Threat Intelligence | Self-Questioning

How do we use threat intelligence when responding to a security incident?

While the Blue Team works primarily on defense, it also collaborates with the incident response team by supplying the data that lets responders find the root cause of the issue. Using the earlier Security Center example, we could simply hand the incident response team that search result, and for identifying the compromised system it would be good enough. But knowing which system was compromised is not the only goal of incident response.

At the end of the investigation, you must answer at least the following questions:

• Which systems were compromised?

• Where did the attack start?

• Which user account was used to start the attack? Did it move laterally?
        ° If it did, which systems were involved in this movement?

• Did it escalate privilege?
        ° If it did, which privileged account was compromised?

• Did it try to communicate with command and control?
        ° If it did, was it successful?
        ° If it was, did it download anything from there?
        ° If it was, did it send anything there?

• Did it try to clear evidence?
        ° If it did, was it successful?

These are some of the key questions you must answer by the end of the investigation. Answering them is what lets you truly close the case and be confident that the threat was completely contained and removed from the environment.
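The checklist above is easier to apply when the attributed events are correlated once and each question is answered from the timeline. The following is an added example for this article, not code from the original page or from Security Center: it takes a constructed list of events already tied to one incident (the field names such as `kind`, `c2_match` and `outcome` are a hypothetical normalized schema, not a vendor format) and produces an answer for every question in the list, including the caveat that a successful log clear makes that host's local logs unreliable.

```python
"""Answer the standard incident-response closing questions from an event timeline.

Added example for this article, not code from the original page. The event
schema and the sample timeline are constructed for illustration; the field
names (kind, c2_match, outcome, ...) are hypothetical and not a vendor format.
"""

# Constructed sample timeline of events already attributed to one incident
# (the analyst has pivoted through the SIEM and collected these). Timestamps are
# ISO 8601 UTC with a fixed width, so string order equals time order.
EVENTS = [
    {"ts": "2024-03-01T09:02:10Z", "host": "ws-017", "user": "jdoe",
     "kind": "malicious_doc_open", "detail": {"attachment": "invoice.docm"}},
    {"ts": "2024-03-01T09:03:30Z", "host": "ws-017", "user": "jdoe",
     "kind": "net_conn", "detail": {"dst": "203.0.113.45:443", "c2_match": True,
                                    "outcome": "success", "bytes_in": 48000, "bytes_out": 1200}},
    {"ts": "2024-03-01T09:20:00Z", "host": "ws-017", "user": "jdoe",
     "kind": "priv_escalation", "detail": {"target_account": "svc-backup", "method": "cached credential"}},
    {"ts": "2024-03-01T09:25:12Z", "host": "srv-file01", "user": "svc-backup",
     "kind": "remote_logon", "detail": {"src_host": "ws-017", "protocol": "SMB"}},
    {"ts": "2024-03-01T09:40:00Z", "host": "srv-file01", "user": "svc-backup",
     "kind": "net_conn", "detail": {"dst": "203.0.113.45:443", "c2_match": True,
                                    "outcome": "success", "bytes_in": 2000, "bytes_out": 350000}},
    {"ts": "2024-03-01T09:41:00Z", "host": "srv-file01", "user": "svc-backup",
     "kind": "log_clear", "detail": {"log": "Security", "outcome": "success"}},
    {"ts": "2024-03-01T09:42:00Z", "host": "ws-017", "user": "jdoe",
     "kind": "log_clear", "detail": {"log": "Security", "outcome": "blocked"}},
    {"ts": "2024-03-01T09:50:00Z", "host": "ws-017", "user": "jdoe",
     "kind": "net_conn", "detail": {"dst": "198.51.100.7:8443", "c2_match": True,
                                    "outcome": "blocked", "bytes_in": 0, "bytes_out": 0}},
]


def investigate(events):
    """Build answers to the closing questions from a list of attributed events."""
    if not events:
        raise ValueError("no attributed events: nothing to investigate")
    timeline = sorted(events, key=lambda e: e["ts"])
    first = timeline[0]

    # Which systems were compromised? Every host in the attributed timeline,
    # in order of first appearance. The first event gives the starting point.
    compromised = []
    for e in timeline:
        if e["host"] not in compromised:
            compromised.append(e["host"])

    # Lateral movement: remote logons, recorded as (source host, destination host).
    lateral = [(e["detail"]["src_host"], e["host"])
               for e in timeline if e["kind"] == "remote_logon"]

    # Privilege escalation: which accounts the attacker gained along the way.
    escalated_to = [e["detail"]["target_account"]
                    for e in timeline if e["kind"] == "priv_escalation"]

    # Command and control: attempted vs. successful, and what crossed the channel.
    # bytes_in/bytes_out are application-layer byte counts in this constructed
    # schema, so any non-zero value means a payload was actually transferred.
    c2 = [e for e in timeline if e["kind"] == "net_conn" and e["detail"].get("c2_match")]
    c2_ok = [e for e in c2 if e["detail"]["outcome"] == "success"]
    downloaded = sum(e["detail"]["bytes_in"] for e in c2_ok)
    uploaded = sum(e["detail"]["bytes_out"] for e in c2_ok)

    # Evidence clearing: a successful clear means that host's local logs cannot
    # prove the absence of activity; only forwarded copies can answer for it.
    clears = [e for e in timeline if e["kind"] == "log_clear"]
    clears_ok = [e for e in clears if e["detail"]["outcome"] == "success"]
    untrusted_hosts = sorted({e["host"] for e in clears_ok})

    return {
        "compromised_systems": compromised,
        "initial_host": first["host"],
        "initial_account": first["user"],
        "lateral_movement": lateral,
        "privileged_accounts_compromised": escalated_to,
        "c2_attempted": bool(c2),
        "c2_successful": bool(c2_ok),
        "c2_bytes_downloaded": downloaded,
        "c2_bytes_uploaded": uploaded,
        "evidence_clearing_attempted": bool(clears),
        "evidence_clearing_successful": bool(clears_ok),
        "hosts_with_unreliable_local_logs": untrusted_hosts,
    }


def format_report(report):
    """Render the answers in the same order as the checklist questions."""
    lines = [
        f"Compromised systems: {', '.join(report['compromised_systems'])}",
        f"Attack started on {report['initial_host']} using account {report['initial_account']}",
        "Lateral movement: " + (", ".join(f"{s} -> {d}" for s, d in report["lateral_movement"]) or "none"),
        "Privilege escalation: " + (", ".join(report["privileged_accounts_compromised"]) or "none"),
        f"C2 attempted: {report['c2_attempted']}, successful: {report['c2_successful']}, "
        f"downloaded {report['c2_bytes_downloaded']} bytes, uploaded {report['c2_bytes_uploaded']} bytes",
        f"Evidence clearing attempted: {report['evidence_clearing_attempted']}, "
        f"successful: {report['evidence_clearing_successful']}"
        + (f" (local logs unreliable on {', '.join(report['hosts_with_unreliable_local_logs'])})"
           if report["hosts_with_unreliable_local_logs"] else ""),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(investigate(EVENTS)))
```

The point of the last field in the report is the one practitioners most often miss: once a log clear succeeded on srv-file01, the absence of later events in that host's local log proves nothing, so the "was the threat completely removed" conclusion has to rest on logs forwarded off the host before the clear.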
