There may be cases where a machine is identified as compromised, but the nature of the compromise is not known and an organisation wants a clearer understanding of exactly what the attacker is doing. Monitoring traffic on a specific host that is known to be compromised carries risks, but the rewards can be significant. Being able to see exactly what the attacker is doing on a machine – the commands they are typing, the searches they are conducting, how they are trying to escalate their privileges or move laterally within a network – can result in far more effective protection measures. For example, if a certain type of data is being targeted, the organisation can, with Context’s help, segregate that data to give it a higher level of protection.
There are various ways to achieve this, and Context always works closely with clients to consider the pros and cons of each option. Planning ahead is vital: the worst time to start the discussion about process, risk and strategy is when a compromise is already active on the network.