Why do many #DFIR reports lack network forensics? I don't think finding the C2 address is enough. Why don't you create a timeline using the network data? Like 👇
"C2 comm started with 5min sleep, then was changed to 10sec and data transfer was observed during this period...
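The timeline the post asks for can be derived from ordinary flow records (timestamp, source, destination, port, bytes out). The script below is an added illustration, not code from anyone in this thread: it splits the connections to a known C2 address into phases of stable sleep interval and marks the windows in which the beacon carried far more data than usual. The flow records, the internal host 10.0.0.5 and the C2 address 203.0.113.45 (a TEST-NET-3 documentation address) are all constructed for the example.

```python
"""Build a C2 communication timeline from flow records.

Added example; the flow records and addresses below are constructed,
not taken from any real investigation.
"""
from datetime import datetime
from statistics import mean
from typing import NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


C2 = "203.0.113.45"  # constructed C2 address (TEST-NET-3)


def _t(hhmmss: str) -> datetime:
    return datetime.fromisoformat(f"2022-02-01T{hhmmss}")


# Constructed: ~5 min beacons, a burst of 10 s beacons carrying data, then back to ~5 min.
FLOWS = [
    Flow(_t("10:00:00"), "10.0.0.5", C2, 443, 420),
    Flow(_t("10:05:01"), "10.0.0.5", C2, 443, 418),
    Flow(_t("10:10:00"), "10.0.0.5", C2, 443, 425),
    Flow(_t("10:15:02"), "10.0.0.5", C2, 443, 430),
    Flow(_t("10:15:12"), "10.0.0.5", C2, 443, 1_200_000),
    Flow(_t("10:15:22"), "10.0.0.5", C2, 443, 1_150_000),
    Flow(_t("10:15:32"), "10.0.0.5", C2, 443, 980_000),
    Flow(_t("10:15:42"), "10.0.0.5", C2, 443, 410),
    Flow(_t("10:20:41"), "10.0.0.5", C2, 443, 422),
    Flow(_t("10:25:42"), "10.0.0.5", C2, 443, 419),
    Flow(_t("10:07:00"), "10.0.0.5", "198.51.100.7", 80, 3000),  # unrelated, must be ignored
]


def _c2_flows(flows, c2):
    return sorted((f for f in flows if f.dst == c2), key=lambda f: f.ts)


def beacon_phases(flows, c2, tolerance=0.2):
    """Split consecutive C2 connections into phases of stable sleep interval.

    A new phase starts when the gap to the next connection deviates from the
    running mean of the current phase by more than `tolerance` (a fraction).
    Returns dicts with start, end, mean interval in seconds and connection count.
    """
    phases = []
    cur = None
    for prev, nxt in zip(_c2_flows(flows, c2), _c2_flows(flows, c2)[1:]):
        gap = (nxt.ts - prev.ts).total_seconds()
        if cur is not None and abs(gap - mean(cur["gaps"])) <= tolerance * mean(cur["gaps"]):
            cur["end"] = nxt.ts
            cur["gaps"].append(gap)
        else:
            cur = {"start": prev.ts, "end": nxt.ts, "gaps": [gap]}
            phases.append(cur)
    return [
        {"start": p["start"], "end": p["end"],
         "interval_s": round(mean(p["gaps"])), "count": len(p["gaps"]) + 1}
        for p in phases
    ]


def data_transfer_windows(flows, c2, beacon_bytes=1024):
    """Group consecutive C2 connections that sent more than a normal beacon.

    Returns (start, end, total_bytes) tuples; `beacon_bytes` is the size above
    which a connection is treated as carrying data rather than a heartbeat.
    """
    windows, cur = [], None
    for f in _c2_flows(flows, c2):
        if f.bytes_out > beacon_bytes:
            if cur is None:
                cur = [f.ts, f.ts, 0]
                windows.append(cur)
            cur[1], cur[2] = f.ts, cur[2] + f.bytes_out
        else:
            cur = None
    return [tuple(w) for w in windows]


def timeline(flows, c2):
    """Merge beacon phases and transfer windows into a time-ordered narrative."""
    fmt = lambda d: d.strftime("%H:%M:%S")
    events = [(p["start"], f"{fmt(p['start'])} - {fmt(p['end'])}  beacon every ~{p['interval_s']}s "
                           f"({p['count']} connections)") for p in beacon_phases(flows, c2)]
    events += [(s, f"{fmt(s)} - {fmt(e)}  data transfer of {b:,} bytes")
               for s, e, b in data_transfer_windows(flows, c2)]
    return [line for _, line in sorted(events, key=lambda x: x[0])]


if __name__ == "__main__":
    print("\n".join(timeline(FLOWS, C2)))
```

Run against real data, the `FLOWS` list would be replaced by exported NetFlow, Zeek `conn.log` or firewall records for the suspect host; the phase boundaries then line up directly with host-side evidence (process start, scheduled task, file access) to give the "sleep changed from 5 min to 10 s while data moved" narrative the post describes.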
Because 9 times out of 10 this data doesn’t exist in the client’s environment. Lucky to get Windows event logs that haven’t rolled…
Our perspective is colored by being third-party IR teams. Orgs that have good network telemetry are generally mature enough to have working IR capability in-house and so would never call us.
Feb 2, 2022 · 2:17 AM UTC