Watch an attack happen from the “other” side:
A rogue insider was paid to exfiltrate sensitive organizational data.
To avoid tying the activity to his own account, he Kerberoasts a service account (requests its Kerberos service ticket and cracks the password offline), then uses that account to sweep the company file servers for documents matching keywords of interest.
For a clean getaway, he copies the matching documents to his workstation, packs them into a password-protected ZIP, and uploads the archive to a personal Gmail account.
1. Where in the kill chain could you spot this attack?
2. How would you detect this in your environment?
3. When and how should you respond?
4. How would you investigate the incident, and how long would it take?
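One way to work through question 2 in code, as an added example that is not part of the original exercise: three detections, one per stage of the scenario, run over constructed sample records shaped like Windows Security events 4769 (Kerberos service-ticket request), 5145 (network share object access) and 4688 (process creation) plus a generic forward-proxy record. The field names, thresholds, the webmail host list and every sample value are assumptions made for the illustration, not output of any real tool.

```python
"""Stage-by-stage detections for the insider scenario, run over constructed
sample records. Added example; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com"}  # hypothetical watch list


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample records (not real telemetry). Field names loosely mirror
# events 4769 (TGS request), 5145 (share object access), 4688 (process creation)
# and a generic proxy log line.
LOGS = [
    # Stage 1: one user requests RC4 (0x17) service tickets for many SPNs in seconds
    {"ts": "2024-03-04T09:00:01", "id": 4769, "user": "jdoe", "spn": "MSSQLSvc/db01.corp.local:1433", "enc": "0x17"},
    {"ts": "2024-03-04T09:00:02", "id": 4769, "user": "jdoe", "spn": "HTTP/intranet.corp.local", "enc": "0x17"},
    {"ts": "2024-03-04T09:00:02", "id": 4769, "user": "jdoe", "spn": "MSSQLSvc/db02.corp.local:1433", "enc": "0x17"},
    {"ts": "2024-03-04T09:00:03", "id": 4769, "user": "jdoe", "spn": "CIFS/backup01.corp.local", "enc": "0x17"},
    {"ts": "2024-03-04T09:00:03", "id": 4769, "user": "jdoe", "spn": "exchangeMDB/mail01.corp.local", "enc": "0x17"},
    # Baseline: one AES (0x12) ticket for one service is normal traffic
    {"ts": "2024-03-04T09:01:00", "id": 4769, "user": "asmith", "spn": "HTTP/intranet.corp.local", "enc": "0x12"},
    # Baseline: one user opens one document on one share
    {"ts": "2024-03-04T10:30:00", "id": 5145, "user": "asmith", "share": "\\\\fs01\\Finance", "path": "Q4\\budget.xlsx"},
    # Stage 3: password-protected 7-Zip archive, then a large POST to webmail
    {"ts": "2024-03-04T11:00:00", "id": 4688, "user": "jdoe", "cmd": "7z.exe a -pS3cret! C:\\Users\\jdoe\\out.zip C:\\Users\\jdoe\\loot\\*"},
    {"ts": "2024-03-04T11:05:00", "id": "proxy", "user": "jdoe", "host": "mail.google.com", "method": "POST", "bytes_out": 48_000_000},
    {"ts": "2024-03-04T11:06:00", "id": "proxy", "user": "asmith", "host": "mail.google.com", "method": "GET", "bytes_out": 2_000},
]
# Stage 2: the cracked service account reads 25 files across two shares in 25 seconds
LOGS += [
    {"ts": f"2024-03-04T10:00:{i:02d}", "id": 5145, "user": "svc_sql",
     "share": "\\\\fs01\\Finance" if i % 2 else "\\\\fs02\\Legal", "path": f"contracts\\doc{i}.docx"}
    for i in range(25)
]


def _busiest(items, window):
    """Distinct keys seen in the busiest `window`, trying a window starting at each event."""
    items = sorted(items)
    best = set()
    for t0, _ in items:
        keys = {k for t, k in items if t0 <= t <= t0 + window}
        if len(keys) > len(best):
            best = keys
    return best


def kerberoast_hits(logs, min_spns=5, window=WINDOW):
    """Accounts that pulled RC4 (0x17) service tickets for >= min_spns distinct SPNs
    inside `window`. Roasting tools ask for RC4 where the domain allows it because
    that ticket cracks far faster than an AES one; in an RC4-free domain drop the
    encryption filter and key on the SPN count alone."""
    per_user = defaultdict(list)
    for r in logs:
        if r["id"] == 4769 and r["enc"] == "0x17":
            per_user[r["user"]].append((ts(r["ts"]), r["spn"]))
    hits = {u: len(_busiest(v, window)) for u, v in per_user.items()}
    return {u: n for u, n in hits.items() if n >= min_spns}


def share_sweep_hits(logs, min_files=20, min_shares=2, window=WINDOW):
    """Accounts that touched >= min_files distinct files on >= min_shares shares
    inside `window` (event 5145 needs Detailed File Share auditing on the filer
    and is noisy, so set the thresholds against that host's baseline)."""
    per_user = defaultdict(list)
    for r in logs:
        if r["id"] == 5145:
            per_user[r["user"]].append((ts(r["ts"]), (r["share"], r["path"])))
    hits = {}
    for user, items in per_user.items():
        touched = _busiest(items, window)
        if len(touched) >= min_files and len({share for share, _ in touched}) >= min_shares:
            hits[user] = len(touched)
    return hits


def exfil_hits(logs, min_bytes=10_000_000, window=timedelta(hours=2)):
    """Users who built a password-protected 7-Zip archive (4688 command line with
    the -p switch; a crude substring match) and then POSTed >= min_bytes to a
    webmail host within `window`. The proxy must log bytes out per request;
    without TLS inspection the host comes from SNI and the body is opaque,
    which is exactly why the size is the signal."""
    archives = defaultdict(list)
    for r in logs:
        if r["id"] == 4688 and "7z" in r["cmd"].lower() and " -p" in r["cmd"]:
            archives[r["user"]].append(ts(r["ts"]))
    hits = {}
    for r in logs:
        if (r["id"] == "proxy" and r["method"] == "POST"
                and r["host"] in WEBMAIL_HOSTS and r["bytes_out"] >= min_bytes):
            t = ts(r["ts"])
            if any(timedelta(0) <= t - a <= window for a in archives[r["user"]]):
                hits[r["user"]] = r["bytes_out"]
    return hits


if __name__ == "__main__":
    for name, fn in (("kerberoast", kerberoast_hits), ("share sweep", share_sweep_hits), ("exfil", exfil_hits)):
        print(f"{name:12s} {fn(LOGS) or 'no hits'}")
```

Read against question 1: the ticket burst is the earliest clean signal and fires before any data moves, the share sweep is visible only if file-share auditing is actually on, and the webmail upload is the last chance and the one most shops only catch through DLP. Note that the three hits name different principals (jdoe for the roast and the upload, svc_sql for the sweep), so the investigation in question 4 has to join the cracked account's activity back to the human who requested its ticket.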