Applied Incident Response
- 400 pages
- 14 hours of reading
Incident response is essential to the active defense of any network: responders need current, applicable techniques to engage adversaries. This resource outlines effective strategies for responding to advanced attacks on both local and remote network resources, offering proven techniques and a framework for putting them into practice. It serves as a foundational guide for new incident handlers and as a technical reference for seasoned IR professionals.

Key topics:
- Preparing environments for effective incident response
- Leveraging MITRE ATT&CK and threat intelligence for active defense
- Triaging local and remote systems with PowerShell, WMIC, and open-source tools
- Acquiring RAM and disk images
- Analyzing RAM with Volatility and Rekall
- Deep forensic analysis of system drives with a range of tools
- Network security monitoring with Security Onion and the Elastic Stack
- Log analysis techniques and aggregation of high-value logs
- Static and dynamic malware analysis with YARA rules, FLARE VM, and Cuckoo Sandbox
- Detecting and responding to lateral movement techniques
- Effective threat hunting
- Adversary emulation with Atomic Red Team
- Improving preventive and detective controls
