As the third book with the same title that I have reviewed, "Incident Response" by Eugene Schultz and Russell Shumway had to overcome a certain expectation barrier, even though the authors are recognized experts in the security field. It passed the barrier with flying colors: it is different from the others, yet still covers many facets of the intricate incident response (IR) process, such as technology, procedures and especially people.
The book starts with security basics. A risk assessment overview with loss estimates and a summary of digital risks (such as privilege escalation, break-in, denial-of-service, etc.) is provided. It appears to be useful mostly for newcomers to the security field. A formal six-stage incident response methodology is then presented by the authors. The Preparation, Detection, Containment, Eradication, Recovery and Follow-Up (PDCERF) process provides a solid skeleton to support the fluid form of the IR process.
Admittedly, the book is less hands-on oriented than some other IR manuals; the reader will not find things like computer forensics tool command line options or ext2fs filesystem internals here. However, the book shines brightly in the area of the human aspects of incident response. Written by an ex-CIA Ph.D. psychologist, the amazing chapter on social sciences and incident response covers a diverse range of topics. Cybercrime profiling techniques such as victim counseling and victimology, identifying the 'modus operandi' and attack pattern recognition, establishing the threat level and communicating with the attacker are all covered in the chapter, which provides an exciting journey into the minds of a computer criminal, a cyber-sleuth and a cybercrime victim. Also covered are insider attacks, often considered to be the doom of information security. A number of reasons "Why insiders attack?" are analyzed. The author overlays the social methods on the standard incident response procedure (detection->containment->eradication->recovery), which helps the reader understand the crucial role the human element plays in any security incident.
Two chapters are devoted to a high-level computer forensics overview. Hard disk basics are explained: FAT, clusters and secure deletion are all given appropriate space. The book then goes on to talk about the "guiding principles" of the investigation. A brief overview of forensic software and hardware is also provided. It only serves to familiarize the reader with the names of common packages and utilities. For example, TCT (The Coroner's Toolkit) is given only about 15 lines of text.
Honeypots also take an honorable place in the book. Their role in IR is studied in detail and is deemed important. Honeypots are also tied to the PDCERF methodology (namely, to the detection, eradication and follow-up phases). The value of honeypots is recognized for studying attackers, shielding IT resources and even gathering evidence for court prosecution. Some common ways of implementing honeypots (such as via a virtual environment) are discussed. The authors even digress to touch upon the ethical implications of honeypots.
Another gem is a stimulating chapter on future directions in IR. The ambitious prediction of intelligent automated incident response and attacker tracking tools is made by the authors. While it is known that automated response to security incidents must be viewed with caution, the potential seems to exist for future automated IR "helpers".
An overview of legal issues is a must for any IR book. A brief and to-the-point section on US laws and international cybercrime treaties is included.
Last, but not least, a short response and reporting checklist is compiled by the authors. It is based on the six-step IR process and will help investigators structure their efforts and assist with data collection. Also included is a copy of the Site Security Handbook (RFC2196) with an extensive list of references.
Overall, the book is an extremely useful guide for security managers and those tasked with organizing or maintaining incident response teams. It will not reveal any technology secrets to a skilled computer crime investigator. However, such a reader is likely to enjoy the book anyway!
Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org