Gone are the days of defense solely relying on systems being patched. The model of hiding behind firewalls like the Greeks in Troy. This has been proven, time and time again, to be as faulty in Cyber as it was in the days of old. There aren’t many hard definitions in Cyber, so here’s Hackmethod’s take on a popular topic that’s been brought up around the water cooler for the past few days.
Digital Forensics & Incident Response, or DIFR (pronounced: Dee-Fur), is a term used to describe response to malicious activity in Cyber. For Hackmethod, DIFR is typically conducted when an indicator of compromise (IOC) is known or an event/alert is triggered on the network/ host Intrusion Detection Systems. Basically, it is like someone calling police when a crime has been committed and kicks off an investigation to find said criminal. This is referred to as being reactive. How this works in a nutshell is, certified DIFR analysts will take, at the least, static data such as memory scrapes, PCAP of the traffic, HDD images, and logs to reconstruct the event. They will find breadcrumbs and follow it all the way to the end.
Cyber Threat Hunting
Cyber Threat Hunting, or Hunting, for short is used to describe seeking out an adversary without a warning indicator. This is referred to as being proactive. Hunting constantly seeks out threats to the network/host regardless of actually receiving an indicator. Keeping with the police analogy, this is similar to the policing strategy of “hot spotting”, where police will increase their presence in higher crime areas trying to catch criminals in the act. Having said that, Hunting should not be confused with standard defense strategies, it’s focused on a threat and the risk that threat poses to the target.
Risk = (threat x vulnerabilities x probability x impact)/countermeasures
Overall, when combined with red-teaming, intelligence and threat modeling hunting can be an extremely effective method to help reduce attack surfaces and deny threat actors the ability to create effects on your network.