The Defender’s Advantage: A guide to activating cyber defense

Table of Contents

Foreword (p. 6)
Introduction (p. 9)
What is Cyber Defense? (p. 13)
Intelligence provides a guiding light (p. 19)
  Activating the Threat Intelligence Lifecycle (p. 20)
  Planning and direction (p. 21)
  Collection (p. 23)
  Analysis (p. 23)
  Production (p. 25)
  Dissemination (p. 27)
  Feedback (p. 28)
  Key intelligence services (p. 29)
  Understanding the threat landscape (p. 30)
  Vulnerability prioritization (p. 30)
  Security operations integration (p. 31)
  Brand Intelligence (p. 32)
  The Cyber Threat Profile (p. 32)
  Developing a cyber threat profile (p. 33)
  Operationalizing intelligence across the Cyber Defense functions (p. 37)
Detecting and investigating malicious activity (p. 41)
  Detection engineering (p. 43)
  Aligning detections to attacker tactics, techniques, and procedures (p. 44)
  Logging driven by TTPs (p. 45)
  Pursuit of fidelity (p. 46)
  Detection optimization (p. 47)
  Automation strategy (p. 48)
  Detection tooling strategy (p. 50)
  Personnel strategy (p. 52)
Responding to compromise (p. 55)
  Initial triage (p. 55)
  Data collection and analysis (p. 57)
  Decision points and next steps (p. 58)
  Playbook review (p. 60)
  Investigation lifecycle (p. 62)
  Core activities of the investigation phase (p. 62)
  The cyclical nature of the investigation (p. 62)
  Dual pathways from analysis (p. 63)
  Crafting a comprehensive attacker timeline (p. 64)
  Incorporating modern enhancements (p. 64)
  Incident remediation (p. 65)
  Containment (p. 68)
  Eradication (p. 70)
  Security enhancement (p. 72)
  Testing response plans (p. 74)
  Investigation accelerators (p. 74)
  Leveraging attacker intelligence (p. 76)
  IOC hunting automation (p. 76)
  Incident Response Retainers (p. 77)
Targeted testing and validation of controls and operations (p. 79)
  Managing the attack surface (p. 81)
  Understanding the components of security validation (p. 83)
  Intelligence-led validation (p. 87)
  Validating the effectiveness of controls (p. 88)
  Validating the effectiveness of operations and staff (p. 90)
  Validate and enhance the detection engineering lifecycle (p. 97)
  Manage organizational vulnerabilities (p. 98)
  Informing organizational risk (p. 100)
  Identify gaps in cyber defenses (p. 102)
  Identify environmental and configuration drift (p. 104)
Hunting for active threats (p. 107)
  Goals of threat hunting (p. 107)
  Developing a threat hunt program (p. 108)
  Programmatic considerations (p. 108)
  Capability considerations (p. 110)
  Threat hunt pipeline (p. 111)
  Threat intelligence considerations (p. 111)
  Threat modeling and visibility mapping (p. 113)
  Hypothesis development (p. 115)
  Performing threat hunts (p. 116)
  Developing detection use cases through hunting (p. 121)
Coordinating Cyber Defense through Mission Control (p. 123)
  Overcoming challenges (p. 126)
  Fostering alignment and resiliency (p. 127)
  Promoting empowerment and accountability (p. 127)
  Facilitate agility and expertise (p. 128)
  Drive responsibility and transparency (p. 129)
  Resource management and staffing (p. 129)
  Strengthening organizational security posture (p. 132)
  Developing and maintaining processes and procedures (p. 132)
  Incorporating metrics and trending (p. 136)
  Commanding the crisis: Leadership in major incident management (p. 138)
  Incident and crisis communications (p. 138)
Activating Cyber Defense (p. 143)
  Stakeholder buy-in (p. 143)
  Staffing considerations (p. 144)
  Leveraging accelerators (p. 145)
  Engaging Managed Services (p. 146)
  Flexible consumption models (p. 147)
Conclusion (p. 149)

Foreword

The importance of cybersecurity cannot be overstated

No organization today is immune to cyber threats. Attackers target large and small organizations across all industry verticals for any number of reasons—most notably espionage and cybercrime. Even the most security-mature organizations are at risk. Attackers are increasingly leveraging zero-day vulnerabilities and other tactics to evade even the best detections, and traditional threats such as phishing continue to evolve and adapt in order to remain effective.

For organizations, a security breach can be devastating and costly. The impact can be everything from data and intellectual property theft to financial losses to reputational harm—and often a mix of several. Further, attacks on critical infrastructure, financial institutions, and government organizations, as well as cyber-physical warfare seen in global conflicts, can threaten our way of life.
Defenders equipped with cybersecurity tools and technologies, threat intelligence, and robust processes serve as guardians, protecting the confidentiality, integrity, and availability of information and systems. Throughout my career with Mandiant and now Google Cloud, I have observed that organizations that are well prepared with robust cyber defenses are significantly more effective at reducing the impact of security breaches and may even be able to prevent some attacks from being successful.

In my view, the best way to defend against adversaries is to leverage intelligence to better understand their tradecraft, and infuse it into all aspects of a cyber defense program, including hunting, detection, response, remediation, and validation. When aligned to the organization’s overall security mission, these functions create a framework—a well-organized set of core capabilities—required to be ready for modern threats.

On top of all this, organizations must feel confident in their cyber defenses and readiness if they want to effectively protect data, employees, and even our way of life. Part of this confidence comes wh