In the wake of a cybersecurity incident, executives often pose a deceptively simple question to their incident response teams: “Can you tell us exactly how the attackers got in, what they did while inside, and whether they’re still there?”
It’s a fair ask – after all, clarity drives decisions on containment, recovery, and disclosure. Yet the reality is far more nuanced. The ability to deliver precise, defensible answers hinges less on the sophistication of the forensics team and more on the proactive measures your organization implemented before the breach ever occurred.
Here’s the hard truth: A breach investigation is only as good as the data you preserved in advance.
The Three Questions – and Why They’re Not Always Answerable
- “How did they get in?”
Without comprehensive ingress logging (e.g., firewall, WAF, email gateway, and endpoint telemetry), attackers can enter through blind spots.
Example: A phishing email deletes itself after execution, and no mail flow logs are retained beyond 30 days. Result? The initial vector becomes a hypothesis, not a fact.
- “What did they do while inside?”
Lateral movement, privilege escalation, and data exfiltration leave traces – but only if you’re capturing them.
- Centralized endpoint detection and response (EDR) with long-term retention is non-negotiable.
- Without process-level logging (e.g., PowerShell execution, WMI activity), you’re reconstructing a crime scene with the lights off.
- “Are they still in?”
Persistence mechanisms (scheduled tasks, registry run keys, rogue accounts) are detectable – but only if you have a baseline of “normal.”
- Immutable audit logs and regular credential resets are your insurance policy.
- No baseline + no change monitoring = “We can’t rule it out.”
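One way to implement the "baseline plus change monitoring" idea above, as an added Python example that is not part of the original article: it diffs a current inventory of scheduled tasks, registry Run keys and local accounts against a stored baseline, and handles the no-baseline case the way the article does, by refusing to rule anything out. The snapshot layout, the `Finding` fields and every entry in `BASELINE` and `CURRENT` are constructed for illustration; on a real host the two snapshots would come from an EDR export or an inventory script run at a known-good time.

```python
"""Baseline-and-diff check over common persistence locations (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# A snapshot maps an artifact class to {identifier: definition}.
# Artifact classes and field layout are an assumption of this example.
Snapshot = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Finding:
    kind: str       # "added", "removed", "changed" or "unverified"
    category: str   # e.g. "scheduled_tasks", "run_keys", "local_accounts"
    name: str
    before: str     # baseline definition ("" when absent)
    after: str      # current definition ("" when absent)


def diff_snapshots(baseline: Optional[Snapshot], current: Snapshot) -> List[Finding]:
    """Compare the current inventory against a trusted baseline.

    With no baseline nothing can be ruled out, so every current entry is
    reported as 'unverified' instead of silently being treated as normal.
    """
    findings: List[Finding] = []
    if baseline is None:
        for category, entries in sorted(current.items()):
            for name, definition in sorted(entries.items()):
                findings.append(Finding("unverified", category, name, "", definition))
        return findings
    for category in sorted(set(baseline) | set(current)):
        old = baseline.get(category, {})
        new = current.get(category, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                findings.append(Finding("added", category, name, "", new[name]))
            elif name not in new:
                findings.append(Finding("removed", category, name, old[name], ""))
            elif old[name] != new[name]:
                findings.append(Finding("changed", category, name, old[name], new[name]))
    return findings


def can_rule_out_persistence(findings: List[Finding]) -> bool:
    """True only when a baseline existed and nothing differs from it."""
    return len(findings) == 0


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one line each for an analyst to triage."""
    lines = []
    for f in findings:
        if f.kind in ("added", "unverified"):
            lines.append(f"[{f.kind.upper()}] {f.category}/{f.name}: {f.after}")
        elif f.kind == "removed":
            lines.append(f"[REMOVED] {f.category}/{f.name}: was {f.before}")
        else:
            lines.append(f"[CHANGED] {f.category}/{f.name}: {f.before} -> {f.after}")
    return lines


# Constructed sample snapshots (not real host data).
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BASELINE: Snapshot = {
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": "%windir%\\system32\\defrag.exe -c -h -o -$",
    },
    "run_keys": {RUN + "\\SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe"},
    "local_accounts": {"Administrator": "enabled", "Guest": "disabled"},
}
CURRENT: Snapshot = {
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": "%windir%\\system32\\defrag.exe -c -h -o -$",
        "\\Updater": "C:\\Users\\Public\\svc.exe",          # constructed: new task
    },
    "run_keys": {
        RUN + "\\SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
        RUN + "\\OneDriveSync": "C:\\ProgramData\\od.exe",  # constructed: new run key
    },
    "local_accounts": {"Administrator": "enabled", "Guest": "enabled", "support": "enabled"},
}

if __name__ == "__main__":
    for line in report(diff_snapshots(BASELINE, CURRENT)):
        print(line)
    print("rule out persistence:", can_rule_out_persistence(diff_snapshots(BASELINE, CURRENT)))
    print("without a baseline, unverified entries:", len(diff_snapshots(None, CURRENT)))
```

The point of the `None` branch is the article's equation: without a baseline the same seven entries come back as seven things nobody can vouch for, which is exactly the "we can't rule it out" answer leadership dislikes. With a baseline, the diff shrinks the question to four concrete changes (a re-enabled Guest account, a new local account, a new Run key and a new scheduled task) that an analyst can confirm or dismiss.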
The Pre-Breach Decisions That Determine Post-Breach Clarity
| Pre-Breach Action | Post-Breach Impact |
| --- | --- |
| Log retention < 90 days | Critical evidence overwritten; timeline gaps |
| No EDR or SIEM | Blind to lateral movement; “We think they were here for 6 months” |
| Default admin accounts | Impossible to distinguish legit vs. attacker activity |
| No network segmentation | Attackers roam freely; scope becomes “the entire domain” |
| Immutable backups offline | Fast recovery; reduces attacker leverage |
| Regular threat hunting | Baselines exist; anomalies stand out |
Real-World Example
A mid-sized financial firm suffered a ransomware attack. Leadership demanded: “Show us the patient zero and prove they’re gone.”
The problem:
- Email logs: 14-day retention
- No EDR on workstations
- Domain admin account shared across IT
The outcome:
- Initial vector: “Likely phishing” (no proof)
- Dwell time: “30–180 days” (best guess)
- Containment: Full domain rebuild (no trust)
Cost: $4.2M in downtime, forensics, and recovery
Lesson: They paid for reactive clarity with proactive neglect.
Your Action Plan Before the Next Incident
- Extend log retention to 12+ months (cloud costs are trivial vs. breach fallout).
- Deploy EDR everywhere and feed it into a SIEM with alerting.
- Enforce least privilege – no shared admins, no local accounts with domain rights.
- Segment critical assets – zero trust isn’t a buzzword; it’s containment.
- Test your IR plan quarterly – Internal tabletops are free; surprises are not.
The next time your CISO says, “We can’t be 100% sure,” don’t blame the investigators. Blame the architecture built when “it won’t happen to us” was the strategy.
Cyber resilience isn’t just about stopping breaches – it’s about ensuring that when one occurs, you can answer the hard questions with evidence, not excuses.
If you have questions or want to discuss any of Avalon's cybersecurity services, contact our experts today.