2. Hunting aims to detect threat actors early in the cyber kill chain by investigating the IT environment for signs of an intrusion. However, unlike an alert-driven investigation, threat hunting is a proactive activity that begins with a hypothesis to verify (hypothesis-driven investigation).
10. [Diagram: detection and hunting flow. Recoverable labels: inputs IOC / IOA, Custom Watchlist and Threat Intel feeding CarbonBlack Response Cloud (Events, Sensors, Offences); two paths, Alert Driven and Hypothesis Driven (Hypothesis Hunting raises an SR ticket for a Manual hunt); MDR Team; Ticketing Tool IBM IRIS; decision points "Incident?" and "Privacy Incident?"; P1 / P2 Incident management Process (Incident Mgt Team), Incident P3 Remediation (P3 or P4, Resolver Team); Privacy Incident management Process (Privacy Committee); ERS - IRIS (IRIS engagement is optional); KEDB.]
11. [Diagram: hypothesis hunting process. Recoverable steps: Hypothesis Creation from Threat Intel (Public / Etihad specific); Hypothesis Review and Qualifying with EY; Service Request for Hypothesis hunting; Incident Creation; Validate Remediation; Update and Track Hypothesis records; Update and Track Hunt Calendar. Decision points (Yes / No): True Positive?; High Priority Incident?; Is it privacy Incident?; Is MDR team resolved?; Hypothesis update?; Required to repeat same hunt?. Escalation actions: Engage IRIS Team (if required); Engage Resolver team; Engage Privacy Incident management; Engage incident management Team.]
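As an added illustration of the hypothesis-driven flow on the slide (not part of the original deck), the block below runs a hypothetical hunt over constructed process-creation events and then maps the result onto the slide's decision points. The hypothesis, the sample events, the business-hours window and the ordering of the gates are assumptions made for the example.

```python
# Hypothesis-driven hunt: run one hunt over telemetry, then route the outcome
# through the decision points of the hunt flow (true positive, priority,
# privacy, MDR resolution, repeat hunt).
from datetime import datetime

# Constructed sample process-creation events (not from the page).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:14:00", "user": "svc_backup", "proc": "schtasks.exe", "admin": False},
    {"ts": "2024-01-10T10:00:00", "user": "admin1", "proc": "schtasks.exe", "admin": True},
    {"ts": "2024-01-11T03:30:00", "user": "jdoe", "proc": "schtasks.exe", "admin": False},
    {"ts": "2024-01-11T09:05:00", "user": "jdoe", "proc": "notepad.exe", "admin": False},
]


def hunt_off_hours_schtasks(events, start_hour=8, end_hour=18):
    """Hypothetical hypothesis: scheduled tasks created by non-admin accounts
    outside business hours may indicate persistence. Returns matching events;
    an empty list means the hunt found no true positive."""
    hits = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        off_hours = not (start_hour <= hour < end_hour)
        if e["proc"].lower() == "schtasks.exe" and not e["admin"] and off_hours:
            hits.append(e)
    return hits


def route_hunt_outcome(hits, priority, privacy, mdr_resolved, repeat_hunt):
    """Map a hunt result onto the slide's Yes/No gates and return the actions.

    priority: 1-4; P1/P2 go to the incident management process, P3/P4 to
    remediation. The gate order below is an assumption, not read off the slide.
    """
    actions = ["update and track hypothesis record"]
    if not hits:  # True Positive? -> No
        actions.append("close hunt: no true positive")
    else:
        actions.append("create incident")
        if priority <= 2:  # High Priority Incident? -> Yes
            actions.append("engage incident management team (P1/P2)")
        else:
            actions.append("P3/P4 remediation")
        if privacy:  # Is it privacy Incident? -> Yes
            actions.append("engage privacy incident management")
        if not mdr_resolved:  # Is MDR team resolved? -> No
            actions.append("engage resolver team")
        actions.append("validate remediation")
    if repeat_hunt:  # Required to repeat same hunt? -> Yes
        actions.append("update and track hunt calendar")
    return actions
```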