Blog
Practical incident response and DFIR guides from the CICADA IR team.
The first hour of a credential compromise: a repeatable IR playbook (13 min read)
What you do in the first hour of a credential compromise decides how the rest of the investigation goes. A minute-by-minute IR playbook: triage without destroying evidence, collect the telemetry that expires first, build the timeline, and contain with an approval gate and full audit trail.
Tags: Credential Compromise, Playbooks, Incident Response, Entra ID, DFIR

Chain of custody for digital evidence: building IR reports that survive legal review (13 min read)
How to apply NIST SP 800-86 chain-of-custody principles to a modern IR investigation: cryptographic integrity, action logging, and the structure of a report that holds up in court, regulator review, or insurance dispute.
Tags: Chain of Custody, DFIR, Incident Response, Compliance

PCAP-driven incident response: investigating suspicious traffic when you don't have an EDR (14 min read)
A practical workflow for using PCAP captures to drive an incident response when endpoint telemetry isn't available: what to look for, how to extract IOCs from raw packets, and how to reconstruct an attack chain from the wire.
Tags: PCAP, Network Forensics, Incident Response, DFIR

Detecting Active Directory ransomware precursors: stopping lateral movement before encryption (15 min read)
Ransomware doesn't start with encryption. It starts with credential theft, lateral movement, and privilege escalation in Active Directory. A practical detection and response playbook for the AD attack chain: kerberoasting, DCSync, ticket-granting attacks, and the tier-2 sequences that catch them.
Tags: Active Directory, Ransomware, Lateral Movement, Incident Response, DFIR

Investigating Microsoft 365 BEC: OAuth grants, mailbox rules, and the BEC kill chain (13 min read)
Business Email Compromise has moved past simple password theft. Modern BEC chains pivot through OAuth consent grants, mailbox forwarding rules, and inbox poisoning. A step-by-step IR workflow for tracing a BEC incident end-to-end in a Microsoft 365 tenant.
Tags: Microsoft 365, BEC, Entra ID, Incident Response, DFIR

How to investigate a compromised Entra ID account: a step-by-step IR workflow (12 min read)
A practical incident response workflow for investigating a suspected compromised Microsoft Entra ID user, from initial triage to containment, evidence collection, and report generation.
Tags: Entra ID, Microsoft 365, Incident Response, DFIR