Unpacking the Power of Intelligence-Driven Incident Response: Lessons from Scott J. Roberts & R. Brown’s Book

What is the book about?

This book explains why and how developing an intelligence-driven incident response strategy. With a focus on proactive methods for identifying and mitigating possible risks before they may cause harm, the book covers a variety of issues including threat intelligence, incident detection, and response preparation.

What is Intelligence-Driven Incident Response?

It is a proactive approach to incident response that leverages threat intelligence to detect and respond to security incidents more effectively.

Effectively is the key term, in fact the world has become more and more interconnected and attackers are developing increasingly sophisticated methods of attack. So it has become essential to understand the strategies and objectives of adversaries to be truly prepared to respond more quickly.

As is clearly explained in the book:“Intelligence-driven incident response does not end when the intrusion is understood and resolved, but generates information that will continue to feed the intelligence cycle.”

The 3 main takeaways I learned from this book:

1. Trying to collect as much data as possible without being clear what questions you are trying to answer is a waste of time.

As is pointed out in the book, the first stage of the intelligence cycle is precisely to define the direction of one’s research and only then to collect the data in order to carry out a comprehensive analysis.In fact, intelligence allows incident responders to prioritize the most critical threats and allocate resources consequently. This helps ensure that the most important issues are addressed first.

2. Defense does not have to be passive, there are also active defense strategies.

Usually the concept of defense is associated with the expectation of being attacked and responding promptly, but defenders have the option of adopting an active defense approach based on the D5 model of deny, disrupt, degrade, deceive, and destroy. For example, Deny means “a simple action, such as implementing a new firewall rule to block an attacker’s command and control or shutting down access to a compromised email account. The key to denial is preemptively excluding a resource from the malicious actor.” A particularly advanced form of proactive defense is Deceive, which as explained in the book : “ Deceive active defense action is based on the counterintelligence concept of deliberately feeding attackers false information with the hopes they’ll treat it as truth and make decisions based on it.”

3. Organizing, analyzing, and storing data during a security incident is critical.

During the madness of a security incident, it can become complicated to keep the information gathered during activities up-to-date and well-written. However, the very data collected, analyst observations and exchanges are one of the key elements in trying to prevent similar attack vectors from being reused.

What did I appreciate about this book? Do I recommend it?

I really liked the concise and clear style adopted by the authors to explain all the concepts that allows both technical and non-technical people to have a comprehensive overview of intelligence-driven incident response (IDIR). I also really appreciated that a careful analysis of the F3EAD cycle has been provided; the fact that a chapter has been devoted to each phase of the cycle allows readers to fully understand the concepts and begin to understand how these processes could be improved in one’s organization.

Yes, I absolutely recommend it as a read for both beginners and experts in the field who perhaps want to have a book that covers all these topics and offers interesting food for thought!