1. Identify the type of attack that is taking place, based on the network traffic you have observed.
2. Identify the potential patient zero or point of compromise; this is the first point of observable compromise.
3. Undertake a more in-depth traffic analysis to detect anomalies or other points of interest.
4. Attribute the compromise to a machine within the internal network, a group, or a person.
5. Recommend to the Forensic Investigations Team which endpoints to image and investigate as part of further analysis.