Chapter 5. Fix

“Never interrupt your enemy when he is making a mistake.”

Napoléon Bonaparte

We do not gather intelligence just for the sake of saying that we have intelligence; at its core, intelligence is meant to enable actions, whether those actions involve strategic planning or provide support to the incident-response process. Intelligence supports incident response in a few key ways:

  • Providing better starting points by creating improved alerting criteria
  • Contextualizing information identified in the response process
  • Understanding attackers, methodologies, and tactics

The process of using previously identified intelligence or threat data to identify where an adversary is, either in your environment or externally, is called a Fix. In the Fix phase of F3EAD, all the intelligence you gathered in the Find phase is put to work tracking down signs of adversary activity on your networks. This chapter covers three ways to Fix the location of adversary activity—using indicators of compromise, adversary behavioral indicators, also known as TTPs, and adversary goals.

This chapter was tough to write, as entire books have been written about many of the items we’ll discuss. This discussion is not meant to be comprehensive. If you want to learn malware analysis, it’s not sufficient to read just a single section of a single chapter, but likely multiple books, and to do months of work. Additionally, many of the approaches taken in Fix will be dramatically different based on ...

Get Intelligence-Driven Incident Response now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.