Threat Intelligence Book Club: Round 2

Last Wednesday, Rebekah Brown and I hosted Rapid7’s inaugural threat intelligence book club meeting, where we dug into the first third of Cliff Stoll’s classic The Cuckoo’s Egg with what was (fortunately for us) deemed appropriate enthusiasm. A huge thanks to everyone who took the time to join us in exploring the world of 1980s threat intel; your passion, eloquence, and expertise were inspiring. For those who missed it, never fear—there’s a quick recap of Rebekah’s excellent discussion questions below, and you’re welcome to start another round of discussion in the comments.

Want to join us for the next meeting? Register here.

“When you are doing real research, you never know how much it’ll cost, how much time it’ll take, or what you’ll find. You just know there is unexplored territory and a chance to discover what is out there.” - Cliff Stoll

Content review

To recap our initial post on what we’re hoping to achieve with this book club: These meetings are intended to help participants learn about the history and role of threat intelligence in information security, highlight aspects that are applicable to our jobs and our lives (including those whose professions and vocations have nothing to do with threat intelligence), and build deeper connections with a community of people interested in threat intelligence and its significance.

The book follows Cliff Stoll, a young astronomer-turned-programmer who chronicled the first documented case of cyber-espionage with panache, good humor, and an abiding respect for the scientific method. In our meeting, Rebekah noted that processes and tools for incident response and intrusion analysis were non-existent at the time Cliff wrote The Cuckoo’s Egg, but many of the problems he encountered and the methods he used are still common today.

Among the broad themes we identified:

  • The entire investigation started with a small anomaly...and a little bit of curiosity went a long way.
  • Information sharing was critical and required cross-disciplinary work, and the people involved had to develop their own information sharing network.
  • The importance of forensic data—in this case, a handwritten lab book—can’t be overstated.
  • Rigorous application of the scientific method is key to success throughout the story.

To see more real-time comments, check out #r7bookclub on Twitter. If you’re still on the fence about whether to read the book, it’s incredibly accessible to broad audiences and a genuinely fun read!

“Let’s be a tad careful and change our important passwords.” - The Cuckoo's Egg

Discussion questions

  • From the start, Cliff had to figure out how to tackle the problem he was facing, which morphed from an accounting error and fixing a bug in some software into tracking a hacker moving through his network as well as networks all over the country. The approach he took involved collecting the data he already knew to be anomalous, but also pulling in data from everywhere he could: login histories, phone records, and even a bit of social engineering. Does this approach still work today? What ways do we get started in modern threat intelligence?
  • Throughout the first few chapters we are introduced to a number of security myths or perceptions that security practitioners still run into today. Cliff didn’t believe that a hacker could guess their archaic passwords. The system administrator didn’t think anyone could create new users. They believed that many networks were isolated and couldn’t be reached. All of these have been proven to be myths, but now we can see some of the origins of these beliefs. How do you think perceptions have changed, and what can we do to continue to combat the myths?
  • Cliff was repeatedly told by other researchers and scientists to approach this problem like any type of research. Identify what you are trying to understand, gather the data, form hypotheses, and test them. Are there any issues you can see with this approach? How can this method work in time-sensitive situations?
  • Our audience brought their own experience to bear and added a few other questions: How do we get to ground truth in a complex modern computing environment? How would legality come into play today when conducting an investigation of this magnitude? When pondering the resources needed (including time) to approach a problem like a scientist, does it always come back to economics? And—my favorite—how would Cliff handle his OSINT?

Have thoughts? Sound off below.

For those who missed the first web meeting, never fear. Our next meeting will be Wednesday, March 14 at 4 PM EST: Register here. We’ll cover chapters 29-43, but as usual, don’t worry if you aren’t able to get through all the text. Cheers to another great discussion!