This phase begins immediately after the primary stage and is mainly a monitoring exercise. By this point the immediate threats have been stopped; the question now is whether anyone is trying to get back in. Web server logs and VPN traffic deserve particular attention, because a disgruntled former employee who no longer has internal access is most likely to come back through these externally reachable routes.
Monitoring
- Note any unusual traffic, including unexplained increases in volume, and record the source, destination and time so it can be correlated later
- Consider an IDS or other monitoring system that alerts when such anomalies occur, rather than relying on someone noticing them in the logs
- Ensure firewall logs are being collected and actually reviewed, not just stored
- Pull server logs and search for unauthorised attempts to escalate privileges (for example sudo or "run as" activity by accounts that should not have it) and for failed or unexpected logon attempts
- Pull remote access (VPN, SSH, webmail) logs and check for logon attempts against known accounts, especially those that have just been disabled, and for failures spread across many accounts from one source, which indicates password guessing or spraying rather than a user mistyping a password
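The three log checks above (attempts against a disabled account, repeated failures against one account, and failures spread across many accounts from one source, plus privilege escalation on a server) can be scripted so they run on every log pull instead of being eyeballed. The following is an added example, not part of this guide or any tool it refers to. It assumes syslog-style OpenSSH sshd and sudo lines; the log lines, the account name "jdoe" and the thresholds are constructed for illustration and should be tuned to the environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines modelled on OpenSSH sshd and sudo syslog output.
# They are illustrative only, not captured from a real system.
SAMPLE_LOGS = """\
Mar 10 02:14:01 vpn-gw sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:05 vpn-gw sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51123 ssh2
Mar 10 02:14:09 vpn-gw sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51124 ssh2
Mar 10 02:14:12 vpn-gw sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51125 ssh2
Mar 10 02:14:16 vpn-gw sshd[2201]: Accepted password for jdoe from 203.0.113.7 port 51126 ssh2
Mar 10 02:20:30 vpn-gw sshd[2310]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar 10 02:20:31 vpn-gw sshd[2310]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2
Mar 10 02:20:32 vpn-gw sshd[2310]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 10 02:20:33 vpn-gw sshd[2310]: Failed password for backup from 198.51.100.9 port 40004 ssh2
Mar 10 02:20:34 vpn-gw sshd[2310]: Failed password for oracle from 198.51.100.9 port 40005 ssh2
Mar 10 03:01:10 fileserver sudo:    jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
Mar 10 08:15:00 vpn-gw sshd[2500]: Accepted publickey for asmith from 192.0.2.44 port 50100 ssh2
"""

# sshd logon lines; "invalid user" appears when the account does not exist.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
# sudo lines: invoking user, target user and the command run.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)"
)

KINDS = ("disabled_account_logon", "brute_force", "password_spray", "privilege_escalation")


def analyse(log_text, disabled_accounts, admins=frozenset(),
            brute_threshold=3, spray_threshold=5):
    """Return a dict of alert kind -> list of human-readable findings.

    disabled_accounts: accounts that were just revoked (e.g. the departed employee);
                       any logon attempt against them, successful or not, is an alert.
    admins:            accounts permitted to sudo to root; anyone else doing so is flagged.
    Thresholds are assumed values for the example, not recommended settings.
    """
    alerts = {kind: [] for kind in KINDS}
    failures = defaultdict(lambda: defaultdict(int))  # source ip -> user -> failed count

    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            user, ip, result = m["user"], m["ip"], m["result"]
            if user in disabled_accounts:
                alerts["disabled_account_logon"].append(
                    f"{result} logon for disabled account {user} from {ip}")
            if result == "Failed":
                failures[ip][user] += 1
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target = m["user"], m["target"]
            if user in disabled_accounts or (target == "root" and user not in admins):
                alerts["privilege_escalation"].append(
                    f"{user} ran '{m['cmd']}' as {target}")

    # Per-source aggregation separates guessing one account from spraying many.
    for ip, per_user in failures.items():
        if len(per_user) >= spray_threshold:
            alerts["password_spray"].append(
                f"{ip} failed against {len(per_user)} distinct accounts: "
                + ", ".join(sorted(per_user)))
        for user, count in per_user.items():
            if count >= brute_threshold:
                alerts["brute_force"].append(
                    f"{ip} failed {count} times against {user}")
    return alerts


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOGS, {"jdoe"}).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the sample, the script reports the disabled account being tried and then successfully logged into from one address, the same address brute-forcing that account, a second address spraying five different account names, and the disabled account using sudo on a server. The successful logon for a revoked account is the finding to act on first, since it means the revocation was incomplete.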