Indicators of compromise are more accurately indicators of possible compromise. When you see a likely DGA (domain generation algorithm) DNS query pop up, a hit on your threat-intel list, a weird process lineage combination in host logs, an unrecognized DLL loaded, or PowerShell being run by an end user – you are seeing indicators of possible compromise.
It takes investigation to determine whether it is just innocently weird or part of an actual attack. That one event is only one link in a cascade of connected events, and to decide whether it is an actual attack you need to be able to follow that deterministic chain of events in both directions in time: what happened before the event, and what happened after it?
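The following is an added illustration (not part of the original webinar text) of what "following the chain in both directions" looks like for one of the indicators named above: PowerShell started by an end user. The process-creation events, user names, image names and the admin allow-list are all constructed for this example; the script flags the indicator, then walks the parent chain backwards and the child tree forwards to produce the lineage an analyst would review.

```python
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields, values made up).
# "ts" is event time (monotonically increasing here), "ppid" is the parent process id.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 4,   "user": "CORP\\alice",          "image": "explorer.exe"},
    {"ts": 2, "pid": 200, "ppid": 100, "user": "CORP\\alice",          "image": "outlook.exe"},
    {"ts": 3, "pid": 300, "ppid": 200, "user": "CORP\\alice",          "image": "winword.exe"},
    {"ts": 4, "pid": 400, "ppid": 300, "user": "CORP\\alice",          "image": "powershell.exe"},
    {"ts": 5, "pid": 500, "ppid": 400, "user": "CORP\\alice",          "image": "updater_tool.exe"},  # constructed name
    {"ts": 6, "pid": 600, "ppid": 100, "user": "CORP\\alice",          "image": "chrome.exe"},
    {"ts": 7, "pid": 700, "ppid": 4,   "user": "NT AUTHORITY\\SYSTEM", "image": "svchost.exe"},
    {"ts": 8, "pid": 800, "ppid": 700, "user": "CORP\\bob-admin",      "image": "powershell.exe"},
]

# Constructed allow-list: accounts that are expected to run PowerShell interactively.
ADMIN_USERS = {"CORP\\bob-admin"}


def flag_indicators(events):
    """Indicator rule from the text: PowerShell started by an end user (not on the admin list)."""
    return [e for e in events
            if e["image"].lower() == "powershell.exe" and e["user"] not in ADMIN_USERS]


def _index(events):
    """Build pid -> creation event and ppid -> [child events] lookups."""
    by_pid = {}
    children = defaultdict(list)
    for e in events:
        by_pid[e["pid"]] = e          # latest creation event wins if a pid was reused
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestors(events, event):
    """Walk backwards in time: parent, grandparent, ... until no creation event is known."""
    by_pid, _ = _index(events)
    chain, seen, cur = [], {event["pid"]}, event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        parent = by_pid[cur["ppid"]]
        # PID-reuse guard: a genuine parent was created no later than its child.
        if parent["ts"] > cur["ts"]:
            break
        chain.append(parent)
        seen.add(parent["pid"])
        cur = parent
    return list(reversed(chain))      # oldest first


def descendants(events, event):
    """Walk forwards in time: children, grandchildren, ... (breadth-first)."""
    _, children = _index(events)
    out, queue = [], [event]
    while queue:
        cur = queue.pop(0)
        for child in children.get(cur["pid"], []):
            if child["ts"] >= cur["ts"]:   # same PID-reuse guard, forward direction
                out.append(child)
                queue.append(child)
    return sorted(out, key=lambda e: e["ts"])


def investigate(events):
    """For every indicator, return its full lineage (before and after) as image names in time order."""
    result = {}
    for hit in flag_indicators(events):
        chain = ancestors(events, hit) + [hit] + descendants(events, hit)
        result[hit["pid"]] = [e["image"] for e in chain]
    return result


if __name__ == "__main__":
    for pid, chain in investigate(EVENTS).items():
        print(f"indicator pid={pid}: " + " -> ".join(chain))
```

On the constructed data the admin's PowerShell (pid 800) is filtered out by the rule, while the end user's PowerShell (pid 400) is traced back through winword.exe and outlook.exe (the mail-borne document that spawned it) and forward to the unrecognized binary it launched. Real investigations also need the matching network, DNS and authentication events joined on the same time window and process ids, but the two-direction walk is the same.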
In this webinar, we will present a sophisticated but typical attack that begins with a spear-phishing email, installs a remote administration tool, and then uses pass-the-hash and related techniques to spread laterally to other systems, all the while communicating with its C&C server.