SPOT: The Master Threat Hunting Database (MTHDB)
The Threat Hunt Team and Cyber Threat Intelligence (CTI) Connection
The Master Threat Hunting Database (MTHDB). The MTHDB is a defined repository that tracks Indicators of Compromise (IOC) that assist in determining who and what level of attack is deployed based upon such indicators, intelligence, patterns of attack, etc., that assists in formulating a better understanding of threat capabilities and motivations within the targeted IT environment. IOCs may be developed from internal experts, but there are several low-cost and no-cost solutions already deployed for the public and private sectors use for companies and agencies.
During initial analysis is performed in a triage manner to determine if immediate or high impact threats were detected, and if so, those are escalated using the established Incident Response Plan (IRP). The IR staff will be notified. If there are no findings, the CTI analysts Document the Findings and Updates the Case Status. This will include updates to the MTHDB in order to support ongoing trend analysis efforts. It is important that even events become part of the MTHDB record because while the event may have been determined to be reportable it may be a precursor of a future attack
The CTI Analysts are ultimately responsible for updating the MTHDB. It may take the form of a relational database or more advanced information sharing platform, for example, Microsoft’s Sharepoint®. It is the determination of company or agency leadership the resourcing to create, maintain, and support the long-term viability of an effective MTHDB.
The Threat Hunting team’s role is to collect the data and inputs of both a qualitative and quantitative nature to create a good database. Information is provided to the CTI Analysts during and after operations; however, the updating of the MTHDB should always be committed to the CTI team.
