Leveraging threat intelligence to investigate suspicious activity
At this point, there should be no doubt that feeding threat intelligence into your detection system is imperative. Now, how do you take advantage of this information when responding to a security incident? While the Blue Team works primarily on the defense system, it also collaborates with the incident response team by providing the data that can lead them to the root cause of the issue. If we use the previous example from Security Center, we could simply hand them that search result, and it would be a good starting point. But knowing which system was compromised is not the only goal of an incident response.
At the end of the investigation, you must answer at least the following questions:
- Which systems were compromised?
- Where did the attack start?
- Which user account was used to start the attack?
- Did it move laterally?
- If it did, what were the systems involved in this movement?
- Did it escalate privilege?
- If it did, which privilege...
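As an added example (not from the book and not Security Center's own logic), here is how the questions above map to evidence in Windows Security events. It runs over a constructed set of 4624 (logon), 4672 (special privileges assigned) and 4688 (process creation) events; the host names, accounts, IP addresses, asset inventory and indicator list are all made up, and the dictionaries only approximate the real event fields.

```python
"""Answer the incident-response questions above from Windows Security events.

Added example, not from the book. The events, hosts, accounts, IPs and the
indicator list are constructed; the field names only approximate the real
Event IDs 4624 (logon), 4672 (special privileges assigned to new logon)
and 4688 (process creation). 4688 data needs process-creation auditing
enabled, which is not the default.
"""

# Constructed sample log. Logon types: 2 = interactive, 3 = network
# (SMB/WMI/PsExec style), 10 = RemoteInteractive (RDP).
EVENTS = [
    {"ts": "2024-03-01T09:01:00Z", "host": "WS01", "id": 4624, "user": "jdoe",
     "logon_type": 2, "src_ip": "-"},
    {"ts": "2024-03-01T09:05:00Z", "host": "WS01", "id": 4688, "user": "jdoe",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-03-01T09:07:00Z", "host": "FS01", "id": 4624, "user": "jdoe",
     "logon_type": 3, "src_ip": "10.0.0.11"},
    {"ts": "2024-03-01T09:09:00Z", "host": "FS01", "id": 4688, "user": "jdoe",
     "process": "mimikatz.exe", "parent": "cmd.exe"},
    {"ts": "2024-03-01T09:12:00Z", "host": "DC01", "id": 4624, "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.20"},
    {"ts": "2024-03-01T09:12:01Z", "host": "DC01", "id": 4672, "user": "svc_backup",
     "privileges": "SeDebugPrivilege SeBackupPrivilege"},
]

# Constructed asset inventory: needed to turn a 4624 source IP into a host.
HOST_IPS = {"WS01": "10.0.0.11", "FS01": "10.0.0.20", "DC01": "10.0.0.5"}

# Toy indicator set standing in for a threat-intelligence feed.
SUSPICIOUS_PROCESSES = {"mimikatz.exe", "powershell.exe"}
LATERAL_LOGON_TYPES = {3, 10}


def entry_point(events):
    """Where did the attack start, and which account started it?
    First suspicious process creation in time order."""
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] == 4688 and e["process"].lower() in SUSPICIOUS_PROCESSES:
            return {"host": e["host"], "user": e["user"], "ts": e["ts"],
                    "parent": e["parent"]}
    return None


def lateral_movement(events, start_host):
    """Did it move laterally, and through which systems?
    Follow network/RDP logons whose source IP belongs to a host that is
    already known to be compromised. Returns (hops, compromised_hosts)."""
    ip_to_host = {ip: h for h, ip in HOST_IPS.items()}
    compromised = [start_host]
    hops = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] != 4624 or e.get("logon_type") not in LATERAL_LOGON_TYPES:
            continue
        src = ip_to_host.get(e["src_ip"])
        if src in compromised and e["host"] not in compromised:
            compromised.append(e["host"])
            hops.append({"from": src, "to": e["host"],
                         "user": e["user"], "ts": e["ts"]})
    return hops, compromised


def privilege_escalation(events, compromised, start_user):
    """Did it escalate privilege, and which privileges?
    4672 on a compromised host; flag when the account differs from the
    one that started the attack (a credential pivot)."""
    return [{"host": e["host"], "user": e["user"],
             "privileges": e["privileges"].split(),
             "new_account": e["user"] != start_user}
            for e in events
            if e["id"] == 4672 and e["host"] in compromised]


def investigate(events):
    """Answer the checklist in one pass; returns None if no entry point."""
    start = entry_point(events)
    if start is None:
        return None
    hops, compromised = lateral_movement(events, start["host"])
    escalations = privilege_escalation(events, compromised, start["user"])
    return {
        "compromised_systems": compromised,
        "attack_started_on": start["host"],
        "initial_account": start["user"],
        "moved_laterally": bool(hops),
        "lateral_path": hops,
        "escalated_privilege": bool(escalations),
        "escalations": escalations,
    }


if __name__ == "__main__":
    for question, answer in investigate(EVENTS).items():
        print(f"{question}: {answer}")
```

The propagation in `lateral_movement` is the part worth keeping: a host counts as compromised only when the logon's source IP resolves to a host already on the list, which is how you distinguish the attacker's hops from the ordinary network logons the same accounts generate all day. Note that the account changes between the second and third hop; that pivot from `jdoe` to `svc_backup` is the first hint of credential theft, and the 4672 on DC01 confirms it.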