Retrospective review of information gained from an operation .
Analysis is used to aggregate, examine, and evaluate the results of an operation. Analysis is useful for improving the defender's security posture through the synthesis of operational data. Additionally, analysis can be used to turn data into actionable intelligence about an adversary’s motivators, behaviors, tactics, and techniques.
Defenders can use analysis to gain insight into adversary activity and thus inform detection and analytics refinements. Reviewing the execution of an operation also provides feedback for the team to improve the quality of future operations. Finally, Analysis activities ensure that each operation is informed by the successes and learns from the failures of past operations.
|Distill Intelligence||Turn raw data gained during an operation into actionable intelligence.||SAC0008|
|Hotwash||Review the retrospective of operational activities.||SAC0006|
|Inform Threat Model||Update existing threat models based on intelligence gained during engagement operation.||SAC0009|
|Refine Operation Activities||Update and improve the implementation of operational activities to better achieve the strategic goal.||SAC0007|