Incident Investigations and Response
As organizations continue to rely on expanding infrastructure in an increasingly hostile threat landscape, the escalation of incidents involving malicious actors poses critical risks to information systems and networks. The ability to identify threats, respond to incidents, restore systems, and enhance security postures is vital to the survival of the operation. The Incident Investigations and Response course textbook brings Incident Response core competencies to advanced levels by presenting students with 14 detailed chapters designed to align with academic calendars.
Students will be provided with the knowledge and the practical skills needed to investigate and respond to network and system incidents. With a specific focus on the identification and remediation of incidents involving host and network devices, students will cover topics such as Threat Intelligence Collection, Investigative Techniques, Malware Triage, and Remediation Strategies. Immersive learning labs utilize the Project Ares® Cyber Range by Circadence and Wireshark network protocol analyzer software.
Paperback: 268 Pages
Textbook Chapters and Key Knowledge Points
- What Constitutes an Incident?
- Technology as a Landscape for Crime
- The Incident Response Life Cycle
- What is Incident Response?
- 7 Stages of the Attack Life Cycle
- 10 Steps to Help Reduce Incidents
- Cyber Adversaries vs. Cyber Defenders
- Nation State vs. Non-Nation State Actors
- Components of the Threat Landscape
- Legal Challenges in Digital Investigations
- Challenges to Cyber Crime Investigations
- International Enforcement Challenges
- Defining the Incident Response Mission
- Internal Communication Procedures
- External Communication Procedures
- Incident Response Team Deliverables
- Building a Field Forensic System
- Preparing the Infrastructure
- Collecting Initial Facts
- Incident, Network, and Malware Checklists
- Building an Attack Timeline
- Incident Scene Management
- Elements of Proof and Chain of Custody
- Investigative Interview Strategies
- Vulnerability Program Essentials
- Prioritizing Vulnerability and Risk
- Rating Vulnerability Levels
- Analyzing a Vulnerability Notification
- Establishing an Efficient Workflow
- Vulnerability Scanning Software
- Baseline Measuring Objectives
- Identifying Usage Patterns
- Network Sensor Deployment
- Statistical Monitoring
- Header and Full Packet Logging
- Network Monitoring Evaluation
- Potential Signs of Compromise
- The Need for Network Monitoring
- Turning Leads into Indicators
- The Life Cycle of Indicator Generation
- Indicator of Compromise Verification
- Event-Based Alert Monitoring
- Understanding the Maneuver Warfare Mindset
- The Threat Intelligence Cycle
- Intelligence Collection
- Analysis and Production
- Dissemination of Intelligence
- Threat Intelligence Sources
- Network Forensics vs. Digital Forensics
- General Process for Performing Analysis
- Available Data Sources
- Outlining the Analysis Approach
- Selection of Analysis Methods
- Evaluating Analysis Results
- Responsibilities of The First Responder
- The Host Device Power State
- The Windows Directory Structure
- Locating Endpoint Data
- The Windows Registry
- The Importance of IoT Devices
- When to Perform a Live Response
- Live Response Challenges
- Selecting a Live Response Tool
- Data Collection Considerations
- Common Live Response Data
- Collection Best Practices
- Malware Triage Concepts
- Malware Handling Procedures
- Malware Distribution and Documentation
- Accessing Malicious Websites
- Introduction to Static and Dynamic Analysis
- Automated Analysis: Sandboxes
- Effective Incident Remediation
- Assigning a Remediation Owner
- Remediation Posturing Actions
- Eradication Plan Development
- Plan Timing and Execution
- Developing Strategic Recommendations
- Report Style and Formatting
- Report Content and Organization
- Documenting Lessons Learned
- Response Playbook Components
- Building a Response Playbook
- Planning Table-Top and Simulated Exercises
Training institutions that adopt the Incident Investigations and Response textbook for use in their course curricula may request corresponding instructor resources at no additional cost. These resources include lecture presentation slides, question text banks for each of the 14 chapters, and lab resource guides. For more information please contact Phase2 Advantage.
All Phase2 Advantage digital course materials – including textbooks, lab guides, and lecture slides in PDF and PPT formats – are ADA accessible and score 100% on major Learning Management Systems such as Moodle, Blackboard, Canvas, and LearnUpon. For more information please contact Phase2 Advantage or visit the Higher Education page on this website.
Course Learning Objectives
- CLO #01: Define the characteristics of a computer security incident, list the stages of the incident response life cycle, recognize the stages of the attack life cycle, and identify methods to reduce the likelihood of security incidents.
- CLO #02: Explain the components of the current threat landscape, the capabilities of nation-state and non-nation-state threat actors, threats posed by digital computer crimes, legal challenges common to digital investigations, and the legal principles of investigating and prosecuting cybercrime.
- CLO #03: Prepare a security strategy using labs and industry tools to create an effective incident response capability, define the response mission, prepare for incident response investigations, list potential signs of compromise, and verify indicators of compromise (IOCs).
- CLO #04: Compare the processes of performing forensic analysis, selection of analysis methods, host and network data collection practices, selection of live response tools and strategies, the location of potential data sources, and the challenges of live data acquisition from a network.
- CLO #05: Organize a risk management program strategy focusing on key components such as risk management frameworks, asset inventories and resource profiles, analysis methodologies, vulnerability assessment, cost estimate challenges, and third-party service providers.
- CLO #06: Recommend an incident response implementation that includes creating a remediation team, posturing actions, incident containment strategies, eradication plan development, plan timing and execution, developing strategic recommendations, and documenting lessons learned.
Phase2 Advantage has partnered with VitalSource’s digital content publishing platform to offer cybersecurity training and credentialing capabilities to students around the globe. VitalSource, a subsidiary of the Ingram Content Group (Ingram Publishing), provides digital academic resources to over 7,000 academic institutions worldwide in support of their academic degree and professional development programs. Sampling has been enabled for all eligible faculty and staff.
Contact Us for Bookstore Orders
To find out more about bookstore orders or our full range of instructor resources, contact us today via the phone number or email address listed below.