Cyber threat hunting: Lessons learned

Feedback

This is the final step of the process that analyzes all steps of the hunt

All parties involved in the hunt provide their feedback for the different stages

Examples:

  • Was the hypothesis defined well?

  • Was the outcome achieved?

  • Were identified data sources relevant?

  • Were the techniques used appropriate for the hunt?

  • Were there any visibility gaps?

Lessons learned

After execution of the hunt, analyze all steps of the hunt to determine what worked well and what improvements, if any, are needed to strengthen the threat hunting process

All parties involved in the hunt should provide feedback for the relevant phases

Scope

What do we think of the quality of scope?

  • Were systems correctly identified?

  • Were data sources relevant?

  • Did hypothesis development capture all analytical questions?

  • Were drivers for hypothesis development helpful?

  • Could we have done anything differently?

Formulate

  • How well did we identify relevant data sources?

  • Did analysis techniques support the hunt?

  • Were tools identified correctly and were they helpful?

Execute

  • How well did we conduct the data analysis?

  • Did we need to consider additional data sets?

  • Were analysis techniques executed well?

  • Did we need additional analysis techniques?

  • Were tools adequate for analysis?
