ABSTRACT

This chapter discusses the process of characterizing, scoping, and investigating attacker activity with the goal of eviction and recovery. Skilled incident responders seem to innately know where to look for the next piece of information, but have historically lacked a general model that can be used to tie all of this together. At the most basic level, an attack can be categorized based on its level of targeting. Human-operated attacks can be broken down into phases based on the techniques employed by the attacker. Reconnaissance is a tactic used by an attacker to discover available forms of access, authorization checks, exploitable vulnerabilities, and opportunities for credential theft prior to initial access. Resource development is all about creating or obtaining any capability required for an attack against the victim. Persistence acts as insurance for the attacker, ensuring their ability to maintain control over the compromised entity in the event of a response action.