DFIR Reference Frameworks
This repository is intended to provide a public reference to frameworks directly relevant to the DFIR community. It's common for the DFIR community to use terminology that isn't always well defined in the documentation they produce. This repository aims to help the DFIR community, and those reading information from the DFIR community, have a better understanding of defined terms and a more consistent approach to the language used in documentation.
Given the DFIR community is not a regulated industry, it's not common to find academic peer-reviewed papers for the majority of the topics below. For this reason, the Frameworks provided below are considered commonly used/accepted within the industry, or originate from well-known educational resrouces. This repository is not intended as a reference location to individual vendor methodologies. Any changes submitted need to show that the source meets these requirements.
Use of this Repository
You're welcome, and I encourage, you to use the references provided below. All I ask is if you find other useful references you drop me an Issue with the link and why you think it's useful, so I can add it for others to benefit from. Additoinally, if you really enjoy using these references, shoot me an email or a message just to let me know this was useful....that's it, enjoy.
Incident Response
| Description | Author | Link |
|---|---|---|
| Identification and Prevention of Cyber Activity | Lockheed Martin | The Cyber Kill Chain |
| Adversary Tactics and Techniques Categorisation | MITRE | ATT&CK Matrix |
| Sensitive Information Sharing/Classification | FIRST.org | Traffic Light Protocal |
| Event and Incident Vocabulary | Verizon | The Vocabulary for Event Recording and Incident Sharing (VERIS) |
| Detection Indicators Usefulness | David J Bianco | The Pyramid of Pain |
| Capabilities to Defend an Organization | Matt Swann | The Incident Response Hierarchy of Needs |
| DFIR Reporting | Lenny Zeltser | Report Template for Threat Intelligence and Incident Response |
| Incident Response Framework for OT Systems | Chris Sistrunk, Ken Proska, Glen Chason, Daniel Kapellmann | Introducing Mandiant's Digital Forensics and Incident Response Framework for Embedded OT Systems |
Malware Analysis
| Description | Author | Link |
|---|---|---|
| Malware Analysis Process | Lenny Zeltser | How You Can Start Learning Malware Analysis |
| Sharing Malware Samples | Lenny Zeltser | How to Share Malware Samples With Other Researchers |
Threat Intelligence
| Description | Author | Link |
|---|---|---|
| CTI Source Analysis/Assessment Framework | Sergio Caltagirone, Andrew Pendergast, Christopher Betz | The Diamond Model of Intrusion Analysis |
| CTI Likelihood and Confidence Taxonomies | MISP | MISP Estimative Language |
| CTI Structured Language | MITRE | Structured Threat Information Expression (STIX™) |
| Transport Framework for Sharing CTI | MITRE | Trusted Automated Exchange of Intelligence Information (TAXII™) |
| Assessing CTI Feeds Value | Kimberly K. Watson | Assessing The Potential Value Of Cyber Threat Intelligence (CTI) Feeds |
Proactive Response
| Description | Author | Link |
|---|---|---|
| Modeling Security Threats | Bruce Schneier | Attack Trees |
| Theat Modelling Framework | Microsoft | The STRIDE Threat Model |
| Vulnerability Scoring Framework | FIRST.org | Common Vulnerability Scoring System |
Threat Hunting
| Description | Author | Link |
|---|---|---|
| TTP-Based Hunting Methodology | MITRE | TTP-Based Hunting |
| Cyber Threat Hunting Model | Dan Gunter | A Practical Model for Conducting Cyber Threat Hunting |
| Threat Hunting Scenarios | @ThreatHuntProj | The Threat Hunting Project |
Insider Threat
| Description | Author | Link |
|---|---|---|
| Detecting and Identifying Insider Threats and Methodology | CISA | Detecting and Identifying Insider Threats |
| Whitepaper on Behaviour Indicators of Insider Threats | Eric D. Shaw, Ph.D. and Harley V. Stock, Ph.D | Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall |
| An Insider Threat Indicator Ontology Research Papaer | Carnegie Mellon University | An Insider Threat Indicator Ontology |
| Insider Threat Detection Case Study | NATO | Insider Threat Detection Study |
| Insider Threat Detection and Approach from CrowdStrike | Venu Shastri - CrowdStrike | Detecting Insider Threat Indicators |
| Insider Threat Detection for the Cloud | Dave Shackleford | How to Build a Detection and Response Strategy for Insider Threats |
Digital Forensics
| Description | Author | Link |
|---|