KubeDojo

Attack Phases and Incident Investigation

by Alexis Kinsella · 19 min read

Your monitoring stack fires an alert: a container just spawned a reverse shell. The clock starts now. Every second you spend without a plan is a second the attacker uses to enumerate your secrets, move laterally through your cluster, or deploy a cryptominer that will show up on your cloud bill before it shows up in your dashboards.

The CKS exam domain "Monitoring, Logging and Runtime Security" (20% weight) covers not just detection, but what happens after the alert fires. The earlier lessons Behavioral Analytics with Falco and Threat Detection Across Infrastructure and Workloads covered how to detect threats. This lesson covers the next steps: understanding which phase of an attack you are looking at, collecting evidence before it vanishes, and containing the incident without destroying the forensic trail.
