“Intelligence-Driven Incident Response” Notes
Intelligence-Driven Incident Response by Scott J. Roberts and Rebekah Brown is a helpful, informative guide to the theory and practice of cyber threat intelligence (CTI), teaching how to use intelligence to inform incident response (IR). Much of the book walks through the F3EAD model (a combination of the incident response and intelligence cycles).
According to the authors,
The purpose of this book is to demonstrate how intelligence fits into the incident-response process, helping responders understand their adversaries in order to reduce the time it takes to detect, respond to, and remediate intrusions. Cyber threat intelligence and incident response have long been closely related, and in fact are inextricably linked. Not only does threat intelligence support and augment incident response, but incident response generates threat intelligence that can be utilized by incident responders. The goal of this book is to help readers understand, implement, and benefit from this relationship.
This book is written for people involved in incident response, whether their role is an incident manager, malware analyst, reverse engineer, digital forensics specialist, or intelligence analyst. It is also for those interested in learning more about incident response. … You don’t need to be an expert in incident response, or in intelligence, to get a lot out of this book. We step through the basics of both disciplines in order to show how they work together, and give practical advice and scenarios to illustrate the process.
I read this because it was recommended in CTI expert Katie Nickels’ A Top 10 Reading List if You’re Getting Started in Cyber Threat Intelligence.
My notes follow.
This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.
Basics of Intelligence
- Direction: establish the question(s) that the intel is meant to answer
- Collection: gather as much data as possible from many sources
- Processing: make data usable (normalization, indexing, translation, enrichment, filtering, prioritization, visualization)
- Analysis: assess meaning and implication of data to answer question(s) from Direction phase
- Dissemination: share intel with relevant stakeholders
- Feedback: determine if intel successfully answered question(s)
Qualities of Good Intelligence
- Collection method (how info was collected)
- Date of collection
- Context (activities related to info, relationships between pieces of info, etc.)
- Addressing biases in analysis (confirmation, anchoring, etc.)
Levels of Intelligence
- Tactical: Low-level, highly perishable info that supports SecOps, IR. Includes IOCs, observables, granular TTPs. Customers: SOC analysts, CIRT investigators.
- Operational: More general than tactical intel, more specific than strategic intel. Includes info on campaigns, higher-order TTPs. Customers: senior DFIR analysts, other CTI teams.
- Strategic: Info for making serious decisions about risk assessments, resource allocation, organizational strategy. Includes trends, actor motivations, classifications. Customers: C-level executives and boards of directors.
Basics of Incident Response
- Hard data: info about technical aspects of network and systems
- Soft data: info about org behind network and systems
- Active: collecting by interacting directly with target
- Passive: collecting info without interacting directly with target, often by using third-party info service (DNS, WHOIS)
Actions on Objective
- Destroy: destroy physical or virtual item
- Deny: deny usage of a resource
- Degrade: degrade utility of resources or capabilities (usually C2)
- Disrupt: interrupt flow of info
- Deceive: deliver false info
Each event in diamond model can be categorized according to its phase in the kill chain.
Reasons to not hack back
- It’s difficult to accurately identify attacker (attribute the attack)
- It’s difficult to respond proportionately
- It serves limited purpose beyond sense of revenge
- It’s illegal in most countries
Benefits of active defense
- Disrupt attacker’s tempo
- Force attacker into making mistake, to expose them
Active defense capabilities
- Deny: preemptively exclude a resource from attacker
- Disrupt: actively exclude a resource from attacker
- Degrade: marginally reduce attacker’s resources while they’re being used
- Deceive: deliberately feed false info to attacker
- Destroy: harm attacker’s tools, infrastructure, operators
Intel and ops cycles feed into each other; each IR op leads to an intel op, and each intel op leads to an IR op.
- Find: determine threat(s) to address (Preparation phase of IR cycle)
- Fix: identify attacker’s presence in network (Identification phase of IR cycle)
- Finish: take decisive action against attacker (Containment, Mitigation, Eradication phase of IR cycle)
- Exploit: gather as much data as possible (Collection phase of intel cycle)
- Analyze: develop complete picture of attacker and TTPs (Analysis phase of intel cycle)
- Disseminate: share intel with relevant stakeholders (Dissemination phase of intel cycle)
By understanding who is capable of attacking the types of systems you’re protecting, you can focus on the indicators and tools that are useful for attacking your systems. Attackers tend to specialize in attacking certain types of systems.
FIR (Fast Incident Response) is an open source ticketing system for intelligence-driven IR.
- CybOX: building blocks for storing & sharing threat intel; made of observables (defined objects with stateful, measurable properties)
- STIX: possibly most commonly requested format for handling & receiving threat data; allows more contextual detail to be added to CyBOX objects
- TAXII: STIX transportation & sharing framework
MILE Working Group
- IODEF: framework for sharing incident info between response teams
- RID: transportation & sharing framework for IODEF & IODEF-SCI
- IODEF-SCI: framework for additional context around incident data
OpenIOC: Mandiant’s standard for capturing IOCs; interoperable with STIX.
VERIS: framework that captures info about incident’s actor, asset, action, attribute, timeline, impact; used to understand risk.
CAPEC: framework that captures attack pattern, including prerequisites, related weaknesses, related vulnerabilities, attacker steps.
Threat-Intelligence Platforms (TIPs)
- MISP: free; robust sharing
- CRITs: open source; developed by MITRE; designed to work with STIX & TAXII
- YETI: free; designed to enable organization & analysis of various CTI components in 1 place; can do some indicator enrichment
Most commercial TIPs have features similar to MISP, CRITs, YETI, but also manage system configuration, take responsibility for setup and hardware management, and offer support for troubleshooting or feature requests. They’re generally easier to set up and maintain.
Questions to determine what to analyze
- Why were we targeted?
- Who attacked us?
- How could this have been prevented?
- How can this be detected?
- Are there any patterns or trends that can be identified?
- Confirmation bias
- Anchoring bias
- Availability bias
- Bandwagon effect
- Mirroring (mirror-image bias)
Structured analysis takes the same general approach as the scientific method, but the testing and evaluation of the hypothesis isn’t as clear-cut as physical experiments.
- Determine question you’re going to answer.
- Collect data needed to generate hypothesis.
- Develop hypothesis(es).
- Evaluate key assumptions.
- Evaluate hypothesis.
- Red cell analysis (evaluate & question hypothesis, ideally by 3rd party)
- If red cell analysis determines hypothesis is unlikely, generate new hypothesis. Otherwise, determine confidence level of assessment.
Analysis of Competing Hypotheses (ACH)
Analysis of Competing Hypotheses is a method to determine most likely hypothesis among several.
- Identify hypotheses to consider.
- Make list of evidence for and against each hypothesis.
- Create matrix to evaluate whether each piece of evidence supports or refutes each hypothesis.
- Conduct initial analysis to refine matrix.
- Draw initial conclusions about likelihood of each hypothesis, focusing on disproving hypotheses.
- Analyze how much of your conclusion depends on a single piece of evidence.
- Report conclusions on likelihood of all hypotheses.
- Identify situations in which analysis would need to be reevaluated.
Graph analysis (aka association matrices, social network analysis, link analysis) is visual analysis to find patterns or relationships in info.
- Devil’s advocate
- “What if” analysis: see how other variables would change analysis
- Red team analysis: analyze how adversary would think/act
Writing for leadership
- Focus on intel necessary to make business decisions.
- Use intel to tell story of threat.
- Be brief, to the point.
Writing for technical consumers
- Focus on data.
- Be highly technical & descriptive, with references & research.
- Back up products with machine-consumable products (e.g., IOCs in STIX format, YARA signatures).
- Include method for accepting feedback, questions.
- Do provide info on adversary TTPs.
- Do ensure products contain easy-to-use IOCs, signatures (e.g., Snort, YARA).
- Do answer specific, relevant questions from consumer.
- Don’t give overly broad descriptions without meaningful details.
- Don’t use tools or methods that hinder copying info out of intel products.
- Don’t use vendor-specific formats.
- Don’t overclassify info.