{"id":3030,"date":"2018-04-15T03:38:30","date_gmt":"2018-04-15T03:38:30","guid":{"rendered":"https:\/\/hackmethod.com\/?p=3030"},"modified":"2018-12-18T21:57:26","modified_gmt":"2018-12-18T21:57:26","slug":"dfir-vs-hunt","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/dfir-vs-hunt\/","title":{"rendered":"Digital Forensics &#038; Incident Response vs Hunt"},
"content":{"rendered":"<p>Gone are the days of defense solely relying on systems being patched. The model of hiding behind firewalls like the Greeks in Troy.&nbsp; This has been proven, time and time again, to be as faulty in Cyber as it was in the days of old. There aren&#8217;t many hard definitions in Cyber, so here&#8217;s Hackmethod&#8217;s take on a popular topic that&#8217;s been brought up around the water cooler for the past few days.<\/p>\n<p><!--more--><\/p>\n<h4><span style=\"text-decoration: underline;\"><strong>DFIR<\/strong><\/span><\/h4>\n<p>Digital Forensics &amp; Incident Response, or DFIR (pronounced: Dee-Fur), is a term used to describe response to malicious activity in Cyber. For Hackmethod, DFIR is typically conducted when an indicator of compromise (IOC) is known or an event\/alert is triggered on the network\/host Intrusion Detection Systems.&nbsp; Basically, it is like someone calling the police when a crime has been committed, which kicks off an investigation to find said criminal. This is referred to as being reactive.&nbsp; How this works in a nutshell is, certified DFIR analysts will take, at the least, static data such as memory scrapes, PCAP of the traffic, HDD images, and logs to reconstruct the event.&nbsp; They will find breadcrumbs and follow them all the way to the end.<\/p>\n<h4><strong><span style=\"text-decoration: underline;\">Cyber Threat Hunting<\/span><\/strong><\/h4>\n<p>Cyber Threat Hunting, or Hunting for short, is used to describe seeking out an adversary without a warning indicator.&nbsp; This is referred to as being proactive. Hunting constantly seeks out threats to the network\/host regardless of actually receiving an indicator. Keeping with the police analogy, this is similar to the policing strategy of &#8220;hot spotting&#8221;, where police will increase their presence in higher crime areas trying to catch criminals in the act. Having said that, Hunting should not be confused with standard defense strategies; it&#8217;s focused on a threat and the risk that threat poses to the target.<\/p>\n<p><code>Risk = (threat x vulnerabilities x probability x impact)\/countermeasures<\/code><\/p>\n<p>Overall, when combined with red-teaming, intelligence and threat modeling, hunting can be an extremely effective method to help reduce attack surfaces and deny threat actors the ability to create effects on your network.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Gone are the days of defense solely relying on systems being patched. The model of hiding behind firewalls like the Greeks in Troy.&nbsp; This has been proven, time and time again, to be as faulty in Cyber as it was in the days of old. There aren&#8217;t many hard definitions in Cyber, so here&#8217;s Hackmethod&#8217;s [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":5364,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[113],"tags":[],"class_list":["post-3030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hunt"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2018\/04\/dfirvshunt-1086x496.png?fit=1086%2C496&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-MS",
"_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/3030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=3030"}],"version-history":[{"count":5,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/3030\/revisions"}],"predecessor-version":[{"id":5365,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/3030\/revisions\/5365"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/5364"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=3030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=3030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=3030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}