Get an iPad mini, ASUS ZenScreen LED Monitor, or $350 Off with OnDemand Training thru 5/19


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Scoping an Intrusion using Identity, Host, and Network Indicators

  • Wednesday, April 28, 2021 at 10:30 AM EDT (2021-04-28 14:30:00 UTC)
  • Chris Crowley, Dale O’Grady


  • Vectra Networks Inc.

You can now attend the webcast using your mobile device!



Second webcast of a two-part series, this webcast covers post identification activities. The techniques covered here could also be used for initial identification, but they're discussed here as though there is already an initial identification which can be used. The effort discussed herein, is to effectively determine the scope of an intrusion.

Defenders fail to discover the full extent of adversary infrastructure. Defenders claim "containment" without thoroughly searching for adversary. Defenders limit the scope of searching for adversary capability and infrastructure for only know items...instead of accepting that the adversary isn't limited to using the tactics and techniques we've discovered. In fact, it's in the adversary's interest to have heterogeneous capability to persist through discovery of one tactic or technique. Adversaries reuse infrastructure because there is a cost of resources and complexity to maintain multiple parallel infrastructures. A single infrastructure is frequently good enough since defenders aren't consistently thorough in intrusion scope discovery or eradication.

This webcast highlights techniques for scoping an incident once discovered, and the sources available on the network endpoints for identification of adversary infrastructure.

Register today to be among the first to receive the associate spotlight paper written by security expert Chris Crowley!

Speaker Bios

Chris Crowley

Christopher Crowley is the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. Chris holds several industry certifications including the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN, and CISSP. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Dale O’Grady

Dale O’Grady is a Principal Engineer at Vectra where he is responsible for enablement of the worldwide security engineering team. With more than two decades in information security, he has worked in security operations, sales engineering and product management roles across a wide variety of security technologies. Dale has authored a number of articles published in known IT Security publications and he currently spends his time assisting customers with their security strategies.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.