
Plan a response


Organizations shouldn’t attempt to evict an intruder until they have a good working understanding of the topology of the intrusion. Similarly, the method through which an intruder is evicted and vulnerabilities are remediated should be planned rather than executed in an ad hoc manner.

The red team most likely has fallback strategies. A well-planned response counters the attacker's fallback strategies. A purely reactive response can turn into “whack a mole”, where the attacker has a counter move up their sleeve. That can include becoming stealthier so that it seems as though they have been evicted from the network, when in reality they have moved laterally to a newly compromised host and temporarily ceased activities while they wait out the blue team’s countermeasures.

From an organizational perspective, while time is of the essence in evicting the intruder, in most real-world situations the intruder is only detected long after they have infiltrated the network. This means it is unlikely that substantively more harm will occur in the time it takes the blue team to formulate an effective response than would occur if the blue team responded immediately and in an ad hoc manner.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security.

Created by
FutureLearn - Learning For Life
