Summary
It is impossible to analyze all network activities one by one. The CTI process is not always straightforward, and you are not guaranteed to find all the elements of the CTI frameworks. However, the logic is that if an event happened, the evidence is there; you just need to search deeper and ensure that the organization has the data to support the investigation. Refer to Chapter 7, Threat Intelligence Data Sources, for the data collection and minimum data requirements needed to start a CTI program (a centralized data system, raw packet data capturing and storing, and so on). Note that SIEM tools (for example, Splunk, IBM QRadar, AlienVault USM, McAfee ESM, and so on) and TI platforms (TIPs) (for example, IBM X-Force Exchange, MISP, FireEye Mandiant, AlienVault USM, and so on) make threat and intrusion analysis and dissemination simpler than the manual approach. However, although manual intrusion analysis is complex, it is often an engaging and rewarding investigative process. Thus, an analyst...