Summary
TheHive supports continuous improvement by optimizing alert triage, case management and response.
- Alerts are quickly triaged, with true positives escalated to full cases for detailed analysis.
- Responders neutralize threats, and the attacker's TTPs (MITRE ATT&CK techniques) recorded on the case drive the procedure that is followed for incidents like phishing or malware.
- The internal Knowledge Base is updated with new findings, and case templates are refined based on lessons learned.
Each incident feeds back into the response strategy, so the team becomes more efficient over time and the company's overall security posture is strengthened.
Scenario
A large multinational company has a dedicated incident response team that handles a constant flow of security alerts. Their goal is not only to respond to incidents efficiently but also to continuously improve their processes based on real-world experiences and lessons learned.
- Alert triage: The security team is regularly inundated with alerts from various detection systems. Each alert is triaged within TheHive, where analysts determine which alerts are false positives and which are true positives. Alerts that are identified as true positives are promoted to full Cases for further investigation, which ensures that the team focuses its efforts on genuine threats.
- Case management and analysis: Once an alert is confirmed as a true positive, it is escalated into a Case within TheHive. The team begins a thorough analysis of the observables associated with the case, such as IP addresses, URLs or file hashes. Using the Cortex analyzers integrated with TheHive, they determine whether these observables are malicious.
Throughout the investigation, case enrichment occurs as analyzers provide additional context by cross-referencing observables with threat intelligence feeds, previous cases and known IOCs. This deepens the team's understanding of the threat, revealing potential connections to broader attack patterns or known threat actors.
As each task is completed, the findings are documented, ensuring a clear and traceable workflow. For example, if an analyzer flags a specific URL as malicious, this enriched information is logged in the case and the observable is marked as an IOC, prompting the team to take appropriate actions, such as isolating a compromised endpoint or updating blocklists.
- Responders and TTPs: Based on the analysis, the team launches the appropriate responders to neutralize the threat. These actions could include isolating affected endpoints, blocking malicious IP addresses or triggering other defense mechanisms.
Additionally, the team records the TTPs observed in the case (as MITRE ATT&CK tactics and techniques) and follows the procedure that matches them, such as the phishing playbook or the malware outbreak playbook.
- Knowledge Base update: Throughout the investigation, the team consults and updates the internal Knowledge Base within TheHive. This repository contains detailed procedures, historical cases and best practices.
If a new phishing technique is discovered during the investigation, the team documents it in the Knowledge Base, ensuring that all members are aware of it for future incidents. Continuous documentation helps them stay updated with the latest threat landscape and improves their response strategies.
- Lessons learned and case template evolution: After resolving the case, the team conducts a "lessons learned" session. The analysts review the incident, analyzing what worked well and what could be improved.
If they identify gaps in their response process, such as a phishing technique that wasn't accounted for in the existing Case templates, they update the templates accordingly. This ensures that future incidents are handled even more efficiently, with the latest knowledge and strategies baked into the response process.
Outcome
By continuously refining their processes and tools, the incident response team becomes more effective over time. TheHive not only helps them manage and resolve incidents efficiently but also enables them to learn from each case.
The iterative process that TheHive supports, triage, analysis, response and improvement, ensures that the team keeps evolving, is better prepared for future threats and is capable of handling even the most sophisticated cyber-attacks.
The organization’s overall security posture is strengthened, and the team’s expertise grows with each incident they handle.