Essential Cybersecurity Reading

There are many resources out there for anyone interested in learning about cybersecurity, and nearly anyone can become a self-taught hacker. Everyone has their own list; this is mine. Here are the books and documents that I believe every cybersecurity analyst should read. I hate reinventing the wheel, and these texts already say what I would say on each subject.

What started it all for me...

The very first book that really put things together for me in cybersecurity was Intrusion Signatures and Analysis by Stephen Northcutt et al. Although dated by 2018 standards, the fully worked-out analytical approach is what sets this book apart, and it is all the more appreciated in today's world of PowerPoint education. I recommend it highly for any new analyst just starting out, even in 2018.

Threat Modeling

Cybersecurity risk depends largely on the extent to which software is able to mitigate threats. But what are those threats? A foreign nation state? A hacker in their mother's basement? Software flaws are the primary target of attacks that facilitate the ultimate criminal objective, so threats have to be identified and addressed from a software perspective, from the design stage through maintenance. Threat Modeling: Designing for Security (Adam Shostack) defines the high-level categories of threats to software: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (STRIDE). Once you internalize STRIDE, it can be applied immediately to organize an assessment of the security posture of any software system (mobile, desktop, web, APIs).
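As an added illustration of how STRIDE organizes an assessment (this is example code written for this page, not code from Shostack's book), the script below models a small web service as data-flow-diagram elements and applies the STRIDE-per-element chart from the book, which says that not every category is meaningful for every kind of element (an external entity can be spoofed or repudiate, a data flow can be tampered with, disclosed or denied, and so on). The system being modeled and the prompting questions are assumptions made up for the example.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Models a system as DFD elements, enumerates the STRIDE categories that apply
to each kind of element, and turns the result into a review checklist that
starts with elements on a trust boundary. The modeled system is constructed
for illustration and is not a real deployment."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element chart (Shostack, Threat Modeling: Designing for Security,
# ch. 3). Repudiation is listed for data stores because logs are data stores.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

# One prompting question per category (assumed wording); {el} is the element name.
QUESTIONS: Dict[str, str] = {
    "S": "How does {el} prove its identity, and how does it verify its peer's?",
    "T": "Who can modify {el} (or data in transit over it) without detection?",
    "R": "If an action involving {el} is disputed, what evidence exists?",
    "I": "What does {el} expose to someone who should not see it?",
    "D": "How does {el} behave when overloaded or when a dependency is down?",
    "E": "Can input to {el} make it act with more authority than the caller has?",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # key of STRIDE_PER_ELEMENT
    crosses_trust_boundary: bool = False


def enumerate_threats(elements: List[Element]) -> List[Tuple[str, str]]:
    """Return (element name, STRIDE letter) for every applicable category."""
    threats: List[Tuple[str, str]] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append((el.name, letter))
    return threats


def checklist(elements: List[Element]) -> Dict[str, List[str]]:
    """Turn the enumeration into per-element review questions. Elements that
    cross a trust boundary come first, since that is where to start looking."""
    ordered = sorted(elements, key=lambda e: not e.crosses_trust_boundary)
    result: Dict[str, List[str]] = {}
    for el in ordered:
        result[el.name] = [
            f"{STRIDE[letter]}: " + QUESTIONS[letter].format(el=el.name)
            for _, letter in enumerate_threats([el])
        ]
    return result


# Constructed, simplified model of a web service (an assumption for the example).
SAMPLE_MODEL: List[Element] = [
    Element("Browser", "external_entity"),
    Element("Browser -> API (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web API", "process"),
    Element("API -> DB (SQL)", "data_flow"),
    Element("Customer DB", "data_store"),
    Element("Audit log", "data_store"),
]

if __name__ == "__main__":
    for name, questions in checklist(SAMPLE_MODEL).items():
        print(name)
        for q in questions:
            print("  -", q)
```

Running it prints a 22-item checklist, with the boundary-crossing HTTPS flow first; the value of the chart is that it stops you asking "can the browser be elevated?" and focuses the six questions on the process where they matter.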

Incident Handling

There are various books, articles and recipes out there on the tactical cybersecurity incident handling process. In my experience, only the U.S. Department of Defense ("DoD") has documented a reasonably comprehensive process: the Cyber Incident Handling Program, Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01B. Although specific to the high-level processes of the U.S. DoD, it provides extensive explanation and training on incident analysis, response and collaboration. Below is an edited version containing only those sections:

  • Enclosure D - Cyber Incident Analysis
  • Enclosure E - Cyber Incident Response
  • Enclosure F - Collaboration with Other Strategic Communities

Although I recommend reading the entire document to see how a fully documented incident handling program is structured, these three enclosures will be especially beneficial to junior analysts as they grasp the "big picture" of incident handling, and to senior analysts who need reaffirmation of their processes.

m651001 - enc D to F.pdf

Incident Response

Along the lines of the O'Reilly "Cookbook" series, the Blue Team Handbook: Incident Response Edition gets straight to the point, providing task-oriented information ranging from incident response planning to specific commands to run on the command line. The high-level discussion of procedures also helps the reader put the technical actions into the context of the overall response strategy. Although it targets a "Blue Team" audience, most of the techniques described are information gathering techniques that a "Red Team" could benefit from and execute immediately.

Intelligence

Consistently investigating, documenting and reporting on cybersecurity events and incidents in your organization are critical activities in the cybersecurity defense lifecycle. Only through a methodical approach to analysis and documentation will you be able to identify advanced and long-term indicators, trends, threats and adversary objectives, and through this "intelligence-driven" approach you will be able to develop more effective and longer-lasting mitigations. The Lockheed Martin paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Hutchins, Cloppert and Amin) applies human intelligence analysis techniques to cybersecurity indicators: it introduces the intrusion kill chain (reconnaissance through actions on objectives), classifies indicators as atomic, computed or behavioral, and uses indicators that recur across intrusions to link them into adversary campaigns and to infer intent and attribution. As with the threat modeling text above, internalizing this approach to analyzing indicators of compromise will help you understand and address even the most advanced threats.
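The core move of the Lockheed Martin paper is to record every intrusion's indicators by kill-chain phase and then look across intrusions for indicators that repeat: a repeated indicator links separate incidents into one campaign, and the earliest phase in which any shared indicator appears is where the next intrusion in that campaign can be caught. The script below is an added example of that analysis written for this page (not the paper's own code or tooling); the three intrusions, their indicators and the domain names are constructed for illustration.

```python
"""Campaign analysis over kill-chain-phased indicators (added example).

Each intrusion is recorded as a set of indicators, each tagged with the
kill-chain phase in which it was observed and its type (atomic, computed or
behavioral, following the Lockheed Martin paper). Indicators seen in more
than one intrusion link those intrusions into a campaign, and the earliest
phase among the shared indicators is the defender's best detection point.
All intrusion data below is constructed, not taken from a real incident."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}

Key = Tuple[str, str]  # (indicator kind, indicator value)


@dataclass(frozen=True)
class Indicator:
    phase: str   # kill-chain phase in which it was observed
    kind: str    # "atomic", "computed" or "behavioral"
    value: str


@dataclass(frozen=True)
class Intrusion:
    ident: str
    indicators: Tuple[Indicator, ...]

    def keys(self) -> Set[Key]:
        return {(i.kind, i.value) for i in self.indicators}


def index_by_indicator(intrusions: List[Intrusion]) -> Dict[Key, Set[str]]:
    """Map each indicator to the set of intrusion ids in which it was seen."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    for intr in intrusions:
        for key in intr.keys():
            seen[key].add(intr.ident)
    return dict(seen)


def campaign_indicators(intrusions: List[Intrusion],
                        min_intrusions: int = 2) -> Dict[Key, Set[str]]:
    """Indicators that recur across intrusions: the evidence that ties
    separate incidents to one adversary campaign."""
    return {key: ids for key, ids in index_by_indicator(intrusions).items()
            if len(ids) >= min_intrusions}


def link_intrusion(new: Intrusion, prior: List[Intrusion]) -> Dict[str, Set[Key]]:
    """For a fresh intrusion, which prior intrusions share indicators with it
    (and which indicators), so the analyst can pivot into the campaign."""
    links: Dict[str, Set[Key]] = {}
    for old in prior:
        shared = new.keys() & old.keys()
        if shared:
            links[old.ident] = shared
    return links


def earliest_phase(intrusions: List[Intrusion], wanted: Iterable[Key]) -> str:
    """Earliest kill-chain phase at which any of the given indicators was
    observed: the phase where the next intrusion could be stopped."""
    wanted = set(wanted)
    phases = [ind.phase for intr in intrusions for ind in intr.indicators
              if (ind.kind, ind.value) in wanted]
    if not phases:
        raise ValueError("none of the requested indicators occur in these intrusions")
    return min(phases, key=PHASE_INDEX.__getitem__)


# Constructed sample intrusions (assumed values, .example domains are reserved).
INT1 = Intrusion("INT-1", (
    Indicator("weaponization", "computed", "sha256:1111"),
    Indicator("delivery", "atomic", "invoice@mail.example"),
    Indicator("exploitation", "behavioral", "PDF reader spawns cmd.exe"),
    Indicator("command_and_control", "atomic", "update.c2.example"),
))
INT2 = Intrusion("INT-2", (
    Indicator("weaponization", "computed", "sha256:2222"),
    Indicator("delivery", "atomic", "hr@mail.example"),
    Indicator("exploitation", "behavioral", "PDF reader spawns cmd.exe"),
    Indicator("command_and_control", "atomic", "update.c2.example"),
))
INT3 = Intrusion("INT-3", (
    Indicator("weaponization", "computed", "sha256:3333"),
    Indicator("delivery", "atomic", "invoice@mail.example"),
    Indicator("exploitation", "behavioral", "PDF reader spawns cmd.exe"),
    Indicator("command_and_control", "atomic", "sync.c2.example"),
))
INTRUSIONS = [INT1, INT2, INT3]

if __name__ == "__main__":
    shared = campaign_indicators(INTRUSIONS)
    for key, ids in shared.items():
        print(f"{key[0]:10} {key[1]:30} seen in {sorted(ids)}")
    print("links for INT-3:", link_intrusion(INT3, [INT1, INT2]))
    print("earliest detection phase for this campaign:", earliest_phase(INTRUSIONS, shared))
```

Note what falls out: the file hashes never repeat (the adversary rebuilds the lure each time), but the sender address, the exploitation behavior and the C2 domain do, and the earliest of those sits at delivery, so the campaign can be blocked before any host is exploited. That shift from per-incident cleanup to campaign-level mitigation is the paper's central argument.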

Programming

There are several books out there that will teach you the basics of computer programming. If you are in this line of work, you are expected to know a few languages and to be able to pick up new ones on your own as needed. The O'Reilly "Cookbook" series and "Pocket References" have been especially helpful to me over the years: by focusing on how to accomplish a specific task in the code examples, they bring you up to speed on the language quickly while you get your task done. Task-oriented learning has always worked best for me, so the Python Cookbook is the book I recommend. Your diligence, patience, tenacity and this book will help you automate many cybersecurity tasks, including log, file and traffic analysis.

Cybersecurity Program and Risk Management

"This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security." NIST.gov. No other cybersecurity framework has been as comprehensive or as readily adopted by government, business, finance and healthcare organizations to manage their cybersecurity programs; nearly every regulated industry is either adopting it directly or mapping its controls to the Framework's categories. This is required reading for every member of your organization's information security and cybersecurity team.

Cybersecurity Workforce and Education

Cybersecurity training is occurring at all levels, from elementary, middle and high schools to community colleges, universities and trade schools. For many years, defining the different roles involved in cybersecurity and their associated capabilities has been elusive and subjective. NIST's National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST SP 800-181) provides a viable solution: it defines nearly every role and the expected knowledge, skills and abilities for each. Organizations with cybersecurity requirements can use it to plan training, specify employee requirements and define job roles and responsibilities more consistently. NIST also provides a spreadsheet version and an online search site to help you locate and isolate the roles you are interested in.

Security Operations Center

There is only one text I am aware of that best describes the true structure and workflow of a CERT-level cybersecurity operations center: MITRE's Ten Strategies of a World-Class Cybersecurity Operations Center (Carson Zimmerman). That's all I have to say about this one... it's that good.