Chapter 3. Basics of Incident Response

“We now see hacking taking place by foreign governments and by private individuals all around the world.”

Mike Pompeo

Intelligence is only one half of the intelligence-driven incident-response puzzle. While computer incident response isn’t nearly as old as the art of espionage, in the last 40 years it has rapidly evolved into a major industry. Incident response encompasses the entire process of identifying intrusions (whether against a single system or an entire network), developing the information necessary to fully understand them, and then developing and executing the plans to remove the intruders.

Intrusion detection and incident response share many characteristics. Both are abstract and complicated topics, and as a result people have sought to simplify them by abstracting them into cycles or models. These models make it possible to understand the complex interplay between defender and adversary and form the basis for planning how to respond to these incidents. Just like intelligence models, they are rarely perfect and can’t always be followed explicitly, but they provide a framework for understanding the attackers’ intrusion and the defenders’ response processes.

Just like the exploration of intelligence, this chapter starts with the most overarching models and moves to more-specific models. Afterward we’ll dig into common defensive techniques and finish with the integrated intelligence and operations ...
