CHAPTER 14: Proactive Activities
Incident response is, by its very nature, a reactive activity. We respond to incidents as they are detected to understand and mitigate their impact. The defense of your network, however, is an active, not passive, activity. Incident response plays a critical role in the prevent-detect-respond cycle of active network defense. When not engaged in an incident, your team should be enhancing your defenses through proactive activities such as hunting for adversaries who may already be in your environment and emulating adversary behavior to test and improve your preventive and detective controls.
Threat Hunting
Those tasked with finding and defeating evil cannot go about their mission passively. Police officers do not simply sit around a police station waiting for calls reporting an emergency. Instead, they actively patrol their area of responsibility and seek out crimes that may be in progress. Similarly, those tasked with defending a network cannot wait for a detective control to trigger an alert; they must actively hunt for evidence of malicious behavior within their environment on an ongoing basis. This process is known as threat hunting.
Proactively searching for evidence of adversary activity provides several benefits to the organization. Most obviously, if an adversary is detected, appropriate steps can be taken to respond to and mitigate that threat. In addition, the act of hunting through evidence sources such as log data, system memory, ...