There’s only one line in this I disagree with (a little):
“You must, of course, figure out the kind of who — you don’t want to just fix the symptom and leave untouched the cause…”
Actually, you don’t really need to know who — just how they did it and how you can stop it from happening again. This is frequently true in security matters (of course, not on a nation-state level), but very true in infosec.
Assume you have enemies — in fact, assume everyone is your enemy — and you don’t care who is the immediate problem. “Threat intelligence” is mostly bogus except to the degree it can tell you how the attacker is coming at you or when.
Who he is won’t matter after he’s dead…