Mandiant has done thousands of IR investigations across multiple industry types and networks. In each case, the customer was either alerted by a third party about the breach or discovered something “not quite right” in the network. In several cases the alerts the customer discovered led to the discovery of a targeted attacker in the environment - and a subsequent incident response investigation.
In this presentation, we will use international case examples Mandiant investigated to take a closer look at how each breach was discovered and what security lessons can be learned from the alerts - for example, how a performance monitor on a domain controller spiked, which led to the discovery of credential harvesting. The takeaway will be actionable in many environments.
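The domain-controller example above is the kind of signal that is easy to collect but rarely alerted on. The following is an added illustration, not code from the presentation or from Mandiant: it baselines a performance counter with a robust median/MAD statistic and flags samples that jump far above the recent baseline. The counter name (assumed to be an NTLM authentications-per-second counter on a DC), the one-minute sample series and the thresholds are all constructed assumptions for the example.

```python
"""Spike detection over a domain-controller performance counter.

Added example (not from the presentation): the abstract only says that a
performance monitor on a domain controller spiked. The counter name, the
sample series and the thresholds below are assumptions for illustration.
"""
from statistics import median

# Constructed sample: one-minute readings of an assumed counter
# ("NTLM Authentications/sec" on a DC). A quiet baseline, then a burst
# of the sort a bulk credential-harvesting pass might produce, then quiet.
SAMPLES = [12, 14, 11, 13, 15, 12, 14, 13, 12, 11, 13, 14, 210, 240, 225, 13, 12]


def robust_baseline(values):
    """Return (median, MAD) of a window.

    Median absolute deviation is used instead of mean/stddev so that a
    spike which has already entered the window does not inflate the
    baseline and hide the samples that follow it.
    """
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return m, mad


def find_spikes(samples, window=10, k=6.0, min_mad=1.0):
    """Flag samples that exceed median + k*MAD of the preceding window.

    min_mad keeps a perfectly flat baseline (MAD == 0) from turning every
    small fluctuation into an alert. Returns (index, value, threshold).
    """
    spikes = []
    for i in range(window, len(samples)):
        base = samples[i - window:i]
        m, mad = robust_baseline(base)
        threshold = m + k * max(mad, min_mad)
        if samples[i] > threshold:
            spikes.append((i, samples[i], round(threshold, 1)))
    return spikes


if __name__ == "__main__":
    for idx, value, thr in find_spikes(SAMPLES):
        print(f"minute {idx}: {value} auth/s exceeds baseline threshold {thr}")
```

On the constructed series the three burst minutes are flagged while the surrounding baseline stays quiet; in practice the alert is the prompt to pull the DC's security log for the same window and see which account and source the authentication burst came from.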