Crafting an Information Security Playbook
Security Monitoring and Incident Response Master Plan
Jeff Bollinger, Brandon Enright, Matthew Valites
Book | Softcover
276 pages
2015
O'Reilly Media (publisher)
978-1-4919-4940-5 (ISBN)
CHF 62.80 incl. VAT
Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure.

This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.

Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.
  • Learn incident response fundamentals—and the importance of getting back to basics
  • Understand threats you face and what you should be protecting
  • Collect, mine, organize, and analyze as many relevant data sources as possible
  • Build your own playbook of repeatable methods for security monitoring and response
  • Learn how to put your plan into action and keep it running smoothly
  • Select the right monitoring and detection tools for your environment
  • Develop queries to help you sort through data and create valuable reports
  • Know what actions to take during the incident response phase

With over ten years of information security experience, Jeff Bollinger has worked as security architect and incident responder for both academic and corporate networks. Specializing in investigations, network security monitoring, and intrusion detection, Jeff Bollinger currently works as an information security investigator, and has built and operated one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and writes for the Cisco Security Blog. His recent work includes log mining, search optimization, threat research, and security investigations.

Brandon Enright is a senior information security investigator with Cisco Systems. Brandon has a bachelor's degree in computer science from UC San Diego where he did research in the Systems and Networking group. Brandon has coauthored several papers on the infrastructure and economics of malware botnets and a paper on the impact of low entropy seeds on the generation of SSL certificates. Some of his work in cryptography includes presenting weaknesses in some of the NIST SHA3 competition candidates, fatally knocking one out of the competition, and authoring the Password Hashing Competition proposal OmegaCrypt. Brandon is a long-time contributor to the Nmap project, a fast and featureful port scanner and security tool. In his free time Brandon enjoys mathematical puzzles and logic games.

Matthew Valites is a senior investigator and site lead on Cisco's Computer Security Incident Response Team (CSIRT). He provides expertise building an Incident Response and monitoring program for cloud and hosted service enterprises, with a focus on targeted and high-value assets. A hobbyist Breaker and Maker for as long as he can recall, his current professional responsibilities include security investigations, mining security-centric alerts from large data sets, operationalizing CSIRT's detection logic, and mobile device hacking. Matt enjoys speaking at international conferences, and is keen to share CSIRT's knowledge, best practices, and lessons-learned.

Chapter 1: Incident Response Fundamentals
The Incident Response Team
Justify Your Existence
Measure Up
Who’s Got My Back?
The Tool Maketh the Team
Choose Your Own Adventure
Buy or Build?
Run the Playbook!
Chapter Summary
Chapter 2: What Are You Trying to Protect?
The Four Core Questions
There Used to Be a Doorway Here
Host Attribution
Identifying the Crown Jewels
Make Your Own Sandwich
More Crown Jewels
Standard Standards
Risk Tolerance
Can I Get a Copy of Your Playbook?
Chapter Summary
Chapter 3: What Are the Threats?
“The Criminal Is the Creative Artist; the Detective Only the Critic”
Hanging Tough
Cash Rules Everything Around Me
Greed.isGood();
I Don’t Want Your Wallet, I Want Your Phone
There’s No Place Like 127.0.0.1
Let’s Play Global Thermonuclear War
Defense Against the Dark Arts
Chapter Summary
Chapter 4: A Data-Centric Approach to Security Monitoring
Get a Handle on Your Data
Metadata: Data About Data About Data
Chapter Summary
Chapter 5: Enter the Playbook
Report Identification
Chapter Summary
Chapter 6: Operationalize!
You Are Smarter Than a Computer
Playbook Management System
Event Query System
Result Presentation System
Incident Handling and Remediation Systems
Case Tracking Systems
Keep It Running
Keep It Fresh
Chapter Summary
Chapter 7: Tools of the Trade
Defense in Depth
The Security Monitoring Toolkit
Chapter Summary
Chapter 8: Queries and Reports
False Positives: Every Playbook’s Mortal Enemy
There Ain’t No Such Thing as a Free Report
An Inch Deep and a Mile Wide
A Million Monkeys with a Million Typewriters
A Chain Is Only as Strong as Its Weakest Link
Detect the Chain Links, Not the Chain
Getting Started Creating Queries
Turning Samples of Malicious Activity into Queries for Reports
Reports Are Patterns, Patterns Are Reports
The Goldilocks-Fidelity
Exploring Out of Sight of Land
Chapter Summary
Chapter 9: Advanced Querying
Basic Versus Advanced
The False Positive Paradox
Good Indications
Consensus as an Indicator (Set Operations and Outlier Finding)
Set Operations for Finding Commonalities
Finding Black Sheep
Statistics: 60% of the Time, It Works Every Time
Skimming the IDS Flotsam Off the Top
Pulling Patterns Out of NetFlow
Looking for Beaconing with Statistics
Is Seven a Random Number?
Correlation Through Contingent Data
Who Is Keyser Söze?
Guilty by Association
Chapter Summary
Chapter 10: I’ve Got Incidents Now! How Do I Respond?
Shore Up the Defenses
Lockdown
No Route for You
One Potato, Two Potato, Three Potato, Yours
Lessons Learned
Chapter Summary
Chapter 11: How to Stay Relevant
Oh, What a Tangled Web We Weave, When First We Practice to Deceive!
The Rise of Encryption
Encrypt Everything?
TL;DR

Publication date (per publisher): 23 June 2015
Place of publication: Sebastopol
Language: English
Dimensions: 177 x 231 mm
Weight: 470 g
Binding: paperback
Subject area: Computer Science > Networks > Security / Firewall
Mathematics / Computer Science > Computer Science > Theory / Study
Keywords: network security • encryption
ISBN-10: 1-4919-4940-6 / 1491949406
ISBN-13: 978-1-4919-4940-5 / 9781491949405
Condition: new