Intelligence-Driven Incident Response, 2nd Edition

Book description

Using a well-conceived incident response plan in the aftermath of an online security breach enables your team to identify attackers and learn how they operate. But only when you approach incident response with a cyber threat intelligence mindset will you truly understand the value of that information. In this updated second edition, you'll learn the fundamentals of intelligence analysis as well as the best ways to incorporate these techniques into your incident response process.

Each method reinforces the other: threat intelligence supports and augments incident response, while incident response generates useful threat intelligence. This practical guide helps incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts understand, implement, and benefit from this relationship.

In three parts, this in-depth book includes:

  • The fundamentals: Get an introduction to cyber threat intelligence, the intelligence process, the incident response process, and how they all work together
  • Practical application: Walk through the intelligence-driven incident response (IDIR) process using the F3EAD process: Find, Fix, Finish, Exploit, Analyze, and Disseminate
  • The way forward: Explore big-picture aspects of IDIR that go beyond individual incident response investigations, including intelligence team building


Table of contents

  1. Foreword to the Second Edition
  2. Foreword to the First Edition
  3. Preface
    1. Why We Wrote This Book
    2. Who This Book Is For
    3. How This Book Is Organized
    4. Conventions Used in This Book
    5. O’Reilly Online Learning
    6. How to Contact Us
    7. Acknowledgments
  4. I. The Fundamentals
  5. 1. Introduction
    1. Intelligence as Part of Incident Response
      1. History of Cyber Threat Intelligence
      2. Modern Cyber Threat Intelligence
      3. The Way Forward
    2. Incident Response as a Part of Intelligence
    3. What Is Intelligence-Driven Incident Response?
    4. Why Intelligence-Driven Incident Response?
      1. Operation SMN
      2. SolarWinds
    5. Conclusion
  6. 2. Basics of Intelligence
    1. Intelligence and Research
    2. Data Versus Intelligence
    3. Sources and Methods
    4. Models
      1. Using Models for Collaboration
      2. Process Models
      3. Using the Intelligence Cycle
    5. Qualities of Good Intelligence
      1. Collection Method
      2. Date of Collection
      3. Context
      4. Addressing Biases in Analysis
    6. Levels of Intelligence
      1. Tactical Intelligence
      2. Operational Intelligence
      3. Strategic Intelligence
    7. Confidence Levels
    8. Conclusion
  7. 3. Basics of Incident Response
    1. Incident-Response Cycle
      1. Preparation
      2. Identification
      3. Containment
      4. Eradication
      5. Recovery
      6. Lessons Learned
    2. The Kill Chain
      1. Targeting
      2. Reconnaissance
      3. Weaponization
      4. Delivery
      5. Exploitation
      6. Installation
      7. Command and Control
      8. Actions on Objective
      9. Example Kill Chain
    3. The Diamond Model
      1. Basic Model
      2. Extending the Model
    4. ATT&CK and D3FEND
      1. ATT&CK
      2. D3FEND
    5. Active Defense
      1. Deny
      2. Disrupt
      3. Degrade
      4. Deceive
      5. Destroy
    6. F3EAD
      1. Find
      2. Fix
      3. Finish
      4. Exploit
      5. Analyze
      6. Disseminate
      7. Using F3EAD
    7. Picking the Right Model
    8. Scenario: Road Runner
    9. Conclusion
  8. II. Practical Application
  9. 4. Find
    1. Actor-Centric Targeting
      1. Starting with Known Information
      2. Useful Information During the Find Phase
      3. Using the Kill Chain
      4. Goals
    2. Victim-Centric Targeting
      1. Using Victim-Centric Targeting
    3. Asset-Centric Targeting
      1. Using Asset-Centric Targeting
    4. Capability-Centric Targeting
      1. Using Capability-Centric Targeting
    5. Media-Centric Targeting
    6. Targeting Based on Third-Party Notification
    7. Prioritizing Targeting
      1. Immediate Needs
      2. Past Incidents
      3. Criticality
    8. Organizing Targeting Activities
      1. Hard Leads
      2. Soft Leads
      3. Grouping Related Leads
      4. Lead Storage and Documentation
    9. The Request for Information Process
    10. Conclusion
  10. 5. Fix
    1. Intrusion Detection
      1. Network Alerting
      2. System Alerting
      3. Fixing Road Runner
    2. Intrusion Investigation
      1. Network Analysis
      2. Live Response
      3. Memory Analysis
      4. Disk Analysis
      5. Enterprise Detection and Response
      6. Malware Analysis
    3. Scoping
    4. Hunting
      1. Developing Hypotheses
      2. Testing Hypotheses
    5. Conclusion
  11. 6. Finish
    1. Finishing Is Not Hacking Back
    2. Stages of Finish
      1. Mitigate
      2. Remediate
      3. Rearchitect
    3. Taking Action
      1. Deny
      2. Disrupt
      3. Degrade
      4. Deceive
      5. Destroy
    4. Organizing Incident Data
      1. Tools for Tracking Actions
      2. Purpose-Built Tools
    5. Assessing the Damage
    6. Monitoring Lifecycle
      1. Creation
      2. Testing
      3. Deployment
      4. Refinement
      5. Retirement
    7. Conclusion
  12. 7. Exploit
    1. Tactical Versus Strategic OODA Loops
    2. What to Exploit
    3. Gathering Information
      1. Information-Gathering Goals
      2. Mining Previous Incidents
      3. Gathering External Information (or, Conducting a Literature Review)
    4. Extracting and Storing Threat Data
      1. Standards for Storing Threat Data
      2. Data Standards and Formats for Indicators
      3. Data Standards and Formats for Strategic Information
      4. Process for Extracting
    5. Managing Information
      1. Threat-Intelligence Platforms
    6. Conclusion
  13. 8. Analyze
    1. The Fundamentals of Analysis
      1. Dual Process Thinking
      2. Deductive, Inductive, and Abductive Reasoning
    2. Analytic Processes and Methods
      1. Structured Analytic Techniques (SATs)
      2. Target-Centric Analysis
    3. Conducting the Analysis
      1. What to Analyze
      2. Enriching Your Data
      3. Leverage Information Sharing
      4. Developing Your Hypothesis
      5. Evaluating Key Assumptions
    4. Things That Will Screw You Up (aka Analytic Bias)
      1. Accounting for Biases
    5. Judgment and Conclusions
    6. Conclusion
  14. 9. Disseminate
    1. Intelligence Customer Goals
    2. Audience
      1. Executive Leadership Customer
      2. Internal Technical Customers
      3. External Technical Customers
      4. Developing Customer Personas
    3. Authors
    4. Actionability
    5. The Writing Process
      1. Plan
      2. Draft
      3. Edit
    6. Intelligence Product Formats
      1. Short-Form Products
      2. Long-Form Products
      3. The RFI Process
      4. Automated Consumption Products
    7. Establishing a Rhythm
      1. Distribution
      2. Feedback
      3. Regular Products
    8. Conclusion
  15. III. The Way Forward
  16. 10. Strategic Intelligence
    1. What Is Strategic Intelligence?
    2. The Role of Strategic Intelligence in Intelligence-Driven Incident Response
    3. Intelligence Beyond Incident Response
      1. Red Teaming
      2. Vulnerability Management
      3. Architecture and Engineering
      4. Privacy, Safety, and Physical Security
    4. Building a Frame with Strategic Intelligence
      1. Models for Strategic Intelligence
    5. The Strategic Intelligence Cycle
      1. Setting Strategic Requirements
      2. Collection
      3. Analysis
      4. Dissemination
    6. Moving Toward Anticipatory Intelligence
    7. Conclusion
  17. 11. Building an Intelligence Program
    1. Are You Ready?
    2. Planning the Program
      1. Defining Stakeholders
      2. Defining Goals
      3. Defining Success Criteria
      4. Identifying Requirements and Constraints
      5. Think Strategically
      6. Defining Metrics
    3. Stakeholder Personas
    4. Tactical Use Cases
      1. SOC Support
      2. Indicator Management
    5. Operational Use Cases
      1. Campaign Tracking
    6. Strategic Use Cases
      1. Architecture Support
      2. Risk Assessment/Strategic Situational Awareness
    7. Strategic to Tactical or Tactical to Strategic?
      1. Critical Information Needs
    8. The Intelligence Team
      1. Building a Diverse Team
      2. Team and Process Development
    9. Demonstrating Intelligence Program Value
    10. Conclusion
  18. Index
  19. About the Authors

Product information

  • Title: Intelligence-Driven Incident Response, 2nd Edition
  • Author(s): Rebekah Brown, Scott J. Roberts
  • Release date: June 2023
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098120689