The sudden drop to zero is most likely to be an example of link failure. A denial-of-service

attack could result in this type of drop but is less likely for most organizations. High bandwidth

consumption and beaconing both show different traffic patterns than shown in this example.

During an incident recovery effort, patching priority should be placed on systems that

were directly involved in the incident. This is one component of remediating known issues

that were actively exploited.

Signature-based attack detection methods rely on knowing what an attack or malware looks like. Zero-day attacks are unlikely to have an existing signature, making them a poor choice to prevent them. Heuristic (behavior) detection methods can indicate compromises despite the lack of signatures for the specific exploit. Building a well-designed and segmented network can limit the impact of compromises or even prevent them. Leveraging threat intelligence

to understand new attacks and countermeasures is an important part of defense against zero-day attacks.

The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.

Since Emily’s organization uses WPA3 Enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.

Normally, forensic images are collected from systems that are offline to ensure that a complete copy is made. In cases like this where keeping the system online is more important than the completeness of the forensic image, a live image to an external drive using a portable

forensic tool such as FTK Imager Lite, dd, or similar is the correct choice.

When Nmap returns a response of “filtered,” it indicates that Nmap cannot tell whether

the port is open or closed. Filtered results are often the result of a firewall or other network

device, but a response of filtered does not indicate that a firewall or IPS was detected.

When Nmap returns a “closed” result, it means that there is no application listening at

that moment.