You’re a security analyst investigating a confirmed intrusion on your corporate network. In your initial assessment you’ve learned that an external attacker has compromised a number of internal hosts, installed malicious software, and has had plenty of time to move laterally and send information back to her attack infrastructure. Initial isolation and containment have been performed, and your task now is to map out the full scope of the compromise and produce an exhaustive timeline of attacker activities so that a full impact assessment and root cause analysis can be performed. Looking at log files and host-specific information is helping you piece this together, but you need a way to discover additional compromised internal hosts and external attacker hosts by analyzing the communications between them. Without this you won’t be certain that you have your arms around the full extent of the intrusion.

In today’s security landscape, analysts find themselves in this high-pressure scenario much more frequently than they would prefer (their preference being never). And when they are in this situation, they enter a world of uncertainties. They are continually surrounded by questions like:
- Did we manage to identify and block all of the attacker’s infrastructure?
- Did we find all the affected internal hosts?
- What data or intellectual property did the attacker get to and were they able to exfiltrate it?
- Did the attacker go through us to attack another party?
- Are there any hidden infections, backdoors, or stealthy communication pathways we haven’t found yet?
- And on and on…