This repository is intended to provide a public reference to frameworks directly relevant to the DFIR community. It's common for the DFIR community to use terminology that isn't always well defined in the documentation they produce. This repository aims to help the DFIR community, and those reading information from the DFIR community, have a better understanding of defined terms and a more consistent approach to the language used in documentation.
Given that the DFIR community is not a regulated industry, academic peer-reviewed papers are rare for the majority of the topics below. For this reason, the frameworks provided below are ones that are commonly used or accepted within the industry, or that originate from well-known educational resources. This repository is not intended as a reference for individual vendor methodologies. Any changes submitted need to show that the source meets these requirements.
Description | Author | Link |
---|---|---|
Identification and Prevention of Cyber Activity | Lockheed Martin | The Cyber Kill Chain |
Adversary Tactics and Techniques Categorisation | MITRE | ATT&CK Matrix |
Sensitive Information Sharing/Classification | FIRST.org | Traffic Light Protocol |
Event and Incident Vocabulary | Verizon | The Vocabulary for Event Recording and Incident Sharing (VERIS) |
Detection Indicators Usefulness | David J Bianco | The Pyramid of Pain |
Capabilities to Defend an Organization | Matt Swann | The Incident Response Hierarchy of Needs |
DFIR Reporting | Lenny Zeltser | Report Template for Threat Intelligence and Incident Response |
Description | Author | Link |
---|---|---|
Malware Analysis Process | Lenny Zeltser | How You Can Start Learning Malware Analysis |
Sharing Malware Samples | Lenny Zeltser | How to Share Malware Samples With Other Researchers |
Description | Author | Link |
---|---|---|
CTI Source Analysis/Assessment Framework | Sergio Caltagirone, Andrew Pendergast, Christopher Betz | The Diamond Model of Intrusion Analysis |
CTI Likelihood and Confidence Taxonomies | MISP | MISP Estimative Language |
CTI Structured Language | MITRE | Structured Threat Information Expression (STIX™) |
Transport Framework for Sharing CTI | MITRE | Trusted Automated Exchange of Intelligence Information (TAXII™) |
Assessing CTI Feeds Value | Kimberly K. Watson | Assessing The Potential Value Of Cyber Threat Intelligence (CTI) Feeds |
Description | Author | Link |
---|---|---|
Modeling Security Threats | Bruce Schneier | Attack Trees |
Threat Modelling Framework | Microsoft | The STRIDE Threat Model |
Vulnerability Scoring Framework | FIRST.org | Common Vulnerability Scoring System |
Description | Author | Link |
---|---|---|
TTP-Based Hunting Methodology | MITRE | TTP-Based Hunting |
Cyber Threat Hunting Model | Dan Gunter | A Practical Model for Conducting Cyber Threat Hunting |
Description | Author | Link |
---|---|---|