Authentication “Authentication is crucial from a tracking perspective. When considering authentication, you should ask yourself how the attacker established identity to the system, which identities are compromised, and what are our administrative identities. If an attacker has a credential during an incident, this needs to be part of your recovery investigation. It’s also important to track any identities you come across during your investigation as potentially compromised.”
Backdoors “Backdoors refer to how the attacker is controlling the system. The attacker can use a publicly exposed interface or a piece of malware installed on the machine, such as a trojan, dropper, or downloader. The goal is to determine the mechanism the attacker used to control the endpoint during the incident. If it’s a piece of malware, it can typically be uniquely identified by its hash, while a PowerShell script’s launch string may contain the actual attack.”
Communication “Communication refers to the communication path between the attacker and the system. This can be an inbound connection to a publicly exposed service, a reverse shell, or communication back to a known command and control channel. Phishing technically involves a control channel.”
Data “Data is the last category. Data may be encrypted, obfuscated, or stolen. The goal is to determine what data was affected and how it was affected. From a data perspective, it’s important to track any data exfiltrated from the network.”
What sensitive information was stolen (Confidentiality), tampered with (Integrity), or made unavailable (Availability)?
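The four categories above describe what an incident responder should be tracking; the following added example (not from the original text or its author) shows one way to keep that record during an investigation. It assumes a small tracker class of its own design, a constructed set of findings (hostnames, identities, a placeholder hash and a placeholder launch string that are not real indicators), and an assumed mapping from the effect on data to the CIA property it violates. Every identity seen is tracked as potentially compromised, identities whose credential the attacker held are marked compromised, and the recovery plan orders credential resets with administrative identities first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed mapping from the effect on data to the CIA property it violates.
# "encrypted" means encrypted by the attacker (ransomware style), hence an
# availability impact; "obfuscated" is treated as an integrity impact.
EFFECT_TO_CIA = {
    "stolen": "confidentiality",
    "tampered": "integrity",
    "obfuscated": "integrity",
    "encrypted": "availability",
    "unavailable": "availability",
}


@dataclass
class IncidentTracker:
    """Tracks artifacts in the four categories: authentication, backdoors,
    communication and data (hypothetical class, not a real library)."""
    admin_identities: Set[str]
    identities: Dict[str, dict] = field(default_factory=dict)
    backdoors: List[dict] = field(default_factory=list)
    channels: List[dict] = field(default_factory=list)
    data_impacts: List[dict] = field(default_factory=list)

    # Authentication: every identity seen during the investigation is tracked
    # as potentially compromised; one whose credential the attacker held is
    # marked compromised outright and must be part of the recovery work.
    def record_identity(self, name: str, credential_held: bool = False,
                        initial_access: bool = False) -> dict:
        entry = self.identities.setdefault(name, {
            "status": "potentially_compromised",
            "credential_held": False,
            "initial_access": False,
            "is_admin": name in self.admin_identities,
        })
        if credential_held:
            entry["credential_held"] = True
            entry["status"] = "compromised"
        if initial_access:
            entry["initial_access"] = True
        return entry

    # Backdoors: malware is identified by its hash, a script by its launch string.
    def record_backdoor(self, host: str, kind: str, sha256: Optional[str] = None,
                        launch_string: Optional[str] = None) -> None:
        self.backdoors.append({"host": host, "kind": kind,
                               "sha256": sha256, "launch_string": launch_string})

    # Communication: inbound to an exposed service, a reverse shell, or C2.
    def record_channel(self, host: str, direction: str, remote: str, kind: str) -> None:
        self.channels.append({"host": host, "direction": direction,
                              "remote": remote, "kind": kind})

    # Data: what was affected and how, classified against CIA; exfiltration
    # is tracked separately because it drives notification decisions.
    def record_data(self, asset: str, effect: str, exfiltrated: bool = False) -> dict:
        if effect not in EFFECT_TO_CIA:
            raise ValueError(f"unknown data effect: {effect}")
        impact = {"asset": asset, "effect": effect,
                  "cia": EFFECT_TO_CIA[effect], "exfiltrated": exfiltrated}
        self.data_impacts.append(impact)
        return impact

    def recovery_plan(self) -> dict:
        """Summarise what the recovery investigation must cover."""
        ids = self.identities
        # All identities seen get a reset; administrative identities come first.
        reset = sorted(ids, key=lambda n: (not ids[n]["is_admin"], n))
        return {
            "initial_access_identities": sorted(n for n, e in ids.items() if e["initial_access"]),
            "credentials_to_reset": reset,
            "admin_identities_compromised": sorted(
                n for n, e in ids.items() if e["is_admin"] and e["status"] == "compromised"),
            "hashes_to_block": sorted({b["sha256"] for b in self.backdoors if b["sha256"]}),
            "launch_strings_to_hunt": sorted(
                {b["launch_string"] for b in self.backdoors if b["launch_string"]}),
            "network_indicators": sorted({c["remote"] for c in self.channels}),
            "exfiltrated_data": sorted(d["asset"] for d in self.data_impacts if d["exfiltrated"]),
            "data_by_cia": {cia: sorted(d["asset"] for d in self.data_impacts if d["cia"] == cia)
                            for cia in ("confidentiality", "integrity", "availability")},
        }


def build_example_tracker() -> IncidentTracker:
    """Constructed findings (not from any real incident) to exercise the tracker."""
    t = IncidentTracker(admin_identities={"CORP\\da-backup", "CORP\\svc-sql"})
    t.record_identity("CORP\\jdoe", credential_held=True, initial_access=True)
    t.record_identity("CORP\\svc-sql", credential_held=True)
    t.record_identity("CORP\\asmith")  # seen in logs, no proof of credential theft yet
    t.record_backdoor("WS-0412", "trojan", sha256="0" * 64)  # placeholder hash
    t.record_backdoor("SRV-DB01", "powershell",
                      launch_string="powershell.exe -File <constructed-script>.ps1")
    t.record_channel("WS-0412", "outbound", "c2.example.invalid:443", "c2")
    t.record_channel("SRV-WEB02", "inbound", "198.51.100.7", "exposed-service")
    t.record_data("hr-share/payroll.xlsx", "stolen", exfiltrated=True)
    t.record_data("SRV-DB01/customers", "encrypted")
    t.record_data("finance/ledger.csv", "tampered")
    return t


if __name__ == "__main__":
    import json
    print(json.dumps(build_example_tracker().recovery_plan(), indent=2))
```

The point of the `recovery_plan` output is that nothing seen during the investigation drops off the list: an identity that merely appeared in logs still gets a credential reset, and the administrative identities that the attacker demonstrably held are called out separately so they are handled first.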