O'Reilly logo

Intelligence-Driven Incident Response by Scott J. Roberts, Rebekah Brown

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required


Welcome to the exciting world of intelligence-driven incident response! Intelligence—specifically, cyber threat intelligence—has a huge potential to help network defenders better understand and respond to attackers’ actions against their networks. 

The purpose of this book is to demonstrate how intelligence fits into the incident-response process, helping responders understand their adversaries in order to reduce the time it takes to detect, respond to, and remediate intrusions. Cyber threat intelligence and incident response have long been closely related, and in fact are inextricably linked. Not only does threat intelligence support and augment incident response, but incident response generates threat intelligence that can be utilized by incident responders. The goal of this book is to help readers understand, implement, and benefit from this relationship.

Why We Wrote This Book

In recent years, we have seen a transition from approaching incident response as a standalone activity to viewing it as an integral part of an overall network security program. At the same time, cyber threat intelligence is rapidly becoming more and more popular, and more companies and incident responders are trying to understand how to best incorporate threat intelligence into their operations. The struggle is real—both of us have been through these growing pains as we learned how to apply traditional intelligence principles into incident-response practices, and vice versa—but we know that it is worth the effort. We wrote this book to pull together the two worlds, threat intelligence and incident response, to show how they are stronger and more effective together, and to shorten the time it takes practicioners to incorporate them into operations. 

Who This Book Is For

This book is written for people involved in incident response, whether their role is an incident manager, malware analyst, reverse engineer, digital forensics specialist, or intelligence analyst. It is also for those interested in learning more about incident response. Many people who are drawn to cyber threat intelligence want to know about attackers—what motivates them and how they operate—and the best way to learn that is through incident response. But it is only when incident response is approached with an intelligence mindset that we start to truly understand the value of the information we have available to us. You don’t need to be an expert in incident response, or in intelligence, to get a lot out of this book. We step through the basics of both disciplines in order to show how they work together, and give practical advice and scenarios to illustrate the process. 

How This Book Is Organized

This book is organized as follows:

  • Part 1 includes chapters 1, 2, and 3, and provides an introduction to the concept of intelligence-driven incident response (IDIR) and an overview of the intelligence and incident-response disciplines. We introduce the concept of F3EAD, the primary model for IDIR that will be used in the rest of the book. 
  • Part 2  includes chapters 4, 5, and 6, which step through the incident-response-focused portion of F3EAD: Find, Fix, and Finish, as well as chapters 7, 8, and 9, which cover the intelligence-focused steps in the F3EAD process: Exploit, Analyze, and Disseminate.
  • Part 3 includes Chapter 10, an overview of strategic-level intelligence and how it applies to incident response and network security programs, and Chapter 11, which discusses formalized intelligence programs and how to set up an intelligence-driven incident-response programs for success.
  • The appendix includes examples of intelligence products that you may create during the dissemination phase (covered in Chapter 9). 

Typically, people who are interested in integrating threat intelligence into incident response have a stronger background in one of those disciplines over the other, so it may be appealing to skim through the sections you are more familiar with and focus only on the parts that are new to you. While that is perfectly fine, you may find that we have discussed a new model or approaches to better integrate the two disciplines, so don’t skip through too much, even if you think you know it already!

Conventions Used in This Book

The following typographical conventions are used in this book:


Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.


This element signifies a tip or suggestion.


This element signifies a general note.


This element indicates a warning or caution.

O’Reilly Safari


Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals.

Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others.

For more information, please visit http://oreilly.com/safari.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

  • O’Reilly Media, Inc.
  • 1005 Gravenstein Highway North
  • Sebastopol, CA 95472
  • 800-998-9938 (in the United States or Canada)
  • 707-829-0515 (international or local)
  • 707-829-0104 (fax)

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly

Follow us on Twitter: http://twitter.com/oreillymedia

Watch us on YouTube: http://www.youtube.com/oreillymedia


Rebekah would like to thank the following people (and places):

My wonderful kiddos: Emma, Caitlyn, and Colin, for encouraging me to write and for offering up helpful suggestions on how to catch hackers (the bad ones). 

My parents, brothers, sisters, and extended family for supporting me throughout this undertaking.

My work family: Jen, Wade, Rachel, Jordan, Bob, Derek (and many more!) for always believing in me and not saying (out loud) how crazy I was to write a book. 

My partner in crime and partner in life, for keeping me hydrated, caffeinated, and happy, and reassuring me that deadlines were made to be missed. 

My coauthor, Scott, for being the best BFFFG a girl could ask for.

And finally, to the staff of 23 Hoyt in Portland, the Trademark in Alexandria, and countless flights in between, where the majority of my writing took place. 

Scott would like to thank the following people (and places):

My amazing wife, Kessa: I wouldn’t have gotten this done without your encouragement and insight, and I wouldn’t have bothered to try without your inspiration. Thanks for supporting me during the early mornings, late nights, and all the times in between. I’m hopeful I can be half as supportive in all your endeavors. JTMC

My parents, Steve and Janet: from another epic writing project and my first computer to now, you’ve constantly supported my curiosity and have made getting to this place possible. I can’t thank you enough and wouldn’t be here without my basecamp.

The GitHub Security team: you have given me the freedom to learn, to write, to share, and to build in a way I didn’t know I could. 

Kyle: your fingerprints are still all over this thing. I appreciate you telling me when I am crazy and when I am just ambitious and telling me to go for it either way. 

My many friends and mentors throughout the years: my guess is most of you don’t know how much impact you’ve had or how much I appreciate the conversations, the experiences, and the willingness to listen to me sharing my passions. 

To my excellent coauthor Rebekah, you’re the gunny we need, not the gunny we deserve. I couldn’t have done it alone, and it wouldn’t be excellent without you.

The staff at O’Reilly for being the best in the business and for helping make our ideas a reality. 

Lastly, the fine folks at Mission Coffee Company in Columbus for the espresso and bagels that fueled many of my words. 

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required