Chapter 7. Exploit

If you focus solely on the enemy, you will ignore the threat.

Colonel Walter Piatt

After the Find, Fix, and Finish phases, it is common for the final incident-response report to be delivered and the responders to move on to the next matter requiring their attention. But that is not where this book ends. Throughout the course of the investigation, incident-response teams gather a lot of data on attackers, look for additional information from within their networks, and take actions that have an impact on the attacker’s operations. Now, we need to gather all of that data, analyze it for intelligence value, and integrate it into not only detection and prevention methods but also more strategic-level initiatives such as risk assessments, prioritization of efforts, and future security investments. You now have to engage the intelligence portion of the F3EAD cycle: Exploit, Analyze, and Disseminate.

It is no secret why most security teams stop short of completing the F3EAD cycle: It’s hard enough to generate intelligence, but managing it is a whole new series of headaches. Dealing with processes, timing, aging, access control, and formats is enough to make anyone’s head spin. And yet, as undeniably complex as these problems are, they have to be addressed head-on. Properly extracting and capturing information about an incident and ensuring that it is followed up on can mean the difference between truly remediating an adversary’s access to your network and simply delaying ...

Get Intelligence-Driven Incident Response, 2nd Edition now with the O’Reilly learning platform.
