Last updated at Tue, 25 Apr 2023 23:16:29 GMT

Last week, Rebekah Brown and I wrapped up The Cuckoo’s Egg with book club readers around the world. Dig through some blog archives to get a sense of how this book club got started and what we’ve discussed so far. Below is a recap of the book as a whole and the overarching themes and questions we’ve talked through on the calls.


  • Learn about the history and role of threat intelligence in information security.
  • Connect with a community of people interested in threat intelligence—including beginners and those without any background in infosec.
  • Apply learnings from the reading and discussion to our work and our daily lives.

Content review: The Cuckoo’s Egg

We were excited about this book because, as Rebekah illustrated over the course of our last three calls, the story tracks the first documented case of cyber-espionage. In the late 1980s, processes and tools for incident response and intrusion analysis were virtually non-existent, and the author, Cliff Stoll (an astronomer-turned-computer-wiz), was creating process on the fly as he tracked a hacker through his lab’s network and across the globe. Many of the methods Cliff used—and the problems he encountered—are still relevant and common today.

Plot points (Beware: Spoilers!)

  • The whole story starts with a tiny accounting error: Cliff gets curious and digs into a $0.75 billing discrepancy, only to discover a hacker has been logging onto his lab’s network using stolen accounts.
  • There was nothing in place to track the hacker, and there was no single place to track the hacker; Cliff and friends had to improvise, create their own information-sharing network, and pull other disciplines into the investigation. Cliff had to develop hypotheses and ways of testing them.
  • Eventually, the right co-investigators were identified at various telecommunications carriers (relationship-building FTW!), and the hacker is traced to Germany. However, Cliff doesn’t have a ton of luck getting help from the federal government, and the hacker continues to find ways to break into computers, even after system admins have been warned about the threat. Cliff and his partner (super lawyer) Martha set up honey docs for the hacker, hoping to keep him on the line long enough that they can complete a trace. Spoiler: It works!
  • Eventually, folks in DC start paying more attention. Cliff briefs intelligence agencies on the hacker and monitors the hacker’s activities while waiting for the arrest (side note: international relations are hard). The hacker—a West German resident—is finally caught, and in true blockbuster style, our hero and heroine, Cliff and Martha, decide to get married. Cue upbeat pop music as the credits roll!

Security myths we encountered in The Cuckoo’s Egg

  • Cliff didn’t believe a hacker could guess their archaic passwords.
  • The system administrator didn’t think anyone could create new users.
  • The belief that many networks were ‘isolated’ and therefore couldn’t be reached was evident at several points in the story.

“Let’s be a tad careful and change our important passwords.”


  • Understanding adversaries: “The hacker didn’t succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through.”
  • The vulnerable nature of networks: “It doesn’t take brilliance or wizardry to break into computers. Just patience.”
  • The dilemma of disclosure: To publish or not to publish? “If you don’t publish, nobody will learn from your experience. The whole idea is to save others from repeating what you’ve done.”
  • Has the exchange of information (fundamentally) changed? “Hacking may mean that computer networks will have to have elaborate locks and checkpoints. Legitimate users will find it harder to communicate freely, sharing less information with each other.”

Discussion questions

  • What was the biggest challenge Cliff faced during the investigation?
  • How has reading this book changed your understanding of threat intelligence?
  • Have we gotten better or worse at dealing with incidents and system vulnerabilities over the past three decades?


Ultimately, there were a number of simple and critical points we pulled from the book:

  • Curiosity is key. A seemingly insignificant inconsistency kicked off the entire series of global events recounted in The Cuckoo’s Egg. Never underestimate the power of a keen mind and a beckoning rabbit hole.
  • Forensic data is invaluable—as was Cliff’s propensity for documentation.
  • Use the scientific method: Without the ability to formulate hypotheses and test them in a methodical way, we are, as Cliff said, “gathering facts, not interpreting them.”
  • Look outside the security domain for methods and insights. Being able to apply methodologies and practices from other disciplines enriches and expands threat intelligence capabilities.
  • Share information; build relationships; profit (at least intellectually). Cliff built a network of people who helped him succeed in his investigation, but also who supported him when he was stressed and stuck. Sharing information and breaking down silos was crucial to his overall success.

We’ll be sending out a survey with a request for feedback and asking folks to help us choose the next book in a couple of weeks. Stay tuned for more info about the next round of Threat Intelligence Book Club! We appreciate you.