It’s another day, and I am excited to investigate another PCAP file in Wireshark. Identification is the second step of the incident response process. Even though I’m not yet employed as a professional, I still tackle it with seriousness and urgency, as though it happened on my client’s network. And even though the incident may have happened weeks, months, or even years ago, I still treat the incident as though it happened today. I’m working through the PCAP challenges provided by Brad at, which focus on analyzing Windows-based malware-infected network traffic. I customized Wireshark based on his suggestions, and find it extremely helpful in gathering relevant information. The first thing I do is take note of the LAN segment range (which is usually provided), so I’m aware of the known-good endpoints/IP addresses in the client’s network. The more information I have to begin with, the better.
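A first-pass triage of the kind described above (treat the provided LAN segment range as the known-good baseline, then list which internal hosts exchanged packets with addresses outside it), as an added example that is not from the original post or from the PCAP challenges: a small pure-Python pcap reader run over a constructed capture. The 10.0.0.0/24 segment and every address in it are assumed sample values, not data from any real case.

```python
import ipaddress
import struct
from collections import Counter

LAN_SEGMENT = ipaddress.ip_network("10.0.0.0/24")  # assumed; use the range the client gave you

def ipv4_frame(src, dst, proto=6):
    """Constructed Ethernet + IPv4 header with no payload (enough for host triage)."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip

def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sample_pcap():
    """Constructed capture: two LAN hosts, one internal exchange, two external peers."""
    return build_pcap([
        ipv4_frame("10.0.0.5", "203.0.113.7"),
        ipv4_frame("203.0.113.7", "10.0.0.5"),
        ipv4_frame("10.0.0.5", "10.0.0.1"),         # LAN-internal, must not be flagged
        ipv4_frame("10.0.0.5", "203.0.113.7"),
        ipv4_frame("10.0.0.9", "198.51.100.20"),
    ])

def iter_ipv4(pcap):
    """Yield (src, dst) for every IPv4-over-Ethernet packet in a little-endian pcap."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "little-endian pcap only"
    off = 24                                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4, or truncated
        yield ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])

def external_peers(pcap, lan=LAN_SEGMENT):
    """For each LAN host, count packets exchanged with addresses outside the segment."""
    peers = {}
    for src, dst in iter_ipv4(pcap):
        for inside, outside in ((src, dst), (dst, src)):
            if inside in lan and outside not in lan and not outside.is_multicast:
                peers.setdefault(str(inside), Counter())[str(outside)] += 1
    return peers
```

Hosts that appear in the result are the ones to open first in Wireshark; the function deliberately ignores LAN-internal traffic and multicast so the baseline stays narrow.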