Blue Team Handbook: Incident Response (Don Murdoch)

Author: Don Murdoch

Education

As cyberthreats grow and infrastructure evolves, organizations must prioritize effective, dynamic, and adaptable incident response. Following the success of the original edition, Blue Team Handbook: Incident Response has been updated to reflect today's evolving cybersecurity landscape. This trusted and widely used field guide for cybersecurity incident responders, SOC analysts, and defensive security professionals distills incident response essentials into a concise, field-ready format. Author Don Murdoch draws on decades of real-world experience in incident response and cybersecurity operations to provide actionable guidance and sample workflows you can immediately apply in your own work. Whether you're investigating an alert, analyzing suspicious traffic, or strengthening your organization's IR capability, you'll find this field-tested edition an essential resource for hands-on practitioners.

• Understand how modern adversaries operate and recognize common indicators of compromise in networks
• Analyze network traffic with common tools to identify and investigate suspicious activity
• Execute structured incident response procedures and follow a clear response plan
• Conduct basic forensic analysis on both Windows and Linux systems
• Use proven methodologies and tools to carry out effective, dynamic incident response

📄 File Format: PDF
💾 File Size: 18.8 MB

📄 Text Preview (First 20 pages)


📄 Page 1
Don Murdoch Blue Team Handbook Incident Response
📄 Page 2
ISBN: 979-8-341-66126-4  US $65.99  CAN $82.99  SECURITY

(Back cover: the same description and bullet list as given above.)

Don Murdoch, GSE, MBA, is a veteran cybersecurity professional with more than 20 years of experience in incident response and security architecture across nonprofit, academic, and Fortune 500 environments. He is a certified SANS Institute instructor who teaches cyber defense courses. Don holds numerous certifications, including CISSP, ISSAP, GSE, SABSA chartered architect, and TOGAF enterprise architect.

Blue Team Handbook: Incident Response

“Don Murdoch has created an indispensable field guide that belongs on every incident responder’s desk.” —Justin Henderson, CEO of Tellaro, Inc.
📄 Page 3
Praise for Blue Team Handbook: Incident Response

Don Murdoch has created an indispensable field guide that belongs on every incident responder’s desk. It’s packed with practical commands, real-world techniques, and hard-won wisdom from decades in the trenches.
—Justin Henderson, CEO of Tellaro, Inc.

Don Murdoch takes his many years of experience and boils them down into a handbook that will help you be a better blue teamer!
—Doug Burks, founder and CEO of Security Onion Solutions

Most incident response books give you theory or they give you commands. This one does both. It walks you through building an actual incident response program, the metrics, the leadership structure, the stuff that keeps you from flailing when things go sideways, and then hands you the PowerShell and packet captures to execute.
—James “@whiskeyhacker” McMurry, CEO, ThreatHunter.ai

Don’s coverage of incident response kept me reading through the night. Anyone in IR should keep this book in their go-bag.
—Dean Bushmiller, president, Expanding Security

Don Murdoch connects incident response to real adversary behavior in a way that is immediately useful, tying investigation steps to frameworks like MITRE ATT&CK and practical blue team decision-making. This is a handbook defenders can use to think clearly, prioritize quickly, and improve detection and response with purpose.
—Tannu Jiwnani, principal security engineer
📄 Page 4
If you defend systems for a living, this book belongs on your desk. Don Murdoch cuts through the noise and delivers an incident response playbook that’s practical, current, and battle-tested.
—Sri Sai Bhargav Tiruveedhula, principal security engineer at Autodesk

An essential reference for blue teams at any stage. Deeply practical, and sharply aligned with today’s adversary landscape.
—Yaamini Barathi Mohan, award-winning cybersecurity leader

Don is one of the brightest cyber professionals that I’ve had the pleasure to work with. His skills and knowledge are deep in incident response, endpoint security, and the controls that defend critical IT infrastructure. This book is great for any blue team cyber professional!
—Alex Kahn, staff cybersecurity engineer, Guidewire Software

Few books manage to be both a day-one field manual and a long-term desk reference; this one succeeds at both.
—Nikhil Teja Dommeti, product innovator and security researcher at a Fortune 100 company

As someone who has been mentored by Don, I’ve seen firsthand his dedication to the craft of cybersecurity. This updated edition is like having a master teacher by your side, distilling complex concepts into the actionable, real-life examples that define our field.
—Jack Callaway, PhD., SOC manager
📄 Page 5
Don Murdoch Blue Team Handbook: Incident Response
📄 Page 6
979-8-341-66126-4 [LSI]

Blue Team Handbook: Incident Response
by Don Murdoch

Copyright © 2026 Don Murdoch. All rights reserved.

Published by O’Reilly Media, Inc., 141 Stony Circle, Suite 195, Santa Rosa, CA 95401.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (https://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Jill Leonard
Production Editor: Kristen Brown
Copyeditor: Audrey Doyle
Proofreader: Piper Content Partners
Indexer: Krsta Technology Solutions
Cover Designer: Susan Brown
Cover Illustrator: José Marzan Jr.
Interior Designer: David Futato
Interior Illustrator: Kate Dullea

February 2026: First Edition

Revision History for the First Edition
2026-02-12: First Release

See https://oreilly.com/catalog/errata.csp?isbn=9798341661264 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Blue Team Handbook: Incident Response, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
📄 Page 7
Table of Contents

Preface  xiii

1. Practical Incident Response Defined  1
   The NIST Incident Response Lifecycle  2
   The SANS Incident Response Lifecycle  3
   Dynamic Incident Response and Intelligence Lifecycles  4
   Time Based Security  6
   Leveraging MITRE ATT&CK for Incident Response  8
   Prioritizing Data Collection Using ATT&CK  10
   Threat-Informed Defense  11
   Need a Place to Start?  12
   Adapting IR Lifecycles to Your Organization  12
   The Changing Adversarial Landscape  13

2. The Six Phases of Modern Incident Response  17
   Phase 1, Preparation: Know Thy Network and the Identities of Those Who Use It  18
   Preparation: Tools and Techniques Survey and Checklist  25
   Preparation: Visibility Tools and Techniques  31
   Preparation: Command-Line Auditing  32
   Preparation: Data Breach Rules of the Road  34
   Preparation: Policy and Procedure  35
   Preparation: Enable Early Warning Indicators  37
   Phase 2, Identification: How Serious Is It?  38
   Phase 3, Containment: Stopping the Adversary  41
   Phase 4, Eradication: Revert Adversary Actions  44
📄 Page 8
   Phase 5, Recovery: Back Up and Running  46
   Phase 6, Lessons Learned: Reporting and Follow-Up  46
   Incident-Driven Countermeasures  47

3. Incident Response Skills and Practices  49
   Finding Metrics That Matter  49
   The Golden Rules of IR Metrics  50
   Incident Response Metrics  50
   Improving Investigations  53
   Understanding the Alexiou Principle  54
   Externalization  55
   Controlling Your Theories  56
   Awareness of Confirmation Bias  56
   Following Scene Safe Practices  57
   The Incident Commander Role  57
   Indicator of Attack Versus Indicator of Compromise  58
   IoA Examples  59
   IoC Examples  62
   Using the OODA Loop  64
   Assessing the Impact of a Cyber Attack  66
   Avoiding Analysis Paralysis  67
   Essential IR Business Process and Paperwork  68
   Regulatory Considerations  68
   Ed Skoudis’s Pentest Authorization Letter  70
   “Trap and Trace” Authorization Letter  71
   End User–Focused Data Collection Form(s)  72
   Chain of Custody and Evidence Topics  73
   Suggestions for Organizing Evidence Data  73
   The Traffic Light Protocol  74
   Computer Security Incident Response Plan  75
   CSIRP Sample Table of Contents  77
   Incident Response Templates  79
   PICERL Six-Phase Incident Response Template  80
   Commercial Incident Response Template  81
   Countermeasures and the SBAR Format  83
   Secure IR Communications  85
   Using GnuPG for Free Encrypted Email  85
   Incident Response and Forensics Are Partners  86
   Order of Volatility  87
   Triage Forensics: 5% of the Data Tells Most of the Story  87
📄 Page 9
   System Forensics: Dig Deep and Dissect at a Cost  87
   Derailing IR and DFIR: Mistakes to Avoid  88
   Goals and Objectives  91
   Packaged Cyber Threat Intelligence for IR  91
   Bootable Linux Distributions and Blue Team Platforms  92
   Linux with VMware Workstation  93

4. Understanding Adversary Tools and Tactics  97
   The Attack Process, IR Tools, and IR Points  97
   Adversary Campaign Patterns  98
   Reconnaissance: Tools and Techniques  102
   DNS Analysis Scripts  103
   Google Searching  104
   Web-Based Recon Sites  105
   Weaponization: Building the Adversary Toolset  106
   Scanning: Tools and Techniques  106
   Exploitation: Tools and Techniques  112
   Maintain Access: Tools and Techniques  113
   Data Relay and Backdoor Linux Tools  118
   Password Guessing  121

5. Windows Volatile Data Investigation  123
   Normal Windows 11 Processes  124
   Step 1: Prepare the IR Collection Environment  125
   Step 2: Collect Physical Memory  128
   Step 3: Conduct Memory Analysis with Volatility  130
   Step 4: Ask Process Indicator Analysis Questions  134
   Step 5: Collect Live System State Data  135
   Step 6: Conduct Windows Server-Side Collection and Open File Support  142
   Step 7: Collect Disk Details and Image  143
   Step 8: Collect Supplemental System Information  149
   Common Windows Directories Used for Startup  152
   Windows Scheduled Tasks  152
   Common Windows 32-Bit and 64-Bit Registry Auto-Start Locations  153
   Other Windows Artifact Investigation  156
   Windows Logfiles and Locations  157
   Windows Suspicious Processes: Process Explorer  158
   Configuration Options  158
   Suspicious Process Review  159
   Automated Collection on Windows with KAPE  160
📄 Page 10
   KAPE Quick Start  161
   KAPE and Missing Binaries  161
   DeepBlueCLI for Windows  162
   RDBMS Incident Response  163
   Microsoft SQL Server Notes  163
   Filesystem and Registry Notes  164

6. Linux Volatile Data System Investigation  165
   Preparation  165
   Linux Distributions  166
   Command Background  166
   Grep Quick Start  167
   Finding Files  169
   Step 1: Prepare Storage for Data Collection  170
   Step 2: Dump and Analyze Physical Memory  172
   Dumping and Capturing Memory to a Remote System Using Netcat  172
   Using the Volatility 3 Command Set  172
   Step 3: Collect Live System State Data  175
   Capturing System State  176
   Step 4: Investigate Linux Using lsof  186
   Step 5: Investigate Additional Linux Artifacts  188
   Gathering Filesystem Information  188
   Investigating File Sharing with NFS and SAMBA  189
   Collecting Logs  190
   Managing and Investigating Linux Package Files  192
   Other Topics  194
   Containment with Linux Iptables Essentials: An Example  195
   Using Iptables  195
   Using Nft  197
   Recovery: Firewall Assurance/Testing with Hping  198
   Recovery: Vulnerability Testing with OpenVAS  198

7. Windows Host Analysis with PowerShell  199
   Investigating a Standalone Remote System with WinRM  199
   Investigating Local Versus Remote Systems  202
   Using PSSession for 1:1 Remoting  203
   Using Invoke-Command to Script Remote System Interrogation  203
   Directory Sharing  205
   Creating System and Date-Stamped Files  205
   Determining PowerShell Version  206
📄 Page 11
   Documenting Time Zone, Environment, System Date, and Time  206
   Machine and OS Information  207
   User Accounts, Groups, and Current Logins  209
   Network Configuration for IPv4 and IPv6  211
   Auto Start Extensibility Points  212
   Running Processes  214
   Installed and Running Services  218
   Installed Certificates  219
   Drivers Installed and Running  220
   Files and Directories  220
   Shares and Currently Open Server-Side Files  223
   WMI Indicators  227
   Physical Drives  229
   Mapped Drives  229
   Registry Export  231
   Scheduled Tasks  232
   Active Network Connections  234
   Currently Installed Hotfixes  237
   Installed Applications  238
   Windows AppLocker  238
   Files Changed Since . . .  239
   Searching for Alternate Data Streams  240
   Searching for Files by Extension  242
   Searching for Files by Size  242
   Searching for Hidden Files and Retrieve File Times  242
   Collecting USB-Related Information  243
   Volume Shadow Copy State  244
   DNS Cache  245
   Analyzing Windows Event Logs  246
   Investigating Specific Event IDs in the Security Log  251
   Using the Positional Method for Logins (Event ID 4624)  251
   Using the XML Overlay Method for Logins (Event ID 4624)  252
   Event ID 4688 and Command-Line Auditing  254
   Examining Sysmon Event Logs  255

8. Active Directory Analysis  261
   Adversary Actions Start with Reconnaissance  262
   Kerberoasting  263
   Authentication Server Response (AS-REP) Roasting  263
   Password Spray Attacks  264
📄 Page 12
   Unconstrained Delegation Account Abuse  265
   Certificate Services (AD CS) Compromise  265
   DCSync and Its Cousin, DCShadow  265
   Golden Ticket  266
   Early Warning Detection for AD Defense  266

9. Network-Based Analysis  267
   Capturing Packet Data  267
   Capturing Local Packet Data  268
   Mirroring on a Portable Switch in a Jump Bag  269
   Mirror/SPAN Enterprise Switch Configurations  269
   Network Taps  269
   Hypervisors  270
   The Cloud  270
   NGFWs and TLS Packet Export  271
   Network Device Collection and Analysis Process  271
   Perimeter Router Intrusion Signs  271
   Perimeter Firewall Intrusion Signs  272
   Intrusion Detection and Prevention Logs  273
   Perimeter VPN Concentrators  274
   Screened Services (DMZ) Network  274
   Interior Switch Devices  274
   Suspect DNS Names  274
   Website Investigation Techniques  275
   Reputation Risk  276
   Network Traffic Analysis Techniques  277
   Berkeley Packet Filter and Capturing Data  277
   Identifying Network Interfaces  278
   Using Tshark to Capture Connections  278
   Using Pktmon for Wired Connections  279
   Profiling PCAP with Tshark and Capinfos  279
   Finding the SYN and SYN/ACK Packets  282
   Extracting Port/Pair Combinations  283
   Implementing Application-Specific Analysis Techniques  284
   Suspicious Traffic Patterns  287
   Unused Internal Address Activity  287
   Certificates  288
   Uncommon Applications and Port Numbers  289
   Snort Rules: Darknet Example  295
📄 Page 13
10. Enterprise Detection and Response Capabilities  297
   Sample Attack Flow  298
   Entry Points  298
   Attack Visualization with the StoryLine™ Report  302
   Mitigation Actions  305
   Response Actions  306
   Hyperautomation  307
   Other Capabilities  308

A. Common TCP and UDP Ports  311
B. ICMP Types and Codes  317
C. Headers  321
Index  327
📄 Page 15
Preface

A lot has changed in the years since the first edition of Blue Team Handbook: Incident Response (BTHb:INRE) was published in 2014. A few blue team–focused books have appeared; meanwhile, red team books still proliferate. If you are not familiar with these terms as they relate to cybersecurity, the blue team is charged with monitoring and defending the organization’s information systems—from endpoints to on-premises servers to cloud service providers to software as a service (SaaS)—and with ensuring that the endpoint uses all these resources securely. The red team has the task of behaving like an adversary, which involves external penetration testing and taking advantage of any successes to see how far it can get into the network, explore, and find valuable resources.

Adversaries are effectively pummeling modern businesses and governments into digital submission, and as a result, BTHb:INRE must evolve. This edition features numerous updates. These include enhancements to the Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL) incident response (IR) process; memory analysis quick steps; automation tools; Linux lsof; a Volatility 3 quick reference; and a new chapter on PowerShell for Windows. Many of the techniques described can be used in all phases of the IR process.

It is my sincere desire that you will continue to gain value from the BTHb series and that this book will prove to be a reference you keep handy.
📄 Page 16
Who Should Read This Book

Incident response is a critical aspect of security operations and follows a well-structured process. Incident responders often find themselves needing key pieces of information or thought processes to safely move on to the next phase, all the while realizing that continued discovery can cause rescoping of the incident. Blue Team Handbook provides responders with immediately applicable techniques to handle security incidents today and is filled with life lessons learned from the field. Whether you are new to the field, work in a security operations center and want to move up to the next level, or are a seasoned pro, there is something here for you to up your game.

Why I Wrote This Book

The first edition of BTHb:INRE focused on very practical advice and notes from the field to aid anyone getting into the IR part of the cybersecurity profession. It was intentionally terse. Today, with ever-capable adversaries who are leveraging all kinds of AI and LLM tools, responders have to grow, establish new skills, and take every aspect of the IR game to the next level. I wrote this edition to introduce new skills, thought patterns, capabilities, and lifecycles that improve and update all aspects of the IR process.

Navigating This Book

Chapter 1 provides several working definitions of incident response and then covers two aspects of how IR has changed to respond to today’s threat actors. Next, it presents several topics that help define some of the key thought processes for IR with time-based security: a discussion of how to leverage the MITRE ATT&CK framework (https://attack.mitre.org) and an outline of how adversaries operate today.

Chapter 2 presents the overall recipe for the IR process. The chapter offers a checklist for all the phases, from Preparation to Lessons Learned, to help you apply a structure and framework to your IR processes.

Chapter 3 covers a wide variety of skills and tactics that augment the entire IR process, ranging from roles to templates to the traffic light protocol for information sharing.

Chapter 4 provides an overview of adversary tactics, tools, and procedures, most of which can be encountered during an actual incident.

Chapters 5, 6, and 7 go over specific technical aspects of the IR process and examine various platforms. Chapter 5 covers Windows examination using a variety of command-line tools; Chapter 6 focuses on triage and collecting volatile data on Linux systems; and Chapter 7 discusses PowerShell.
📄 Page 17
Chapter 8 provides information on analyzing Active Directory.

Chapter 9 covers network examinations at the packet capture and traffic levels.

Chapter 10 discusses Endpoint Detection and Response capabilities.

The book also includes appendices with reference materials, including a list of common TCP and UDP ports.

BTHb:INRE has a companion GitHub repository and wiki, providing numerous scripts and command-line analysis techniques drawn from my experience, many of which are used in this book.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
   Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
   Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
   Shows commands or other text that should be typed literally by the user.

This element signifies a tip or suggestion.

This element signifies a general note.

This element indicates a warning or caution.
📄 Page 18
Using Code Examples

Supplemental material (code examples, exercises, etc.) is available for download at https://github.com/DonMVB/BlueTeam-Handbook.

If you have a technical question or a problem using the code examples, please send an email to support@oreilly.com.

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but generally do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Blue Team Handbook: Incident Response by Don Murdoch (O’Reilly). Copyright 2026 Don Murdoch, 979-8-341-66126-4.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.
📄 Page 19
How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
141 Stony Circle, Suite 195
Santa Rosa, CA 95401
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata and any additional information. You can access this page at https://oreil.ly/BlueTeamHandbook_IR.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly.

Watch us on YouTube: https://youtube.com/oreillymedia.

Acknowledgments

Thank you to the following reviewers who contributed to this edition:

• Trevor Anderson, one of the best cyber threat situation managers I have met to date. Trevor has a background in law enforcement and demonstrates a cool head with tremendous investigative depth every day while navigating the complexity of critical threat situation management and incident command processes.
• Alex Kahn, Incident Response team leader for a Fortune 100 healthcare firm.
• Chris Sanders, for his groundbreaking PhD research and collaboration on some of the material in Chapter 3.
• Samuel West, a seasoned detection engineer working as the Countermeasures lead for a Fortune 500 commodities manufacturer and global distributor.
• Jack Callaway, a security operations team leader focused on enabling SecOps in healthcare.
• Nikhil Teja, a security product innovator and technology researcher who builds next-generation cybersecurity solutions while contributing to the academic community through IEEE paper reviews and technical book critiques.
📄 Page 20
• Yaamini Barathi Mohan, a multiple award-winning cybersecurity leader and board member spearheading cloud and AI security initiatives, recognized for advancing enterprise incident response, threat detection, and resilience as an international keynote speaker, author, and mentor.
• Sri Sai Bhargav Tiruveedhula, a principal security engineer heading cloud and AI security initiatives at a leading global technology company, recognized for advancing enterprise vulnerability management and cybersecurity innovation.

Thanks also to the following, who reviewed and contributed to the prior editions of this book:

• Matt Baxter, creator of the best packet header visuals available—several are included in this edition.
• Dean Bushmiller, for guidance on business issues, VMLT, and adding the book to ExpandingSecurity.com’s NICCS/CISSP programs.
• Rowland Harrison, for my ISSO combat training in the wild, wild, west of ODU’s academic environment (mentioned in Episode 389).
• Larry Pesce, for technical review, validation, and general insights.
• Peter Szczepankiewicz, for red and blue team ops while serving as a US Naval officer. Thank you for your input and service.
• Ed Skoudis from CounterHack, for blazing the IR trail, getting me started, providing ideas and Netcat source material, and authoring SANS 504/560.
• Martin Tremblay, a colleague from Canada who I met through the SANS organization. Martin provided some of the original source material and thoughts influencing this book.
• Finally, to my family: you are my inspiration and my joy, and you put up with me. Bonnie, thank you for your creative genius with the cover and for spending seven hours with me overnight in the ER while we designed the new cover illustration for this edition.