In times of distress and attack there are heroes who come and deal with the situation. This is the Incident Response (IR) team! On this day, Juan Ortega, from the reputable Warner Brothers Security team, came to give a workshop on how to identify, analyze, and remediate compromises on a network.
You may be wondering what the difference is between attacks and compromises. The simple answer is that Indicators of Attack are typically used to identify the attacker while an attack is in progress, whereas Indicators of Compromise deal more with the aftermath of an attack, answering questions such as “What happened?”
Throughout the workshop, we learned about some Indicators of Compromise that would be very useful in an IR situation, such as unusual outbound network traffic, HTML response sizes, and unusual DNS requests. To find these anomalies, tools like FireEye and Wireshark can be used. With these same tools and others, you can analyze the data and determine how the attack was performed. Once analyzed, the threat can be remediated by closing ports and applying other techniques to prevent the attack from recurring.
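As an added example (not from the workshop or this post's author), here is a small Python triage script that flags the three indicators named above in a handful of constructed flow records. The field names, the MAD-based outlier threshold, and the DNS length/entropy cut-offs are assumptions chosen for illustration, not values from the workshop.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample flows (not real traffic): one record per client host.
# out  = bytes sent outbound, resp = HTML response size seen, dns = query name observed.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "out": 12_000, "resp": 4_100, "dns": "www.example.com"},
    {"src": "10.0.0.6", "out": 9_500, "resp": 3_900, "dns": "cdn.example.net"},
    {"src": "10.0.0.7", "out": 11_000, "resp": 4_300, "dns": "mail.example.org"},
    # Assumed compromised host: large upload, oversized response, encoded-looking DNS label.
    {"src": "10.0.0.8", "out": 950_000, "resp": 250_000,
     "dns": "a9f3c1e7b2d4f6a8c0e1b3d5f7a9c2e4.bad.example"},
]


def robust_outliers(values, k=6.0):
    """Indices whose value lies more than k median-absolute-deviations above the median.
    MAD is used instead of standard deviation so a single huge value cannot hide itself
    by inflating the spread it is measured against."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return [i for i, v in enumerate(values) if (v - med) / mad > k]


def shannon_entropy(s):
    """Bits of entropy per character; encoded or random labels score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def unusual_dns(name, min_len=30, min_entropy=3.5):
    """Flag a query whose leftmost label is both long and high-entropy (assumed thresholds)."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_indicators(flows):
    """Map each source host to the list of indicators it triggered."""
    hits = defaultdict(list)
    for i in robust_outliers([f["out"] for f in flows]):
        hits[flows[i]["src"]].append("unusual outbound volume")
    for i in robust_outliers([f["resp"] for f in flows]):
        hits[flows[i]["src"]].append("unusual response size")
    for f in flows:
        if unusual_dns(f["dns"]):
            hits[f["src"]].append("unusual DNS query")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in find_indicators(SAMPLE_FLOWS).items():
        print(host, "->", ", ".join(reasons))
```

On real data the baseline should come from a longer window of normal traffic rather than the same batch being scored, otherwise a host that is always noisy defines its own baseline.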