Time boundaries
Two kinds of time
Historical review
Looking backward from the alert: how far back the investigation pulls evidence. Short windows (hours to a day) work for fast-moving attacks like ransomware staging. Longer windows (weeks to months) are needed for slow-burn insider cases or campaigns that establish persistence over time.
Real-time investigation
The window in which the investigation is happening now. It influences whether containment can happen mid-investigation and how quickly the handoff to incident response needs to be ready.
Choosing the historical window
Fast-moving. The attack typically progresses within a single shift, and the relevant evidence is recent.
Initial access happened recently; the question is what the adversary did with it after.
Adversaries dwell for days or weeks before moving. The historical baseline needs enough range to surface the gradual expansion.
The compromise may predate the alert by weeks or months. Both the alert and earlier silent activity matter.
The trajectory is what reveals the case. A short window will not capture the gradual deviation.
Four elements of a defensible historical review
Historical context is foundational to triage. Analysts cannot determine whether activity is malicious without understanding what normal looks like. Effective historical review anchors on four investigation elements.
Establishing review timeframes
Match the window to the threat. Insider threats may require 60-90 days of user behavior analysis. Malware incidents need weeks to capture lateral movement patterns. Supply-chain compromises run months. The window is determined by the threat type, not set by default.
System log considerations
Account for log retention periods, business cycles (financial closes, audits, holiday slowdowns), and the lookback needed for typical attacker dwell time. The right window may exceed what the SIEM retains, in which case backups, archives, or complementary systems with longer retention come into play.
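As an added example (not the page's own material), the function below splits a lookback window across the SIEM, a cold archive, and whatever slice no source retains, and flags business cycles that overlap the window so they get their own baseline; the retention values and cycle dates are constructed.

```python
from datetime import datetime, timedelta, timezone

def plan_lookback(alert_time, lookback_days, siem_retention_days,
                  archive_retention_days, business_cycles=()):
    """Split the historical window into the sources that actually hold it.

    Returns (segments, cycles). segments is a list of (start, end, source)
    walking backward from the alert, source in {"siem", "archive",
    "uncovered"}; cycles lists labels of business_cycles (label, start, end)
    that overlap the window and therefore need a separate baseline.
    """
    window_start = alert_time - timedelta(days=lookback_days)
    edges = (
        (alert_time - timedelta(days=siem_retention_days), "siem"),
        (alert_time - timedelta(days=archive_retention_days), "archive"),
    )
    segments = []
    cursor = alert_time  # most recent point not yet assigned to a source
    for edge, source in edges:
        seg_start = max(edge, window_start)
        if seg_start < cursor:          # this source reaches further back
            segments.append((seg_start, cursor, source))
            cursor = seg_start
    if cursor > window_start:           # nothing retains the oldest slice
        segments.append((window_start, cursor, "uncovered"))
    cycles = [label for label, s, e in business_cycles
              if s < alert_time and e > window_start]
    return segments, cycles

def example_plan():
    # Constructed scenario: insider case, 90-day lookback, SIEM keeps 30 days,
    # archive keeps 60, and the window overlaps the quarter-end close.
    alert = datetime(2024, 3, 31, 9, 0, tzinfo=timezone.utc)
    cycles = [("Q1 financial close",
               datetime(2024, 3, 25, tzinfo=timezone.utc),
               datetime(2024, 4, 5, tzinfo=timezone.utc))]
    return plan_lookback(alert, 90, 30, 60, cycles)
```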
Technical & organizational baselines
Understand normal network traffic, typical user behavior, and business rhythms like seasonal spikes and recurring maintenance windows. Misinterpreting expected patterns as malicious produces false positives and erodes trust in the triage process.
Multi-source timeline
Correlate authentication logs, network flows, endpoint telemetry, and application logs across consistent timeframes. The relationships between seemingly disparate events are often where the real picture emerges. A timeline anchored in only one source misses the inter-tool story.
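An added example, not from the page: three constructed records, one each from an auth log, a NetFlow export and an EDR feed, arrive in the different timestamp formats and zones their tools emit; the code normalizes them to UTC, drops anything outside the agreed window, and merges them into one ordered timeline so the logon-to-process-to-outbound-flow sequence is visible. Hosts, users and addresses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records: local time with offset, epoch seconds, ISO 8601 with Z.
AUTH_LOG = "2024-03-31T04:58:10-04:00 sshd[4121]: Accepted publickey for svc_backup from 10.0.5.23"
FLOW_CSV = [
    "1711789200,10.0.5.23,203.0.113.9,443,tcp,2048",    # previous day, outside window
    "1711875750,10.0.5.23,203.0.113.9,443,tcp,184320",  # 2024-03-31T09:02:30Z
]
EDR_JSON = ('{"ts":"2024-03-31T09:01:07Z","host":"fs01","user":"svc_backup",'
            '"image":"powershell.exe","cmd":"powershell.exe -File backup.ps1"}')

def parse_auth(line):
    ts, _, rest = line.partition(" ")
    return {"ts": datetime.fromisoformat(ts).astimezone(timezone.utc),
            "source": "auth", "detail": rest}

def parse_flow(line):
    epoch, src, dst, dport, proto, nbytes = line.split(",")
    return {"ts": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "source": "netflow", "detail": f"{src} -> {dst}:{dport}/{proto} {nbytes}B"}

def parse_edr(line):
    rec = json.loads(line)
    # fromisoformat only accepts a trailing Z from Python 3.11; normalize it
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": ts, "source": "edr",
            "detail": f'{rec["host"]} {rec["user"]} {rec["image"]} {rec["cmd"]}'}

def build_timeline(events, window_start, window_end):
    """Keep events inside one consistent UTC window and order them by time."""
    keep = [e for e in events if window_start <= e["ts"] <= window_end]
    return sorted(keep, key=lambda e: e["ts"])

def example_timeline():
    events = [parse_auth(AUTH_LOG), parse_edr(EDR_JSON)]
    events += [parse_flow(line) for line in FLOW_CSV]
    start = datetime(2024, 3, 31, 8, 30, tzinfo=timezone.utc)
    return build_timeline(events, start, start + timedelta(hours=1))
```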
A historical-review pitfall to avoid
Low-fidelity sources, such as aggregated NetFlow or summarized access logs, reveal general trends but lack the specificity needed to track session-based behavior or detect subtle anomalies. High-fidelity logs (full packet captures, process command lines, registry modifications) enable deep forensics but impose storage and indexing burdens.
The mistake is choosing fidelity by default rather than by need. Triage often starts with low-fidelity sources to confirm a pattern exists, then expands to high-fidelity sources for the specific time windows that pattern surfaces. Pulling full packet captures on day one for a four-week investigation is almost always wasted effort. Pulling them targeted at the 2-hour window where the suspicious traffic occurred is the methodology working.
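As an added example (not the page's own code), the functions below run over a constructed four-week series of hourly outbound byte counts for one host, the kind of aggregate a NetFlow summary provides, baseline each hour of the day separately so the normal business rhythm is not flagged, and return the narrow, padded window for which full captures would then be requested.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

def anomalous_hours(series, k=6.0):
    """Indices of hours exceeding a per-hour-of-day baseline (median + k*MAD).
    Baselining per slot keeps the daily business-hours peak from being
    reported as an anomaly; the MAD floor avoids a zero spread."""
    by_slot = {}
    for i, v in enumerate(series):
        by_slot.setdefault(i % 24, []).append(v)
    threshold = {}
    for slot, vals in by_slot.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        threshold[slot] = med + k * max(mad, 0.1 * med)
    return [i for i, v in enumerate(series) if v > threshold[i % 24]]

def capture_windows(start, series, k=6.0, pad_hours=1):
    """Group flagged hours into contiguous runs and return (start, end)
    windows padded by pad_hours: the scope of the high-fidelity pull."""
    runs = []
    for h in anomalous_hours(series, k):
        if runs and h == runs[-1][1] + 1:
            runs[-1][1] = h
        else:
            runs.append([h, h])
    pad = timedelta(hours=pad_hours)
    return [(start + timedelta(hours=a) - pad, start + timedelta(hours=b + 1) + pad)
            for a, b in runs]

def example_windows():
    # Constructed 4-week hourly series: 1.5 MB/h during 08:00-18:00 UTC,
    # 120 KB/h otherwise, with a two-hour off-hours spike at hour index 500.
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    series = [1_500_000 if 8 <= h % 24 < 18 else 120_000 for h in range(24 * 28)]
    series[500], series[501] = 9_800_000, 11_200_000
    return capture_windows(start, series)
```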
Real-time investigation considerations
Most investigations begin with a 24-48 hour bracket surrounding the initial alert. The window often extends if there are indicators of long-term persistence, recurring patterns, or deferred execution. Extension decisions get documented with the evidence that supports them.
The real-time window's job is different from the historical one. Historical analysis builds the picture of what happened. Real-time analysis tracks what is happening now and prepares the response.
Lateral movement attempts
Immediately after detection, watch for privilege escalation, credential reuse, or attempts to move into adjacent systems. Real-time monitoring of authentication systems is essential when credential theft is suspected.
Scheduled or periodic execution
Tasks that did not fire during the initial detection window but are configured to run later. Scheduled tasks, cron jobs, service abuse, and beacon callback intervals all deserve attention in real time.
Retaliatory actions
Log tampering, process termination, account lockouts. These are signals that the attacker is aware of detection and is reacting. Capturing them in real time both preserves evidence and informs the response posture.
C2 / beacon follow-up
For malware events with implants or beacons, outbound traffic and DNS patterns should be tracked across the environment in real time. Additional infected systems or fallback infrastructure often surface this way.
Real-time prioritization
It is rarely feasible to maintain continuous visibility across the entire environment in real time. Scope decides where to focus that finite attention.
Directly affected critical assets
Hosts and accounts explicitly named in the investigation's primary entity list. Continuous attention until containment is in place.
Systems with elevated access
Domain controllers, identity providers, cloud control planes, key vaults. If they were touched during the alert window, they get real-time eyes.
Anomalous-after-the-alert hosts
Any system that started showing unusual behavior after the initial alert was raised. Often the first sign of an attacker pivot or an alternate persistence channel.
Operational considerations
- Coverage model. A 24/7 SOC and an 8/5 SOC handle real-time differently. After-hours alerts have different escalation paths.
- Containment timing. Some actions (isolating a host, disabling an account) can be taken during the investigation. Others have to wait for incident response. Scope decides which is which based on threat type and impact.
- Time-boxing. Open-ended investigations consume resources without producing results. Scope sets a soft deadline at which the investigation either escalates or closes, even if not every thread has been chased.