"Intelligence-Driven Incident Response" equips Incident Response professionals with the knowledge and context to integrate traditional Intelligence principles into their cyber defense strategies. My pre-ordered copy arrived today, and I am already impressed with the authors' experience and expertise spanning both of these complex domains.
As someone with a background in both information security and "traditional intelligence," I am excited and thankful to see Scott and Rebekah skillfully deconstruct the core components of Incident Response (IR) and intel. They introduce and explain the incident response process, the intelligence process, and cyber threat intelligence, enriched throughout with real-world case studies that tie the concepts together effectively.
The content organization is excellent: "Part I. The Fundamentals. Part II. Practical Application. Part III. The Way Forward."
There are too many "hit-the-nail-on-the-head" aspects of this book to highlight here, so I'll just mention a few concepts the authors cover that address current gaps in the collective understanding of many organizations.
1. The authors discuss the Intelligence cycle and outline ways in which Intelligence-driven incident response feeds the Intelligence cycle. This is a critical point of departure from the mindset of intelligence being just a series of "threat feeds" containing known-bad file hashes and IP addresses. They present a more coherent and reality-aligned way of thinking about this concept than the tool-focused paradigms our executives are exposed to through interactions with vendors.
2. "Mining Previous Incidents." This section on page 125 highlights something I've referred to as "internal intelligence" in discussions with industry colleagues. In my experience with tactical intelligence collection in kinetic environments, the concept of "knowing the terrain" is so ingrained in the mindset of Warfighters that it doesn't warrant much discussion. Within information security / cyber defense circles, though, this foundational concept doesn't seem to have the same traction. (Yet.)
3. "Intelligence Consumer Goals." The authors articulate the need to think about various consumers of intelligence products through the lens of each consumer's goals. For example, an Executive representing the business has a different scope and set of goals than the malware analyst working with the threat hunting team. The section in chapter 9: "Disseminate" that frames information sharing in the context of which types of stakeholders will consume the intelligence is a must-read for practitioners as well as leadership. In my experience working in both Intel and corporate environments, there tends to be a traditional view of "management reporting" in the corporate setting that can taint the intent of Intelligence Dissemination. Instead of considering the value of producing intelligence reports for "Internal Technical Consumers" as the authors discuss on page 167, the allocation of scarce resources to "reporting" falls into the traditional upward, leadership-focused information sharing. We urgently need the approach outlined in this book to gain traction in our industry. We need a "common operating picture" or a shared understanding of the current situation among the incident response team members, and that warrants allocating resources to disseminating intelligence products horizontally among technical consumers in addition to what has traditionally been viewed as management reporting.
4. "The RFI Process." From page 193: "A request for intelligence (RFI) is a specialized product meant to answer a specific question, often in response to a situational awareness need." Bottom line up front: Please read this, and then consider implementing it when you can. (But probably soon, because although it's not a new concept, it is a proven, useful one that we would do well to adopt in information security.)
5. "Building an Intelligence Program." This is the title of chapter eleven. By the time the reader has progressed through the previous chapters, she will have developed a solid understanding of the core principles and components of the disciplines of Incident Response and Intelligence, how they converge in the concept of Intelligence-Driven Incident Response, and why it is important to undergird our approach to cyber defense with these time-tested methodologies. The authors lay out a series of considerations, clearly cognizant and respectful of budgetary and resource constraints faced by every reader. The questions posed are realistic and informative.
6. Appendix A: "Intelligence Products." Developing an understanding of what this entails and how it can enable & transform cyber defense is, in my opinion, worth the price of the book on its own.
The foreword by Rob Lee, Founder of Harbinger Security and DFIR Lead at SANS Institute, is a fascinating glimpse into the historical context around cyber intrusions. This historical perspective is provided by a current industry leader who remains on the front lines of this fight while developing a new generation of Digital Forensics and Incident Response (DFIR) professionals, myself included. Rob's observation from the foreword says a lot: "I wish I had this book 20 years ago in my first intrusion cases while investigating Russian hackers during Moonlight Maze. Luckily, we have this book today, and I can now point to it as required reading for my students who want to move beyond tactical response and apply a framework and strategy to it all that works."
I’d recommend diving into a copy of this book as soon as you can. "Intelligence-Driven Incident Response" has the potential to transform security teams and organizations by educating, influencing, and guiding them. And, considering the current state of the cyber threat environment, it couldn’t have come at a better time.