Scott Roberts is a Senior Development Lead in the InfoPath team at Microsoft Corporation. Scott has been a developer on the InfoPath team since the initial inception of the product and was one of four developers who worked on the prototype for what later would become the InfoPath form template designer.
More about the authors
Intelligence-Driven Incident Response
Outwitting the Adversary
Paperback, English, 2023, 2nd edition, ISBN 9781098120689
Summary
Using a well-conceived incident response plan in the aftermath of an online security breach enables your team to identify attackers and learn how they operate. But only when you approach incident response with a cyber threat intelligence mindset will you truly understand the value of that information. In this updated second edition, you'll learn the fundamentals of intelligence analysis as well as the best ways to incorporate these techniques into your incident response process.
Each method reinforces the other: threat intelligence supports and augments incident response, while incident response generates useful threat intelligence. This practical guide helps incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts understand, implement, and benefit from this relationship.
In three parts, this in-depth book includes:
- The fundamentals: Get an introduction to cyberthreat intelligence, the intelligence process, the incident response process, and how they all work together
- Practical application: Walk through the intelligence-driven incident response (IDIR) process using the F3EAD process: Find, Fix, Finish, Exploit, Analyze, and Disseminate
- The way forward: Explore big-picture aspects of IDIR that go beyond individual incident response investigations, including intelligence team building
Table of Contents
Foreword to the First Edition
Preface
Why We Wrote This Book
Who This Book Is For
How This Book Is Organized
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
I. The Fundamentals
1. Introduction
Intelligence as Part of Incident Response
History of Cyber Threat Intelligence
Modern Cyber Threat Intelligence
The Way Forward
Incident Response as a Part of Intelligence
What Is Intelligence-Driven Incident Response?
Why Intelligence-Driven Incident Response?
Operation SMN
SolarWinds
Conclusion
2. Basics of Intelligence
Intelligence and Research
Data Versus Intelligence
Sources and Methods
Models
Using Models for Collaboration
Process Models
Using the Intelligence Cycle
Qualities of Good Intelligence
Collection Method
Date of Collection
Context
Addressing Biases in Analysis
Levels of Intelligence
Tactical Intelligence
Operational Intelligence
Strategic Intelligence
Confidence Levels
Conclusion
3. Basics of Incident Response
Incident-Response Cycle
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
The Kill Chain
Targeting
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objective
Example Kill Chain
The Diamond Model
Basic Model
Extending the Model
ATT&CK and D3FEND
ATT&CK
D3FEND
Active Defense
Deny
Disrupt
Degrade
Deceive
Destroy
F3EAD
Find
Fix
Finish
Exploit
Analyze
Disseminate
Using F3EAD
Picking the Right Model
Scenario: Road Runner
Conclusion
II. Practical Application
4. Find
Actor-Centric Targeting
Starting with Known Information
Useful Information During the Find Phase
Using the Kill Chain
Goals
Victim-Centric Targeting
Using Victim-Centric Targeting
Asset-Centric Targeting
Using Asset-Centric Targeting
Capability-Centric Targeting
Using Capability-Centric Targeting
Media-Centric Targeting
Targeting Based on Third-Party Notification
Prioritizing Targeting
Immediate Needs
Past Incidents
Criticality
Organizing Targeting Activities
Hard Leads
Soft Leads
Grouping Related Leads
Lead Storage and Documentation
The Request for Information Process
Conclusion
5. Fix
Intrusion Detection
Network Alerting
System Alerting
Fixing Road Runner
Intrusion Investigation
Network Analysis
Live Response
Memory Analysis
Disk Analysis
Enterprise Detection and Response
Malware Analysis
Scoping
Hunting
Developing Hypotheses
Testing Hypotheses
Conclusion
6. Finish
Finishing Is Not Hacking Back
Stages of Finish
Mitigate
Remediate
Rearchitect
Taking Action
Deny
Disrupt
Degrade
Deceive
Destroy
Organizing Incident Data
Tools for Tracking Actions
Purpose-Built Tools
Assessing the Damage
Monitoring Lifecycle
Creation
Testing
Deployment
Refinement
Retirement
Conclusion
7. Exploit
Tactical Versus Strategic OODA Loops
What to Exploit
Gathering Information
Information-Gathering Goals
Mining Previous Incidents
Gathering External Information (or, Conducting a Literature Review)
Extracting and Storing Threat Data
Standards for Storing Threat Data
Data Standards and Formats for Indicators
Data Standards and Formats for Strategic Information
Process for Extracting
Managing Information
Threat-Intelligence Platforms
Conclusion
8. Analyze
The Fundamentals of Analysis
Dual Process Thinking
Deductive, Inductive, and Abductive Reasoning
Analytic Processes and Methods
Structured Analytic Techniques (SATs)
Target-Centric Analysis
Conducting the Analysis
What to Analyze
Enriching Your Data
Leverage Information Sharing
Developing Your Hypothesis
Evaluating Key Assumptions
Things That Will Screw You Up (aka Analytic Bias)
Accounting for Biases
Judgment and Conclusions
Conclusion
9. Disseminate
Intelligence Customer Goals
Audience
Executive Leadership Customer
Internal Technical Customers
External Technical Customers
Developing Customer Personas
Authors
Actionability
The Writing Process
Plan
Draft
Edit
Intelligence Product Formats
Short-Form Products
Long-Form Products
The RFI Process
Automated Consumption Products
Establishing a Rhythm
Distribution
Feedback
Regular Products
Conclusion
III. The Way Forward
10. Strategic Intelligence
What Is Strategic Intelligence?
The Role of Strategic Intelligence in Intelligence-Driven Incident Response
Intelligence Beyond Incident Response
Red Teaming
Vulnerability Management
Architecture and Engineering
Privacy, Safety, and Physical Security
Building a Frame with Strategic Intelligence
Models for Strategic Intelligence
The Strategic Intelligence Cycle
Setting Strategic Requirements
Collection
Analysis
Dissemination
Moving Toward Anticipatory Intelligence
Conclusion
11. Building an Intelligence Program
Are You Ready?
Planning the Program
Defining Stakeholders
Defining Goals
Defining Success Criteria
Identifying Requirements and Constraints
Think Strategically
Defining Metrics
Stakeholder Personas
Tactical Use Cases
SOC Support
Indicator Management
Operational Use Cases
Campaign Tracking
Strategic Use Cases
Architecture Support
Risk Assessment/Strategic Situational Awareness
Strategic to Tactical or Tactical to Strategic?
Critical Information Needs
The Intelligence Team
Building a Diverse Team
Team and Process Development
Demonstrating Intelligence Program Value
Conclusion
Index
About the Authors