I’ve resumed reading The Practice of Network Security Monitoring, by Richard Bejtlich. In the past I’ve stalled once Security Onion was installed, as I haven’t had a good place to deploy it and continue learning how it works. So yesterday I skipped ahead to Chapter 9, NSM Operations, and read the chapter. I was surprised to see a bunch of promising references, so I’m going to list them here for future use, along with a couple of choice quotes.
First, an opening quote: “Too many security organizations put tools before operations. <snip> A tool-driven team will not be as effective as a mission-driven team. When the mission is defined by running software, analysts become captive to the features and limitations of their tools.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 185]
- “CIRT-Level Response to Advanced Persistent Threat” Richard Bejtlich, 2010
- The Red Team Journal
- SANS Forensics Blog
- Mandiant M-Trends Reports
- “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, August 2011
- Mandiant Threat Research Blog – Contains links for more information about Advanced Persistent Threats
- Vocabulary for Event Recording and Incident Sharing (VERIS) Community
- Defensible Network Architecture, Richard Bejtlich, 2008
- Become a Hunter, Richard Bejtlich, 2011
- David Bianco’s Blog – An NSM Professional’s Blog (Silent since 2016)
- Aaron Wade’s Blog – Another NSM Professional’s Blog (Silent since 2011)
A textbook reference: Incident Response and Computer Forensics, Third Edition (McGraw Hill Education, 2014 – Jason Luttgens, Matthew Pepe, Kevin Mandia)
Finally, a closing quote: “…intruders conduct campaigns, and CIRTs defend in waves.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 200]