This is about … .
Metrics
You need to answer the following questions:
Foundational Metrics
Scope. Visibility. Functionality Metrics.
Operational Metrics
Number of hunted items vs number of incidents
Number of open hunting investigations vs number closed within the defined SLAs
Number of hunted items by environment and business criticality
Detection time
Number of hypotheses formed vs number of hypotheses verified
Number of hunts driven by threat intelligence feeds
Number of automated procedures vs manual procedures
Duration of each hunting process end to end (categorized as automated or manual)
Total relevant threat actors specific to the industry or directly targeting the organization vs number of defined procedures and use cases
Total number of reported hunts vs number of open and closed issues raised by hunting (remediation)
Duration of remediation from the time the hunt was reported (effectiveness)
Technique used for hunting (% of the technique's effectiveness)
Data source used for each hunt
Type of finding and root cause analysis (e.g., broken process, system malfunction, human error, misconfiguration, data breach, and other cyber incident categories)
Type of vulnerability
Metric: how it is presented
Number of incidents identified proactively (vs. reactively): trend, comparison
Number of vulnerabilities identified proactively (vs. vulnerability assessments): trend, comparison
Dwell time of proactively discovered incidents (vs. reactively): trend, comparison
Containment time of proactively discovered incidents (vs. reactively): trend, comparison
Effort per remediation of proactively discovered incidents (vs. reactively): trend, comparison
Data coverage (data types and coverage of estate): percentage
Hypotheses per MITRE ATT&CK tactic: pie chart
Hunts per MITRE ATT&CK tactic: pie chart
Incidents per MITRE ATT&CK tactic: pie chart
Percentage of successful hunts that result in a new detection analytic or rule: service level
Sensitivity and specificity of analytics or rules derived from hunts (true and false positive rates): service level
BTFM
Get the number of incidents by priority
Get the number of alerts by priority (time limit)
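The operational metrics and the BTFM counts above are only useful if they are computed the same way every reporting period. The following is an added example (not code from the page's sources or from the BTFM) that computes several of them over a small set of constructed incident records: counts by priority with an optional time limit, proactive vs. reactive dwell and containment time, incidents per ATT&CK tactic, the share of hunts that produced a detection rule, and the precision of the rules derived from hunts. The record schema, field names and sample values are assumptions made for the example; alert records with the same fields can be passed to the same functions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """One incident as it would be exported from a case-management tool.
    The schema is an assumption for this example, not a vendor format."""
    id: str
    priority: str             # e.g. "P1".."P4"
    source: str               # "proactive" (found by a hunt) or "reactive" (alert/report)
    tactic: str               # MITRE ATT&CK tactic the activity mapped to
    first_activity: datetime  # earliest attacker activity established in triage
    detected: datetime        # when the SOC/hunt team first saw it
    contained: datetime       # when the activity was stopped
    new_rule: bool = False    # did the hunt yield a new detection analytic?
    rule_tp: int = 0          # true positives that analytic produced afterwards
    rule_fp: int = 0          # false positives that analytic produced afterwards


# Constructed sample data for the example; the timestamps are chosen so that
# hunt-discovered incidents have a much shorter dwell time than reactive ones.
T0 = datetime(2024, 3, 1)
INCIDENTS = [
    Incident("INC-1", "P1", "proactive", "Persistence",
             T0, T0 + timedelta(days=3), T0 + timedelta(days=4), True, 8, 2),
    Incident("INC-2", "P2", "reactive", "Execution",
             T0, T0 + timedelta(days=20), T0 + timedelta(days=23)),
    Incident("INC-3", "P2", "proactive", "Credential Access",
             T0, T0 + timedelta(days=5), T0 + timedelta(days=5, hours=12), True, 3, 3),
    Incident("INC-4", "P3", "reactive", "Persistence",
             T0, T0 + timedelta(days=30), T0 + timedelta(days=32)),
    Incident("INC-5", "P1", "proactive", "Lateral Movement",
             T0, T0 + timedelta(days=2), T0 + timedelta(days=3)),
]


def by_priority(items, since=None):
    """Count records per priority; with `since`, only those detected at or after it
    (the BTFM 'number of alerts by priority (time limit)' view)."""
    return Counter(i.priority for i in items if since is None or i.detected >= since)


def proactive_ratio(items):
    """Share of incidents identified proactively by hunting (0..1)."""
    return sum(i.source == "proactive" for i in items) / len(items)


def _mean_days(items, source, start_attr, end_attr):
    """Mean (end - start) in days over records of one source."""
    sel = [i for i in items if i.source == source]
    return mean((getattr(i, end_attr) - getattr(i, start_attr)).total_seconds() / 86400
                for i in sel)


def dwell_comparison(items):
    """Mean dwell time (first activity -> detection) per discovery source, in days."""
    return {s: _mean_days(items, s, "first_activity", "detected")
            for s in ("proactive", "reactive")}


def containment_comparison(items):
    """Mean containment time (detection -> containment) per discovery source, in days."""
    return {s: _mean_days(items, s, "detected", "contained")
            for s in ("proactive", "reactive")}


def per_tactic(items):
    """Incidents per MITRE ATT&CK tactic (the input for the pie chart)."""
    return Counter(i.tactic for i in items)


def hunt_to_rule_rate(items):
    """Fraction of hunt-discovered incidents that produced a new detection rule."""
    hunts = [i for i in items if i.source == "proactive"]
    return sum(i.new_rule for i in hunts) / len(hunts)


def rule_precision(items):
    """Precision of analytics derived from hunts: TP / (TP + FP) across those rules."""
    tp = sum(i.rule_tp for i in items if i.new_rule)
    fp = sum(i.rule_fp for i in items if i.new_rule)
    return tp / (tp + fp)


if __name__ == "__main__":
    print("incidents by priority:", dict(by_priority(INCIDENTS)))
    print("since day 10:", dict(by_priority(INCIDENTS, since=T0 + timedelta(days=10))))
    print("proactive ratio:", proactive_ratio(INCIDENTS))
    print("dwell (days):", dwell_comparison(INCIDENTS))
    print("containment (days):", containment_comparison(INCIDENTS))
    print("per tactic:", dict(per_tactic(INCIDENTS)))
    print("hunt -> rule rate:", hunt_to_rule_rate(INCIDENTS))
    print("rule precision:", rule_precision(INCIDENTS))
```

Trend and comparison metrics only mean something when `first_activity` is filled in consistently during triage; if that field defaults to the detection time, dwell time collapses to zero and the proactive-vs-reactive comparison is lost.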
Methodologies
STRIDE
PASTA
VAST
Trike
CVSS
Attack Trees
Security Cards
hTMM
Microsoft SDL
References
[1] Peiris, Chris; Pillai, Binil; Kudrati, Abbas. Threat Hunting in the Cloud (p. 59). Wiley. Kindle Edition.
Methods, Methodologies, and Tools for Threat Modelling with Case Study - https://scindeks-clanci.ceon.rs/data/pdf/1821-3251/2020/1821-32512001056H.pdf
https://threatmodeler.com/threat-modeling-methodologies-overview-for-your-business/
https://www.exabeam.com/information-security/threat-modeling/
https://radiumhacker.medium.com/threat-modelling-frameworks-sdl-stride-dread-pasta-93f8ca49504e
Guide to Cyber Threat Modeling, Feb 2021
Experiences Threat Modeling at Microsoft, Adam Shostack, http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-413/paper12.pdf
https://reciprocity.com/blog/top-threat-modeling-methodologies/
https://www.insightsforprofessionals.com/it/security/threat-modeling-frameworks
THREAT MODELING: A SUMMARY OF AVAILABLE METHODS https://apps.dtic.mil/sti/pdfs/AD1084024.pdf
https://sansorg.egnyte.com/dl/cOvi7JZdRU
https://www.sans.org/blog/threat-modeling-hybrid-approach/
https://www.sans.org/blog/practical-risk-analysis-and-threat-modeling-spreadsheet/
Quantitative Threat Modeling Method
https://www.simplilearn.com/what-is-threat-modeling-article
Combining - https://www.insightsforprofessionals.com/it/security/threat-modeling-frameworks