Find, Fix, Finish: Generating Competitive Advantage With Threat Hunting
While there is some consensus about what exactly is meant by the term "threat hunting", most definitions are confined to the low-level act of searching for indicators or starting from a hypothesis. Because of this, the task itself often sits, blurred, between more traditional and well-defined roles in SOCs, Threat Intelligence, and even DFIR teams.
Rather than seek to re-define the term, I would instead like to introduce the audience to the idea of threat hunting as an operational art, alongside an effective and flexible methodology for arranging threat hunting activities. The F3EA process has gained very little public traction in the cybersecurity industry to date, but has proven to be optimally suited to guiding threat hunting operations at speed and scale.
Organizations and practitioners that successfully integrate the F3EA process may find that it helps establish threat hunting as a discipline in its own right and dramatically increases the competitive advantage of defenders seeking to maintain control of large distributed networks.