Industry Frameworks
NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
- NIST SP 800-61 Rev 2: Computer Security Incident Handling Guide
- NIST SP 800-83: Guide to Malware Incident Prevention and Handling
- NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
SANS Incident Response
The SANS Institute provides comprehensive incident response training and resources, including the widely adopted six-phase incident response methodology.
- SANS Incident Handler's Handbook
- SANS Digital Forensics and Incident Response (DFIR) resources
- Internet Storm Center threat intelligence
MITRE ATT&CK Framework
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is essential for understanding attacker behavior and improving detection coverage.
- Enterprise ATT&CK Matrix
- ATT&CK Navigator for threat mapping
- Cyber Analytics Repository (CAR)
ISO/IEC 27035
International standard for information security incident management, providing structured guidance for incident response programs.
Microsoft Security Solutions
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM solution that delivers scalable, cost-efficient security across multicloud and multiplatform environments. It combines AI, automation, and threat intelligence to support threat detection, investigation, response, and proactive hunting, so analysts can anticipate and stop attacks across clouds and platforms faster and with greater precision.
- Collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
- Detect previously undetected threats and minimize false positives using Microsoft's analytics and unparalleled threat intelligence
- Investigate threats with artificial intelligence and hunt for suspicious activities at scale
- Automate common tasks and simplify security orchestration with playbooks that integrate with Azure services
- Packaged security content (solutions) that enables you to ingest, monitor, alert, hunt, investigate, and respond
- Unified experience in the Microsoft Defender portal for comprehensive security operations
Microsoft Defender for Endpoint
Enterprise endpoint security platform designed to help prevent, detect, investigate, and respond to advanced threats.
- Behavioral-based detection and EDR capabilities
- Automated investigation and remediation
- Advanced hunting with Kusto Query Language (KQL)
- Attack surface reduction rules
- Threat and vulnerability management
Microsoft Defender for Office 365
Protection against advanced threats in email and collaboration tools.
- Anti-phishing and anti-malware protection
- Safe Links and Safe Attachments
- Automated investigation and response for email threats
- Threat Explorer for email security analysis
Microsoft Defender for Cloud
Cloud security posture management and workload protection for multi-cloud and hybrid environments.
- Cloud security posture management (CSPM)
- Cloud workload protection platform (CWPP)
- Security recommendations and compliance tracking
- Integration with Azure, AWS, and Google Cloud
Azure AD Identity Protection
Automated detection and remediation of identity-based risks.
- Risk-based Conditional Access policies
- Impossible travel and anomalous activity detection
- Password spray and credential leak detection
- Integration with Azure AD and Microsoft 365
Microsoft Purview
Unified data governance and compliance solutions.
- Data Loss Prevention (DLP) policies
- Information protection and classification
- Insider risk management
- eDiscovery and content search
Essential Tools
Detection and Analysis
| Tool | Purpose | Type |
|---|---|---|
| Microsoft Sentinel | SIEM and security orchestration | Commercial |
| Wireshark | Network protocol analyzer | Open Source |
| Zeek (formerly Bro) | Network security monitoring | Open Source |
| Suricata | IDS/IPS and network security monitoring | Open Source |
| Velociraptor | Endpoint visibility and collection | Open Source |
Forensics and Investigation
| Tool | Purpose | Type |
|---|---|---|
| FTK Imager | Disk imaging and forensic acquisition | Free |
| Autopsy | Digital forensics platform | Open Source |
| Volatility | Memory forensics framework | Open Source |
| KAPE | Triage and evidence collection | Free |
| X-Ways Forensics | Comprehensive forensic analysis | Commercial |
| Sleuth Kit | File system and disk analysis | Open Source |
Malware Analysis
| Tool | Purpose | Type |
|---|---|---|
| VirusTotal | Multi-scanner malware analysis | Free/Commercial |
| Any.run | Interactive malware sandbox | Free/Commercial |
| IDA Pro / Ghidra | Reverse engineering and disassembly | Commercial/Open Source |
| PEStudio | Malware initial assessment | Free |
| Cuckoo Sandbox | Automated malware analysis | Open Source |
Threat Intelligence Sources
Commercial Threat Intelligence
- Microsoft Threat Intelligence: Integrated threat intelligence across Microsoft security products
- Recorded Future: Real-time threat intelligence platform
- CrowdStrike Intelligence: Adversary and threat intelligence
- Mandiant Threat Intelligence: APT and threat actor intelligence
- Anomali: Threat intelligence platform and marketplace
Open Source Intelligence (OSINT)
- MISP (Malware Information Sharing Platform): Threat intelligence sharing platform
- AlienVault OTX: Open threat exchange community
- Abuse.ch: Various threat intelligence feeds (URLhaus, MalwareBazaar, etc.)
- Spamhaus: IP and domain blocklists
- VirusTotal: File and URL analysis with community intelligence
- Shodan: Internet-connected device search engine
Government and Information Sharing
- US-CERT: Alerts and advisories from CISA
- FBI IC3: Internet Crime Complaint Center
- ISACs: Industry-specific information sharing centers
- MS-ISAC: Multi-State Information Sharing and Analysis Center
Training and Certifications
Professional Certifications
| Certification | Provider | Focus Area |
|---|---|---|
| GCIH | GIAC/SANS | Incident handling and response |
| GCFA | GIAC/SANS | Advanced digital forensics |
| GREM | GIAC/SANS | Reverse engineering and malware analysis |
| CISSP | (ISC)² | Information security management |
| CISM | ISACA | Information security management |
| SC-200 | Microsoft | Security Operations Analyst |
| AZ-500 | Microsoft | Azure Security Engineer |
| OSCP | Offensive Security | Penetration testing |
| CEH | EC-Council | Ethical hacking (Certified Ethical Hacker) |
| CHFI | EC-Council | Digital forensic investigation (Computer Hacking Forensic Investigator) |
| ECIH | EC-Council | Incident handling (EC-Council Certified Incident Handler) |
| CND | EC-Council | Network defense (Certified Network Defender) |
Training Resources
- Microsoft Learn: Free training on Microsoft security technologies
- EC-Council: Global leader in cybersecurity certification and training (CEH, CHFI, ECIH, CND)
- SANS Institute: Comprehensive incident response and forensics training
- Cybrary: Free and paid cybersecurity training
- Offensive Security: Hands-on penetration testing training
- TryHackMe / HackTheBox: Interactive security learning platforms
- CISA Training: Free training from US Cybersecurity and Infrastructure Security Agency
Communities and Information Sharing
Professional Communities
- Microsoft Security Community: Forums and resources for Microsoft security products
- FIRST (Forum of Incident Response and Security Teams): Global incident response community
- OWASP: Open Web Application Security Project
- Cloud Security Alliance: Cloud security best practices and research
- /r/netsec, /r/blueteam (Reddit): Active security communities
Conferences and Events
- Microsoft Ignite / Build: Microsoft technology and security conferences
- Black Hat / DEF CON: Premier security conferences
- RSA Conference: Large security industry event
- SANS Summit Series: Regional security summits
- BSides Events: Community-driven security conferences
Documentation Templates
Essential Documents
- Incident Response Plan: Comprehensive procedures, roles, and communication plans
- Incident Report Template: Standardized format for documenting incidents
- Communication Templates: Pre-approved messaging for various stakeholders
- Evidence Collection Log: Chain of custody documentation
- Post-Incident Review Template: Lessons learned documentation
- Runbooks and Playbooks: Step-by-step procedures for specific incidents
- Contact Lists: Emergency contacts, escalation paths, external resources
Regulatory and Legal Resources
Data Protection and Privacy
- GDPR: EU General Data Protection Regulation
- CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act
- HIPAA: Health Insurance Portability and Accountability Act
- PCI DSS: Payment Card Industry Data Security Standard
- SOX: Sarbanes-Oxley Act
Law Enforcement Resources
- FBI Cyber Division: Federal cybercrime investigation
- IC3 (Internet Crime Complaint Center): Report cybercrime to FBI
- Secret Service ECTF: Electronic Crimes Task Forces
- Local Cyber Task Forces: Regional law enforcement cyber units
Recommended Reading
Books
- "Incident Response & Computer Forensics" by Luttgens, Pepe, and Mandia
- "The Art of Memory Forensics" by Case, Levy, and Richard
- "Digital Forensics & Incident Response" by Gerard Johansen
- "Blue Team Handbook: Incident Response Edition" by Murdoch
- "Intelligence-Driven Incident Response" by Scott Roberts and Rebekah Brown
Blogs and Publications
- Microsoft Security Blog: Latest security research and threat intelligence from Microsoft
- Palo Alto Networks Unit 42 Blog: In-depth incident response reports, threat research, and insights
- Rapid7 Blog – Incident Response Research: Post-incident analysis, threat intelligence, and IR findings
- CrowdStrike Blog – Incident Response & Detection: IR-centric content
- SANS Internet Storm Center: Daily threat intelligence and analysis