SANS publishes 720‑page modern IR book
SANS released a 720‑page modern incident response book that updates older frameworks and codifies contemporary IR practices for cloud and hybrid environments. The free resource is promoted as a comprehensive update to help teams align playbooks with modern threats and tooling (x.com/SANSInstitute/status/2041863751096254583).
Most incident response books were written for a world where the evidence lived on one server and the attacker used one laptop. SANS just put out a 720-page replacement built for cloud accounts, software-as-a-service logs, ransomware, and mixed on-premises networks. (sans.org) (dynamicincidentresponse.com)

Incident response is the part of cybersecurity that starts after something has already gone wrong. The old SANS six-step model most teams learned was Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. (cisa.gov) (sentinelone.com)

That older model assumed you controlled the computers, the logs, and the network switches. Microsoft's cloud guidance now tells defenders to account for "shared responsibility" and to build one plan that works across Azure, Amazon Web Services, and Google Cloud instead of treating each platform like a separate island. (learn.microsoft.com)

The practical problem is evidence. In a cloud breach, the clues are often account actions, storage snapshots, audit trails, and identity changes, not a hard drive you can pull out of a rack and image in a lab. (dynamicincidentresponse.com) (learn.microsoft.com)

That is why SANS is framing this as a successor to Stephen Northcutt's 2001 incident handling book. The older book was about 50 pages in its first SANS edition, while the new one is 720 pages because the job now spans cloud platforms, ransomware recovery, industrial systems, and artificial intelligence-era logging. (books.google.com) (sans.org) (dynamicincidentresponse.com)

SANS says the new framework is "dynamic," which is a polite way of saying real incidents do not move in a neat straight line. Teams may have to verify a ransomware note, scope dozens of cloud identities, contain one business unit, and restore another at the same time. (dynamicincidentresponse.com)

The book's chapter list shows what changed in the field. It includes cloud incident response for Amazon Web Services and Microsoft Azure, ransomware casework tied to NotPetya, LockBit, and Scattered Spider, operational technology handling, threat intelligence, memory forensics, and playbook design. (dynamicincidentresponse.com)

There is a second shift buried in the SANS material: logs now contain far more sensitive information than they used to. SANS instructor Rob T. Lee said artificial intelligence logs can capture drug questions, suicide discussions, health details, and private corporate strategy, which turns routine evidence collection into a privacy problem too. (sans.org)

The release also fits a wider move toward written playbooks that can survive stress. The Cybersecurity and Infrastructure Security Agency's federal playbook still uses the classic phases, but vendors and cloud providers now layer in platform-specific steps for notification, triage, evidence collection, and recovery. (cisa.gov) (learn.microsoft.com)

So the real news is not just that SANS published a very large free book. It is that one of the oldest names in incident response is formally admitting the old "follow the checklist on the server" era is over, and the modern job now starts with identities, cloud control planes, and logs scattered across systems you do not fully own. (sans.org) (learn.microsoft.com)
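The evidence point above (account actions, storage snapshots, audit trails, identity changes) is easier to see with a concrete triage pass over an audit trail. The following is an added example, not code from the SANS book or from any of the cited sources: it reads constructed CloudTrail-style JSON records, flags the calls that change who can act in the account or who can read a storage snapshot, and builds a per-actor scope list of the identities and snapshots each actor touched, which is the starting point for deciding what to disable or rotate. The event names are real CloudTrail `eventName` values; the account id, ARNs, IP addresses, snapshot id, timestamps, and the choice of which events count as identity-plane changes are assumptions made for this example.

```python
import json
from collections import defaultdict

# Calls that grant or alter someone's ability to act in the account.
# Real CloudTrail eventName values; which ones to watch is an editorial
# choice for this example, not a list taken from the SANS book.
IDENTITY_CHANGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
    "UpdateAssumeRolePolicy",
}
# Calls that change who can read a storage snapshot (a common data-theft path).
SNAPSHOT_EXPOSURE_EVENTS = {"ModifySnapshotAttribute", "ModifyDBSnapshotAttribute"}

# Constructed sample trail (not real data): one CloudTrail-style record per line.
# Account id 111122223333, the ARNs, addresses and snapshot id are made up.
SAMPLE_TRAIL = [
    '{"eventTime":"2024-05-01T09:00:10Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":null}',
    '{"eventTime":"2024-05-01T09:02:31Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"svc-backup2"}}',
    '{"eventTime":"2024-05-01T09:03:05Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"svc-backup2"}}',
    '{"eventTime":"2024-05-01T09:04:12Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"svc-backup2","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventTime":"2024-05-01T09:05:40Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"203.0.113.22","errorCode":"AccessDenied","requestParameters":{"userName":"svc-backup2","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventTime":"2024-05-01T09:10:02Z","eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},"sourceIPAddress":"203.0.113.22","requestParameters":{"snapshotId":"snap-0123456789abcdef0","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"group":"all"}]}}}}',
    '{"eventTime":"2024-05-01T09:11:15Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},"sourceIPAddress":"203.0.113.22","requestParameters":null}',
]


def actor_of(event):
    """ARN of whoever made the call; assumed-role sessions carry an STS ARN."""
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("principalId") or "unknown"


def target_of(event):
    """The identity or snapshot the call acted on, taken from requestParameters."""
    params = event.get("requestParameters") or {}
    for key in ("userName", "roleName", "snapshotId", "dBSnapshotIdentifier"):
        if key in params:
            return params[key]
    return None


def classify(event):
    """Return a finding category for the event, or None if it is not of interest.
    Denied attempts are kept (prefixed 'denied_') because a failed privilege
    grant still tells the responder who tried and from where."""
    name = event.get("eventName")
    if name in IDENTITY_CHANGE_EVENTS:
        category = "identity_change"
    elif name in SNAPSHOT_EXPOSURE_EVENTS:
        category = "snapshot_exposure"
    else:
        return None
    if event.get("errorCode"):
        category = "denied_" + category
    return category


def triage(lines):
    """Walk the trail and return the interesting events in time order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        category = classify(event)
        if category is None:
            continue
        findings.append({
            "time": event.get("eventTime"),
            "category": category,
            "actor": actor_of(event),
            "event": event.get("eventName"),
            "target": target_of(event),
            "source_ip": event.get("sourceIPAddress"),
        })
    findings.sort(key=lambda f: f["time"] or "")
    return findings


def scope(findings):
    """Map each actor to the identities and snapshots it successfully changed.
    This is the containment list: credentials to disable, policies to detach,
    snapshot permissions to revert."""
    touched = defaultdict(set)
    for f in findings:
        if f["target"] and not f["category"].startswith("denied_"):
            touched[f["actor"]].add(f["target"])
    return {actor: sorted(targets) for actor, targets in touched.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_TRAIL)
    for f in found:
        print(f"{f['time']} {f['category']:<24} {f['event']:<24} "
              f"{f['actor']} -> {f['target']} from {f['source_ip']}")
    print("scope:", json.dumps(scope(found), indent=2))
```

Against the constructed trail this flags the three calls that stood up and over-privileged `svc-backup2`, the denied attempt by a second user, and the snapshot being shared publicly, while the login and the read-only describe call are left out. In a real case the same pass would run over exported trail files rather than an inline list, and the flagged event set would be tuned to the account's normal automation.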