CHAPTER 14 Proactive Activities

Incident response is, by its very nature, a reactive activity. We respond to incidents as they are detected to understand and mitigate their impact. The defense of your network, however, is an active, not passive, activity. Incident response plays a critical role in the prevent-detect-respond cycle of active network defense. When not engaged in an incident, your team should be enhancing your defenses through proactive activities such as hunting for adversaries who may already be in your environment and emulating adversary behavior to test and improve your preventive and detective controls.

Threat Hunting

Those tasked with finding and defeating evil cannot go about their mission passively. Police officers do not simply sit around a police station waiting for calls reporting an emergency. Instead, they actively patrol their area of responsibility and seek out crimes that may be in progress. Similarly, those tasked with defending a network cannot wait for a detective control to trigger an alert; they must actively hunt for evidence of malicious behavior within their environment on an ongoing basis. This process is known as threat hunting.

Proactively searching for evidence of adversary activity provides several benefits to the organization. Most obviously, if an adversary is detected, appropriate steps can be taken to respond to and mitigate that threat. In addition, the act of hunting through evidence sources such as log data, system memory, ...

Get Applied Incident Response now with the O’Reilly learning platform.