Scoping an Intrusion using Identity, Host, and Network Indicators
The second webcast of a two-part series, this webcast covers post-identification activities. The techniques covered here could also be used for initial identification, but they're discussed here as though an initial identification already exists and can be used as a starting point. The effort discussed herein, then, is to effectively determine the scope of an intrusion.
Defenders fail to discover the full extent of adversary infrastructure. Defenders claim containment without thoroughly searching for the adversary. Defenders limit the scope of their search for adversary capability and infrastructure to only the items already known, instead of accepting that the adversary isn't limited to the tactics and techniques we've discovered. In fact, it's in the adversary's interest to have heterogeneous capability so as to persist through the discovery of any one tactic or technique. Adversaries reuse infrastructure because maintaining multiple parallel infrastructures costs resources and adds complexity. A single infrastructure is frequently good enough, since defenders aren't consistently thorough in intrusion scope discovery or eradication.
This webcast highlights techniques for scoping an incident once it has been discovered, and the sources available on the network and on endpoints for identifying adversary infrastructure.
Register today to be among the first to receive the associated spotlight paper written by security expert Chris Crowley!
Relevant Government Agencies
Other Federal Agencies, Federal Government, State & Local Government
Event Type
Webcast
This event has no exhibitor/sponsor opportunities
When
Wed, Apr 28, 2021, 10:30am ET
Cost
Complimentary: $ 0.00
Organizer
SANS Institute