Last updated at Tue, 25 Apr 2023 23:16:40 GMT

Welcome, book clubbers! Our next digital book club meeting will be Thursday, April 5, 2018 at 8 PM EST. Register here (required):

First-timer? Don’t have the book? No problem. We’ll be summarizing the plot and the takeaways from the book as a whole next time, so new folks are welcome and encouraged to join in. Reminder: Our book club is for people who are interested in learning about threat intel for the first time as well as those who are seasoned pros. Don’t let lack of experience scare you away! We’re open to all knowledge levels.

For those who want to catch up, here’s the recap of our first meeting.

“These hackers undermine the openness that lets us do science together.”

March 14: Content review

In last week’s threat intel book club meeting, Rebekah Brown led us through the middle section of The Cuckoo’s Egg and posited some new questions for discussion and reflection. Our intrepid investigator, Cliff Stoll, continued to track down the hacker who was breaking into his beloved Lawrence Berkeley Labs. He’s built valuable relationships with staff from telecommunications companies, and though he’s traced the hacker to several locations in Germany, he isn’t having a ton of luck getting help from the federal government. He and his (it must be said) brilliant partner Martha come up with a plan to lure the hacker in—and it works.

“I’d been gathering facts, not interpreting them.”

Discussion questions

  • Cliff has started the basics of ACH—analysis of competing hypotheses—when he is trying to understand where the hacker comes from. There were a number of factors he used to form his hypotheses, some of which were facts (e.g., time of day activity occurred, Unix command types) and some of which were assumptions (e.g., cost of dialing, the experience level of the hacker). Capturing this information and analyzing it in a structured manner is a good way to interpret new information, or to seek out missing information. More information on ACH here. What methods do YOU use to capture and analyze information?
  • In last week’s meeting, we touched on a fundamental tension: The government wanted to keep people out, but the universities needed to let people in. Their scientific research relies on collaboration, and their networks needed to facilitate that. How do we balance the need for security with the need for open access? Do we still struggle with these problems today?
  • Cliff kept wonderful documentation, and his logbook is one of the staples throughout the entirety of The Cuckoo’s Egg. Where do we stand on documentation—not just for incident response, but in everyday processes and procedures? What are some of the best methods to document work?
  • There are varying opinions on how important the individual hacker is—not just to this case but to security in general. Some people in the book thought knowing about the hacker as an individual (gender, age, habits, proficiency, etc) was key, but some seemed to view catching hackers and conducting security as mutually exclusive tasks. How has threat intelligence changed people’s perception of the adversary? What are some pros and cons about it? Do you think we can or should separate incident response from securing computers?


  • Collaboration and communication are critical.
  • Leveraging experts in other fields works to your advantage.
  • Document everything!
  • Use structured analytic methods to counteract bias (e.g., ACH).
  • Finding a support system—both professionally and personally—is key to managing stress during high-intensity investigations.

As always, we want to hear from you. Sound off in the comments, and join us for the next edition of threat intelligence book club on April 5!