The DFIQ project (GitHub, website) is an open source collection of questions that analysts should ask during certain types of investigations. There’s a simple tagging system that allows a unique question to be associated with platforms, primitives like file or network knowledge, and of course MITRE ATT&CK techniques. Questions are used in the context of scenarios, which are effectively types of incidents.

Example: Cloud Project Compromise Assessment

alt

I’m not sure I can overstate the importance or utility of this project. DFIQ scenarios, facets, and questions are key ingredients used in incident response playbooks, and to have them organized and publicly available is an asset to the DFIR and cybersecurity communities.

Categories:

Updated: