Chapter 10. Strategic Intelligence

Our products have become so specific, so tactical even, that our thinking has become tactical. We’re losing our strategic edge because we’re so focused on today’s issues.

John G. Heidenrich

Once you’ve worked through the F3EAD process—from day one of Find all the way through Disseminate—you may be wondering what comes next. Well, in most situations, there is barely enough time to work all the way through the entire intelligence-driven incident response process before you need to jump right back to the beginning with another intrusion or some other pressing task. While it may seem urgent to move onto something else, you are not quite done yet. Taking a little bit of time to understand if and how the recent incident fits into the strategic threat landscape is a task that will pay dividends down the road. It is one of the best ways to make sure that your organization actually learns from the incident and moves forward in a more resilient, informed manner.

All too often, incident responders must deal with the same situation manifesting itself in the same way, with the same vulnerabilities, the same lateral movement, maybe even the exact same stolen or reused passwords, and very often the same adversaries. At that point, many find themselves shaking their fists at the sky, asking how this could have happened. Didn’t we learn from the last time? Didn’t we fix the problems? Unfortunately, the answer is often “no.” When the last incident was resolved, ...

Get Intelligence-Driven Incident Response, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.