Intelligence-Driven Incident Response
by Scott J Roberts and Rebekah Brown
Copyright 2017 Scott J. Roberts and Rebekah Brown. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Editors: Courtney Allen and Virginia Wilson
- Production Editor: Shiny Kalapurakkel
- Copyeditor: Sharon Wilkey
- Proofreader: Amanda Kersey
- Indexer: Judith McConville
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Rebecca Demarest
- August 2017: First Edition
Revision History for the First Edition
- 2017-08-21: First Release
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Intelligence-Driven Incident Response, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-93494-4
Foreword
Over 20 years ago, I was involved in my first large-scale intrusion by a nation-state actor from Russia called Moonlight Maze. My job for the Air Force Office of Special Investigations was to aid in data collection, interception, and analysis of adversary activity that occurred on the network and compromised systems. We learned through analyzing multiple attacks across many targets that this adversary was not going away by only pulling the plug from the back of the hacked systems. The enemy was extremely patient. Once they detected our response measures, they would persist in not reaccessing the same target for weeks. The attackers would ensure survival by hitting more than one target across the network and leave back doors on many systems. Across multiple intrusions by the same attackers, the task force started to put together a playbook on who this adversary was, how they operated, and what they were after. This playbook helped inform the defenses of many DoD locations worldwide. What was one of the outcomes of the Moonlight Maze intrusion? The scope and urgency of the attacks led to the formation of the Joint Task Force-Computer Network Defense (JTF-CND) that later became the gestation of U.S. Cyber Command.
We learned a lot from these advanced attacks in the late '90s. First and foremost, we learned that to detect the adversary, we had to learn from the enemy. Early on we discovered tools and practices that would allow us to pinpoint the same adversary on other networks. The information that helped inform our defenses and detect specific attackers became the formation of, likely, the most significant information security development since the intrusion detection system and the firewall: cyber-threat intelligence.
Having responded to hundreds of incidents through my career in the DoD, US Government, Mandiant, and my own company, the one thing we always rely on is that an incident responder's primary objective is to use the opportunity to learn about the adversaries attacking you. With this information, we can observe another network and assess if the same enemy compromised them. This intelligence lays the bedrock for our approach to proper information security and defensive posturing against these specific threats. Organizations aren't likely to be hit by any hacker; they are likely part of a group, and they have your organization's name on a hit list. Without cyber-threat intelligence as the primary consumer of incident-response data, the security defenses could never improve and reduce the dwell time for the adversaries inside the networks they're compromising.
Threat intelligence was vital to intrusions over 20 years ago, starting with the story told in The Cuckoo's Egg, written by Cliff Stoll, and has been ever since. But somehow, most organizations are still learning to adopt the same principles. Part of the reason is the failure of proper resources that groups can follow. Another factor is bad advice from security vendors. Lucky for us, this book now exists and steps the reader through proper threat-intelligence concepts, strategy, and capabilities that an organization can adopt to evolve their security practice. After reading this book, your operations can grow to become an intelligence-driven operation that is much more efficient than ever in detecting and reducing the possible impact of breaches that will occur.
As the SANS Institute's Digital Forensics and Incident Response Curriculum Director and Lead, I have been discussing the importance of proper threat assessment and intelligence for many years. Many argued that it was a nice-to-have and not as important as stopping the adversary, until analysts started to learn there was little they could do to eliminate an adversary without it.
I have advised many executives over the years that money would be better spent on developing proper threat intelligence than on vendor hardware that will likely not detect the next intrusion without being fed indicators learned and extracted as a part of the threat-intelligence analytical process. Part of that advice came from listening to conversations with the authors of this book, Scott and Rebekah.
Scott and I worked together at Mandiant and have remained friends ever since. I regularly follow up with him over the years and am an avid reader of his papers and articles. Scott is currently one of our instructors for the SANS Institute's Cyber Threat Intelligence course (FOR578). Listening to Scott present on this topic for many years is always a breath of wisdom that is equivalent to hearing Warren Buffett give financial advice. I can hear Scott's voice in my head as I read his thoughts pouring off the pages in this book.
Similar to my background, Rebekah is former military and worked across the board in cyber operations. She is formerly the Cyber Unit Operations Chief for the U.S. Marine Corps. She was also a cyber-operation exercise planner in the DoD, a network warfare analyst while at the NSA, and worked to create threat intelligence in Fortune 500 companies and across information security vendors. Rebekah's knowledge is on point and intuitive. She knows and understands this space like no other, having lived it by working inside and outside the DoD (both Intel and cyber communities) and across many companies. Rebekah has provided cyber-threat intelligence briefs at the White House, based on her theories of coordinated defensive and offensive cyber operations. Getting to know Rebekah has been amazing and enlightening, especially as I continue to learn how traditional intelligence methods are applied to cyber-operations analysis. I am also proud to highlight that Rebekah is also a course author and instructor for the SANS Institute's Course in Cyber Threat Intelligence (FOR578).
Together, Scott and Rebekah have put together their thoughts on paper in one of the most informed cyber-operations strategy guides you could ever pick up. You should consider making this book mandatory reading for all cyber analysts in your organization. This book is at the top of my recommended reading list for any cybersecurity analysts, old and new. The ideas expressed in this book don't solve technical challenges, hacking tactics, or configuring security defenses, but instead focus on concepts, strategy, and approaches that indeed work at improving the posture, detection, and response inside the security operations of your organization.