book

Intelligence-Driven Incident Response, 2nd Edition

by Rebekah Brown, Scott J. Roberts

June 2023

Intermediate to advanced

343 pages

10h 22m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Why We Wrote This BookWho This Book Is ForHow This Book Is OrganizedConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
Intelligence as Part of Incident ResponseHistory of Cyber Threat IntelligenceModern Cyber Threat IntelligenceThe Way ForwardIncident Response as a Part of IntelligenceWhat Is Intelligence-Driven Incident Response?Why Intelligence-Driven Incident Response?Operation SMNSolarWindsConclusion
Intelligence and ResearchData Versus IntelligenceSources and MethodsModelsUsing Models for CollaborationProcess ModelsUsing the Intelligence CycleQualities of Good IntelligenceCollection MethodDate of CollectionContextAddressing Biases in AnalysisLevels of IntelligenceTactical IntelligenceOperational IntelligenceStrategic IntelligenceConfidence LevelsConclusion
Incident-Response CyclePreparationIdentificationContainmentEradicationRecoveryLessons LearnedThe Kill ChainTargetingReconnaissanceWeaponizationDeliveryExploitationInstallationCommand and ControlActions on ObjectiveExample Kill ChainThe Diamond ModelBasic ModelExtending the ModelATT&CK and D3FENDATT&CKD3FENDActive DefenseDenyDisruptDegradeDeceiveDestroyF3EADFindFixFinishExploitAnalyzeDisseminateUsing F3EADPicking the Right ModelScenario: Road RunnerConclusion
Actor-Centric TargetingStarting with Known InformationUseful Information During the Find PhaseUsing the Kill ChainGoalsVictim-Centric TargetingUsing Victim-Centric TargetingAsset-Centric TargetingUsing Asset-Centric TargetingCapability-Centric TargetingUsing Capability-Centric TargetingMedia-Centric TargetingTargeting Based on Third-Party NotificationPrioritizing TargetingImmediate NeedsPast IncidentsCriticalityOrganizing Targeting ActivitiesHard LeadsSoft LeadsGrouping Related LeadsLead Storage and DocumentationThe Request for Information ProcessConclusion
Intrusion DetectionNetwork AlertingSystem AlertingFixing Road RunnerIntrusion InvestigationNetwork AnalysisLive ResponseMemory AnalysisDisk AnalysisEnterprise Detection and ResponseMalware AnalysisScopingHuntingDeveloping HypothesesTesting HypothesesConclusion

Finishing Is Not Hacking BackStages of FinishMitigateRemediateRearchitectTaking ActionDenyDisruptDegradeDeceiveDestroyOrganizing Incident DataTools for Tracking ActionsPurpose-Built ToolsAssessing the DamageMonitoring LifecycleCreationTestingDeploymentRefinementRetirementConclusion
Tactical Versus Strategic OODA LoopsWhat to ExploitGathering InformationInformation-Gathering GoalsMining Previous IncidentsGathering External Information (or, Conducting a Literature Review)Extracting and Storing Threat DataStandards for Storing Threat DataData Standards and Formats for IndicatorsData Standards and Formats for Strategic InformationProcess for ExtractingManaging InformationThreat-Intelligence PlatformsConclusion
The Fundamentals of AnalysisDual Process ThinkingDeductive, Inductive, and Abductive ReasoningAnalytic Processes and MethodsStructured Analytic Techniques (SATs)Target-Centric AnalysisConducting the AnalysisWhat to AnalyzeEnriching Your DataLeverage Information SharingDeveloping Your HypothesisEvaluating Key AssumptionsThings That Will Screw You Up (aka Analytic Bias)Accounting for BiasesJudgment and ConclusionsConclusion
Intelligence Customer GoalsAudienceExecutive Leadership CustomerInternal Technical CustomersExternal Technical CustomersDeveloping Customer PersonasAuthorsActionabilityThe Writing ProcessPlanDraftEditIntelligence Product FormatsShort-Form ProductsLong-Form ProductsThe RFI ProcessAutomated Consumption ProductsEstablishing a RhythmDistributionFeedbackRegular ProductsConclusion
What Is Strategic Intelligence?The Role of Strategic Intelligence in Intelligence-Driven Incident ResponseIntelligence Beyond Incident ResponseRed TeamingVulnerability ManagementArchitecture and EngineeringPrivacy, Safety, and Physical SecurityBuilding a Frame with Strategic IntelligenceModels for Strategic IntelligenceThe Strategic Intelligence CycleSetting Strategic RequirementsCollectionAnalysisDisseminationMoving Toward Anticipatory IntelligenceConclusion
Are You Ready?Planning the ProgramDefining StakeholdersDefining GoalsDefining Success CriteriaIdentifying Requirements and ConstraintsThink StrategicallyDefining MetricsStakeholder PersonasTactical Use CasesSOC SupportIndicator ManagementOperational Use CasesCampaign TrackingStrategic Use CasesArchitecture SupportRisk Assessment/Strategic Situational AwarenessStrategic to Tactical or Tactical to Strategic?Critical Information NeedsThe Intelligence TeamBuilding a Diverse TeamTeam and Process DevelopmentDemonstrating Intelligence Program ValueConclusion

Content preview from Intelligence-Driven Incident Response, 2nd Edition

Chapter 6. Finish

It’s not so important who starts the game but who finishes it.

John Wooden

Once you have identified the threats that you are facing and investigated how those threats have accessed and moved through your network, it is time to remove them. This phase is known as Finish and involves not only eradicating the footholds that malicious actors have put in your network, but also working to remediate whatever enabled them to get access in the first place.

Finish involves more than removing malware from a system, which is why we spend so much time in the Find and Fix stages. To properly finish an attacker’s activity, it is critical to understand how that threat actor operates and to remove not just malware or artifacts left behind by an attack, but also communications channels, footholds, redundant access, and any other aspects of an attack that we uncovered in the Fix phase. Properly finishing an adversary requires a deep understanding of the attacker, their motives, and their actions, which will allow you to act with confidence as you secure the systems and regain control of your network.

Finishing Is Not Hacking Back

Finish does not mean hacking back. That is because, unless you are a government department or agency with the proper authority, hacking back—as we discussed earlier—is a very, very bad idea! Why, you ask? There are several reasons:

Attribution is rarely perfect.: You don’t always know what you will end up hacking. Attackers will rarely attack you directly ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098120672Errata Page

Intelligence-Driven Incident Response, 2nd Edition

by Rebekah Brown, Scott J. Roberts

Chapter 6. Finish

Finishing Is Not Hacking Back

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Applied Incident Response

The Official (ISC)2 CISSP CBK Reference, 6th Edition

Solutions Architect's Handbook - Third Edition

Solutions Architect's Handbook - Second Edition

Publisher Resources

Chapter 6. Finish

Finishing Is Not Hacking Back

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Applied Incident Response

The Official (ISC)2 CISSP CBK Reference, 6th Edition

Solutions Architect's Handbook - Third Edition

Solutions Architect's Handbook - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.