Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes/practices are absolutely essential for an effective use of a network forensics tool?
I can think of a few off the top of my head:
1. incident response process (and, yes, I cringe as I am writing this as it is so painfully obvious)
2. indicator analysis process, which essentially means investigating a clue reported by a third party, logs, NIPS alerts, etc.
3. process for defining and refining capture policies
4. process for defining and refining detection alerts (if the tool is utilized for monitoring)
5. data exploration process aimed at understanding what is going on, or was going on, which may be based on a threat hypothesis or other suspicions (see additional details on this here)
Other ideas!? Do you think #5 is the same as #2 perhaps?
P.S. BTW, check out this great piece called “The Security Processes You Must Get Right.”