Interesting blog post about remediation and response to persistent & targeted attacks. White paper and slides are linked from the post. I am not sure where I stand on this. I understand the logic and the need for effective remediation and determining scope of the incident. However, given the assumptions in the paper: “organization inexperienced in dealing with targeted intrusions” and “security team has poor visibility into host and network activities”, I have serious doubts that this type of a team will be able to execute¬† the process effectively. At a minimum, some form of containment should be higher on the priority list.

https://blog.mandiant.com/archives/3110