Threat Hunting Process

Purpose

To establish the Process for threat hunting initiatives and routine tasks in Corporate Group.

Scope

This Process applies to Cyber Analysts and to all assets, including but not limited to logs collected in the SIEM and on other servers, network devices, external storage media, and applications that contain or transmit Corporate Group's information.

This Process applies throughout the Corporate Group as part of the information security management system framework.

Process Diagram

Procedures of Process

| No. | Procedure | Description | Result | Responsible | Time limits |
|-----|-----------|-------------|--------|-------------|-------------|
| 1. | Create Hypothesis | A hypothesis is created to detect a threat in the Corporate Group network. A hypothesis may arise from: intelligence; environmental anomalies; expert intuition; past incidents; other sources. | Created and documented hypothesis to detect the threat | Cyber Analyst | Daily |
| 2. | Collect Data | Data is gathered from multiple sources, including human intelligence, imagery, electronic sources, intercepted signals, or publicly available sources. | Gathered data for processing | Cyber Analyst | Within 1 hour for PCI DSS infrastructure; unlimited for non-PCI DSS infrastructure |
| 3. | Process Data | Data is processed into a comprehensible form. This could include: translating it from a foreign language; decrypting it; sorting data based on how reliable or relevant it is; other. | Processed data for analysis | Cyber Analyst | Within 2 hours for PCI DSS infrastructure; unlimited for non-PCI DSS infrastructure |
| 4. | Analysis | Contradictory data are evaluated against each other, and the patterns and implications of inconclusive or insufficient data are considered. | Analysed data | Cyber Analyst | Within 2 hours for PCI DSS infrastructure; unlimited for non-PCI DSS infrastructure |
| 5. | Documentation | An assessment and a report that summarise the data for decision-making are documented. | Documented assessment | Cyber Analyst | Within 2 hours for PCI DSS infrastructure; unlimited for non-PCI DSS infrastructure |
| 6. | Whitelisting | New rules are created in the detection system to whitelist false positives. | Whitelisted false positives | Cyber Analyst | Within 2 hours for PCI DSS infrastructure; unlimited for non-PCI DSS infrastructure |

Process Review and Update

This Process must be maintained in accordance with the Information Security Policy.

Revision History

| Version | Author | Approved By | Revision date | Approval date |
|---------|--------|-------------|---------------|---------------|
| 0.1 | GK | | 2023-05-20 | 2023-05-23 |
| 0.2 | DM | | 2023-11-02 | 2023-11-02 |
| 0.3 | GK | DM | 2024-09-10 | 2024-09-10 |
