Incident response is a well-organized approach used in organizations’ IT departments in order to combat and manage the aftermath of a cyberattack or a security breach. The purpose of using incident response is to get out of the nightmare that includes limiting the damage and reducing the costs and recovery time of the incident. The people who perform incident response are called Computer Security Incident Response Team (CSIRT) and they follow company’s Incident Response Plan (IRP).
Data is a raw material, which is often unstructured, extracted in massive quantity, and requires processing before calling it an information and actionable intelligence. A good example is the Indicators of Compromise (IoCs). A big list of domain names or IP addresses can be ingested into the SIEM system to identify whether this list contains any malicious IP or not. If any suspicious IP is detected, then we can term this data as an actionable intelligence which has been evaluated from reliable sources, processed and enriched. Now, it can be used to identify trends, attack profile, and possible threats. In this article, we will see how data is gathered, processed, and act as an actionable delivery.
Threat hunting is the practice of iteratively and proactively hunting for threats or Advanced Persistent Threats (APT) that are launched by adversaries. Unlike traditional security systems such as antivirus program, firewalls, or SIEM, who use a reactive approach to threats, threat hunting utilizes a proactive approach to pursuing threats even before they compromise organization’s network or IT infrastructure.