Welcome to the exciting world of intelligence-driven incident response! Intelligence—specifically, cyber threat intelligence—has a huge potential to help network defenders better understand and respond to attackers’ actions against their networks.
The purpose of this book is to demonstrate how intelligence fits into the incident-response process, helping responders understand their adversaries in order to reduce the time it takes to detect, respond to, and remediate intrusions. Cyber threat intelligence and incident response have long been closely related, and in fact are inextricably linked. Not only does threat intelligence support and augment incident response, but incident response generates threat intelligence that can be utilized by incident responders. The goal of this book is to help readers understand, implement, and benefit from this relationship.
In recent years, we have seen a transition from approaching incident response as a standalone activity to viewing it as an integral part of an overall network security program. At the same time, cyber threat intelligence is rapidly becoming more and more popular, and more companies and incident responders are trying to understand how to best incorporate threat intelligence into their operations. The struggle is real—both of us have been through these growing pains as we learned how to apply traditional intelligence principles to incident-response practices, and vice versa—but we know that it is worth the effort. We wrote this book to pull together the two worlds, threat intelligence and incident response, to show how they are stronger and more effective together, and to shorten the time it takes practitioners to incorporate them into operations.
This book is written for people involved in incident response, whether their role is an incident manager, malware analyst, reverse engineer, digital forensics specialist, or intelligence analyst. It is also for those interested in learning more about incident response. Many people who are drawn to cyber threat intelligence want to know about attackers—what motivates them and how they operate—and the best way to learn that is through incident response. But it is only when incident response is approached with an intelligence mindset that we start to truly understand the value of the information we have available to us. You don’t need to be an expert in incident response, or in intelligence, to get a lot out of this book. We step through the basics of both disciplines in order to show how they work together, and give practical advice and scenarios to illustrate the process.
Typically, people who are interested in integrating threat intelligence into incident response have a stronger background in one of those disciplines than in the other, so it may be appealing to skim through the sections you are more familiar with and focus only on the parts that are new to you. While that is perfectly fine, you may find that we have discussed new models or approaches to better integrate the two disciplines, so don’t skip through too much, even if you think you know it already!
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
This element signifies a tip or suggestion.
This element signifies a general note.
This element indicates a warning or caution.
Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals.
Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others.
For more information, please visit http://oreilly.com/safari.
To comment or ask technical questions about this book, send email to firstname.lastname@example.org.
For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia
My wonderful kiddos: Emma, Caitlyn, and Colin, for encouraging me to write and for offering up helpful suggestions on how to catch hackers (the bad ones).
My parents, brothers, sisters, and extended family for supporting me throughout this undertaking.
My work family: Jen, Wade, Rachel, Jordan, Bob, Derek (and many more!) for always believing in me and not saying (out loud) how crazy I was to write a book.
My partner in crime and partner in life, for keeping me hydrated, caffeinated, and happy, and reassuring me that deadlines were made to be missed.
My coauthor, Scott, for being the best BFFFG a girl could ask for.
And finally, to the staff of 23 Hoyt in Portland, the Trademark in Alexandria, and countless flights in between, where the majority of my writing took place.
Scott would like to thank the following people (and places):
My amazing wife, Kessa: I wouldn’t have gotten this done without your encouragement and insight, and I wouldn’t have bothered to try without your inspiration. Thanks for supporting me during the early mornings, late nights, and all the times in between. I’m hopeful I can be half as supportive in all your endeavors. JTMC
My parents, Steve and Janet: from another epic writing project and my first computer to now, you’ve constantly supported my curiosity and have made getting to this place possible. I can’t thank you enough and wouldn’t be here without my basecamp.
The GitHub Security team: you have given me the freedom to learn, to write, to share, and to build in a way I didn’t know I could.
Kyle: your fingerprints are still all over this thing. I appreciate you telling me when I am crazy and when I am just ambitious and telling me to go for it either way.
My many friends and mentors throughout the years: my guess is most of you don’t know how much impact you’ve had or how much I appreciate the conversations, the experiences, and the willingness to listen to me sharing my passions.
To my excellent coauthor Rebekah, you’re the gunny we need, not the gunny we deserve. I couldn’t have done it alone, and it wouldn’t be excellent without you.
The staff at O’Reilly for being the best in the business and for helping make our ideas a reality.
Lastly, the fine folks at Mission Coffee Company in Columbus for the espresso and bagels that fueled many of my words.