“I think if you break it down into 6 categories you can begin to answer some of the questions. As you begin to answer these questions you should be building detection to help identify additional compromised assets, internal movement or the adversary attempting to regain access.
1. How did they get in?
2. How are they able to persist in your network?
3. How are they getting out?
4. How long were they able to persist in your network?
5. What did they do once they gained access?
6. What needs to be contained, investigated and remediated?”
Full article here.
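The quoted list is easier to act on when the answer to the first question (the account and source address the adversary came in through) is used as a seed to pull the remaining answers out of the logs. The script below is an added example and is not code from the quoted article or from this blog. It assumes a simplified, constructed authentication log format (`time event user src dst result`), a constructed sample log, and a `CONTAIN` event marking when the compromised account was disabled. Starting from one known-bad account and source, it walks the log in time order and expands the set of suspect accounts, sources and hosts (additional compromised assets), flags successful logons that did not come from the original entry point (internal movement), measures the span between the first and last adversary-linked event (how long they persisted), and reports any adversary-linked logon after containment, which is the "attempting to regain access" case; a `SUCCESS` there means containment was incomplete.

```python
"""Pivot from a confirmed initial compromise to detections for the other
questions in the list above. Added example, not code from the quoted
article. Assumes a constructed log format:
    <ISO-8601 time> <EVENT> <user> <src> <dst> <result>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed sample log (not real data). The assumed starting point is the
# answer to "how did they get in?": account jdoe from 203.0.113.7 via the VPN.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z LOGON jdoe 203.0.113.7 vpn-gw SUCCESS
2024-03-01T08:05:40Z LOGON jdoe 10.0.5.21 fileserver01 SUCCESS
2024-03-01T08:09:02Z LOGON jdoe 10.0.5.21 dc01 SUCCESS
2024-03-01T08:15:30Z LOGON svc_backup 10.0.5.21 sql01 SUCCESS
2024-03-01T09:00:00Z LOGON asmith 10.0.7.3 fileserver01 SUCCESS
2024-03-01T12:00:00Z CONTAIN jdoe - - DISABLED
2024-03-01T12:30:12Z LOGON jdoe 203.0.113.7 vpn-gw FAILURE
2024-03-01T12:31:05Z LOGON svc_backup 203.0.113.7 vpn-gw SUCCESS
"""


@dataclass
class Event:
    time: datetime
    kind: str
    user: str
    src: str
    dst: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src, dst, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kind, user, src, dst, result))
    return sorted(events, key=lambda e: e.time)


@dataclass
class Triage:
    compromised_accounts: Set[str]
    adversary_sources: Set[str]
    compromised_hosts: Set[str]
    lateral_movement: List[Event]   # successful logons not from the entry point
    regain_attempts: List[Event]    # adversary-linked logons after containment
    dwell: Optional[timedelta]      # first to last adversary-linked event


def triage(events: List[Event], initial_accounts, initial_sources) -> Triage:
    """Expand the known starting point through the log in time order.

    A logon is adversary-linked if its account or source is already suspect.
    A successful linked logon taints its account, source and destination, so
    later events from those identities are picked up too (additional assets).
    """
    accounts, sources, hosts = set(initial_accounts), set(initial_sources), set()
    lateral, regain = [], []
    first = last = None
    contain_times = [e.time for e in events if e.kind == "CONTAIN"]
    containment = min(contain_times) if contain_times else None

    for e in events:
        if e.kind != "LOGON" or not (e.user in accounts or e.src in sources):
            continue
        first = first or e.time
        last = e.time
        if containment is not None and e.time >= containment:
            regain.append(e)          # failures and successes both matter here
        if e.result != "SUCCESS":
            continue
        accounts.add(e.user)
        sources.add(e.src)
        hosts.add(e.dst)
        if e.src not in initial_sources:
            lateral.append(e)         # movement from inside, not the entry point

    dwell = (last - first) if first is not None else None
    return Triage(accounts, sources, hosts, lateral, regain, dwell)


if __name__ == "__main__":
    t = triage(parse_log(SAMPLE_LOG), {"jdoe"}, {"203.0.113.7"})
    print("compromised accounts:", sorted(t.compromised_accounts))
    print("compromised hosts:   ", sorted(t.compromised_hosts))
    print("internal movement:   ", [(e.user, e.src, e.dst) for e in t.lateral_movement])
    print("regain attempts:     ", [(e.user, e.src, e.result) for e in t.regain_attempts])
    print("dwell time:          ", t.dwell)
```

On the constructed log this pulls in `svc_backup` and `sql01` purely because the service account was used from the same source the compromised user had already been seen on, and it flags the post-containment `svc_backup` success from the original attacker address: disabling `jdoe` alone did not close the door. In a real environment the same loop would run continuously against new events, with the suspect account and source sets fed back into the SIEM as watchlists.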
Just a brief post: I signed up for PWK and the corresponding OSCP certification. Super excited for this course and the unique challenge many people have said it is. Can’t wait!
I will post more, of what I can, as the course starts and I start working through the lab.