Chapter 3. Basics of Incident Response
âWe now see hacking taking place by foreign governments and by private individuals all around the world.â
Mike Pompeo
Intelligence is only one half of the intelligence-driven incident-response puzzle. While computer incident response isnât nearly as old as the art of espionage, in the last 40 years it has rapidly evolved into a major industry. Incident response encompasses the entire process of identifying intrusions (whether against a single system or an entire network), developing the information necessary to fully understand them, and then developing and executing the plans to remove the intruders.
Intrusion detection and incident response share many characteristics. Both are abstract. They are both complicated topics, and as a result people have sought to simplify them by abstracting them into cycles or models. These models make understanding the complex interplay between defender and adversary possible and form the basis for planning how to undertake responding to these incidents. Just like intelligence models, they are rarely perfect and canât always be followed explicitly, but they provide a framework for understanding the attackersâ intrusion and the defendersâ response processes.
Just like the exploration of intelligence, this chapter starts with the most overarching models and moves to more-specific models. Afterward weâll dig into common defensive techniques and finish with the integrated intelligence and operations ...
Get Intelligence-Driven Incident Response now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.