Chapter 2: Further Reading — Threat Landscape and Attack Taxonomy
An annotated bibliography of essential resources for deepening your understanding of the threat landscape, threat actors, attack frameworks, and threat intelligence. Resources are organized by topic, with annotations explaining their relevance.
Threat Landscape and Intelligence Reports
Verizon Data Breach Investigations Report (DBIR)
Available annually at verizon.com/dbir
The single most important annual publication for understanding the threat landscape. Based on analysis of tens of thousands of real incidents, the DBIR provides data-driven insights into which attack patterns are most common, which industries are most targeted, and which defenses are most effective. Referenced extensively in this chapter. Read it every year.
CrowdStrike Global Threat Report
Available annually at crowdstrike.com
CrowdStrike's annual threat report provides detailed analysis of nation-state and criminal threat groups, including attribution, techniques, and targeting patterns. Particularly strong on APT group analysis and the ransomware ecosystem. An excellent complement to the Verizon DBIR.
Mandiant M-Trends Report
Available annually at mandiant.com
Mandiant's report focuses on advanced threats and incident response trends. Provides essential data on dwell time, initial access vectors, and adversary post-compromise behavior. The M-Trends data on median dwell time (referenced in Section 1.4.4) comes from this report.
Microsoft Digital Defense Report
Available annually at microsoft.com
Microsoft's unique position — operating one of the largest cloud platforms, email services, and endpoint ecosystems — gives them unparalleled visibility into the threat landscape. Their annual report provides perspectives on nation-state activity, cybercrime trends, and defensive insights that complement other vendors' reports.
Frameworks and Standards
MITRE ATT&CK
Available at attack.mitre.org
The authoritative reference for adversary behavior taxonomy. Bookmark this and spend significant time exploring the Enterprise matrix, technique descriptions, and threat group profiles. The ATT&CK Navigator (mitre-attack.github.io/attack-navigator/) is essential for visualization and engagement planning. Start with the "Getting Started" resources on the ATT&CK website.
Lockheed Martin Cyber Kill Chain
Available at lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
The original 2011 paper by Eric Hutchins, Michael Cloppert, and Rohan Amin that introduced the Kill Chain model. Reading the original paper (rather than summaries) provides deeper insight into the defensive implications and the "intelligence-driven computer network defense" philosophy that the Kill Chain was designed to support.
OWASP Top 10
Available at owasp.org/www-project-top-ten/
The canonical list of the most critical web application security risks. Updated periodically, the OWASP Top 10 defines the vulnerability classes that ethical hackers must test for in web application engagements. Essential background for the web-specific attack vectors discussed in Section 2.5.2.
NIST Cybersecurity Framework (CSF) 2.0
Available at nist.gov/cyberframework
While primarily a defensive framework, the CSF provides the structure within which many organizations manage cybersecurity risk. Understanding the CSF's Identify, Protect, Detect, Respond, and Recover functions helps pentesters understand how their work fits into the client's overall security program.
Books on Specific Threat Actors and Attacks
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg (2019)
Doubleday. ISBN: 978-0385544405
A gripping investigation into Russia's Sandworm group (GRU Unit 74455), responsible for attacks on Ukraine's power grid, the NotPetya destructive malware, and interference in the 2016 U.S. elections. Greenberg's reporting brings nation-state threats to life and demonstrates the real-world impact of APT operations. Essential reading for understanding the geopolitical dimension of the threat landscape.
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth (2021)
Bloomsbury Publishing. ISBN: 978-1635576054
A comprehensive account of the zero-day exploit market and the global cyberweapons trade. Perlroth traces the evolution from individual vulnerability researchers to nation-state stockpiling of cyber weapons. Directly relevant to the discussion of vulnerability brokers and the gray hat ecosystem in Sections 1.3 and 2.5.3.
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter (2014)
Crown. ISBN: 978-0770436179
The definitive account of Stuxnet — the U.S.-Israeli cyberweapon that destroyed Iranian nuclear centrifuges. Zetter's meticulous reporting covers the technical sophistication of the attack, the geopolitical context, and the precedent it set for state-sponsored cyber operations. A landmark case in understanding nation-state threat actors.
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll (1989)
Doubleday. ISBN: 978-0385249461
A classic account of Stoll's detection and investigation of a German hacker breaking into U.S. military systems in 1986. Despite its age, the book illustrates fundamental principles of threat detection, adversary tracking, and the importance of anomaly detection that remain relevant today.
Ransomware and Cybercrime
Chainalysis Crypto Crime Reports
Available annually at chainalysis.com
Chainalysis tracks cryptocurrency flows associated with cybercrime, providing authoritative data on ransomware payments, money laundering, and the criminal cryptocurrency ecosystem. Their data on ransomware payment volumes (referenced in Section 2.1.2) is the most reliable available.
CISA Stop Ransomware Resources
Available at cisa.gov/stopransomware
The U.S. Cybersecurity and Infrastructure Security Agency maintains a comprehensive collection of ransomware-related advisories, tools, and best practices. Includes alerts on specific ransomware groups and their techniques. Essential reference for pentesters whose clients face ransomware risk.
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency by Andy Greenberg (2022)
Doubleday. ISBN: 978-0385548090
Investigative journalism covering how law enforcement agencies learned to trace cryptocurrency transactions to identify and arrest cybercriminals. Relevant to understanding the ransomware ecosystem and the limits of cryptocurrency's anonymity.
Supply Chain Security
CISA Supply Chain Risk Management Resources
Available at cisa.gov/supply-chain
Official U.S. government guidance on supply chain security, including the ICT Supply Chain Risk Management (SCRM) Task Force publications. Provides frameworks for evaluating and mitigating supply chain risks.
Google SLSA (Supply-chain Levels for Software Artifacts)
Available at slsa.dev
A framework for ensuring the integrity of software build processes — directly addressing the type of attack that made SolarWinds possible. Understanding SLSA helps pentesters evaluate the security of their clients' software supply chains.
Threat Intelligence
Intelligence-Driven Incident Response by Scott J. Roberts and Rebekah Brown (2017)
O'Reilly Media. ISBN: 978-1491934944
The best book on applying threat intelligence to security operations. Covers the intelligence lifecycle, analysis techniques, and practical application. While focused on incident response, the principles are directly applicable to intelligence-driven penetration testing.
FIRST (Forum of Incident Response and Security Teams) Resources
Available at first.org
FIRST coordinates global incident response and hosts the most important conferences in threat intelligence sharing. Their Traffic Light Protocol (TLP) for information sharing classifications is widely used in the threat intelligence community.
MISP (Malware Information Sharing Platform)
Available at misp-project.org
An open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise. Understanding MISP helps pentesters work with threat intelligence data during engagement planning.
Online Resources and Continuous Learning
CISA Alerts and Advisories
Available at cisa.gov/news-events/cybersecurity-advisories
Real-time advisories about actively exploited vulnerabilities and ongoing campaigns. Subscribe to alerts to stay current with the evolving threat landscape. Many advisories include MITRE ATT&CK mappings.
Recorded Future Blog
Available at recordedfuture.com/blog
Recorded Future is one of the leading threat intelligence firms. Their blog publishes detailed analysis of threat groups, campaigns, and trends. Excellent for understanding how threat intelligence is produced and consumed.
The DFIR Report
Available at thedfirreport.com
Publishes detailed analyses of real intrusions, from initial access through actions on objectives. Each report maps the attack to MITRE ATT&CK techniques and provides IOCs. Exceptional for understanding how attacks unfold in practice.
Recommended Reading Order
For building a comprehensive understanding of the threat landscape:
1. Verizon DBIR (most recent) — Current threat data
2. MITRE ATT&CK "Getting Started" resources — Framework foundation
3. Sandworm (Greenberg) — Nation-state threats brought to life
4. CrowdStrike Global Threat Report — APT group analysis
5. CISA Stop Ransomware resources — Ransomware ecosystem
6. Intelligence-Driven Incident Response (Roberts & Brown) — Applying intelligence
7. This Is How They Tell Me the World Ends (Perlroth) — Zero-day market context