Patient zero: Identify the source of an attack
In this scenario, an organization is alerted to a suspected breach. It seeks to find the initial point of an attack to isolate the source. The organization must quarantine the compromised entities to prevent the spread of the attack to other parts of the organization.
Objectives
To solve the problem in this investigation, the organization has these objectives:
- Determine the type of attack.
- Identify the initial entry point of the threat.
- Get details about the malicious payload.
- Understand how the malicious payload was disseminated beyond the point of entry.
Investigation
Use the tools on the Forensics tab to help you investigate.
- Use free-form search to search for symptomatic attributes that are associated with the malicious payload.
- Use content categories to filter out content that isn't relevant to the investigation.
- Examine suspect content that is flagged by the product.
- Use Digital Impressions and visualizations to explore extended relationships of the malicious payload, perpetrator, or target.
- Use data pivoting and follow data linkages to identify patient zero.
- Use Surveyor to see a timeline of activities so that you can retrace an attack.
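The last two steps, ordering the payload's movements on a timeline and following the transfer linkages back to the first host that received it, can be carried out on exported event data as well. The following is an added example, not part of the product or this page; the event tuples are constructed sample data, and the field layout (timestamp, sender, receiver, file hash) is an assumption about how the events were normalized.

```python
from collections import defaultdict

# Constructed sample events (assumed layout, not product output):
# (ISO-8601 timestamp, sender, receiver, hash of the transferred file).
# "mail-gw" is the perimeter; every other name is an internal host.
EVENTS = [
    ("2024-03-01T09:31:00Z", "ws-017", "ws-051", "bad-hash"),
    ("2024-03-01T09:12:00Z", "mail-gw", "ws-017", "bad-hash"),
    ("2024-03-01T09:20:10Z", "ws-042", "srv-03", "bad-hash"),
    ("2024-03-01T08:55:00Z", "ws-009", "ws-010", "benign-hash"),
    ("2024-03-01T09:15:30Z", "ws-017", "ws-042", "bad-hash"),
    ("2024-03-01T09:40:00Z", "ws-099", "ws-100", "bad-hash"),  # no known link
]


def timeline(events, payload_hash):
    """Events that carried the payload, oldest first (ISO timestamps sort lexically)."""
    return sorted(e for e in events if e[3] == payload_hash)


def trace_patient_zero(events, payload_hash):
    """Walk the payload's timeline and follow each transfer linkage.

    entry_point   - sender of the earliest transfer (how the payload got in)
    patient_zero  - first host to receive it
    spread        - infected host -> hosts it passed the payload to, in order
    unexplained   - transfers from a host with no recorded infection; these
                    point to a second entry point or to missing telemetry
    quarantine    - every host that sent or received the payload
    """
    chain = timeline(events, payload_hash)
    if not chain:
        return {"entry_point": None, "patient_zero": None, "spread": {},
                "unexplained": [], "quarantine": set()}
    _, entry_point, patient_zero, _ = chain[0]
    infected = {patient_zero}
    spread = defaultdict(list)
    unexplained = []
    for _, src, dst, _ in chain[1:]:
        if src in infected:
            spread[src].append(dst)
        else:
            # Flag the gap instead of silently attaching it to the known chain.
            unexplained.append((src, dst))
            infected.add(src)  # it held the payload, so it is quarantined too
        infected.add(dst)
    return {"entry_point": entry_point, "patient_zero": patient_zero,
            "spread": dict(spread), "unexplained": unexplained,
            "quarantine": infected}
```

The `unexplained` list is the part worth checking first: a transfer whose sender never appears as a receiver means either a second entry point or a blind spot in the captured data.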