2010-03-01
11:22 AM
Advanced Persistent Threat detection
Curious how folks are leveraging enVision for visibility into Advanced Persistent Threats?
1. Reconnaissance.
2. Intrusion into the network
3. Establishing a backdoor
4. Obtaining user credentials
5. Installing multiple utilities
6. Privilege escalation
7. Maintaining persistence
IDS and firewall logs are helpful for #1 and #2 but appear to be less helpful in the other stages.
How do folks detect connections to Command and Control sites, especially if those sites are hosted in the US (where I live)?
0 Replies
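One behavioural approach to the last question (spotting command-and-control traffic in logs a SIEM already collects, regardless of where the destination is hosted) is to look for beaconing: a host that contacts the same external name at near-constant intervals. The script below is an added example written for this page; it is not enVision's logic or code from the original post. It assumes a constructed, simplified proxy log format (`<ISO timestamp> <src_ip> <dst_host> <bytes_out>`), a made-up set of log lines using reserved `.test` hostnames, and illustrative thresholds (`min_hits`, `max_cv`) that a practitioner would tune to their own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real data). Format assumed here:
#   <ISO timestamp> <src_ip> <dst_host> <bytes_out>
# 10.1.2.5 polls one host every ~5 minutes (a beacon-like pattern);
# 10.1.2.9 visits a news site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.1.2.5 updates.example-vendor.test 512
2010-03-01T09:00:03 10.1.2.5 news.example.test 4120
2010-03-01T09:05:01 10.1.2.5 updates.example-vendor.test 498
2010-03-01T09:10:00 10.1.2.5 updates.example-vendor.test 505
2010-03-01T09:11:42 10.1.2.5 mail.example.test 8800
2010-03-01T09:15:02 10.1.2.5 updates.example-vendor.test 510
2010-03-01T09:20:00 10.1.2.5 updates.example-vendor.test 501
2010-03-01T09:25:01 10.1.2.5 updates.example-vendor.test 507
2010-03-01T09:02:10 10.1.2.9 news.example.test 3000
2010-03-01T09:30:44 10.1.2.9 news.example.test 2900
2010-03-01T10:12:05 10.1.2.9 news.example.test 3100
2010-03-01T10:15:20 10.1.2.9 news.example.test 3050
2010-03-01T11:40:00 10.1.2.9 news.example.test 2980
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src_ip, dst_host, bytes) tuples.

    Blank or malformed lines are skipped rather than aborting the run, since
    real exports routinely contain both.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
        except ValueError:
            continue
    return records


def find_beacons(records, min_hits=5, max_cv=0.2, allowlist=()):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    The regularity measure is the coefficient of variation (stdev / mean) of the
    gaps between successive connections: a machine-driven check-in has a low CV,
    human browsing does not. Thresholds are illustrative and need local tuning.
    Destinations in `allowlist` (known update or monitoring hosts) are ignored.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst not in allowlist:
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']})")
```

The signal here is timing, not geography, which is why it still applies when the destination sits in the same country as the source. Expect legitimate software updaters and monitoring agents to trip it as well; an allowlist of known check-in hosts, plus a look at bytes transferred per hit, is the usual way to separate those from traffic worth an analyst's time.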
