select the right monitoring and detection tools for your environment
Develop queries to help you sort through data and create valuable reports
Know what actions to take during the incident response phase
Chapter 1. Incident Response Fundamentals
The Incident Response Team
Justify Your Existence
Who’s Got My Back?
The Tool Maketh the Team
Choose Your Own Adventure
Buy or Build?
Run the Playbook!
Chapter 2. What Are You Trying to Protect?
The Four Core Questions
There Used to Be a Doorway Here
Identifying the Crown Jewels
Make Your Own Sandwich
More Crown Jewels
Can I Get a Copy of Your Playbook?
Chapter 3. What Are the Threats?
“The Criminal Is the Creative Artist; the Detective Only the Critic”
Cash Rules Everything Around Me
I Don’t Want Your Wallet, I Want Your Phone
There’s No Place Like 127.0.0.1
Let’s Play Global Thermonuclear War
Defense Against the Dark Arts
Chapter 4. A Data-Centric Approach to Security Monitoring
Get a Handle on Your Data
Metadata: Data About Data About Data
Chapter 5. Enter the Playbook
You Are Smarter Than a Computer
Playbook Management System
Event Query System
Result Presentation System
Incident Handling and Remediation Systems
Case Tracking Systems
Keep It Running
Keep It Fresh
Chapter 7. Tools of the Trade
Defense in Depth
The Security Monitoring Toolkit
Chapter 8. Queries and Reports
False Positives: Every Playbook’s Mortal Enemy
There Ain’t No Such Thing as a Free Report
An Inch Deep and a Mile Wide
A Million Monkeys with a Million Typewriters
A Chain Is Only as Strong as Its Weakest Link
Detect the Chain Links, Not the Chain
Getting Started Creating Queries
Turning Samples of Malicious Activity into Queries for Reports
Reports Are Patterns, Patterns Are Reports
Exploring Out of Sight of Land
Chapter 9. Advanced Querying
Basic Versus Advanced
The False Positive Paradox
Consensus as an Indicator (Set Operations and Outlier Finding)
Set Operations for Finding Commonalities
Finding Black Sheep
Statistics: 60% of the Time, It Works Every Time
Skimming the IDS Flotsam Off the Top
Pulling Patterns Out of NetFlow
Looking for Beaconing with Statistics
Is Seven a Random Number?
Correlation Through Contingent Data
Who Is Keyser Söze?
Guilty by Association
Chapter 10. I’ve Got Incidents Now! How Do I Respond?
Shore Up the Defenses
No Route for You
One Potato, Two Potato, Three Potato, Yours
Chapter 11. How to Stay Relevant
Oh, What a Tangled Web We Weave, When First We Practice to Deceive!
With over ten years of information security experience, Jeff Bollinger has worked as a security architect and incident responder for both academic and corporate networks. Specializing in investigations, network security monitoring, and intrusion detection, Jeff Bollinger currently works as an information security investigator, and has built and operated one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and writes for the Cisco Security Blog. His recent work includes log mining, search optimization, threat research, and security investigations.
Brandon Enright is a senior information security investigator with Cisco Systems. Brandon has a bachelor’s degree in computer science from UC San Diego where he did research in the Systems and Networking group. Brandon has coauthored several papers on the infrastructure and economics of malware botnets and a paper on the impact of low entropy seeds on the generation of SSL certificates. Some of his work in cryptography includes presenting weaknesses in some of the NIST SHA3 competition candidates, fatally knocking one out of the competition, and authoring the Password Hashing Competition proposal OmegaCrypt. Brandon is a long-time contributor to the Nmap project, a fast and featureful port scanner and security tool. In his free time Brandon enjoys mathematical puzzles and logic games.
Matthew Valites is a senior investigator and site lead on Cisco's Computer Security Incident Response Team (CSIRT). He provides expertise building an Incident Response and monitoring program for cloud and hosted service enterprises, with a focus on targeted and high-value assets. A hobbyist Breaker and Maker for as long as he can recall, his current professional responsibilities include security investigations, mining security-centric alerts from large data sets, operationalizing CSIRT's detection logic, and mobile device hacking. Matt enjoys speaking at international conferences, and is keen to share CSIRT's knowledge, best practices, and lessons-learned.
The animal on the cover of Crafting the InfoSec Playbook is an American crocodile (Crocodylus acutus), the most widespread crocodile species in the Americas. It prefers tropical coastal habitats near brackish or salty water, and is found in the Caribbean, the state of Florida, Mexico, Central America, and parts of South America. The name crocodylus comes from the Greek for "pebble worm," because of this animal's bumpy scaled skin and typical crawling motion.
This species of crocodile is one of the largest reptiles—males can grow up to 20 feet long and weigh 2,000 pounds. Females are smaller, around 12 feet long on average. Though they are formidable predators, American crocodiles do not often attack large animals (or humans, though it is not unheard of). The bulk of their diet is made up of fish, reptiles, birds, and small mammals, with an occasional deer or cow on the menu. They are not capable of running long distances, and rely on an ambush technique to catch land prey. Within the water, their olive-brown skin camouflages them well; when another animal comes close, they lunge forward and grab their victim with exceptionally strong jaws.
Interestingly, while crocodiles have one of the strongest bite forces of any animal (more than seven times stronger than a great white shark), the muscles for opening their jaw are extremely weak compared to those for closing it. Thus, their mouth can be held shut with duct tape.
From the 1930s to the 1960s, American crocodiles were overhunted due to high demand for their hides in leather goods such as shoes and handbags. Though many countries began protecting them in the 1970s, they are still endangered by illegal hunting and coastal development that destroys their nesting grounds.
The cover image is from Lydekker's Royal Natural History.