Not exactly a traditional information security book, Confidential by John Nolan is definitely one I would recommend to anyone on the protective/intelligence side of cyber. You won’t get details of different ways to breach technical systems or develop IoCs for your SIEM – but there are so many tomes on those subjects.
What Confidential does do exceptionally well, aside from providing a comfortable and entertaining read, is address the human side of things. While most of us in cyber are unlikely to encounter industrial espionage (hopefully), social engineering is a common attack vector and Confidential covers it more thoroughly than most.
The first third of the book focuses on what should be a familiar topic – elicitation of information from human sources – which is always useful to read about. If you have a threat intel team working to actively collect intelligence then this really should be in their office library. Covering a dozen elicitation techniques in reasonable depth gives anyone an effective starter toolbox, and the base knowledge to go out and find more specialist tools as needed.
Part two focuses on source identification – while this is most likely the least relevant of the sections I would still highly recommend reading, especially if your cyber department has any ties to a competitive intelligence/counter-intelligence function or any responsibility for training staff in not giving away the crown jewels at conference bars and networking events.
There is a wealth of knowledge here which, with a little imagination, can be applied to finding human vulnerabilities inside (and outside the company), profiling and identifying threat actors and groups, and piecing together snippets of information to better understand competitors.
“…the internet is perhaps the single fastest, most economical and wide-ranging source-identification and development means available.”
The third and final section is probably the most useful in cyber – though I recommend reading the whole book through both to provide context and because it is a very enjoyable read. The third section covers protecting your information and trade secrets – again from a very human rather than technical standpoint – but almost everyone in cyber is well aware that most vulnerabilities boil down to people rather than technology (or at least the easiest ones to exploit). Given the opportunity, I would be making this section mandatory reading for everyone in a company – and passing it out to suppliers and partners. Along with Kevin Mitnick’s Art of Deception, this is definitely one of the simplest ways to teach people about both threats and defence.
The appendices are worth a read in their own right and provide supplementary material on each of the sections as well as a brief discussion on the ethics of competitive intelligence, and some sample paperwork which with a little work would be very useful for your threat intel knowledgebase.
“…no matter how abrasive one’s boss or business rival, it’s also highly undesirable to try and plant explosive-laden cigars or poisonous doughnuts in front of them.”
My own copy of the book is now stuffed full of notes, markers and highlighted passages where I have found something either interesting, valuable, or just entertaining. It is written casually rather than as an academic textbook and is a very comfortable read over a cup (or several) of coffee – though there may be the occasional sideways glance if you leave the dust cover on. With side boxes running through the author’s experiences from the governmental intelligence world and contrasting the two, short snippets from cases worked on and of course annotated extracts from Arthur Conan Doyle’s Sherlock Holmes (definitely worth a read – I’ll be going through my own copy with a fine-toothed comb after this) I would recommend anyone in cyber, and certainly in Intel, grab one of the copies available and dive in,
Subjects: competitive intelligence, elicitation