
Network Forensics Without a Tap: Reconstructing Lateral Movement from DNS Cache, NetFlow, and Authentication Logs

· 36 min read
Inference Defense
Threat Intelligence & Detection Engineering

The attacker has been in your network for six days. You have no packet capture. You have no IDS tap on east-west traffic. Your NDR license only covers the perimeter. The EDR on the compromised host was disabled on day two. What you do have: DNS server query logs, DHCP lease records, NetFlow from your core switches, and Windows Security event logs from your domain controllers. That is enough if you know exactly what to look for, in what order, and how to correlate across sources that were never designed to talk to each other.
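As an added illustration (not code from the original post), the following Python walks a lateral-movement chain outward from the known-compromised host by joining the four sources the excerpt names: NetFlow from the core switches, DNS server query logs, DHCP leases for IP-to-host resolution, and domain controller security events. It uses Event ID 4769 (Kerberos service ticket request) rather than 4624, because 4769 is what a DC actually records when a workstation authenticates to a file server; the 4624 for that session lands on the file server itself, which the scenario says you may not have. Every record, hostname, account and IP below is constructed for the example, and the tuple layouts are simplified assumptions about how the logs were parsed.

```python
"""Reconstruct a lateral-movement chain from NetFlow, DNS query logs,
DHCP leases and DC Kerberos events (Event ID 4769), with no packet capture.
All data below is constructed for illustration."""
from datetime import datetime, timedelta

# East-west ports worth explaining: SMB, RPC endpoint mapper, RDP, WinRM.
LATERAL_PORTS = {445, 135, 3389, 5985, 5986}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# ---- Constructed sample records (hypothetical; field layouts are simplified) ----
# DHCP: (lease_start, lease_end, ip, hostname). Servers are static (no lease).
DHCP_LEASES = [
    (ts("2024-03-01T00:00:00"), ts("2024-03-02T00:00:00"), "10.0.1.50", "WS-FINANCE-07"),
    (ts("2024-03-01T00:00:00"), ts("2024-03-02T00:00:00"), "10.0.1.51", "WS-HR-03"),
]
STATIC_HOSTS = {"10.0.2.10": "DC01", "10.0.2.20": "FS01", "10.0.2.30": "WEB01"}

# DNS server query log: (ts, client_ip, qname, answer_ip)
DNS_QUERIES = [
    (ts("2024-03-01T09:14:02"), "10.0.1.50", "fs01.corp.local", "10.0.2.20"),
    (ts("2024-03-01T09:15:00"), "10.0.1.51", "intranet.corp.local", "10.0.2.30"),
    (ts("2024-03-01T09:31:40"), "10.0.2.20", "dc01.corp.local", "10.0.2.10"),
]

# NetFlow from the core switches: (ts, src_ip, dst_ip, dst_port, bytes)
NETFLOW = [
    (ts("2024-03-01T09:14:05"), "10.0.1.50", "10.0.2.20", 445, 184320),
    (ts("2024-03-01T09:15:03"), "10.0.1.51", "10.0.2.30", 443, 9201),
    (ts("2024-03-01T09:31:44"), "10.0.2.20", "10.0.2.10", 445, 40960),
    (ts("2024-03-01T09:40:00"), "10.0.1.51", "10.0.2.20", 445, 2048),
]

# Event ID 4769 from the DCs: (ts, account, service_name, client_address).
# Client Address is written as IPv4-mapped IPv6, as Windows does.
TGS_4769 = [
    (ts("2024-03-01T09:14:06"), "svc_backup", "FS01$", "::ffff:10.0.1.50"),
    (ts("2024-03-01T09:31:45"), "svc_backup", "DC01$", "::ffff:10.0.2.20"),
    (ts("2024-03-01T09:40:01"), "jsmith", "FS01$", "::ffff:10.0.1.51"),
]


def host_for_ip(ip: str, at: datetime) -> str:
    """Resolve an IP to a hostname via the DHCP lease valid at that instant,
    then the static server map, then fall back to the bare IP."""
    for start, end, lease_ip, host in DHCP_LEASES:
        if lease_ip == ip and start <= at <= end:
            return host
    return STATIC_HOSTS.get(ip, ip)


def client_ip(addr: str) -> str:
    """Normalise the 4769 Client Address field ('::ffff:10.0.1.50' -> '10.0.1.50')."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def reconstruct(seed_ip: str, since: datetime, window=timedelta(minutes=5), max_hops=10):
    """Breadth-first walk from the known-compromised seed. A hop is a lateral-port
    flow whose source also requested a TGS for the destination's computer account
    within `window`; DNS queries from the source that resolved to the destination
    are attached as enrichment (the name the operator actually used)."""
    chain, visited, frontier = [], {seed_ip}, [(seed_ip, since)]
    while frontier and len(chain) < max_hops:
        src, after = frontier.pop(0)
        for f_ts, f_src, f_dst, port, _ in sorted(NETFLOW):
            if f_src != src or port not in LATERAL_PORTS or f_ts < after or f_dst in visited:
                continue
            dst_host = host_for_ip(f_dst, f_ts)
            tickets = [
                (t_ts, acct) for t_ts, acct, spn, addr in TGS_4769
                if client_ip(addr) == f_src
                and spn.rstrip("$").upper() == dst_host.upper()
                and abs(t_ts - f_ts) <= window
            ]
            if not tickets:
                continue  # SMB flow with no matching authentication: not a confirmed hop
            names = sorted({q for q_ts, c, q, a in DNS_QUERIES
                            if c == f_src and a == f_dst and f_ts - window <= q_ts <= f_ts})
            chain.append({
                "ts": f_ts, "src_ip": f_src, "src_host": host_for_ip(f_src, f_ts),
                "dst_ip": f_dst, "dst_host": dst_host, "port": port,
                "account": tickets[0][1], "dns_names": names,
            })
            visited.add(f_dst)
            frontier.append((f_dst, f_ts))
    return chain


if __name__ == "__main__":
    for hop in reconstruct("10.0.1.50", ts("2024-03-01T00:00:00")):
        print(f"{hop['ts']:%H:%M:%S} {hop['src_host']} -> {hop['dst_host']}:{hop['port']} "
              f"as {hop['account']} (resolved: {', '.join(hop['dns_names']) or 'none'})")
```

Two design points matter more than the code. First, the walk is seeded and time-ordered: it starts at the host you already know is compromised and only considers flows after the previous hop, so the unrelated 10.0.1.51 SMB session to FS01 never joins the chain even though it has a matching ticket. Second, the correlation window absorbs clock skew between the switch exporting flows, the DNS server and the DCs; in a real investigation, measure that skew against a known event before trusting a five-minute window, and widen it rather than miss a hop.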