11 Responding to findings
This chapter covers
- Concluding a threat-hunting expedition
- Communicating the discoveries, and to whom
- Handing the findings over to other teams
So far in this book, we’ve had multiple successful threat-hunting expeditions, leading to interesting discoveries. This chapter describes the appropriate timing (when) and approach (how) for passing these findings to the incident-response team. Then it discusses engagement models for threat hunters, sharing examples from real-life hunting expeditions. The chapter focuses more on response than on threat-hunting activities.
To demonstrate, we’ll conduct a simple threat-hunting expedition with a new hypothesis, emphasizing the postdiscovery phase of the hunt. During the expedition, we’ll discover other problems that are not directly connected to the hypothesis but are significant enough to report and resolve. Finally, we’ll record the details of the expedition in an incident case, which serves as the key artifact for documenting our findings and handing the case to the incident-response team.
11.1 Hunting dangerous external exposures
It’s crucial not only to uncover threats but also to respond to them properly. Threat hunting is a proactive security practice, and its findings feed directly into the overall incident-response process.