We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Dawn-Marie Hutchinson: Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization (2014) by Tyler Wrightson
In Advanced Persistent Threat Hacking, cybersecurity expert Tyler Wrightson reveals the instruments of attack needed to compromise any target in a well organized and easily digestible format. This book is a must read by both the technical cyber security professional and the board level executive seeking to further understanding of cyber security risks.
The book discusses the strategic issues that make all organizations vulnerable, providing noteworthy empirical evidence and supporting technical detail. Wrightson artfully describes the motives, methodologies and weaknesses that allow an attacker access to an organization, shedding light on both the technical and non-technical methods of hacking. The singular theme of the book is to highlight the relative ease with which an attacker can gain the necessary skill to perpetrate an attack.
Wrightson defines threats, motives and attack methodologies that are arguably foundational components of hacking and as applicable today as they were when we first began combating threats. The unique five-phased tactical approach to advanced persistent threat (APT) hacking is presented with real-world examples and hands-on techniques that are well understood by the ethical hacker community. Wrightson also provides perspectives around the role, strategies, tools and limitations of the penetration tester versus that of the APT actor, explaining why the threat actor is more effective at leveraging what one could argue are the same toolset. This book serves as a strong resource guide for both technical and non-technical audiences in building and defining security programs and strategies.
Wrightson provides empirical data that point to the imbalance of the defensive and offensive maneuvering and the relative costs to both, demonstrating that the attacker has the advantage in almost every circumstance. Enemies assaulting organizations have reduced the cost of attacking so significantly that it requires very few resources, time or skill to compromise an organization. Wrightson goes on to debunk the economic argument behind the goal of impermeability and sets the stage for valuable content surrounding the risk management process. The core competency of a business is not often security, neither is security the key revenue driver; therefore, decisions must be made relative to the cost of controls and the mitigation of risk such that the core business functions are not impaired. This section alone makes the book a must-read for security leadership, executives and boards of directors.
The book’s organization enhances readability for all audiences. Each section provides a high-level business discussion followed by a technological overview, data and examples. Additional, highly developed technical content is available further into the book, allowing the author to take the content deeper and provide additional value for the advanced cybersecurity professional. This broad accessibility of the content enhances its value to the cybersecurity community and provides the greatest value to non-technical stakeholders, who must become conversant in security as a matter of business necessity, and advances the discipline of cybersecurity.
The book creates a common understanding of existing vernacular around advanced persistent threats. By defining the APT by threat class – motive plus capability – the author paints a clear picture of the attacker and, ultimately, illuminates elements of the dark web to enable organizational conversation. The time the author takes to ensure that all readers are operating with the same understanding may be arduous to some, but it solidifies the book’s value as a communication vehicle for a broader audience and, subsequently, enhances future risk management discussions from the board level down.
Advanced Persistent Threat Hacking provided challenging and thought-provoking content in an easily digestible and palatable manner. I liked Wrightson’s approach, the layout of information, and the ways that he challenged existing viewpoints on the subject. I’m recommending this book for the Cybersecurity Canon because I think the vast majority of the strategies, tactics, techniques, tools and attacks defined in this book will remain effective instruments of compromise for the foreseeable future. Establishing the common language of advanced persistent threats and facilitating conversation among a broader audience make this book a must-read for the business executive and cybersecurity professional alike.