1a. Understand the environment

Teams must establish a thorough understanding of their environment, which is difficult because environments change constantly. That constant change makes the frequency of audits crucial, along with their repeatability and speed; automating as much of the process as possible is what makes frequent, repeatable audits feasible.

This step is well documented and practiced within IT management, but its value specific to security, threat hunting, and detection engineering is often underestimated or outright ignored.

Teams should regularly review and maintain:

  • Physical asset lists

  • Network diagrams

  • Logical and physical partitioning

  • User accounts and hostnames

  • Software applications and versions

  • Administrator accounts and permissions

  • Software updates and update cycle configurations and policies

  • Cloud and remote services

  • Business-to-business (B2B) and other expected external connections

  • Ingress and egress VPN configurations

Teams also need to decide how this data will be stored: a consolidated inventory of hosts, accounts, permissions, and external connections is itself highly sensitive and must be protected accordingly.
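One way to make the review above repeatable is to collect a point-in-time inventory snapshot on a schedule and diff it against the last reviewed baseline, so that only changes (a new host, a new administrator, a new external connection, a version change) need human attention. The following is an added example, not code from the original page; the two snapshots are constructed data, and the snapshot layout, the `diff_inventory` and `report` helpers, and the "always review" rule in `needs_review` are assumptions chosen for illustration.

```python
"""Diff two inventory snapshots and report the changes a reviewer should see.

Added example. BASELINE and CURRENT are constructed data, not collected
from any real environment; their keys mirror the review list above
(hostnames, software versions, administrator accounts, external connections).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed baseline: what the team reviewed and accepted last cycle.
BASELINE = {
    "hosts": {"web01": "10.0.1.10", "db01": "10.0.2.20", "jump01": "10.0.0.5"},
    "software": {
        "web01": {"nginx": "1.24.0", "openssl": "3.0.13"},
        "db01": {"postgresql": "15.6"},
    },
    "admins": {"alice", "bob"},
    "external_connections": {"partner-sftp.example:22", "vpn-gw.example:443"},
}

# Constructed current snapshot: what an automated collector found today.
CURRENT = {
    "hosts": {"web01": "10.0.1.10", "db01": "10.0.2.20", "web02": "10.0.1.11"},
    "software": {
        "web01": {"nginx": "1.24.0", "openssl": "3.0.13"},
        "db01": {"postgresql": "15.7"},
        "web02": {"nginx": "1.24.0"},
    },
    "admins": {"alice", "bob", "svc-backup"},
    "external_connections": {
        "partner-sftp.example:22", "vpn-gw.example:443", "203.0.113.9:8443",
    },
}


@dataclass
class InventoryDiff:
    added_hosts: Set[str] = field(default_factory=set)
    removed_hosts: Set[str] = field(default_factory=set)
    readdressed_hosts: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    software_changes: List[str] = field(default_factory=list)
    new_admins: Set[str] = field(default_factory=set)
    removed_admins: Set[str] = field(default_factory=set)
    new_external: Set[str] = field(default_factory=set)
    removed_external: Set[str] = field(default_factory=set)

    def needs_review(self) -> bool:
        # Assumed policy: new hosts, new admins and new external connections
        # always require a human sign-off; version drift alone does not.
        return bool(self.added_hosts or self.new_admins or self.new_external)


def diff_inventory(base: dict, cur: dict) -> InventoryDiff:
    """Compare two snapshots category by category."""
    d = InventoryDiff()
    bh, ch = base["hosts"], cur["hosts"]
    d.added_hosts = set(ch) - set(bh)
    d.removed_hosts = set(bh) - set(ch)
    d.readdressed_hosts = {
        h: (bh[h], ch[h]) for h in set(bh) & set(ch) if bh[h] != ch[h]
    }

    # Software is compared per host and per package; None marks absence.
    for host in set(base["software"]) | set(cur["software"]):
        before = base["software"].get(host, {})
        after = cur["software"].get(host, {})
        for pkg in set(before) | set(after):
            if before.get(pkg) != after.get(pkg):
                d.software_changes.append(
                    f"{host}:{pkg} {before.get(pkg)} -> {after.get(pkg)}"
                )
    d.software_changes.sort()

    d.new_admins = cur["admins"] - base["admins"]
    d.removed_admins = base["admins"] - cur["admins"]
    d.new_external = cur["external_connections"] - base["external_connections"]
    d.removed_external = base["external_connections"] - cur["external_connections"]
    return d


def report(d: InventoryDiff) -> List[str]:
    """Render the diff as one line per change, sorted for stable output."""
    lines: List[str] = []
    lines += [f"+host {h}" for h in sorted(d.added_hosts)]
    lines += [f"-host {h}" for h in sorted(d.removed_hosts)]
    lines += [f"~host {h} {a} -> {b}" for h, (a, b) in sorted(d.readdressed_hosts.items())]
    lines += [f"~software {s}" for s in d.software_changes]
    lines += [f"+admin {a}" for a in sorted(d.new_admins)]
    lines += [f"-admin {a}" for a in sorted(d.removed_admins)]
    lines += [f"+external {e}" for e in sorted(d.new_external)]
    lines += [f"-external {e}" for e in sorted(d.removed_external)]
    return lines


if __name__ == "__main__":
    diff = diff_inventory(BASELINE, CURRENT)
    print("\n".join(report(diff)))
    print("review required:", diff.needs_review())
```

In practice the snapshots would come from the collectors a team already runs (CMDB export, directory queries, firewall and VPN configuration dumps) and the accepted snapshot becomes the next baseline once the review is signed off; the diff, not the full inventory, is what gets read each cycle.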