Book title
Intelligence-Driven Incident Response

Outwitting the Adversary

Rebekah Brown, Scott J. Roberts

Paperback: 346 pages
Publisher: O'Reilly
Edition: 2
Language: English
Year: 2024
ISBN: 9781098120689
Text quality: publisher's original
Trim size: B5
Page color: includes colored text and boxes

Description

Using a well-conceived incident response plan in the aftermath of an online security breach enables your team to identify attackers and learn how they operate. But only when you approach incident response with a cyber threat intelligence mindset will you truly understand the value of that information. In this updated second edition, you'll learn the fundamentals of intelligence analysis as well as the best ways to incorporate these techniques into your incident response process.


Each method reinforces the other: threat intelligence supports and augments incident response, while incident response generates useful threat intelligence. This practical guide helps incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts understand, implement, and benefit from this relationship.


In three parts, this in-depth book includes:

  • The fundamentals: Get an introduction to cyberthreat intelligence, the intelligence process, the incident response process, and how they all work together
  • Practical application: Walk through the intelligence-driven incident response (IDIR) process using the F3EAD process: Find, Fix, Finish, Exploit, Analyze, and Disseminate
  • The way forward: Explore big-picture aspects of IDIR that go beyond individual incident response investigations, including intelligence team building


Table of Contents

  • Part I. The Fundamentals
      • Chapter 1. Introduction
      • Chapter 2. Basics of Intelligence
      • Chapter 3. Basics of Incident Response
  • Part II. Practical Application
      • Chapter 4. Find
      • Chapter 5. Fix
      • Chapter 6. Finish
      • Chapter 7. Exploit
      • Chapter 8. Analyze
      • Chapter 9. Disseminate
  • Part III. The Way Forward
      • Chapter 10. Strategic Intelligence
      • Chapter 11. Building an Intelligence Program


Welcome to the exciting world of intelligence-driven incident response! Intelligence—specifically, cyber threat intelligence—has a huge potential to help network defenders better understand and respond to attackers’ actions against their networks.


With the first edition of Intelligence-Driven Incident Response, our goal was to demonstrate how intelligence fits into the incident-response process and make the case for taking what seemed to be, at the time, a novel approach to understanding adversaries and reducing the time it takes to detect, respond to, and remediate intrusions. In the years that have passed since the first edition was released, we have seen tremendous growth in the field, both in numbers and capabilities. Our goal in this second edition is to continue to grow along with the community, adding in additional techniques, methods, lessons learned, and case studies to help more seamlessly integrate these concepts into the critical work that is being done every day to secure the technology that we rely on every day.

Wherever you are in your journey, whether you are just starting in cybersecurity, are transitioning from another security domain into cyber threat intelligence, or are a seasoned professional, we hope you find this book a valuable tool to help you in your mission of making the world a more secure place.


Why We Wrote This Book

In recent years, we have seen a transition from approaching incident response as a standalone activity to viewing it as an integral part of an overall network security program. At the same time, cyber threat intelligence is rapidly becoming more and more popular, and more companies and incident responders are trying to understand how to best incorporate threat intelligence into their operations. The struggle is real—both of us have been through these growing pains as we learned how to apply traditional intelligence principles into incident-response practices, and vice versa—but we know that it is worth the effort. We wrote this book to pull together the two worlds, threat intelligence and incident response, to show how they are stronger and more effective together, and to shorten the time it takes practitioners to incorporate them into operations.


Who This Book Is For

This book is written for people involved in incident response, whether their role is an incident manager, malware analyst or reverse engineer, digital forensics specialist or intelligence analyst. It is also for those interested in learning more about incident response. Many people who are drawn to cyber threat intelligence want to know about attackers—what motivates them and how they operate—and the best way to learn that is through incident response. But it is only when incident response is approached with an intelligence mindset that we start to truly understand the value of the information we have available to us. You don’t need to be an expert in incident response, or in intelligence, to get a lot out of this book. We step through the basics of both disciplines in order to show how they work together, and give practical advice and scenarios to illustrate the process.


About the Authors

Rebekah Brown has spent more than two decades working in the intelligence analysis community; her previous roles include NSA network warfare analyst, Operations Chief of a United States Marine Corps cyber unit, and a U.S. Cyber Command training and exercise lead. Rebekah has helped develop threat intelligence and security awareness programs at the federal, state, and local level, as well as at multiple Fortune 500 companies.


Scott J. Roberts is a security leader, analyst, software developer, and author. He is Head of Threat Research for Interpres Security and has led security teams and projects in the defense industrial base, GitHub, Apple, Splunk, and most recently Argo AI. He is also a student and researcher at Utah State University, where he is focused on Anticipatory Intelligence, tackling emergent problems in national and cybersecurity. Scott J. Roberts has served as an Advisory Committee member for SANS CTI & DFIR Summits. Along with Rebekah Brown, he authored O'Reilly's Intelligence-Driven Incident Response and has spoken at numerous industry events on incident response and cyber threat intelligence. Scott J. Roberts is passionate about improving security via automation, especially on macOS, and developing open and closed source tooling in Python, Go, & Swift.
