
2 posts tagged with "process"


Jose Luis Sánchez Martínez · 9 min read

TL;DR

The existing threat hunting process can be run in parallel with another process, the indicator life cycle.

Both cycles share the same goal: proactive detection of threats and behaviours in corporate networks, moving away from the reactive approach, which is increasingly being avoided.

This is because traditional incident response processes follow a methodology based on working on an event that has already taken place, whereas the indicator lifecycle and the threat hunting process work from the perspective of preventing something from happening.

In this post I will explain the indicator lifecycle and how it can be used in parallel with the threat hunting process, and present a case study at the end.

Jose Luis Sánchez Martínez · 9 min read

TL;DR

DFIR teams often have to perform threat hunting to proactively identify anomalous behaviour in our networks or our customers' networks. However, on many occasions we do not know where to search, or simply do not know which technologies we have available to collect this information.

A Collection Management Framework (CMF) can help in these situations. It is built on which information each data source gives us and which of those sources are available for hunting.