Pinpointing threats and victims

As we saw in Chapter 1, Classifying Threats, attributing actions to threat actors is an important cybersecurity task. Additionally, pinpointing the machines that were targeted is central to the containment phase of the NIST incident response guidelines covered in Chapter 7, Roles and Responsibilities During an Incident. This matters most when a targeted machine has actually been compromised rather than merely probed.

In this section, we will learn how to describe the retrospective analysis method for finding a malicious file, and how to identify compromised hosts in a network from the reports produced by network monitoring tools and threat analyses. Specifically, we will work from the kind of report produced by AMP Threat Grid, which we saw in Chapter 1, Classifying Threats. This maps to objectives 4.5 and 4.6 in the 210-255 topic list:

Implementing Cisco Cybersecurity Operations (210-255) topic list:

4.5 Describe the retrospective analysis method to find a malicious file, provided file analysis report
4.6 Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains

In the aftermath of an incident, the CSIRT will receive a multitude of analysis reports. Rapid operator analysis of those reports can be the difference between having to contain and recover one host and having to do so for every host on the network.
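The two objectives above are, in practice, one retrospective sweep: take the indicators from an analysis report (a file hash whose verdict has changed to malicious, the IP addresses and domains the sample contacted) and search the logs you already hold for every host that touched them before the verdict arrived. The following is an added example, not code from the book or from any Cisco product. The report dictionary, the log lines and their key=value format, and the function names are all constructed for illustration; real DNS, flow and endpoint logs would need their own parsers, but the matching logic is the same.

```python
"""Retrospective IOC sweep over constructed log data (added example).

Assumptions (not from the page): THREAT_REPORT and LOG_LINES are made-up
samples in a simplified key=value log format; function names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed SHA-256 (64 hex chars) standing in for the reported sample.
HASH = "ab" * 32

# Constructed threat analysis report. "verdict_time" is when the sandbox
# verdict changed to malicious: anything observed before it passed through
# while the file/address was still considered clean, which is what a
# retrospective sweep has to find.
THREAT_REPORT = {
    "verdict_time": "2023-03-01T12:00:00Z",
    "ips": {"198.51.100.23", "203.0.113.77"},
    "domains": {"update-cdn.example.net"},
    "sha256": {HASH},
}

# Constructed log lines: DNS resolver, flow export, endpoint file events.
LOG_LINES = f"""\
2023-03-01T10:02:11Z dns client=10.1.1.5 query=update-cdn.example.net answer=198.51.100.23
2023-03-01T10:02:13Z flow src=10.1.1.5 dst=198.51.100.23 dport=443 bytes=48211
2023-03-01T10:03:00Z file host=10.1.1.5 sha256={HASH} path=C:\\Users\\j\\update.exe
2023-03-01T10:10:40Z dns client=10.1.1.9 query=www.example.com answer=93.184.216.34
2023-03-01T11:30:02Z file host=10.1.2.20 sha256={HASH} path=D:\\tools\\update.exe
2023-03-01T13:05:00Z flow src=10.1.3.8 dst=203.0.113.77 dport=8080 bytes=1200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|flow|file) (?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": m.group("ts"), "kind": m.group("kind"), **fields}


def domain_hit(name, bad_domains):
    """True if name equals a reported domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def sweep(lines, report):
    """Return {host: [(timestamp, reason, before_verdict), ...]} for every
    host whose DNS, flow or file activity matches an indicator in the report."""
    hits = defaultdict(list)
    for raw in lines.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        host = why = None
        if ev["kind"] == "dns":
            if domain_hit(ev["query"], report["domains"]):
                host, why = ev["client"], f"resolved {ev['query']}"
            elif ev.get("answer") in report["ips"]:
                host, why = ev["client"], f"resolved a name to {ev['answer']}"
        elif ev["kind"] == "flow":
            if ev["dst"] in report["ips"]:
                host, why = ev["src"], f"connected to {ev['dst']}:{ev['dport']}"
        elif ev["kind"] == "file":
            if ev["sha256"].lower() in report["sha256"]:
                host, why = ev["host"], f"file {ev['path']} matches reported SHA-256"
        if host is not None:
            # ISO-8601 timestamps in UTC with fixed width compare correctly as strings.
            before_verdict = ev["ts"] < report["verdict_time"]
            hits[host].append((ev["ts"], why, before_verdict))
    return dict(hits)


def compromised_hosts(lines, report):
    """Sorted list of hosts to put on the containment list."""
    return sorted(sweep(lines, report))


if __name__ == "__main__":
    for host, events in sweep(LOG_LINES, THREAT_REPORT).items():
        for ts, why, retro in events:
            tag = "RETROSPECTIVE" if retro else "post-verdict"
            print(f"{host} {ts} [{tag}] {why}")
```

Run as written it lists 10.1.1.5 three times (DNS, flow and file hits, all before the verdict), 10.1.2.20 once for the file copied from a share (no network indicator at all, which is why the hash must be swept independently of the IP and domain list), and 10.1.3.8 for a connection made after the verdict, which a blocking control should already have stopped. Host 10.1.1.9 never appears. The subdomain match in domain_hit is deliberate: a report listing example.net should also catch cdn.example.net, but it will not catch lookalikes on a different registered domain, so the domain list from the report is the floor of the sweep, not the ceiling.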
