Gone are the days of defense just being patching. The model of hiding behind firewalls, like the Greeks in Troy, has been proven to be as faulty in Cyber as it was in the days of old. There aren’t many hard definitions in Cyber, so here’s my take on a popular topic that’s been brought up around the water cooler for the past few days.
Digital Forensics and Incident Response, or DFIR (pronounced: Dee-Fur), is a term used to describe response to malicious activity in Cyber. In my opinion, DFIR is conducted when an indicator of compromise is known or an event/alert has triggered. It’s basically someone calling the police when an armed robbery is happening. Usually DFIR will take static data such as forensic scrapes, PCAP and logs to reconstruct the event. Once the event is
By comparison, Cyber Threat Hunting, or Hunting for short, is used to describe seeking out an adversary without a warning indicator. Hunting constantly seeks out threats to the network regardless of whether an indicator has been received. This is similar to the policing strategy of “hot spotting”, where police increase their presence in higher-crime areas. Hunting is not to be confused with standard defense strategies; it’s focused on a specific threat and the risk that threat poses to the target.
Risk = (threat x vulnerabilities x probability x impact)/countermeasures
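As an added illustration (not part of the original post), here is the risk formula above turned into a small hunt-prioritization routine: each asset gets the five terms the formula names, risk is computed per asset, and assets are ranked highest-risk first, which is the "hot spotting" idea applied to where hunters should spend their time. The asset names, scores and the 0-to-1 scales are constructed sample data, and the handling of a zero countermeasures score (return the raw numerator rather than divide by zero) is a convention chosen here, not something the post states.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Target:
    """One asset scored on the terms of the post's risk formula (scales are assumed)."""
    name: str
    threat: float           # how likely a capable actor is to go after this asset (0-1)
    vulnerabilities: float  # weight of known weaknesses on the asset
    probability: float      # chance an attempt against it succeeds (0-1)
    impact: float           # business impact if it does (arbitrary units)
    countermeasures: float  # strength of controls in place; 0 means none


def risk(t: Target) -> float:
    """Risk = (threat x vulnerabilities x probability x impact) / countermeasures.

    Edge case: the formula divides by countermeasures, so an asset with no
    controls at all would divide by zero. Here (assumed convention) that asset
    is scored at the undivided numerator, i.e. nothing is reducing its risk.
    """
    numerator = t.threat * t.vulnerabilities * t.probability * t.impact
    if t.countermeasures <= 0:
        return numerator
    return numerator / t.countermeasures


def hunt_priority(targets: List[Target]) -> List[Target]:
    """Rank assets by risk, highest first: the hunter's 'hot spots'."""
    return sorted(targets, key=risk, reverse=True)


# Constructed sample inventory (not real systems or real scores).
SAMPLE = [
    Target("domain-controller", threat=0.9, vulnerabilities=2, probability=0.5,
           impact=100, countermeasures=5),
    Target("legacy-file-server", threat=0.6, vulnerabilities=5, probability=0.7,
           impact=40, countermeasures=1),
    Target("lobby-kiosk", threat=0.3, vulnerabilities=1, probability=0.2,
           impact=10, countermeasures=0),
]


def priority_names(targets: List[Target]) -> List[str]:
    """Convenience wrapper returning just the ranked asset names."""
    return [t.name for t in hunt_priority(targets)]


if __name__ == "__main__":
    for t in hunt_priority(SAMPLE):
        print(f"{t.name:20s} risk={risk(t):8.2f}")
```

Run on the sample inventory, the lightly defended legacy file server outranks the well-controlled domain controller even though the controller carries the larger impact, which is the point of keeping countermeasures in the denominator: hunting effort follows residual risk, not just asset value.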
When combined with red-teaming, intelligence and threat modeling, hunting can be an extremely effective method to reduce attack surfaces and deny threat actors the ability to create effects on your network.