Chapter 5. Fix

Never interrupt your enemy when he is making a mistake.

Napoléon Bonaparte

We do not gather intelligence just for the sake of having intelligence. At its core, intelligence is meant to enable actions, whether those actions involve strategic planning or providing support to the incident-response process. Intelligence can and should support incident response in a few key ways:

Detection

Providing better starting points by creating improved alerting criteria

Enrichment

Contextualizing information identified in the response process

Situational awareness

Understanding attackers, methodologies, and tactics

The process of using previously identified intelligence or threat data to identify where an adversary is, either in your environment or externally, is called a Fix. In the Fix phase of F3EAD, all the intelligence you gathered in the Find phase is put to work tracking down signs of adversary activity on your networks. This chapter covers three ways to track the location of adversary activity—using indicators of compromise, adversary behavioral indicators (also known as TTPs), and adversary goals.

This chapter was tough to write, as entire books have been written about many of the items we’ll cover. This discussion is not meant to be comprehensive; in fact, it should be thought of as a starting point. If you want to learn malware analysis, for example, it’s not sufficient to read just a single section of a single chapter. Instead, read multiple books, learn from other ...