Support Incident Response

Learning Objectives

After completing this unit, you’ll be able to:

Describe how threat intelligence analysts support incident response.
Explain how to determine who was behind an incident.
Explain the importance of reviewing security incidents to pinpoint harmful behaviors.

Threat Intelligence and Incident Response

Incident response is an organization’s process of reacting to IT threats such as cyberattacks, security breaches, and server downtime. To learn more about responding and recovering from incidents, check out the Get Started with Security Operations trail. So, why are we talking about incident response? Because these teams have similar goals and typically work very closely together.

Threat intelligence analysts support incident responders by working to prevent security incidents, handle the ones that sneak through, and ensure the organization is covered either way. As a threat intelligence analyst, you stop attackers in their tracks by detecting emerging and known threats before an attack happens. You might provide intelligence about specific malware families and infrastructures used to attack organizations in your sector, to allow your company, who has not yet been breached, to put in place appropriate defenses. You have an understanding of the attacker mindset because you analyze how they behave and thus, are able to detect them before they can inflict damage.

Through threat hunting, you work to find intruders earlier in the attack chain, so you are alerted to suspicious activity as soon as it happens, and can investigate and respond before critical data is compromised. In summary, you monitor, hunt, and remediate attack, while incident responders respond when an attack happens.

Determining Who Is Responsible

Attribution means determining an action was caused by a person or group of people. Through attribution, analysts seek to understand malicious cyber activity in a timely manner to several levels of granularity, ranging from the broad category of adversary through to specific states and individuals.

However, attribution is very difficult, requiring intelligence sources that are reliable and accurate. Hackers have a lot of technical tools at their disposal to cover their tracks. And even when you figure out how an attacker conducted an attack, it can be much harder to figure out who that attacker is. This is because unlike a normal crime, with cybercrime there is no physical person to observe and see whose hands are on the keyboard.

Attribution can be useful if done correctly. Even higher level attribution, like determining the adversary group or geographic location of an attack can be helpful in understanding your adversary and their motivation. For businesses who have experienced an attack, it’s vital that they focus on improving their capabilities and technologies to learn to defend themselves in the future. However, attribution can be useful to an organization in understanding who is targeting them and how they succeed in the prevention of future attacks.

Most organizations are good at collecting threat intelligence, but they struggle to operationalize it, and use it for threat attribution. Threat intelligence analysts help support the incident response team in conducting investigations to attribute the incident to specific threat actors in order to gain a complete picture of the attack, and to help ensure the attackers are brought to justice. These cyber attribution efforts are often conducted in conjunction with official investigations conducted by law enforcement organizations. As a threat intelligence analyst, just like a detective sleuthing out who commited a crime, you may be asked to try to attribute the attack to a given source, whether a person, or a computing resource.

Image of a threat intelligence analyst using a magnifying glass to look for clues on a computer that can lead them to who perpetrated a crime.

There are a variety of ways to determine who is behind an attack when investigating cyberthreats. As a threat intelligence analyst, you try to link suspicious activity to the individual or group with primary operational responsibility for the malicious action. Or you may tie a specific actor to a real-world sponsor such as a political organization, nation-state or a non-political entity. You look at the tactics, techniques, and procedures (TTPs) used by a threat group. These include how reconnaissance, planning, exploitation, command and control, and exfiltration or distribution of information was performed, in order to link the incident to a known threat actor. You also use technical forensics to study specific indicators left behind in an incident to try to trace activity back to a known or new organized actor.

Reviewing Security Incidents

As your organization responds to an incident, and if possible attributes it, it’s critical that you and incident responders perform proper digital forensic investigations to be able to confidently determine how the incident was executed, how to properly defend yourself, and if any data was impacted. As a threat intelligence analyst, you review the historical timeline of the attack to:

Identify the TTPs and attacker infrastructure used in the attack.
Perform additional hunting or evaluation of potential new detection methods based on the artifacts left behind in the attack
Evaluate incidents in full context, including supporting the incident response team in determining where additional preventative measures can be taken to keep users safe.

You then build what you have learned back upstream into enterprise monitoring and prevention mechanisms. You also consider if this incident changes your threat profile and what that means for your longer term security strategy. A successful program requires constant vigilance, modifications, and reevaluation; your work here is never done. Hooray job security!

Knowledge Check

Ready to review what you’ve learned? The following knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching category on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Sum It Up

In this module, you’ve been introduced to methods for identifying threats, and how to investigate them. You’ve learned more about how to identify malicious activity, and respond to incidents and adapt.

Along with the information you reviewed in the Threat Intelligence module, you should now have a better understanding of what it takes to be a threat intelligence analyst. You can learn more about the in-demand cybersecurity skills necessary to get a job in threat intelligence, or another field, and learn more about security practitioners by visiting the Cybersecurity Learning Hub on Trailhead.