Copyright © Blue Team Handbook. All rights reserved.

Blue Team Handbook: Incident Response Edition

A condensed guide for the Cyber Security Incident Responder.
Below is the Table of Contents, List of Tables, and List of Figures from the final published version of the BTHb.


1.    Blue Team Handbook - Introduction    3
2.    Some Lessons from the US Military    4
3.    Six Steps of Incident Response    5
4.    Assessing Impact of Cyber Attacks    15
5.    Essential IR Business Process and Paperwork    17
6.    Six Step Incident Response Template    22
7.    Commercial Incident Response Template    24
8.    Incident Response and Forensics are Partners    28
9.    The Attack Process, Tools, and IR Points    30
10.    Secure Communications    36
11.    Netcat and Cryptcat for the Blue Team    38
12.    Nmap and Masscan Network Assessment    41
13.    Windows Counter Loops    45
14.    Simple Windows Password Guessing    46
15.    Automated Collection (Windows)    47
16.    Malware Standard Response Pattern    49
17.    Windows Volatile Data Investigation    50
18.    Other Windows Artifact Investigation    64
19.    Linux Volatile Data System Investigation    65
20.    Linux Artifact Investigation    69
21.    SIFT Based Timeline Construction (Windows)    73
22.    Linux IPTable Essentials: An Example    75
23.    Firewall Assurance/Testing with HPing    77
24.    Network Device Collection and Analysis Process    79
25.    Website Investigation Techniques    82
26.    Network Traffic Analysis Techniques    83
27.    Common Malware Campaign Pattern    92
28.    Suspicious Traffic Patterns    94
29.    Packet Data Carving Notes    99
30.    Wireless Specific Topics    100
31.    Using the Snort IDS (BackTrack, Kali)    102
32.    Notes: Bootable Linux Distributions    107
33.    Vulnerability Testing (OpenVAS)    109
34.    Wireshark Usage Notes    110
35.    Password Assessment    112
36.    Common TCP and UDP Ports    114
37.    ICMP Table    118
38.    Web Site References    121
39.    Acronyms Used in this Manual    124
40.    Bibliography, Reading List, and References    126

List of Tables
Table 1 Step One: Preparation    5
Table 2 Step Two: Identification    9
Table 3 Step Three: Containment    11
Table 4 Step Four: Eradication    12
Table 5 Step Five: Recovery    13
Table 6 Step Six: Lessons Learned (or Follow Up)    14
Table 7 Categorize Cyber Attack’s Effects (MITRE)    15
Table 8 “Get Out Of Jail Free” Authorization Letter (Skoudis)    19
Table 9 Six Step Structured Incident Response Template    22
Table 10 Commercial Structured Incident Response Template    24
Table 11 Google Search Examples    32
Table 12 Google Search Terms for IR    32
Table 13 NetCat Relay Setup    40
Table 14 Masscan Examples    41
Table 15 WFT Quick Start    47
Table 16 Mandiant RedLine Quickstart    48
Table 17 Prepare Environment for Collection (Windows)    50
Table 18 Mandiant Memoryze Quick Start    51
Table 19 Volatility Example for Win2008 SP1    52
Table 20 Windows Environment Data Collection (Native)    53
Table 21 Windows Environment Data Collection (Third Party)    54
Table 22 FTK Imager Collection    55
Table 23 Supplemental System Collection (Windows)    56
Table 24 Process Explorer View of Normal Processes    57
Table 25 Windows Firewall Commands (netsh)    58
Table 26 Windows Firewall Commands (netsh advfirewall)    58
Table 27 Other Windows Artifact Investigation    64
Table 28 Prepare Environment for Collection (Linux)    65
Table 29 User Account Related Artifacts (Linux)    69
Table 30 OS Artifacts (Linux)    69
Table 31 Log Collection (Linux)    71
Table 32 File Activity Analysis (Linux)    71
Table 33 hping    77
Table 34 Hping2 Examples    77
Table 35 Hping3 Examples    78
Table 36 PCAP Timeframe Analysis (Wireshark)    86
Table 37 PCAP Timeframe Analysis (tcpdump)    86
Table 38 Detect MAC Address Manipulation    87
Table 39 Fragmentation Checks    87
Table 40 Tcpdump Traffic Filter Examples    90
Table 41 tcpdump Control Bits    90
Table 42 Malware Distribution Pattern    92
Table 43 Common Ports Found in Corporate Setting    95
Table 44 Wireshark Wireless Display Filters    100
Table 45 Wireshark Wireless Capture Filters    100
Table 46 Wireshark Display Filters    110

List of Figures
Figure 1 Conflict Superimposed on Six Steps    4
Figure 2 Malware / Automated Attacker General Process    30
Figure 3 Determined Attacker General Process    30
Figure 4 NIST 800-115 Penetration Test Process    31
Figure 5 Example of a Windows Disk Image with mmls    73
Figure 6 Syn/Ack Packets in Wireshark    83
Figure 7 Wireshark ICMP Type and Code Display    89
Figure 8 Wireshark "contains" Example    110