book

Intelligence-Driven Incident Response, 2nd Edition

by Rebekah Brown, Scott J. Roberts

June 2023

Intermediate to advanced

343 pages

10h 22m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Foreword to the Second Edition
Foreword to the First Edition
Preface
Why We Wrote This BookWho This Book Is ForHow This Book Is OrganizedConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
I. The Fundamentals
1. Introduction
Intelligence as Part of Incident ResponseHistory of Cyber Threat IntelligenceModern Cyber Threat IntelligenceThe Way ForwardIncident Response as a Part of IntelligenceWhat Is Intelligence-Driven Incident Response?Why Intelligence-Driven Incident Response?Operation SMNSolarWindsConclusion
2. Basics of Intelligence
Intelligence and ResearchData Versus IntelligenceSources and MethodsModelsUsing Models for CollaborationProcess ModelsUsing the Intelligence CycleQualities of Good IntelligenceCollection MethodDate of CollectionContextAddressing Biases in AnalysisLevels of IntelligenceTactical IntelligenceOperational IntelligenceStrategic IntelligenceConfidence LevelsConclusion
3. Basics of Incident Response
Incident-Response CyclePreparationIdentificationContainmentEradicationRecoveryLessons LearnedThe Kill ChainTargetingReconnaissanceWeaponizationDeliveryExploitationInstallationCommand and ControlActions on ObjectiveExample Kill ChainThe Diamond ModelBasic ModelExtending the ModelATT&CK and D3FENDATT&CKD3FENDActive DefenseDenyDisruptDegradeDeceiveDestroyF3EADFindFixFinishExploitAnalyzeDisseminateUsing F3EADPicking the Right ModelScenario: Road RunnerConclusion
II. Practical Application
4. Find
Actor-Centric TargetingStarting with Known InformationUseful Information During the Find PhaseUsing the Kill ChainGoalsVictim-Centric TargetingUsing Victim-Centric TargetingAsset-Centric TargetingUsing Asset-Centric TargetingCapability-Centric TargetingUsing Capability-Centric TargetingMedia-Centric TargetingTargeting Based on Third-Party NotificationPrioritizing TargetingImmediate NeedsPast IncidentsCriticalityOrganizing Targeting ActivitiesHard LeadsSoft LeadsGrouping Related LeadsLead Storage and DocumentationThe Request for Information ProcessConclusion
5. Fix
Intrusion DetectionNetwork AlertingSystem AlertingFixing Road RunnerIntrusion InvestigationNetwork AnalysisLive ResponseMemory AnalysisDisk AnalysisEnterprise Detection and ResponseMalware AnalysisScopingHuntingDeveloping HypothesesTesting HypothesesConclusion

6. Finish
Finishing Is Not Hacking BackStages of FinishMitigateRemediateRearchitectTaking ActionDenyDisruptDegradeDeceiveDestroyOrganizing Incident DataTools for Tracking ActionsPurpose-Built ToolsAssessing the DamageMonitoring LifecycleCreationTestingDeploymentRefinementRetirementConclusion
7. Exploit
Tactical Versus Strategic OODA LoopsWhat to ExploitGathering InformationInformation-Gathering GoalsMining Previous IncidentsGathering External Information (or, Conducting a Literature Review)Extracting and Storing Threat DataStandards for Storing Threat DataData Standards and Formats for IndicatorsData Standards and Formats for Strategic InformationProcess for ExtractingManaging InformationThreat-Intelligence PlatformsConclusion
8. Analyze
The Fundamentals of AnalysisDual Process ThinkingDeductive, Inductive, and Abductive ReasoningAnalytic Processes and MethodsStructured Analytic Techniques (SATs)Target-Centric AnalysisConducting the AnalysisWhat to AnalyzeEnriching Your DataLeverage Information SharingDeveloping Your HypothesisEvaluating Key AssumptionsThings That Will Screw You Up (aka Analytic Bias)Accounting for BiasesJudgment and ConclusionsConclusion
9. Disseminate
Intelligence Customer GoalsAudienceExecutive Leadership CustomerInternal Technical CustomersExternal Technical CustomersDeveloping Customer PersonasAuthorsActionabilityThe Writing ProcessPlanDraftEditIntelligence Product FormatsShort-Form ProductsLong-Form ProductsThe RFI ProcessAutomated Consumption ProductsEstablishing a RhythmDistributionFeedbackRegular ProductsConclusion
III. The Way Forward
10. Strategic Intelligence
What Is Strategic Intelligence?The Role of Strategic Intelligence in Intelligence-Driven Incident ResponseIntelligence Beyond Incident ResponseRed TeamingVulnerability ManagementArchitecture and EngineeringPrivacy, Safety, and Physical SecurityBuilding a Frame with Strategic IntelligenceModels for Strategic IntelligenceThe Strategic Intelligence CycleSetting Strategic RequirementsCollectionAnalysisDisseminationMoving Toward Anticipatory IntelligenceConclusion
11. Building an Intelligence Program
Are You Ready?Planning the ProgramDefining StakeholdersDefining GoalsDefining Success CriteriaIdentifying Requirements and ConstraintsThink StrategicallyDefining MetricsStakeholder PersonasTactical Use CasesSOC SupportIndicator ManagementOperational Use CasesCampaign TrackingStrategic Use CasesArchitecture SupportRisk Assessment/Strategic Situational AwarenessStrategic to Tactical or Tactical to Strategic?Critical Information NeedsThe Intelligence TeamBuilding a Diverse TeamTeam and Process DevelopmentDemonstrating Intelligence Program ValueConclusion
Index
About the Authors

Content preview from Intelligence-Driven Incident Response, 2nd Edition

Chapter 7. Exploit

If you focus solely on the enemy, you will ignore the threat.

Colonel Walter Piatt

After the Find, Fix, and Finish phases, it is common for the final incident-response report to be delivered and the responders to move on to the next matter requiring their attention. But that is not where this book ends. Throughout the course of the investigation, incident-response teams gather a lot of data on attackers, look for additional information from within their networks, and take actions that have an impact on the attacker’s operations. Now, we need to gather all of that data, analyze it for intelligence value, and integrate it into not only detection and prevention methods but also more strategic-level initiatives such as risk assessments, prioritization of efforts, and future security investments. You now have to engage the intelligence portion of the F3EAD cycle: Exploit, Analyze, and Disseminate.

It is no secret why most security teams stop short of completing the F3EAD cycle: It’s hard enough to generate intelligence, but managing it is a whole new series of headaches. Dealing with processes, timing, aging, access control, and formats is enough to make anyone’s head spin. And yet, as undeniably complex as these problems are, they have to be addressed head-on. Properly extracting and capturing information about an incident and ensuring that it is followed up on can mean the difference between truly remediating an adversary’s access to your network and simply delaying ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098120672Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Intelligence-Driven Incident Response, 2nd Edition

by Rebekah Brown, Scott J. Roberts

Chapter 7. Exploit

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.