Cybersecurity is a vast field, and, as we all know, it’s hard to judge a book by its cover. That’s why our security researchers here at Splunk have put together this list, so you can know exactly what’s worth reading and why. In this comprehensive guide featuring more than 20 reads, we’ve categorized everything into three categories:
Whether you’re a security-obsessed professional or an avid reader who enjoys the wild histories behind modern conflict, there’s something in this list for you.
(For more security recommendations, check out Monthly Staff Picks for Security Reading, the best Security/InfoSec conferences to attend and must-listen security podcasts.)
The books in this section are for newbies and experts alike.
Author: Andy Greenberg
General subject: Tracking the Kremlin’s role in the disruptive NotPetya cyberattack
ISBN #: 9780525564638
Ideal audience: Anyone interested in learning more about one of the most devastating cyberattacks in history and how it relates to the war in Ukraine.
Why we like it: Sandworm provides a historical overview of Kremlin state-sponsored cyberattacks targeting Eastern Europe. The details surrounding the 2017 NotPetya attack provide context for the current war in Ukraine and demonstrate how conflict can spill into the cyber domain. Since this book was published, the NotPetya attack has also reshaped cyber insurance, setting a legal precedent for what constitutes an act of war — this could invalidate insurance claims stemming from nation-state attacks.
Author: Kim Zetter
General subject: Stuxnet, a virus intended to sabotage Iran’s nuclear program
ISBN #: 9780770436193
Ideal audience: This book is for anyone interested in learning how malware can be used as an offensive weapon with kinetic effects to achieve political aims.
Why we like it: This thoroughly researched book was written by one of the world’s top cybersecurity journalists, Kim Zetter. It tells the story of how security experts examined code and pieced together clues to uncover a sophisticated malware campaign designed to cause physical damage and subvert Iran’s nuclear program. I highly recommend this book if you’re interested in industrial control systems (ICS) security.
Author: Cliff Stoll
General subject: Computers, espionage, history
ISBN #: 9781416507789
Ideal audience: Anyone can enjoy this book, even if you aren’t too familiar with computers.
Why we like it: The Cuckoo’s Egg is a first-person account of tracking down digital spies. More than 20 years after this book’s publication, many of the issues it addresses are still relevant today, such as: digital espionage, privacy and security. This book is a classic and should be at the top of your list if you have not read it.
Author: Ben Buchanan
General subject: Cyberattacks, geopolitics, statecraft, history
ISBN #: 9780674987555
Ideal audience: Anyone interested in learning more about nation-state cyberattacks.
Why we like it: Published in 2020, The Hacker and The State examines the intersection of geopolitics and cyberattacks in the form of data breaches, election interference and even undersea cable taps and underground nuclear sabotage. The author Ben Buchanan examines how geopolitical competition has evolved over the years to reshape national security priorities. The book’s description sums it up:
“The nation that hacks best will triumph.”
Author: Bruce Schneier
General subject: Data, privacy, security
ISBN #: 9781416507789
Ideal audience: Anyone concerned about data privacy and corporate surveillance.
Why we like it: In Data and Goliath, Bruce Schneier not only details all of the ways our personal data is collected and sold on the internet, but he also offers solutions to help counter government and corporate surveillance in order to protect privacy online.
Author: Thomas Rid
General subject: History, espionage, disinformation
ISBN #: 978-1250787408
Ideal audience: Readers who want to better understand espionage and disinformation operations throughout history.
Why we like it: We hear the word disinformation used frequently to describe online influence operations and troll farms, but the history of disinformation campaigns extends back decades, if not longer. From the Russian Revolution to the Cold War, political warfare has frequently included tactics of deception and some other non-conventional strategies to influence the public and political leaders.
Author: Brian Krebs
General subject: Cybersecurity, cybercrime
ISBN #: 9781492603238
Ideal audience: Anyone who has ever received a spam email — that is, everyone.
Why we like it: From harvesting usernames and passwords, to rogue online pharmacies, Spam Nation shows the lengths some cybercriminals will go to steal and profit from your information. Author and investigative journalist Brian Krebs does a great job of explaining where those emails in your spam folder originate.
As the book points out — you don’t even have to click on these malicious emails to be at risk. I recommend reading this book if you’d like to learn strategies to protect yourself online.
Authors: Renee Dudley, Daniel Golden
General subject: Ransomware
ISBN #: 9780374603304
Ideal audience: Enthusiasts of real-life technological thrillers.
Why we like it: Ransomware is a billion-dollar business as well as a top concern for organizations of all sizes. This brand-new book is garnering attention for making non-security nerds pay attention to this issue through the story of a “band of misfits” who team up to fight back against cybercriminals.
Author: Tom Standage
General subject: The Internet, Popular History
ISBN #: 9781620405925
Ideal audience: History buffs
Why we like it: “We think the Internet is this new thing and there has never been any revolution like it before, but this book shows how similar the Internet revolution was to the advent of the telegraph, including a chapter on codes, ciphers, and criminals. It's popular history, so pretty easy to read, too.” – David Bianco, Staff Security Strategist at Splunk
Now let’s move into the “textbooks” of security. These practical and technical books give you real-world experience that's particularly useful for security and InfoSec professionals.
Authors: Jeff Bollinger, Brandon Enright, Matthew Valites
General subject: Information Security, Incident Response, Security Monitoring
ISBN #: 9781491949405
Ideal audience: CISOs and security operations center (SOC) managers, engineers and analysts.
Why we like it: This is one of the best writings on how to modernize your security operations. The book covers use cases including:
You’ll learn things like how to staff a modern SOC and run it with the “playbook” mindset along with how to understand what a customer is trying to protect and what to do when incidents happen. The book includes basic and advanced ways to query data to improve detections and fidelity of playbooks.
Authors: Chris Sanders, Jason Smith
General subject: Cybersecurity, Network Security Monitoring
ISBN #: 9780124172081
Ideal audience: Current and aspiring security analysts.
Why we like it: This is a fundamental guide for learning the concepts of network security monitoring (NSM). Analysts should prepare for when — not if — their networks are breached so that they can respond quickly and effectively. Through collection, detection and analysis, this book teaches analysts about each stage of the NSM cycle with real-world examples and insights from seasoned professionals. If you are new to NSM analysis, this is a perfect book to get started.
Authors: Kathryn Knerler, Ingrid Parker, Carson Zimmerman
General subject: Structuring a Security Operations Center
ISBN #: 9798985645040
Ideal audience: Executives, SOC managers and security analysts
Why we like it: This book, updated in 2022, outlines SOC structures. It will help security-savvy people better understand how SOCs are designed, particularly in the Public Sector (DoD/IC). In one review of the book, Drew Church, a Staff Security Strategist at Splunk said,
"In 2016 I started a full-court press into educating myself on HOW the upper echelon of successful organizations ‘do’ security. A colleague of mine made me aware of the book titled ‘10 Strategies of a World-Class Cybersecurity Operations Center’ and I was enamored. It really glued together the ‘why’ and ‘how’ of the organizations I'd seen in my work. In March 2022, The MITRE Corporation published a second edition that encompasses a total of 11 strategies. For anyone interested in the structure of a security program with actionable insights, start reading it today."
Authors: Ben Clark, Nick Downer
General subject: Cybersecurity, penetration testing
ISBN #: 9781075091834
Ideal audience: Red Team operators
Why we like it: This book features a fantastic list of how-to's for Linux, Windows, networking, RDBMS, security tool syntax, web, programming, wireless and more. Version 2 comes with more than 290 new commands and techniques that have been updated to work against modern operating systems. A Splunker once said of The RTFM:
“If you had 10% of this book memorized and knew where to use it, you'd be a wizard. I actually carry this in my bag at all times now.”
Authors: Niels Ferguson & Bruce Schneier
General subject: Cybersecurity, cryptography
ISBN #: 9780471223573
Ideal audience: Anyone with an interest in cryptographic algorithms
Why we like it: “I know it's 20 years old now, but this is a guide for developers implementing cryptography in their code, or for people who want to understand the basics. The book covers not just the cryptographic algorithms themselves, but how they are used in real-world systems.” — David Bianco, Staff Security Strategist at Splunk
Authors: Jay Jacobs, Bob Rudis
General subject: Data analysis and visualizations
ISBN #: 9781118793725
Ideal audience: Anyone who wants to uncover hidden patterns in data to prevent breaches and cyberattacks.
Why we like it: Data analysis and visualization are two very powerful tools to improve decision making and measure the effectiveness of security methods. This book is great because it includes real-world examples of how to analyze security data along with hands-on exercises. I recommend this book if you’re looking for a guide on how to use data to detect malware and correlate security events.
Authors: Stuart McClure, Joel Scambray, George Kurtz
General subject: Cybersecurity
ISBN #: 9780071780285
Ideal audience: Security professionals
Why we like it: The Hacking Exposed series is an excellent resource for any security professional. The seventh edition of Network Security Secrets and Solutions includes new visual maps along with a “countermeasures cookbook.” The book also includes case studies and techniques that show you how to:
Of course, reading isn’t limited only to books. Academic articles and research papers are an important part of the cybersecurity landscape. In fact, every month I roundup what Splunkers are actually reading and recommend these to our global community. (You can see all previous months here.)
Here are some articles that stand the test of time…
Author: Mandiant Intelligence Center
General subject: APT, China, Espionage
Ideal audience: Cyber threat intelligence (CTI) analysts
Why we like it: Released in 2013, Mandiant’s APT1 report was groundbreaking in its dissemination of threat intelligence for a public audience. Detailed information about threat actors and their network infrastructure was previously kept secret and stored in classified networks. Despite the controversy upon its publication, the paper proved pivotal in the growth of threat intelligence collection and information sharing within the cybersecurity community.
Author: David Bianco
General subject: Threat detection, organizing IOCs
Ideal audience: Blue teams, CTI analysts
Why we like it: Following the release of Mandiant’s APT1 report, David Bianco (who is now a member of Splunk’s SURGe team) realized that the report’s indicators of compromise (IOCs) were not being used effectively. To illustrate the concept that not all indicators are created equal in threat detection, Bianco created the Pyramid of Pain.
The pyramid orders IOCs based on how much pain they will cause adversaries when you deny those indicators to them. The Pyramid of Pain is a great conceptual model for using cyber threat intelligence to effectively detect threats.
(The Pyramid of Pain)
Authors: Sergio Catagirone, Andrew Pendergast, Christopher Betz
General subject: Threat intelligence, intrusion analysis
Ideal audience: CTI analysts
Why we like it: The basic premise of this paper is that for every intrusion event, there are four core features: adversary, infrastructure, capability and victim — each representing a point on a diamond. Analysts can use the Diamond Model to better conceptualize intrusion activity, leading to improved event classification, threat intelligence integration, and forecasting of adversary events. This paper is valuable because it establishes an underlying method that can be repeated time and again for intrusion analysis.
(The Diamond Model)
Author: Lockheed Martin Corporation
General subject: Cyber kill chain
Ideal audience: Any security practitioner
Why we like it: The Cyber Kill Chain framework has been around for many years and explains the steps adversaries take to gain access to a network and exploit vulnerabilities. The seven steps of the Cyber Kill Chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives) are intended to help analysts visualize the attack process and enrich their understanding of the tactics, techniques and procedures (TTPs) used by adversaries.
Author: Joe Slowik
General subject: Threat hunting
Ideal audience: Threat hunters, blue teams
Why we like it: In one review of this white paper, Sydney Howard, Principal Threat Hunter at Splunk said:
"Everyone talks about threat hunting, but few organizations have people dedicated to the function. This white paper provides a thorough overview into requirements to establish a successful threat hunting program at your organization. I particularly like the call out that the threat hunting process is iterative rather than linear. This can be key for growth as you build upon previous work to truly mature your threat hunting program."
Author: Robert M. Lee
General subject: ICS/SCADA cybersecurity
Ideal audience: Anyone interested in securing industrial control systems
Why we like it: It can be difficult to know where to start when learning about careers in cybersecurity, which is why I appreciate blog posts like this one that compile the resources needed to get started. Robert M. Lee is one of the leading minds in ICS/SCADA security, so this list is a great place to start for anyone interested in pursuing this career path.
Author: Katie Nickels
General subject: Cyber threat intelligence
Ideal audience / who it’s for: Aspiring CTI analysts
Why we like it: Not only is Katie Nickels an instructor for the SANS Institute’s Cyber Threat Intelligence course, she also wrote up a free self-study plan for aspiring CTI analysts. It’s packed full of papers, videos and ideas to ponder. I highly recommend starting with this guide if you are pursuing a career in the field of cyber threat intelligence.
Author: John Sakellariadis
General subject: Ransomware
Ideal audience: CTI analysts, blue teams
Why we like it: This 2022 issue brief from The Atlantic Council explains how the threat of ransomware has grown considerably over the last several years. The paper examines the transition from automated ransomware campaigns to more targeted extortion operations between 2016 and 2019. The author John Sakellariadis advocates for payment transparency from victims in order to measure the true cost of these attacks.
You’ve reached the end of our roundup of top security books and articles to read. With more than 20 recommendations here, this list should keep you busy for a while! For another topic, check out our DevOps recommended books.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.