After mulling it over for a while, though, I realized that the entire process really boiled down to a set of questions that the analyst needs to have answers for.
- Was this an actual attack?
- Was the attack successful?
- What other assets were also compromised?
- What activities did the attacker carry out?
- How should my organization respond to this attack?