You are previewing Crafting the InfoSec Playbook.
O'Reilly logo
Crafting the InfoSec Playbook

Book Description

This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone. Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.

Table of Contents

  1. Foreword
  2. Preface
    1. Should You Read This Book?
    2. Why We Wrote This Book
    3. Cut to the Chase
    4. How to Navigate This Book
    5. Additional Resources
    6. Conventions Used in This Book
    7. Safari<sup xmlns="http://www.w3.org/1999/xhtml" xmlns:epub="http://www.idpf.org/2007/ops">&#174;</sup> Books Online Books Online
    8. How to Contact Us
    9. Acknowledgments
  3. 1. Incident Response Fundamentals
    1. The Incident Response Team
    2. Justify Your Existence
    3. Measure Up
    4. Who’s Got My Back?
      1. Friends on the Outside
    5. The Tool Maketh the Team
    6. Choose Your Own Adventure
    7. Buy or Build?
    8. Run the Playbook!
    9. Chapter Summary
  4. 2. What Are You Trying to Protect?
    1. The Four Core Questions
    2. There Used to Be a Doorway Here
    3. Host Attribution
      1. Bring Your Own Metadata
    4. Identifying the Crown Jewels
    5. Make Your Own Sandwich
    6. More Crown Jewels
      1. Low-Hanging Fruit
    7. Standard Standards
    8. Risk Tolerance
    9. Can I Get a Copy of Your Playbook?
    10. Chapter Summary
  5. 3. What Are the Threats?
    1. “The Criminal Is the Creative Artist; the Detective Only <span xmlns="http://www.w3.org/1999/xhtml" xmlns:epub="http://www.idpf.org/2007/ops" class="keep-together">the Critic</span>&#8221;”
    2. Hanging Tough
    3. Cash Rules Everything Around Me
    4. Greed.isGood();
    5. I Don’t Want Your Wallet, I Want Your Phone
    6. There’s No Place Like 127.0.0.1
    7. Let’s Play Global Thermonuclear War
    8. Defense Against the Dark Arts
    9. Chapter Summary
  6. 4. A Data-Centric Approach to <span xmlns="http://www.w3.org/1999/xhtml" xmlns:epub="http://www.idpf.org/2007/ops" class="keep-together">Security Monitoring</span>
    1. Get a Handle on Your Data
      1. Logging Requirements
      2. Just the Facts
      3. Normalization
      4. Playing Fields
      5. Fields in Practice
      6. Fields Within Fields
    2. Metadata: Data About Data About Data
      1. Metadata for Security
      2. Blinded Me with [Data] Science!
      3. Metadata in Practice
      4. Context Is King
    3. Chapter Summary
  7. 5. Enter the Playbook
    1. Report Identification
      1. Objective Statement
      2. Result Analysis
      3. Data Query/Code
      4. Analyst Comments/Notes
      5. The Framework Is Complete—Now What?
    2. Chapter Summary
  8. 6. Operationalize!
    1. You Are Smarter Than a Computer
      1. People, Process, and Technology
      2. Trusted Insiders
      3. Don’t Quit the Day Job
      4. Critical Thinking
      5. Systematic Approach
    2. Playbook Management System
      1. Measure Twice, Cut Once, Then Measure Again
      2. Report Guidelines
      3. Reviewing High-Fidelity Reports in Theory
      4. Reviewing Investigative Reports in Theory
      5. Reviewing Reports in Practice
    3. Event Query System
    4. Result Presentation System
    5. Incident Handling and Remediation Systems
    6. Case Tracking Systems
    7. Keep It Running
    8. Keep It Fresh
    9. Chapter Summary
  9. 7. Tools of the Trade
    1. Defense in Depth
      1. Successful Incident Detection
    2. The Security Monitoring Toolkit
      1. Log Management: The Security Event Data Warehouse
      2. Intrusion Detection Isn’t Dead
      3. HIP Shot
      4. Hustle and NetFlow
      5. DNS, the One True King
      6. HTTP Is the Platform: Web Proxies
      7. [rolling] Packet Capture
      8. Applied Intelligence
      9. Shutting the Toolbox
      10. Putting It All Together
    3. Chapter Summary
  10. 8. Queries and Reports
    1. False Positives: Every Playbook’s Mortal Enemy
    2. There Ain’t No Such Thing as a Free Report
    3. An Inch Deep and a Mile Wide
    4. A Million Monkeys with a Million Typewriters
    5. A Chain Is Only as Strong as Its Weakest Link
    6. Detect the Chain Links, Not the Chain
    7. Getting Started Creating Queries
    8. Turning Samples of Malicious Activity into Queries for Reports
    9. Reports Are Patterns, Patterns Are Reports
    10. The Goldilocks-Fidelity
    11. Exploring Out of Sight of Land
      1. Sticking with What You Know
      2. Inverting “Known Good”
      3. Looking for Things Labeled as “Bad”
    12. Chapter Summary
  11. 9. Advanced Querying
    1. Basic Versus Advanced
    2. The False Positive Paradox
    3. Good Indications
    4. Consensus as an Indicator (Set Operations and Outlier Finding)
    5. Set Operations for Finding Commonalities
    6. Finding Black Sheep
    7. Statistics: 60% of the Time, It Works Every Time
    8. Skimming the IDS Flotsam Off the Top
    9. Pulling Patterns Out of NetFlow
      1. Horizontal Scanning
      2. Vertical Scanning
    10. Looking for Beaconing with Statistics
    11. Is Seven a Random Number?
    12. Correlation Through Contingent Data
    13. Who Is Keyser Söze?
    14. Guilty by Association
    15. Chapter Summary
  12. 10. I’ve Got Incidents Now! How Do I Respond?
    1. Shore Up the Defenses
    2. Lockdown
      1. The Fifth Estate
    3. No Route for You
      1. Not Your Bailiwick
    4. One Potato, Two Potato, Three Potato, Yours
      1. Get to the Point
    5. Lessons Learned
    6. Chapter Summary
  13. 11. How to Stay Relevant
    1. Oh, What a Tangled Web We Weave, When First We Practice to Deceive!
    2. The Rise of Encryption
    3. Encrypt Everything?
      1. Catching the Ghost
    4. TL;DR
  14. Index