Scoping and Confirming an Incident

An alert arrives from a detection source, an endpoint detection and response platform, a SIEM correlation rule, a network intrusion detection system, or a threat intelligence feed match. The first question is whether the alert is a false positive. Triage, covered in the detection and triage topic, handles the initial classification. When triage concludes that an alert is potentially genuine, it passes to scoping.

Scoping begins with the initial indicator of compromise. Every IoC has a host context (which system generated it?), a time context (when did it occur?), and an identity context (which account or process was involved?). These three dimensions are the anchors for the first expansion: what else happened on that host at that time, what other systems did that account authenticate to, and what network connections did the involved process make?

The expansion from a single IoC to a fuller picture typically proceeds in concentric rings. First ring: the host where the IoC was observed. Second ring: accounts authenticated from or to that host in the relevant time window. Third ring: other hosts those accounts authenticated to. Fourth ring: data stores those hosts can reach. Each ring requires querying different log sources and can be completed in parallel by multiple analysts if the team is large enough.

Lateral movement is how an attacker turns a foothold on one system into access to many. Common techniques include pass-the-hash, pass-the-ticket, remote service exploitation, abuse of administrative shares, and living-off-the-land use of built-in tools such as PsExec, WMI, or PowerShell remoting. Each technique leaves different forensic traces, and knowing which traces to look for in which log source is the practical core of lateral movement tracing.

The investigation proceeds by chaining: find an authentication event on the source host, look for the corresponding logon event on the destination host, then repeat from the destination. In cloud environments, the equivalent is tracing IAM role assumptions and API calls in cloud audit logs. AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs all record who called which API from where, giving responders the same chain-following capability as Windows event logs in an on-premises environment.

Corroboration is critical at each step. An authentication event in a Windows log is confirmed by a corresponding network flow between the two hosts in firewall or NetFlow data. A suspicious process on an endpoint is confirmed by a DNS query or outbound connection in proxy logs. When two independent sources agree, the responder can move forward with confidence. When only one source shows evidence, the finding should be marked as probable rather than confirmed and additional sources should be queried.

A timeline is a chronological list of every attacker action that has been identified and corroborated, with the timestamp, the host, the account, and the action recorded for each entry. Building it requires collecting timestamps from multiple log sources that may use different time zones, different precision levels (seconds vs milliseconds), and different formats. Time normalisation, converting all timestamps to UTC before merging, is a prerequisite step that is easy to neglect under pressure and expensive to fix later.

The timeline serves several purposes. First, it reveals the initial access vector: the earliest event in the chain is the entry point. Second, it shows dwell time: the gap between the first attacker action and the first detection event. Third, it identifies the sequence of compromise: attackers generally follow a recognisable pattern (initial access, discovery, privilege escalation, lateral movement, objective), and seeing the sequence helps predict what actions may have occurred in log gaps. Fourth, it becomes the factual basis for breach notification and any legal or regulatory reporting.

Timeline tools range from simple spreadsheets to dedicated timeline platforms such as Plaso (log2timeline), which ingests raw log files from many sources and outputs a normalised timeline. In complex incidents involving hundreds of systems, automated timeline generation is essential. In smaller incidents, a structured spreadsheet with columns for timestamp (UTC), host, source log, account, and action description is sufficient. The format matters less than the discipline of recording every finding with its source and timestamp before drawing conclusions.

Once lateral movement tracing has identified the systems the attacker touched, each system must be assessed for what data it holds. The combination of system scope and data scope defines the incident's impact classification. An attacker who accessed three workstations holding no sensitive data presents a different risk profile from an attacker who accessed one database server holding customer payment records, even if the lateral movement pattern was identical.

Affected-asset mapping produces a list of every host, account, and cloud resource the attacker accessed. Affected-data mapping asks what data was on those assets and whether the attacker had the access rights to read, copy, or exfiltrate it. This second question requires checking file access logs, database query logs, email access logs, and cloud storage audit events. Absence of evidence of exfiltration is not evidence of absence: if the attacker had read access to a file share and no detailed file-access logging was enabled, the honest answer is that exfiltration cannot be ruled out.

Data mapping has direct legal implications. In the European Union, the General Data Protection Regulation (GDPR) requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals. In India, the Digital Personal Data Protection Act 2023 imposes breach notification obligations on data fiduciaries. In the United States, breach notification rules vary by sector and state but many require notification within 30 to 72 hours of discovery. None of these clocks start until the organisation knows that personal data was involved, which is why data scoping is time-critical.

The declaration threshold is the criteria that converts a suspected event into a formally declared incident. This threshold should be defined in the organisation's IR plan before any incident occurs, not negotiated in real time under pressure. Typical threshold criteria include: confirmed malicious activity as opposed to a misconfiguration or user error, evidence that the activity reached a system or account of defined sensitivity, or an estimated impact above a defined minimum (measured in affected records, affected systems, or potential financial exposure).

When the threshold is met, declaration triggers a formal set of actions: a case number is assigned, an incident coordinator takes ownership, the IR team is notified according to the escalation matrix, management and legal counsel are briefed, and the evidence preservation chain-of-custody begins. In some jurisdictions and sectors, the clock for external notification starts at declaration or at the point of awareness, which may precede declaration. IR plans should be explicit about which definition of awareness triggers the regulatory clock.

Two failure modes are common. The first is declaring too early, before scoping has established that the activity is genuine and significant. Early declaration mobilises expensive resources and can generate premature external communications that are later retracted. The second is declaring too late, typically because responders want to be certain before escalating. Late declaration allows an attacker to continue operating and may start a regulatory notification clock from an artificially late reference point. The balance is to declare when the evidence makes genuine malicious activity more probable than not, while treating the declaration as the beginning of a formal investigation, not the conclusion.

The most consequential scoping error is premature containment. A responder who isolates or reimages the initially compromised host before completing lateral movement tracing destroys the local forensic evidence, tips off the attacker that they have been detected, and leaves all other compromised systems untouched. The correct sequence is: scope first, contain simultaneously across all identified systems. Short-term containment techniques are designed to be applied in a coordinated way once scoping is complete, not piecemeal as each compromised system is discovered.

A second error is confirmation bias in timeline construction. Responders who form an early hypothesis about the attack scenario tend to note evidence that confirms the hypothesis and underweight evidence that contradicts it. The discipline to avoid this is to record all findings in the timeline regardless of whether they fit the current narrative, and to explicitly note unexplained observations rather than rationalising them away. An unexplained event in a compromised environment is a finding, not a distraction.

A third error is treating the absence of exfiltration evidence as a confirmed absence of exfiltration. Organisations without detailed file-access or data-loss-prevention logging cannot determine whether data was copied or exfiltrated, only that they have no record of it. This distinction matters for breach notification: many regulatory frameworks impose notification obligations based on what could have been accessed, not only what was demonstrably taken. The forensic readiness and toolkits topic covers the logging and evidence preservation practices that close this gap prospectively.

A fourth error is single-analyst scoping on a large incident. One analyst working sequentially through a multi-system incident will miss parallel attacker activity and will take far longer than the timeline allows before containment. Larger incidents should assign analysts to specific log sources or specific asset rings in parallel, with a lead analyst synthesising findings into the master timeline. This division of labour is one of the core functions of a security operations centre during an active incident.