Reading List for CSIRT Team Members
The goal of this list is to provide a prioritized set of essential reading for network defenders. Other GitHub repositories (see the Awesome links below) contain comprehensive lists of references and tools; this list aims instead to be a starting point: the top documents defenders need in order to have a firm operational foundation.
Please create issues if you have comments or suggestions! Pull requests welcome!
- @sroberts Introduction to DFIR
- SANS Digital Forensics Cheat-Sheets
- Awesome Windows Domain Hardening
- Spotting the Adversary with Windows Event Log Monitoring
- Reducing the Effectiveness of Pass-the-Hash
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft
- C2 Phone Home: Leveraging SecurityOnion to Identify Command and Control-Channels
- http://www.malware-traffic-analysis.net/
- http://blog.malwaremustdie.org
For internal red teams or threat intel groups, and for understanding the methods and tactics blue teams may be faced with:
- Threat Hunting Project
- Awesome Incident Response: A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.
- Awesome Threat Intelligence: A curated list of Awesome Threat Intelligence resources.
- Awesome Malware Analysis: A curated list of awesome malware analysis tools and resources.
- Awesome Security: A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
- APTnotes: A repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.
- OLD APTnotes: Various public documents, whitepapers and articles about APT campaigns.
- Awesome pcaptools
- Awesome Infosec
Hardening Guides:
Although IT Operations is responsible for implementing systems and applying hardening guides, defenders should be deeply aware of the controls that are available. Hardening guides should be treated not only as profiles to audit against but as tools for defense and monitoring: are you monitoring existing controls for compliance and for violations? Are you selecting additional controls that produce useful data for threat hunting?
- CIS Secure Configuration Benchmarks
- Security Technical Implementation Guides (STIGs) Hardening templates from the Defense Information Systems Agency. Also: StigViewer
- National Vulnerability Database: NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
- Cisco Design Zone for Security: Cisco Validated Designs provide best-practice configurations for network topologies and configurations.
The following links need triage before being moved into the list; if they are kept, add a summary of each link as well.
<2018-08-03 Fri 12:52> care of [1]
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
- https://www.petri.com/use-microsofts-active-directory-tier-administrative-model
- https://social.technet.microsoft.com/wiki/contents/articles/37509.what-is-active-directory-red-forest-design.aspx
- The Diamond Model of Intrusion Analysis. Abstract: This paper presents a novel model of intrusion analysis built by analysts, derived from years of experience, asking the simple question, "What is the underlying method to our work?" The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. These features are edge-connected representing their underlying relationships and arranged in the shape of a diamond, giving the model its name: the Diamond Model. It further defines additional meta-features to support higher-level constructs such as linking events together into activity threads and further coalescing events and threads into activity groups. These elements, the event, thread, and group all contribute to a foundational and comprehensive model of intrusion activity built around analytic processes. It captures the essential concepts of intrusion analysis and adversary operations while allowing the model flexibility to expand and encompass new ideas and concepts. The model establishes, for the first time, a formal method applying scientific principles to intrusion analysis – particularly those of measurement, testability, and repeatability – providing a comprehensive method of activity documentation, synthesis, and correlation. This scientific approach and simplicity produces improvements in analytic effectiveness, efficiency, and accuracy. Ultimately, the model provides opportunities to integrate intelligence in real-time for network defense, automating correlation across events, classifying events with confidence into adversary campaigns, and forecasting adversary operations while planning and gaming mitigation strategies.
- An Analysis of Meterpreter during Post-Exploitation. Abstract: Much has been written about using the Metasploit Framework, but what has received minimal attention is an analysis of how it accomplishes what it does. This paper provides an analysis of the post-exploitation activity of a Meterpreter shell on a compromised Windows 7 system. Areas looked at include the characteristics of the stager and payload, fingerprinting the HTTP C2 and beaconing traffic, finding Meterpreter in memory, and several post-exploitation modules that could be used. By focusing on what occurs instead of how to accomplish it, defenders are better equipped to detect and respond.
- Detecting DNS Tunneling. Abstract: DNS is a foundational protocol which enables applications such as web browsers to function based on domain names. DNS is not intended for a command channel or general purpose tunneling. However, several utilities have been developed to enable tunneling over DNS. Because it is not intended for general data transfer, DNS often has less attention in terms of security monitoring than other protocols such as web traffic. If DNS tunneling goes undetected, it represents a significant risk to an organization. This paper reviews DNS tunneling utilities and discusses practical techniques for detecting DNS tunneling. Two categories of detection considered are payload analysis and traffic analysis. The payload detection techniques have been used to successfully detect specific DNS tunneling utilities. The traffic analysis based technique can be used to universally detect DNS tunneling. With these detection techniques implemented, organizations can reduce the risk associated with DNS tunneling.
- Shedding Light on Security Incidents Using Network Flows
- An Approach to Detect Malware Call-Home Activities
- Assessing Outbound Traffic to Uncover Advanced Persistent Threat
- Detect, Contain and Control Cyberthreats
- Automated Defense - Using Threat Intelligence to Augment
- Trends in Bot Net Command and Control
- Covert Channels Over Social Networks
- Detecting and Preventing Unauthorized Outbound Traffic
- gh0st-dshell-decoding-undocumented-protocols
- SANS: The Conficker Worm
- An Introduction to the Computer Security Incident Response Team (CSIRT) Set-Up and Operational Considerations
- Incident Handlers Handbook
- Profiling SSL Clients with tshark
- SANS Digital Forensics and Incident Response Blog | The Importance of Command and Control Analysis for Incident Response
- SANS Security Information/Event Management Security Development Life Cycle Version 5
- APT Incident Handling Checklist
- Using Risk Analysis to Inform Intelligence Analysis
- IOCs: How to Create, Manage, and Understand
- yahoo/PyIOCe
- Fireeye IOC Editor
- IETF: The Incident Object Description Exchange Format
- Cyber Threat Intel and IR Report Template
- Lancope: Cyber Security Incident Response: Are we as prepared as we think?
- NSA IAD: Slicksheet Segregating Networks And Functions
- NSA IAD: Slicksheet Limiting Workstation to Workstation Communication
- Office 365 Security Resources
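The Diamond Model abstract above describes events built from four core features (adversary, infrastructure, capability, victim), linked into activity threads and coalesced into activity groups. As an added illustration, not code from the paper or from this list's maintainers, the following shows a minimal working form of those constructs over constructed events: pivoting across a shared feature, ordering one victim's events into a thread, and using union-find to coalesce threads that share a non-victim feature value into groups. The phase ordering, the event fields and all sample values are assumptions; an unknown adversary (`None`) is deliberately never used as a link, since "unattributed" is not a shared feature.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed kill-chain-style phase ordering, used to sequence events within a thread.
PHASES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "act"]


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: the four core features plus two meta-features."""
    adversary: Optional[str]   # None means not yet attributed
    infrastructure: str
    capability: str
    victim: str
    phase: str
    timestamp: int


# Constructed events (made up for this example; not from any real case).
SAMPLE_EVENTS = [
    Event(None, "203.0.113.10", "maldoc-x", "victim-a", "deliver", 1533300000),
    Event(None, "203.0.113.10", "rat-y", "victim-a", "c2", 1533300600),
    Event(None, "198.51.100.7", "maldoc-x", "victim-b", "deliver", 1533301200),
    Event(None, "198.51.100.7", "rat-y", "victim-b", "c2", 1533301800),
    Event(None, "192.0.2.9", "ssh-bruteforce", "victim-c", "exploit", 1533302400),
]


def pivot(events, feature, value):
    """Pivot across the diamond: every event that shares one feature value."""
    return [e for e in events if getattr(e, feature) == value]


def activity_threads(events):
    """Activity thread: the events against one victim, ordered by phase then time."""
    threads = defaultdict(list)
    for e in events:
        threads[e.victim].append(e)
    for victim in threads:
        threads[victim].sort(key=lambda e: (PHASES.index(e.phase), e.timestamp))
    return dict(threads)


def activity_groups(events, pivot_features=("adversary", "infrastructure", "capability")):
    """Activity group: victims whose threads share at least one non-victim feature
    value, computed as connected components with union-find."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    owner = {}  # (feature, value) -> first victim seen with that value
    for e in events:
        parent.setdefault(e.victim, e.victim)
        for feature in pivot_features:
            value = getattr(e, feature)
            if value is None:
                continue  # unknown values must never link two threads
            key = (feature, value)
            if key in owner:
                union(e.victim, owner[key])
            else:
                owner[key] = e.victim
    groups = defaultdict(set)
    for victim in parent:
        groups[find(victim)].add(victim)
    return sorted(groups.values(), key=lambda s: sorted(s))


if __name__ == "__main__":
    for victim, thread in activity_threads(SAMPLE_EVENTS).items():
        print(victim, [e.phase for e in thread])
    print(activity_groups(SAMPLE_EVENTS))
```

On the sample, victim-a and victim-b are coalesced because they share both the `maldoc-x` capability and the `rat-y` capability, while victim-c shares nothing and remains its own group; pivoting on `capability == "maldoc-x"` is how an analyst would first notice that link.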
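The Meterpreter paper above includes fingerprinting the HTTP C2 and its beaconing traffic. One implant-agnostic way to surface beaconing from proxy logs is to look for regular inter-request timing between a client and a destination. The following is an added example, not code from the paper or from this list, run over a constructed proxy log: the log format, the minimum of six requests and the coefficient-of-variation cutoff of 0.2 are assumptions, and an implant configured with large sleep jitter would need a looser cutoff or a different feature.

```python
import statistics
from collections import defaultdict

# Constructed web-proxy log sample (made up for this example, not captured traffic).
# One request per line: "<epoch> <src-ip> <dst-host> <method> <uri>".
SAMPLE_PROXY_LOG = """\
1533300000 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300005 10.0.0.5 www.example.org GET /
1533300012 10.0.0.5 www.example.org GET /news
1533300030 10.0.0.9 198.51.100.5 GET /update
1533300061 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300119 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300140 10.0.0.5 www.example.org GET /news/1
1533300142 10.0.0.5 www.example.org GET /static/a.css
1533300180 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300241 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300299 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300360 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300400 10.0.0.5 www.example.org GET /about
1533300402 10.0.0.5 www.example.org GET /contact
1533300419 10.0.0.7 203.0.113.10 GET /Ab3kQ
1533300500 10.0.0.9 198.51.100.5 GET /update
1533301000 10.0.0.9 198.51.100.5 GET /update
"""


def parse_proxy(text):
    """Yield (epoch, src, dst, method, uri) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, method, uri = parts
        yield int(ts), src, dst, method, uri


def beacon_candidates(text, min_hits=6, max_cv=0.2):
    """Score every (src, dst) pair on the regularity of its request timing.

    The coefficient of variation (stdev / mean of the inter-request gaps) is near
    zero for requests on a fixed schedule and large for bursty human browsing.
    Both thresholds are assumptions chosen for the sample.
    """
    times = defaultdict(list)
    uris = defaultdict(set)
    for ts, src, dst, _, uri in parse_proxy(text):
        times[(src, dst)].append(ts)
        uris[(src, dst)].add(uri)
    results = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue  # too few samples to say anything about timing
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # identical timestamps only; no interval to measure
        cv = statistics.pstdev(gaps) / mean
        results[pair] = {
            "hits": len(ts_list),
            "mean_interval": mean,
            "cv": cv,
            "distinct_uris": len(uris[pair]),  # implants tend to hit one fixed path
            "beacon": cv <= max_cv,
        }
    return results


def beaconing_pairs(text):
    """(src, dst) pairs whose timing regularity crosses the cutoff, sorted."""
    return sorted(pair for pair, r in beacon_candidates(text).items() if r["beacon"])


if __name__ == "__main__":
    for pair, r in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(pair, r["hits"], round(r["mean_interval"], 1), round(r["cv"], 3), r["beacon"])
```

In the sample, 10.0.0.7 contacts 203.0.113.10 every 58 to 61 seconds with a single URI and is flagged; the browsing session to www.example.org has the same number of requests but irregular gaps, and the three-request pair to 198.51.100.5 is not scored at all because it falls below `min_hits`.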
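The DNS tunneling paper above separates detection into payload analysis (features of a single query) and traffic analysis (a domain's aggregate behaviour). The following is an added example, not code from the paper or from this list's maintainers, that applies both categories to a constructed query log. The log format, the thresholds (30-character labels, 3.0 bits per character of entropy, 80% never-repeated subdomains, 40-byte mean name length, five queries minimum) and the naive "last two labels" registered-domain split are all assumptions; a real deployment would tune the thresholds against its own baseline and use the public suffix list.

```python
import math
from collections import defaultdict

# Constructed DNS query-log sample (made up for this example, not captured traffic).
# One query per line: "<epoch> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
1533300000 10.0.0.5 www.example.com A
1533300001 10.0.0.5 mail.example.com MX
1533300002 10.0.0.7 2f4a9c0b1e8d7a6f5c3b2a1e9f8d7c6b.t.bad-example.net TXT
1533300003 10.0.0.9 www.example.com A
1533300004 10.0.0.7 9e1d3c5b7a2f4e6d8c0b1a3f5e7d9c2b.t.bad-example.net TXT
1533300005 10.0.0.5 cdn.example.com A
1533300006 10.0.0.7 7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b.t.bad-example.net TXT
1533300007 10.0.0.7 www.example.com A
1533300008 10.0.0.7 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.bad-example.net TXT
1533300009 10.0.0.9 api.example.com A
1533300010 10.0.0.7 5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a.t.bad-example.net NULL
"""

# Record types commonly used to carry bulk data back to the client (assumption).
BULK_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain).
    Assumption: the registered domain is the last two labels; use the public suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def payload_flags(qname, qtype):
    """Payload analysis: features of one query that tunneling tools tend to exhibit."""
    sub_labels, _ = split_name(qname)
    flags = set()
    if sub_labels:
        if max(len(label) for label in sub_labels) > 30:   # encoded chunks are long
            flags.add("long-label")
        # Encoded data looks random; "mail" or "cdn" score around 2 bits or below.
        if max(shannon_entropy(label) for label in sub_labels) > 3.0:
            flags.add("high-entropy")
    if qtype.upper() in BULK_QTYPES:
        flags.add("bulk-qtype")
    return flags


def parse_log(text):
    """Yield dicts for well-formed log lines; silently skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype.upper()}


def analyze(text, min_queries=5, unique_ratio=0.8, mean_len=40):
    """Per registered domain: traffic-analysis flags plus a payload-analysis summary."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "name_bytes": 0,
                                 "payload_hits": 0, "flags": set()})
    for q in parse_log(text):
        sub_labels, domain = split_name(q["qname"])
        st = stats[domain]
        st["queries"] += 1
        st["subdomains"].add(".".join(sub_labels))
        st["name_bytes"] += len(q["qname"])
        if payload_flags(q["qname"], q["qtype"]):
            st["payload_hits"] += 1
    for st in stats.values():
        # Traffic analysis ignores individual names: a tunnel generates many
        # never-repeated subdomains with long names, whatever the encoding.
        if st["queries"] >= min_queries:
            if len(st["subdomains"]) / st["queries"] >= unique_ratio:
                st["flags"].add("many-unique-subdomains")
            if st["name_bytes"] / st["queries"] > mean_len:
                st["flags"].add("long-average-qname")
        if st["payload_hits"] > st["queries"] / 2:
            st["flags"].add("payload-signatures")
        st["suspicious"] = bool(st["flags"])
    return dict(stats)


def suspicious_domains(text):
    """Registered domains with at least one flag, sorted."""
    return sorted(d for d, st in analyze(text).items() if st["suspicious"])


if __name__ == "__main__":
    for domain, st in analyze(SAMPLE_LOG).items():
        print(domain, st["queries"], sorted(st["flags"]))
```

The two categories are kept separate on purpose: the payload checks will miss a tool that uses short, dictionary-word labels, but the traffic checks still fire on the volume of never-repeated subdomains, which is the universality argument the abstract makes. Conversely, a content-delivery domain can legitimately show many unique subdomains, so in practice the traffic flags are tuned against a whitelist and a baseline rather than fired on raw ratios.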
Licensed under Apache License 2.0.
[1] https://www.reddit.com/r/netsec/comments/8v7kqp/the_rnetsec_monthly_discussion_thread_july_2018/e33xmq9