Professional Documents
Culture Documents
(Download PDF) Intelligence Driven Incident Response Outwitting The Adversary 1St Edition Scott J Roberts Online Ebook All Chapter PDF
(Download PDF) Intelligence Driven Incident Response Outwitting The Adversary 1St Edition Scott J Roberts Online Ebook All Chapter PDF
https://textbookfull.com/product/cybersecurity-incident-response-
how-to-contain-eradicate-and-recover-from-incidents-eric-c-
thompson/
https://textbookfull.com/product/data-driven-treatment-response-
assessment-and-preterm-perinatal-and-paediatric-image-analysis-
andrew-melbourne/
https://textbookfull.com/product/working-with-christian-servant-
leadership-spiritual-intelligence-the-foundation-of-vocational-
success-1st-edition-gary-e-roberts-auth/
https://textbookfull.com/product/the-nature-of-human-
intelligence-robert-j-sternberg/
A Lynching in Little Dixie The Life and Death of James
T Scott ca 1885 1923 Patricia L Roberts
https://textbookfull.com/product/a-lynching-in-little-dixie-the-
life-and-death-of-james-t-scott-ca-1885-1923-patricia-l-roberts/
https://textbookfull.com/product/beginning-artificial-
intelligence-with-the-raspberry-pi-1st-edition-donald-j-norris/
https://textbookfull.com/product/the-cambridge-handbook-of-
intelligence-2nd-edition-robert-j-sternberg/
https://textbookfull.com/product/the-cambridge-handbook-of-
intelligence-2nd-edition-robert-j-sternberg-2/
https://textbookfull.com/product/crooked-outwitting-the-back-
pain-industry-and-getting-on-the-road-to-recovery-1st-edition-
cathryn-jakobson-ramin/
Intelligence-
Driven Incident
Response
OUTWITTING THE ADVERSARY
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Intelligence-Driven Incident Response,
the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and
instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility
for errors or omissions, including without limitation responsibility for damages resulting from the use of
or reliance on this work. Use of the information and instructions contained in this work is at your own
risk. If any code samples or other technology this work contains or describes is subject to open source
licenses or the intellectual property rights of others, it is your responsibility to ensure that your use
thereof complies with such licenses and/or rights.
978-1-491-93494-4
[LSI]
Table of Contents
Foreword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
2. Basics of Intelligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Data Versus Intelligence 10
Sources and Methods 11
Process Models 14
OODA 14
Intelligence Cycle 17
Using the Intelligence Cycle 21
Qualities of Good Intelligence 23
Levels of Intelligence 24
iii
Tactical Intelligence 24
Operational Intelligence 24
Strategic Intelligence 25
Confidence Levels 25
Conclusion 26
iv | Table of Contents
Scenario: GLASS WIZARD 57
Conclusion 57
5. Fix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Intrusion Detection 80
Network Alerting 80
System Alerting 85
Fixing GLASS WIZARD 87
Intrusion Investigation 89
Network Analysis 89
Live Response 95
Memory Analysis 96
Disk Analysis 97
Malware Analysis 98
Scoping 101
Hunting 102
Developing Leads 102
Testing Leads 102
Conclusion 103
Table of Contents | v
6. Finish. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Finishing Is Not Hacking Back 105
Stages of Finish 106
Mitigate 107
Remediate 109
Rearchitect 112
Taking Action 113
Deny 113
Disrupt 114
Degrade 115
Deceive 115
Destroy 116
Organizing Incident Data 116
Tools for Tracking Actions 117
Purpose-Built Tools 119
Assessing the Damage 120
Monitoring Life Cycle 121
Conclusion 122
7. Exploit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
What to Exploit? 124
Gathering Information 125
Storing Threat Information 126
Data Standards and Formats for Indicators 126
Data Standards and Formats for Strategic Information 130
Managing Information 132
Threat-Intelligence Platforms 133
Conclusion 135
8. Analyze. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
The Fundamentals of Analysis 137
What to Analyze? 139
Conducting the Analysis 141
Enriching Your Data 142
Developing Your Hypothesis 146
Evaluating Key Assumptions 147
Judgment and Conclusions 150
Analytic Processes and Methods 150
Structured Analysis 151
Target-Centric Analysis 153
Analysis of Competing Hypotheses 155
Graph Analysis 157
vi | Table of Contents
Contrarian Techniques 158
Conclusion 160
9. Disseminate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Intelligence Consumer Goals 162
Audience 162
Executive/Leadership Consumer 163
Internal Technical Consumers 165
External Technical Consumers 167
Developing Consumer Personas 168
Authors 171
Actionability 172
The Writing Process 174
Plan 174
Draft 174
Edit 176
Intelligence Product Formats 178
Short-Form Products 178
Long-Form Products 182
The RFI Process 191
Automated Consumption Products 195
Establishing a Rhythm 199
Distribution 200
Feedback 200
Regular Products 201
Conclusion 202
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Over 20 years ago, I was involved in my first large scale intrusion by a nation state
actor from Russia called Moonlight Maze. My job for the Air Force Office of Special
Investigations was to aid in data collection, interception, and analysis of adversary
activity that occurred on the network and compromised systems. We learned through
analyzing multiple attacks across many targets that this adversary was not going away
by only “pulling the plug” from the back of the hacked systems. The enemy was
extremely patient. Once they detected our response measures, they would persist in
not reaccessing the same target for weeks. The attackers would ensure survival by hit‐
ting more than one target across the network and leave back doors on many systems.
Across multiple intrusions by the same attackers, the task force started to put
together a playbook on who this adversary was, how they operated, and what they
were after. This playbook helped inform the defenses of many DoD locations world‐
wide. What was one of the outcomes of the Moonlight Maze intrusion? The scope
and urgency of the attacks led to the formation of the Joint Task Force–Computer
Network Defense (JTF-CND) that later became the gestation of U.S. Cyber Com‐
mand.
We learned a lot from these advanced attacks in the late ’90s. First and foremost, we
learned that to detect the adversary, we had to learn from the enemy. Early on we dis‐
covered tools and practices that would allow us to pinpoint the same adversary on
other networks. The information that helped inform our defenses and detect specific
attackers became the formation of, likely, the most significant information security
development since the intrusion detection system and the firewall: cyber-threat intel‐
ligence.
Having responded to hundreds of incidents through my career in the DoD, US Gov‐
ernment, Mandiant, and my own company, the one thing we always rely on is that
incident responders’ primary objective is to use the opportunity to learn about the
adversaries attacking you. With this information, we can observe another network
and assess if the same enemy compromised them. This intelligence lays the bedrock
for our approach to proper information security and defensive posturing against
ix
these specific threats. Organizations aren’t likely to be hit by any hacker, they are
likely part of a group, and they have your organization’s name on a hit list. Without
cyber-threat intelligence as the primary consumer of incident-response data, the
security defenses could never improve and reduce the dwell time for the adversaries
inside the networks they’re compromising.
Threat intelligence was vital to intrusions over 20 years ago, starting with the story
told in the Cuckoo’s Egg, written by Cliff Stoll, and has been ever since. But somehow,
most organizations are still learning to adopt the same principles. Part of the reason is
the failure of proper resources that groups can follow. Another factor is bad advice
from security vendors. Lucky for us, this book now exists and steps the reader
through proper threat-intelligence concepts, strategy, and capabilities that an organi‐
zation can adopt to evolve their security practice. After reading this book, your oper‐
ations can grow to become an intelligence-driven operation that is much more
efficient than ever in detecting and reducing the possible impact of breaches that will
occur.
As the SANS Institute’s Digital Forensics and Incident Response Curriculum Director
and Lead, I have been discussing the importance of proper threat assessment and
intelligence for many years. Many argued that it was a “nice to have” and “not as
important” as stopping the adversary until analysts started to learn there was little
they could do to eliminate an adversary without it.
I have advised many executives over the years that money would be better spent on
developing proper threat intelligence than on vendor hardware that will likely not
detect the next intrusion without being fed indicators learned and extracted as a part
of the threat-intelligence analytical process. Part of that advice came from listening to
conversations with the authors of this book, Scott and Rebekah.
Scott and I worked together at Mandiant and have remained friends ever since. I reg‐
ularly follow up with him over the years and am an avid reader of his papers and arti‐
cles. Scott is currently one of our instructors for the SANS Institute’s Cyber Threat
Intelligence course (FOR578). Listening to Scott present on this topic for many years
is always a breath of wisdom that is equivalent to hearing Warren Buffet give financial
advice. I can hear Scott’s voice in my head as I read his thoughts pouring off the pages
in this book.
Similar to my background, Rebekah is former military and worked across the board
in cyber operations. She is formerly the Cyber Unity Operations Chief for the U.S.
Marine Corp. She was also a cyber-operation exercise planner in the DoD, a network
warfare analyst while at the NSA, and worked to create threat intelligence in Fortune
500 companies and across information security vendors. Rebekah’s knowledge is on
point and intuitive. She knows and understands this space like no other, having lived
it by working inside and outside the DoD (both Intel and cyber communities) and
across many companies. Rebekah has provided cyber-threat intelligence briefs at the
x | Foreword
White House, based on her theories of coordinated defensive and offensive cyber
operations. Getting to know Rebekah has been amazing and enlightening, especially
as I continue to learn how traditional intelligence methods are applied to cyber-
operations analysis. I am also proud to highlight that Rebekah is also a course author
and instructor for the SANS Institute’s Course in Cyber Threat Intelligence
(FOR578).
Together, Scott and Rebekah have put together their thoughts on paper in one of the
most informed cyber-operations strategy guides you could ever pick up. You should
consider making this book mandatory reading for all cyber analysts in your organiza‐
tion. This book is at the top of my recommended reading list for any cyber security
analysts old and new. The ideas expressed in this book don’t solve technical chal‐
lenges, hacking tactics, or configuring security defenses, but instead, focuses on con‐
cepts, strategy, and approaches that indeed work at improving the posture, detection,
and response inside the security operations of your organization.
One of the most important chapters of the book for cyber-security management to
read is how to build an intelligence program. Watching Scott and Rebekah go
through this with many organizations has been impressive. Organizations that have
benefited from their knowledge understand that “threat intelligence” is not a buzz‐
word, and their approaches and requirements to step through is worth the read sev‐
eral times over.
For those who are security analysts, the book’s main content steps an analyst through
the intricacies of proper incident-response approaches, utilizing a threat intelligence
mindset. Once exposed to the information contained in this book, it will permanently
change the way you approach cyber security in your organization. It will transition
you from being an average analyst into one with advanced operational skills that will
continue to pay off throughout your career.
I wish I had this book 20 years ago in my first intrusion cases while investigating Rus‐
sian hackers during Moonlight Maze. Luckily, we have this book today, and I can now
point to it as required reading for my students who want to move beyond tactical
response and apply a framework and strategy to it all that works.
— Rob Lee
Founder, Harbingers Security/DFIR
Lead, SANS Institute
Foreword | xi
Preface
xiii
Who This Book Is For
This book is written for people involved in incident response, whether their role is an
incident manager, malware analyst, reverse engineer, digital forensics specialist, or
intelligence analyst. It is also for those interested in learning more about incident
response. Many people who are drawn to cyber threat intelligence want to know
about attackers—what motivates them and how they operate—and the best way to
learn that is through incident response. But it is only when incident response is
approached with an intelligence mindset that we start to truly understand the value of
the information we have available to us. You don’t need to be an expert in incident
response, or in intelligence, to get a lot out of this book. We step through the basics of
both disciplines in order to show how they work together, and give practical advice
and scenarios to illustrate the process.
xiv | Preface
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program ele‐
ments such as variable or function names, databases, data types, environment
variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values deter‐
mined by context.
O’Reilly Safari
Safari (formerly Safari Books Online) is a membership-based
training and reference platform for enterprise, government,
educators, and individuals.
Preface | xv
Both the Axiom Group attacks and Operation Aurora were information-seeking,
espionage-related attacks, but nation-state sponsored attackers aren’t the only thing
that incident responders have to worry about. Financially motivated criminal activity
is also evolving, and those actors are also working hard to stay ahead of defenders
and incident responders.
Conclusion
Despite the many advances in the computer security field, attackers continue to
adapt. We are often surprised to hear about breaches where the attackers were loiter‐
ing in a network for years before they were identified, or even worse, where the
attackers are able to get back in undetected and reinfected a target after the incident-
response process is complete. Intelligence-driven incident response allows us to learn
from attackers; to identify their motivations, processes, and behaviors; to identify
their activities even as they seek to outwit our defenses and detection methods. The
more we know about attackers, the better we can detect and respond to their actions.
We have reached the point where a structured and repeatable process for implement‐
ing intelligence in the incident-response process is necessary, and this book aims to
provide insight into that process. Throughout this book, we provide various models
and methods that can be viewed as the tools of intelligence-driven incident response,
as well as the background as to why these models are beneficial in incident
response. There is no one-size-fits-all approach. In many cases, the incident or the
organization will dictate which specific combination of models and approaches fits
best. Understanding the foundational principles of intelligence and incident response
as well as the specific methods for integrating them will allow you to build a process
for intelligence-driven incident response that will work for you and to develop that
process to meet the needs of your organization.
Conclusion | 7
Another random document with
no related content on Scribd:
is most independent on either side of the body; or, in other words, in
those whose functions are most highly differentiated and whose
innervation is most cortical (from the motor centres in the cerebral
cortex). Those muscular groups, on the other hand, whose action is
usually or necessarily simultaneously bilateral or associated across
the median line—or, in other words, whose innervation is largely
spinal or subcortical—are least paralyzed; while the purely automatic
or reflex muscular apparatuses, those having a strictly spinal or
sympathetic innervation, are not at all affected.
(b) Spinal Hemiplegia.—In this type the face and head are normal,
excepting in some cases the iris; the extremities and trunk are more
or less paralyzed on one side, the loss of power being more evenly
distributed (i.e. less distal) than in hemiplegia of cerebral origin.
Often there is also anæsthesia, and this is always on the other side
of the median line, involving more or less of the whole side. The
coincidence of these symptoms below the head indicates positively
that the lesion is in the spinal cord, involving one of its lateral halves.
Where there is no anæsthesia, care must be taken not to confound
the condition with that in which a cerebral lesion causes paralysis of
one arm and leg (combined brachial and crural monoplegia).
(f) The various internal organs, the viscera, supplied with striped or
unstriped muscular fibres, may be paralyzed.
(g) The muscular coat of the vascular system beyond the heart may
be paralyzed in extensive or limited areas—the so-called vaso-motor
paralysis. This may assume hemiplegic or monoplegic or localized
forms.
(c) Paraplegic spasm is also shown in tonic and clonic forms. Partial
tonic spasm of this distribution, with paresis of the legs, causes the
gait or attitude known as tetanoid or spastic. The four extremities
may be in this state of mixed paresis and contraction, as observed in
some very young children whose cerebral motor area is probably
undeveloped or ill-developed, or which has been damaged shortly
after birth by meningeal hemorrhage.
(e) Inco-ordination more or less of the ataxic form often affects the
muscles of articulation, phonation, and deglutition, giving to the
symptoms dysarthria, dysphonia, and dysphagia. Dysarthria and
dysphagia are probably often caused by lesions of the insula and
subjacent white substance, as well as by those affecting the
oblongata. There are two recent autopsies which would indicate that
there may be a cerebral cortical centre for phonation laryngeal
movements: in the ventral extremity of the right third frontal gyrus—a
part homologous to the speech centre on the left side of the brain. In
some cases, however, dysphonia and aphonia indicate a lesion of
the laryngeal nerves or of the oblongata (nucleus of NN. x. and xi.).
(f) Doubtless the internal muscular organs and the blood-vessels are
frequently the seat of inco-ordinate or quasi-ataxic movements, but
our present knowledge of these conditions amounts to very little.
Diagram illustrating the Arc for Reflex Action. The centripetal and
centrifugal paths, the receptive and terminal organs of the arc, are shown
connected with the spinal centre, which is a portion of central gray matter
containing ganglion cells. The inhibitory cerebral influence is constantly
exerted in health to moderate reflexes.
First, in the eye. In case of atrophy of the optic nerve the pupillary
reflex is lost, the reflex action failing because the receptive surface
and efferent nerve are injured. In certain cases of spinal disease
(posterior spinal sclerosis) the same pupillary immobility is observed
(the Argyll-Robertson pupil); and in this case the lesion either affects
indirect efferent spinal fibres destined for the iris, or it is situated in
the centre for the reflex action—viz. the gray matter of the lobus
opticus. There may be loss of pupillary reflex due to injury of the
direct efferent fibres of the arc (paralysis of the motor oculi, N. iii.).
Lastly, the iris itself may be so diseased as to be incapable of
contracting, though it receive the reflex impulse properly; the lesion
is then in the terminal organ of the arc.
Second, the patellar tendon reflex. In a healthy individual, sitting at
ease with one leg thrown over the other (knee over knee), upon
tapping the ligamentum patellæ of the overhanging or free leg a
contraction of the quadriceps muscle occurs, causing a visible
forward movement of the leg and foot. This is the well-known patellar
reflex or knee-jerk. The arc in this case consists of the ligamentum
patellæ with its included sensory fibres as receptive organs, sensory
(afferent) fibres of the crural nerve, a segment of the lumbar gray
matter of the cord as centre, motor (efferent) fibres of the crural
nerve, supplying the quadriceps extensor femoris, which is the
terminal organ. Theoretically (vide Fig. 1), we can conceive of
numerous abnormal conditions of parts of this arc which would lead
to abolition of the patellar reflex, but in practice the following are the
principal lesions to be thought of: Disease (sclerosis) of the posterior
root-zones of the lumbar enlargement of the cord, as exhibited in the
pre-ataxic stage of tabes; disease of the posterior roots themselves
through meningitis or meningo-myelitis, as in diphtheritic ataxia;
lesion of the nervous centre, as is frequently observed in cases of
infantile poliomyelitis; a lesion of the crural nerve, involving its
efferent or afferent fibres, or both sets of fibres, would produce the
same result, as would also, lastly, a severe myositis or cancerous
infiltration of the quadriceps muscle.
FIG. 2.
Diagram and Table showing the Approximate Relation to the Spinal
Nerves of the Various Sensory and Reflex Functions of the Spinal Cord
(after Gowers).