Gathering intelligence and log evidence to support an investigation often requires having an intimate knowledge of the details that may be available across a vast array of log sets and data sources. The analysts’ awareness of what log data is available and where it is stored increases readiness for incident response.
Unfortunately, malicious actors rarely allow adequate time to prepare before launching an attack that a security analyst must quickly identify, isolate, and defend against. Newer analysts do not have the luxury of years of training before jumping into incident response. At best, a less experienced analyst or a contract consultant brought in to respond to an incident will have a general idea of the system data in the environment and a framework for approaching investigations that helps overcome implicit bias (Sanders, 2016). For an analyst, having a map or guide to a new environment provides an advantage that turns a broad search for artifacts into a focused hunt.