When responding to a security incident, does your organization have a process to identify and examine other potential targets for indicators of compromise and evidence of attacker persistence?
Explanation
During a security incident, attackers often compromise multiple systems or accounts to maintain access even if the initial entry point is discovered.
This question assesses whether your organization conducts lateral investigation beyond the initially identified compromised system to detect the full scope of the breach.
For example, if a server is compromised, your team should examine other servers in the same network segment, systems reachable with the same credentials (shared local administrator passwords, service accounts, or keys the attacker could have harvested from the compromised host), and systems that communicated with the compromised host in either direction around the time of the intrusion. Each of those hosts should be checked both for the indicators of compromise found on the first system and for persistence mechanisms (new accounts, scheduled tasks or cron jobs, added SSH keys, unexpected services) that the attacker may have planted before the initial foothold was discovered.
Evidence could include an incident response playbook that documents the process for lateral investigation, case-management records or logs showing that related systems were examined during past incidents, or reports from previous incident investigations that demonstrate how other potential targets were identified and examined.
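The scoping step described in the explanation can be made repeatable: given the host first found compromised, select the other hosts worth sweeping (same segment, shared credentials, observed communication) and run the same IOC and persistence checks over each of them. The script below is an added example for this page, not part of the assessment text or any official NIST CSF material; the inventory, flow records, IOCs and log lines are constructed for illustration and the persistence patterns are deliberately loose heuristics, not a detection ruleset.

```python
"""Scope a lateral investigation after one host is confirmed compromised.

Added example: inventory, flows, IOCs and log lines are constructed.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Host:
    name: str
    segment: str                                 # network segment / VLAN
    accounts: set = field(default_factory=set)   # admin/service accounts used here


# Constructed asset inventory (hypothetical hosts, segments and accounts).
INVENTORY = {
    "web-01":   Host("web-01",   "dmz",  {"svc_deploy"}),
    "web-02":   Host("web-02",   "dmz",  {"svc_deploy"}),
    "db-01":    Host("db-01",    "data", {"svc_backup"}),
    "build-01": Host("build-01", "corp", {"svc_deploy", "svc_backup"}),
    "hr-01":    Host("hr-01",    "corp", {"hr_admin"}),
}

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("web-01", "db-01", 5432),
    ("build-01", "web-01", 22),
    ("hr-01", "db-01", 5432),
]

# Constructed IOCs from triage of the first compromised host.
IOCS = {
    "ip": {"203.0.113.45"},
    "user": {"sysupdate"},
}

# Persistence heuristics: jobs launched from temp dirs, authorized_keys edits,
# new accounts, new accounts with UID 0.
PERSISTENCE = [
    ("cron-from-temp", re.compile(r"CRON.*(/tmp|/dev/shm|/var/tmp)/")),
    ("authorized-keys-write", re.compile(r"authorized_keys")),
    ("new-account", re.compile(r"useradd.*name=\w+")),
    ("uid0-account", re.compile(r"useradd.*UID=0")),
]

# Constructed log excerpts pulled from each candidate host.
HOST_LOGS = {
    "web-02": [
        "sshd[2011]: Accepted publickey for svc_deploy from 203.0.113.45 port 51022",
        "CRON[2033]: (svc_deploy) CMD (/tmp/.cache/update.sh)",
    ],
    "db-01": [
        "postgres[881]: connection authorized: user=app database=orders",
    ],
    "build-01": [
        "useradd[4410]: new user: name=sysupdate, UID=0, GID=0, home=/var/tmp/.x",
        "sudo: svc_deploy : COMMAND=/bin/sh -c 'cat key.pub >> /root/.ssh/authorized_keys'",
    ],
    "hr-01": [],
}


def candidate_targets(compromised, inventory, flows):
    """Map each host worth sweeping to the set of reasons it was selected."""
    src_host = inventory[compromised]
    reasons = {}

    def add(host, why):
        if host != compromised:
            reasons.setdefault(host, set()).add(why)

    for h in inventory.values():
        if h.segment == src_host.segment:
            add(h.name, "same-segment")
        if h.accounts & src_host.accounts:
            add(h.name, "shared-credential")
    for src, dst, _port in flows:          # either direction counts
        if src == compromised:
            add(dst, "talked-to")
        elif dst == compromised:
            add(src, "talked-to")
    return reasons


def sweep(lines, iocs=IOCS):
    """Return (kind, detail, line) triples for IOC hits and persistence signs."""
    findings = []
    for line in lines:
        for ip in iocs["ip"]:
            if ip in line:
                findings.append(("ioc-ip", ip, line))
        for user in iocs["user"]:
            if re.search(rf"\b{re.escape(user)}\b", line):
                findings.append(("ioc-user", user, line))
        for label, pattern in PERSISTENCE:
            if pattern.search(line):
                findings.append(("persistence", label, line))
    return findings


def investigate(compromised, inventory=INVENTORY, flows=FLOWS, logs=HOST_LOGS):
    """Select related hosts and sweep each; unrelated hosts are left out."""
    report = {}
    for host, why in sorted(candidate_targets(compromised, inventory, flows).items()):
        report[host] = {"why": sorted(why), "findings": sweep(logs.get(host, []))}
    return report


if __name__ == "__main__":
    for host, entry in investigate("web-01").items():
        print(host, entry["why"])
        for kind, detail, line in entry["findings"]:
            print(f"  {kind:12} {detail:24} {line}")
```

With web-01 as the initial compromise, web-02 is selected for sharing a segment and a deploy account, build-01 for sharing the account and for an SSH connection into web-01, and db-01 for being contacted by web-01; hr-01 is not selected because it has none of those relationships. The sweep then surfaces the attacker IP and a cron job in a temp directory on web-02, and a UID 0 account plus an authorized_keys edit on build-01. In a real investigation the flow and inventory data come from your CMDB, EDR and NetFlow sources, and the findings feed the timeline and impact assessment referenced in the related questions below.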
Implementation Example
Review other potential targets of the incident to search for indicators of compromise and evidence of persistence
ID: RS.AN-08.328
Context
- Function
- RS: RESPOND
- Category
- RS.AN: Incident Analysis
- Sub-Category
- An incident's magnitude is estimated and validated
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?