
Intelligence-Driven Incident Response
Outwitting the Adversary
A practitioner's guide to wiring threat intelligence into the incident response loop, built around the F3EAD cycle (Find, Fix, Finish, Exploit, Analyze, Disseminate) rather than tool-of-the-week tutorials.
- Authors
- Scott J. Roberts, Rebekah Brown
- Published
- 2023
- Publisher
- O'Reilly Media
- Pages
- 343
- Language
- English
Prerequisites
Working familiarity with the incident response lifecycle and basic network and host forensics. You should already know what an indicator of compromise (IOC) is before you open this.
Read this if
You are an IR analyst or CTI practitioner who wants a shared process language, or a team lead building an intel capability from scratch.
Skip this if
You are after hands-on tooling labs or detection-engineering recipes. This is process and analytic tradecraft, not a lab manual.
Key takeaways
- F3EAD gives incident response and intelligence a single, repeatable loop instead of two disconnected workflows.
- Good intelligence is a product with a consumer; if no decision changes, the analysis was overhead.
- Attribution and the kill chain are tools for action, not trophies to collect.
Notes
Strongest where it forces you to treat intelligence as a process with feedback, not a feed you subscribe to. The 2nd edition modernizes the examples and tightens the analytic chapters, though some readers will find the conceptual scaffolding heavier than the concrete payoff. Read it for the operating model, not for a step-by-step playbook.
What to read before
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
What to read next
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · 2023
Security Chaos Engineering
Kelly Shortridge and Aaron Rinehart on treating security as a property of complex adaptive systems: instead of preventing failure, you continuously simulate it, and design the organization to learn from each result.
Explore similar books
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, whose 1978 thesis introduced public-key certificates and who later co-created STRIDE, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate · 2014
Threat Modeling
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.