Intelligence-Driven Incident Response: Outwitting the Adversary by Scott J Roberts & Rebekah Brown

Author: Scott J Roberts & Rebekah Brown
Language: eng
Format: azw3
Publisher: O'Reilly Media
Published: 2017-08-21T04:00:00+00:00


Gathering Information

Depending on how you manage your incident-response data, it is entirely possible that the most difficult part of the Exploit phase will be extracting the important bits of intelligence from the investigation records. When it comes to gathering incident-response data, we have seen it all — from elaborate systems, to Excel spreadsheets, to Post-It notes with IP addresses stuck to a whiteboard. There is no wrong way to gather that data, but if you want to be able to extract it so that it can be analyzed and used in the future, there are certainly some ways to make the process easier.

When you are exploiting information from a previous incident, you are often limited to the data that was captured at the time. One of the goals of intelligence-driven incident response is to ensure that the incident-response process captures the information needed for intelligence analysis, but if you are just beginning to integrate operations and intelligence, you may not have been able to influence what information was gathered (yet). A good starting point for the Exploit phase is to understand exactly what you have available. We have found that the information currently available usually falls into one of two categories: high-level information, and technical details such as malware analysis.

If you have only high-level information, in the form of a narrative about the incident, you will be extracting strategic-level details; if you have access to detailed malware analysis, you can extract tactical-level details about the malware’s functionality. Initially, you may have access to only one level of information or the other, but ideally, as you implement this process in your organization, you will be able to gather both the technical details of an incident and the strategic information on what was targeted and what the impact was. Being able to combine information across all the levels is one of the things that makes intelligence most powerful.
