Further Reading: The Threat Landscape

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 3. The single most valuable thing you can do after this chapter is spend an hour clicking through the live MITRE ATT&CK matrix; do that first.

Suggested order

  1. Open MITRE ATT&CK (attack.mitre.org) and click through one tactic column and a couple of technique pages — see the tactic → technique → procedure hierarchy as a living thing, not a definition.
  2. Read the Verizon DBIR "Summary of Findings" to ground the actor taxonomy and motivations in data (who actually attacks whom, and why).
  3. Skim the CISA advisory on the SolarWinds / Orion compromise to see a real intrusion described in ATT&CK terms by the government.
  4. Read the original Lockheed Martin kill-chain paper for the model's source and reasoning.
  5. Keep an ATT&CK Navigator layer and a Security+/CISSP glossary nearby as references, not read-throughs.

Standards & primary frameworks (Tier 1)

  • MITRE ATT&CK (attack.mitre.org). 🛡️🏗️📜 The field's shared knowledge base of adversary tactics and techniques, free and continuously updated. You will use it for the rest of your career; we return to it in detection engineering (Chapter 22) and the case studies (Chapter 40). Browse the Enterprise matrix and one group page.
  • MITRE ATT&CK Navigator (mitre-attack.github.io/attack-navigator). 🛡️ A free tool for visualizing coverage and adversary technique sets on the matrix — the practical way to build the "coverage map" this chapter describes; you will use it to find detection gaps in Chapter 22.
  • Lockheed Martin, Intelligence-Driven Computer Network Defense (the "Cyber Kill Chain" paper), Hutchins, Cloppert, Amin. 🛡️📋 The original source of the kill-chain model and the "break any link" reasoning this chapter is built on. Short, foundational, and clarifies what the model was designed for.
  • Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 The best evidence base for who attacks, why, and how — actor categories, motivations (overwhelmingly financial), and the dominant vectors. Confirms that the boring causes (credentials, phishing) dominate the exotic ones. Read the summary of findings.
  • CISA advisories on the SolarWinds / Orion supply-chain compromise (Cybersecurity and Infrastructure Security Agency). 🛡️🏗️📋 The authoritative public description of the campaign and its mitigations, written in ATT&CK terms. The canonical primary source for this chapter's anchor case (Tier 1 for the government account; treat any specific internal numbers elsewhere as Tier 2).
  • NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (threat-source and threat-event taxonomy). 📋📜 Connects this chapter's actor/threat vocabulary to the formal risk process you will build in Chapter 27; its appendices catalog threat sources and events.
  • MITRE, Common Attack Pattern Enumeration and Classification (CAPEC) and the CWE it links to. 🏗️ A complementary catalog of attack patterns (CAPEC) and software weaknesses (CWE); useful when you reach application security (Chapters 12–13) and want to connect attacker techniques to the flaws they abuse.

Threat intelligence & adversary reporting (Tier 1 / Tier 2)

  • Mandiant / Google Cloud threat-intelligence reporting (e.g., the M-Trends annual report). 🛡️📋 A leading incident-response firm's data on dwell time, attacker behavior, and APT activity — excellent for understanding the espionage end of the spectrum and how intrusions are actually discovered. (Tier 1 as a named, reputable source; treat specific year-over-year figures as reported, Tier 2.)
  • CISA Known Exploited Vulnerabilities (KEV) Catalog and alerts. 🛡️🏗️ A live feed of what attackers are exploiting right now, and concrete evidence that threat is defined by what adversaries actually use, not by what is theoretically possible. We use KEV for prioritization in Chapter 23.
  • MITRE ATT&CK Groups pages. 🛡️ Profiles of tracked adversary groups and the techniques attributed to them — the practical bridge from "threat-actor taxonomy" to "which techniques should we detect?" Read the page for a financially motivated group and one for an espionage group and compare their TTPs.
  • Vendor and ISAC threat reports for your sector (e.g., financial-sector information-sharing). 📋🛡️ Threat intelligence is most useful when it is about your sector; sector ISACs and reputable vendor reports tell a bank which actors and campaigns realistically target banks. (Tier 2: quality varies by source; prefer named, well-sourced reporting.)

Books (Tier 1)

  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Thorough, exam-aligned coverage of threat actors, attributes, motivations, the kill chain, and threat intelligence — an excellent companion for certification candidates working through this chapter.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 Broader and deeper on threat modeling, STRIDE, and security operations; use the relevant domains alongside this chapter for a management-track view.
  • Roberts, S. J., & Brown, R., Intelligence-Driven Incident Response. 🛡️📋 A practical treatment of threat intelligence, the intelligence cycle, and using adversary knowledge to drive detection and response — the natural next step from this chapter's IoC/TTP/intel vocabulary toward Chapters 22 and 24.
  • Anderson, R., Security Engineering (3rd ed.). 🏗️ Deep, opinionated chapters on adversaries, attacker economics, and how real systems fail — excellent context for why economically rational attackers behave as they do. Dip into the relevant chapters now.

Free online & talks (Tier 1 / Tier 2)

  • The MITRE ATT&CK Getting Started materials and "ATT&CK for the rest of us" style talks. 🛡️🏗️ Short introductions to using ATT&CK for detection and threat-informed defense without boiling the ocean — directly counters the "turn the whole matrix green" pitfall in this chapter.
  • Reputable retrospectives and timelines of the SolarWinds campaign (government, the affected vendor, and major incident-response firms). 📋🛡️ Read at least two independent accounts and notice where they agree and where details are hedged — practice the "read a breach honestly" discipline this chapter's Case Study 2 models. (Tier 2: specifics vary by retelling; anchor on the CISA account above.)
  • Talks on ransomware operations and the initial-access-broker economy (reputable conference recordings). 🛡️📋 Ground the "cybercriminals are economically rational" claim in how the criminal ecosystem actually functions — affiliates, brokers, and double extortion (which we develop in Chapter 35).

Tools to explore (in your own lab only)

  • A STRIDE-lite worksheet for a system you own. 🏗️📋 The best first practice needs no software: run the six STRIDE categories against your own email account or a small app, tying each threat to an actor and a kill-chain stage, exactly as Meridian's team did in §2.6.
  • ATT&CK Navigator layers. 🛡️ Build a layer for the techniques of one adversary group, then a second layer for "detections you think you have," and compare — a hands-on preview of the coverage-mapping work in Chapter 22.

⚖️ Authorization & Ethics reminder: Several of these resources describe attacker techniques in detail. Study them to defend; apply any active technique only to systems you own or are explicitly authorized to assess (Chapter 39). Reading ATT&CK makes you a better defender — it is not a to-do list for someone else's network.