Incident Response: A Strategic Guide to Handling System and Network Security Breaches (Landmark) [Englisch] [Taschenbuch]

I am a senior engineer for network security operations. I read "Incident Response: A Strategic Guide" (IR:ASG) by Shultz and Shumway to enhance my own understanding of ways to deal with security events. As a "strategic guide," the book will be useful to managers of incident response teams. Nevertheless, "Incident Response: Investigating Computer Crime," by Mandia, Prosise, and Pepe remains king of the hill.

IR:ASG is well-written, and focuses attention on processes and methodology over technical implementation. While this approach lengthens the book's shelf-life, it lessens its value to those looking for solutions to technical problems. Still, IR:ASG offers plenty of good advice, such as guidelines for users reporting security events, tips for handling the media, and recognition of the importance of operations staff. Chapter five provides useful recommendations for training and testing incident response personnel, and chapter ten's coverage of insider attacks is especially enlightening.

On the negative side, incorrect material on "packet sequence numbers" on pages 34-5 reflects the widespread misunderstanding that TCP sequence numbers count packets. As RFC 793 clearly states, "each octet of data is assigned a sequence number;" i.e., packets are NOT assigned sequence numbers; bytes of data are. The authors do not accurately represent the 2600 DeCSS case properly on p. 148, as the issue is not copy-protection but play-prevention on non-licensed platforms. The "traps and deceptions" chapter is weak compared to Lance Spitzner's truly definitive honeynet work, and in chapter thirteen the authors repeat the party line on the supposed weaknesses of intrusion detection systems.

The best reason to buy and read IR:ASG isn't written by the lead authors. Dr. Terry Gudaitis' chapter eleven, "The Human Side of Incident Response," is refreshing and educational. As a behavioral scientist and criminologist, she discusses "cyber criminal profiling." While the average security incident may not require application of her techniques, it's reassuring to know people with her level of skill and insight are available to add a human dimension when responding to serious incidents.

IR:ASG reminded me of "Computer Forensics" by Kruse and Heiser when I read this line on p. 188 in the "Forensics II" chapter: "The specific steps in analyzing a mission-critical system are beyond the scope of this book." Unfortunately for both books, most readers crave details on investigating systems for signs of external compromise and exploitation. We've heard enough about searching hard drives for remnants of illicit images, illegal software, or harassing emails. Until another set of authors can do better, "Incident Response" by Mandia, Prosise, and Pepe will be the single "go-to" book for most incident responders.

(Disclaimer: I received a free review copy of this book.)

Being the third book with the same title that I reviewed, "Incident Response" by Eugene Schultz and Russell Shumway had to overcome a certain expectation barrier, even though the authors are recognized experts in the security field. It passed the barrier with flying colors, being different, but still covering many facets of the intricate incident response (IR) process, such as technology, procedures and especially people.

The books starts with security basics. A risk assessment overview with loss estimates and a summary of digital risks (such as privilege escalation, break-in, denial-of-service, etc) is provided. It appears to be useful mostly for newcomers to the security field. Formal six stage incident response methodology is then presented by the authors. Preparation, Detection, Containment, Eradication Recovery and Follows-Up (PDCERF) process helps create a solid skeleton to support the fluid form of the IR process.

Admittedly, the book is less hands-on oriented than some other IR manuals; the reader will not find things like computer forensics tool command line options and ext2fs filesystem internals there. However, the book shines brightly in the area of human aspect of incident response. Written by a ex-CIA Ph.D. Psychologist, the amazing chapter on social sciences and incident response covers a diverse range of topics. Cybercrime profiling techniques such as victim counseling and victimology, identifying 'modus operandi' and attack pattern recognition, establishment of threat level and communication with attacker are all covered in the chapter, which provides an exciting journey into the mind of a computer criminal, a cyber-sleuth and a cybercrime victim. Also covered are insider attacks, often considered to be the doom of information security. A number of reasons "Why insiders attack?" are analyzed. The author overlays the social methods over the standard procedure of incident response

(detection->containment->eradication->recovery), which helps understand the crucial role the human element plays in any security incident.

Two chapters are devoted to high-level computer forensics overview. Hard disk basics are explained - FAT, cluster, secure deletion are all given an appropriate space. The book then goes to talk about the "guiding principles" of the investigation. The brief overview of forensic software and hardware is also provided. It only serves to familiarize the reader with the names of common packages and utilities. For example, TCT coroner kit is only given about 15 lines of text.

Honeypots also take an honorable place in the book. Their role in IR is studied in detail and is deemed important. Honeypots are also tied to the PDCERF methodology (namely, to detection, eradication and follow-up phases). The value of honeypots is recognized for studying attackers, shielding of IT resources and even gathering evidence for court prosecution. Some common ways of implementing honeypots (such as via virtual environment) are discussed. The authors even digress to touch upon the ethical implication of honeypots.

Another gem is a stimulating chapter on future direction in IR. The ambitious prediction of intelligent automated incident response and attacker tracking tools is made by the authors. While it is known that automated response to security incidents must be viewed with caution, the potential seem to exist for future automated IR "helpers".

Legal issues overview is a must for any IR book. A brief and to-the-point section on US laws and international cybercrime treaties is available.

Last, but not least, a short response and reporting checklist is compiled by the authors. It is based on the six step IR process and will help investigators to structure their efforts and assist with data collection. Also included is a copy of a Site Security Handbook (RFC2196) with an extensive list of references.

Overall, the book is an extremely useful guide for security managers and those tasked with organizing/maintaining incident response teams. It will not reveal any technology secrets to a skilled computer crime investigator. However, he is likely to enjoy the book anyway!

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

Incident Response: A Strategic Guide to Handling System and Network Security Breaches provides an excellent introduction into the concepts of IR.

The book covers all of the main areas required for effective incident response. There are a lot of real world scenarios written to provide the reader with a feel for what is truly required of IR.

The book is geared towards the high level and does not provide much hands on information. Those looking for a heavy hands-on tome for IR will be better served by reading `Incident Response' by Kevin Mandia & Chris Prosise.

The only think I found lacking in the book was an overview of third-party software applications that can be used for a Computer Incident Response Team.

Other than that, Incident Response: A Strategic Guide to Handling System and Network Security Breaches is an excellent read written by two experts in the field.