Cyber threat hunting: Lessons learned
Feedback
This is the final step of the process: every step of the hunt is reviewed.
All parties involved in the hunt provide their feedback for the different stages.
Examples:
Was the hypothesis defined well?
Was the outcome achieved?
Were identified data sources relevant?
Were the techniques used appropriate for the hunt?
Were there any visibility gaps?
Lessons learned
After execution of the hunt, analyze all steps of the hunt to determine what worked well and what improvements, if any, are needed to strengthen the threat hunting process.
All parties involved in the hunt should provide feedback for the relevant phases.
Scope
How well was the scope defined?
Were systems correctly identified?
Were data sources relevant?
Did hypothesis development capture all analytical questions?
Were drivers for hypothesis development helpful?
Could we have done anything differently?
Formulate
How well did we identify relevant data sources?
Did analysis techniques support the hunt?
Were tools identified correctly and were they helpful?
Execute
How well did we conduct the data analysis?
Did we need to consider additional data sets?
Were analysis techniques executed well?
Did we need additional analysis techniques?
Were tools adequate for analysis?