NOTE: Content here was initially forked from https://github.com/w00d33/w00d33.github.io. It is now being updated, reorganized, and restructured with new material as of 2024.
-
I interpret the incident response process as akin to the art of masonry. A network analyst scans the network landscape for anomalies, unusual traffic patterns, unauthorized connections, or other signs of compromise. Like a surveyor identifying quality stone deposits, the network analyst uncovers leads worth closer examination.
-
The process then transitions to the host analyst or incident responder, who assumes the role of the sculptor. Starting with rough evidence, they refine their understanding through successive stages, employing increasingly precise tools and techniques.
-
As the “block” is progressively carved away, the picture of the compromise becomes clearer. Each step builds greater certainty about the attacker’s actions, culminating in a detailed “masterpiece” that maps the incident, its artifacts, and its impact.