“If you focus solely on the enemy, you will ignore the threat.”
Colonel Walter Piatt
At this point in the incident-response process, it is common for the final incident-response report to be delivered and the responders to move on to the next matter requiring attention, but that is not where this book ends. Throughout the course of the investigation, we have gathered a lot of data on our attackers, looked for additional information from within our networks, and taken actions that have had an impact on the attacker’s operations. Now we need to gather all of that data, analyze it for intelligence value, and integrate it into not only detection and prevention methods, but also more strategic-level initiatives such as risk assessments, prioritization of efforts, and future security investments. To get to the point where you can do all these things, you have to engage the intelligence portion of the F3EAD cycle: Exploit, Analyze, and Disseminate.
It is no secret why most people stop short of completing the F3EAD cycle: it’s hard enough to generate intelligence, but managing it is a whole new series of headaches. Dealing with timing, aging, access control, and formats is enough to make anyone’s head spin. And yet, as undeniably complex as these problems are, they have to be addressed head on. Having great intelligence that doesn’t see the light of day is as disappointing as a star athlete sitting on the bench. Exploiting the intelligence that you have generated ...