RUNGSX
Security Intelligence
Causal Kill Chain Analysis
Vantage / 1580358 B.C. LTD.
INTERACTIVE DEMO

Your SIEM detects.
Vantage reasons.

Vantage applies threat analysis to security incident response — computing what is driving the attack, what happens next in the kill chain, and which containment action breaks it. Not guesses. Answers.

Causal Kill Chain Analysis
Maps every security event to a threat model — telling you why the attack is progressing, not just that it is.
Pre-emptive Containment
Projects the next kill chain stage before it executes. Recommends containment before the attacker takes their next action.
Counterfactual Reporting
Post-incident: computes what would have prevented the breach, identifies the exact policy gap, and produces a board-ready report.
Four Proprietary Intelligence Layers
1. Situation Scan (Observe) - Classifies the incident: attack vector, kill chain stage, affected hosts, involved accounts. Real-time, specific to this incident.
2. Decision Guide (Intervene) - Scores each containment option through the threat model. Ranked recommendations with impact on attack progression.
2.5. Foresight Engine (Anticipate) - Projects the next kill chain stage before it executes. Pre-emption, not reaction. The proprietary layer.
3. Evidence Analysis (Counterfactual) - Post-incident: what would have prevented it? Exact policy gap identified. Board-ready report generated.
Live Causal Analysis
Vantage ENGINE ACTIVE — Causal Kill Chain Analysis · Structured reasoning · Auditable results
CRITICAL: Ransomware Kill Chain — Active Incident
Patient Zero: IT-WORKSTATION-042 · User: mark.johnson@company.com · EDR: CrowdStrike (Monitor policy) · Lateral Reach: 14 hosts
Kill Chain Stage (◉ marks the current stage):
Initial Access → Execution → Priv. Escalation → ◉ Lateral Movement → C2 / Staging → Impact (Encrypt)
Vantage Situation Scan complete — incident loaded, threat model loaded from CrowdStrike + Splunk telemetry.
Vantage — Situation Scan
Incident classified: Ransomware kill chain, stage 4 of 6.

At 09:14 AM, Outlook.exe on IT-WORKSTATION-042 opened a macro-enabled Excel attachment. The macro spawned PowerShell with a Base64-encoded download cradle — this is the execution event. PowerShell then ran ProcDump against LSASS memory, confirming SYSTEM-level privilege escalation.

Over the following 40 minutes, PsExec lateral movement was confirmed to 14 additional hosts across the Finance and IT segments. A Cobalt Strike beacon is now active on all 15 hosts, calling out to 45.33.104.12 at 10-second intervals.

Current risk level: CRITICAL. The attacker has persistent access and active C2. Ransomware deployment is estimated within 6–8 hours based on the observed dwell pattern.
Analyst
What are our containment options? Which one do you recommend?
Vantage — Decision Guide
I've run all four containment options through the threat model. Here are the results:
Containment Options — Scored Against Kill Chain DAG
A. Isolate patient zero only (IT-WORKSTATION-042) [HIGH RISK]
Too late — lateral movement is already confirmed on 14 hosts. Isolating patient zero does not sever C2 or block ransomware on the other hosts. Attack probability: 91% unchanged.
C. Monitor in forensic mode — let it run [CRITICAL RISK]
Maximum intelligence gathering, maximum risk. Appropriate only with a dedicated IR team on-site and board-level authorization. Ransomware deployment nearly certain within 8 hours.
D. Emergency domain shutdown [LAST RESORT]
Total prevention — but requires 4+ hours of full business downtime. Backup integrity not verified (last test: 90 days ago). Recovery risk is significant. Use only if Option B is not executable.
Analyst
We're going with B — segment isolation. What should we expect to happen next after we execute that?
Vantage — Foresight Engine
Projected sequence after segment isolation:

Once network isolation is applied, the Cobalt Strike beacon on all 15 hosts will fail to reach C2 within 10–30 seconds. The attacker will lose active control. Because ransomware deployment requires a signed C2 command in this variant (based on the beacon signature), encryption will not execute.

Watch for: Attempts to re-establish C2 via DNS (common fallback). Block all outbound DNS from the isolated segment — not just the known C2 IP. The attacker may have a backup C2 domain configured.

Recovery window: Once isolation confirms C2 dead (no outbound traffic to external IPs for 5+ minutes), you can begin forensic imaging of patient zero. Do not remediate before imaging — the macro and initial payload are on disk and are your primary evidence.
Analyst
Incident is contained. Pull the post-incident report — what would have prevented this?
Vantage — Evidence Analysis
Post-incident counterfactual analysis complete.
Counterfactual Report — Ransomware Incident · IT-WORKSTATION-042
Actual Outcome: 15 hosts compromised
  3.5 hours of active attacker dwell · Contained before encryption · Recovery: 6 hours
With Policy Change: 0 hosts compromised
  Attack stopped at execution stage · No lateral movement · No incident response required
The key finding: CrowdStrike was deployed in Monitor (not Block) mode. The macro execution event at 09:14 AM was flagged but not prevented. If EDR policy had been set to Block, PowerShell would have been terminated at spawn. The kill chain breaks at stage 2. Lateral movement to 14 hosts, 3.5 hours of attacker dwell, and $180K in incident response costs would not have occurred.

Recommended policy change: Enable CrowdStrike "Prevent" policy for Office macro spawning PowerShell. This single policy change has a 96% probability of blocking this attack class entirely.
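Two checks from this scenario, written here as an added Python example that is not Vantage's or RUNGSX's code: a beacon-regularity detector that groups flow records by source and destination and flags pairs whose inter-arrival times are nearly constant, like the 10-second callouts to 45.33.104.12, and the recovery gate that confirms no host in the isolated segment has reached a public IP for five minutes. The flow records, the hostnames other than IT-WORKSTATION-042, the timestamps and the coefficient-of-variation threshold are constructed for the example.

```python
"""Beacon-regularity detection and a post-isolation quiet check over flow
records. Added illustration, not Vantage product code; the flow records,
hostnames other than patient zero, and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from statistics import mean, pstdev

C2_IP = "45.33.104.12"                 # C2 address named in the scenario
T0 = datetime(2024, 1, 1, 9, 54, 0)    # constructed start time of the window


def build_sample_flows():
    """Constructed flow records: (timestamp, source host, destination IP, port).
    Three hosts call the C2 every 10 s with sub-second jitter; patient zero
    also talks to an internal file server at irregular intervals."""
    flows = []
    jitter = [0.0, 0.4, -0.3, 0.2, -0.1, 0.3, -0.4, 0.1, 0.0, 0.2, -0.2, 0.1]
    for host in ("IT-WORKSTATION-042", "FIN-LAPTOP-07", "FIN-SERVER-01"):
        for i, j in enumerate(jitter):
            flows.append((T0 + timedelta(seconds=10 * i + j), host, C2_IP, 443))
    for offset in (0, 7, 31, 33, 80, 101):
        flows.append((T0 + timedelta(seconds=offset), "IT-WORKSTATION-042", "10.0.0.5", 445))
    return flows


def detect_beacons(flows, min_events=6, max_cv=0.15):
    """Report (src, dst) pairs whose inter-arrival times are regular: at least
    min_events flows and a coefficient of variation (stdev / mean of the
    gaps) at or below max_cv. Returns sorted (src, dst, mean_gap_s, cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(found)


def isolation_confirmed(flows, segment_hosts, now, quiet_minutes=5):
    """True when no host in the isolated segment has reached a public IP in
    the last quiet_minutes: the 'no outbound traffic to external IPs for 5+
    minutes' gate before forensic imaging starts."""
    cutoff = now - timedelta(minutes=quiet_minutes)
    for ts, src, dst, _port in flows:
        if src in segment_hosts and ts >= cutoff and ip_address(dst).is_global:
            return False
    return True


if __name__ == "__main__":
    flows = build_sample_flows()
    for src, dst, gap, cv in detect_beacons(flows):
        print(f"beacon-like: {src} -> {dst} every {gap}s (cv={cv})")
    segment = {"IT-WORKSTATION-042", "FIN-LAPTOP-07", "FIN-SERVER-01"}
    last_seen = max(ts for ts, *_ in flows)
    print("isolated after 6 min:", isolation_confirmed(flows, segment, last_seen + timedelta(minutes=6)))
```

The internal file-server traffic has the same number of events as the beacons but irregular gaps, so it is not reported; the quiet check returns False while the last beacon is still inside the five-minute window and True once it has aged out. Replace the constructed records with flow or firewall telemetry keyed the same way to reuse both functions.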
HIGH: Insider Threat — Data Exfiltration Detected
Subject: sarah.chen@company.com (Finance Analyst, notice period) · DLP Trigger: 4 events in 72 hrs · Data: Customer PII + pricing models
Insider Threat Stage (◉ marks the current stage):
Access Abuse → Collection → ◉ Exfiltration → External Transfer → Impact
Vantage Situation Scan complete — insider threat model loaded from DLP, Okta, and SharePoint audit logs.
Vantage — Situation Scan
Incident classified: Insider data exfiltration, stage 3 of 5.

Sarah Chen submitted her resignation 11 days ago. Vantage flagged an anomalous access pattern beginning 3 days after notice — a known causally associated timing (employees with access to sensitive data show 340% higher exfiltration probability in the 30 days post-resignation notice).

Confirmed events: (1) Bulk download of customer PII dataset — 12,400 records from Salesforce; (2) Access to competitor pricing model folder outside normal working hours; (3) Upload to personal Google Drive — DLP intercepted the attempt; (4) USB device connected to Finance laptop — transfer log pending.

Data at risk: Customer PII (CCPA-regulated), proprietary pricing models, and Q3 financial projections. External transfer may have occurred via USB before DLP interception.
Analyst
Has anything actually left the building? And what do we do now — HR is asking.
Vantage — Decision Guide
On exfiltration confirmation: Google Drive upload was blocked by DLP. USB log shows a connection for 4 minutes on Tuesday at 6:47 PM — sufficient time to transfer the pricing model folder (1.2 GB). I assess the probability of successful USB exfiltration at 73% based on the transfer window and file sizes. This is not confirmed but should be treated as assumed until disproven by forensic imaging.

Recommended actions — in sequence:
1. Preserve evidence now — do not alert Sarah Chen, revoke access, or conduct an interview. Premature action destroys evidence. Legal hold must be placed silently.
2. Image the Finance laptop — forensic copy before any HR action. This is the only way to confirm or deny USB transfer.
3. Revoke access simultaneously with HR meeting — coordinate IT and HR to act in the same minute. Any gap risks data deletion or additional exfiltration.
4. Notify legal counsel — CCPA breach notification clock starts when you confirm PII left the organization. 72-hour window.
Analyst
What's the counterfactual — what should we have had in place to catch this earlier?
Vantage — Evidence Analysis
Counterfactual analysis: what breaks the attack chain before exfiltration.
Counterfactual — Insider Threat · sarah.chen@company.com
Actual Detection: Day 11 post-notice
  DLP caught Google Drive upload · USB transfer likely complete · 12,400 PII records at risk
With Early Warning: Day 3 post-notice
  Bulk download flagged immediately · No exfiltration window · Evidence preserved
The key finding: No automated alert was triggered when a user under resignation notice performed a bulk export of 12,400 Salesforce records. Vantage would have flagged this as a high-probability exfiltration precursor on day 3. The missing control is a resignation-status-aware DLP rule — employees on notice should trigger immediate review on any bulk data access event. This is a policy gap, not a technology gap.
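The control the counterfactual names, a resignation-status-aware rule over bulk data-access events, as an added Python example; it is not Vantage's code. The roster, the audit events, the 1,000-record bulk threshold and the working-hours window are constructed; the 30-day post-notice window and the 12,400-record Salesforce export on day 3 come from the scenario.

```python
"""Resignation-status-aware review rule for bulk data-access events, the
control the counterfactual names. Added illustration, not Vantage product
code; the roster, audit events and thresholds are constructed."""
from datetime import date, datetime, time

NOTICE_WINDOW_DAYS = 30         # scenario: elevated risk in the 30 days after notice
BULK_RECORD_THRESHOLD = 1000    # constructed: this many records or more counts as bulk
BUSINESS_HOURS = (time(8, 0), time(18, 30))   # constructed working-hours window

# Constructed HR roster: user -> date notice was given (None = not on notice)
ROSTER = {
    "sarah.chen@company.com": date(2024, 3, 1),
    "mark.johnson@company.com": None,
}

# Constructed audit events: (timestamp, user, action, source, record_count)
EVENTS = [
    (datetime(2024, 3, 4, 14, 10), "sarah.chen@company.com", "export", "Salesforce", 12400),
    (datetime(2024, 3, 4, 15, 0), "mark.johnson@company.com", "export", "Salesforce", 12400),
    (datetime(2024, 3, 6, 21, 5), "sarah.chen@company.com", "read", "SharePoint:pricing-models", 40),
    (datetime(2024, 3, 5, 10, 0), "sarah.chen@company.com", "export", "Salesforce", 25),
]


def days_since_notice(user, on, roster=ROSTER):
    """Days between the user's notice date and the event date, or None when
    the user is not on notice."""
    notice = roster.get(user)
    return None if notice is None else (on - notice).days


def evaluate(events, roster=ROSTER):
    """Classify each event. On notice + bulk -> immediate-review (the rule the
    counterfactual calls for); on notice + off-hours -> review; bulk by anyone
    else -> log for the baseline DLP rule; everything else is ignored."""
    alerts = []
    for ts, user, action, source, count in events:
        days = days_since_notice(user, ts.date(), roster)
        on_notice = days is not None and 0 <= days <= NOTICE_WINDOW_DAYS
        bulk = count >= BULK_RECORD_THRESHOLD
        off_hours = not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])
        if on_notice and bulk:
            severity = "immediate-review"
        elif on_notice and off_hours:
            severity = "review"
        elif bulk:
            severity = "log"
        else:
            continue
        alerts.append({
            "severity": severity, "user": user, "when": ts.isoformat(),
            "action": action, "source": source, "records": count,
            "days_since_notice": days, "off_hours": off_hours,
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert["severity"], alert["user"], alert["source"], alert["records"],
              "day", alert["days_since_notice"])
```

The same 12,400-record export produces an immediate-review alert for the user on notice and only a log entry for a user who is not, which is the whole point of joining HR status to the DLP event stream; the roster lookup is the piece that most DLP deployments lack.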
HIGH: Business Email Compromise — CFO Impersonation
Target: AP Department (3 employees) · Amount at Risk: $240,000 wire transfer pending · Source: Spoofed domain — cfo@company-corp.com
BEC Stage (◉ marks the current stage):
Reconnaissance → Spoofed Email Sent → ◉ Wire Request Pending → Transfer Executed → Funds Gone
Vantage Situation Scan complete — BEC model loaded from email gateway, wire transfer system, and domain reputation data.
Vantage — Situation Scan
Incident classified: Business Email Compromise — active wire fraud attempt, stage 3 of 5.

At 2:43 PM, an email purportedly from CFO David Marsh was received by three AP employees requesting an urgent $240,000 wire transfer to a new vendor account. The sending domain is "company-corp.com" — registered 4 days ago, designed to appear identical to the real domain at a glance.

One AP employee has already replied confirming the wire details. The transfer has not been submitted yet โ€” it requires a second approval from the AP Manager, who is currently reviewing the request.

You are at the last intervention point. Once the AP Manager approves and submits, the transfer is effectively irreversible โ€” international wire fraud recovery rate is under 12%.
Analyst
Stop the wire immediately. What else do we need to do right now?
Vantage — Decision Guide
Immediate actions — execute in parallel:

1. Contact AP Manager by phone right now — do not email (the attacker may be monitoring the email thread). Say: "Do not approve or submit the wire transfer initiated at 2:43 PM. Suspected fraud." That's all that's needed.

2. Freeze the transaction in the wire system — flag the pending transfer as under review. Even if approved, a fraud flag gives you a 20–40 minute window before it clears.

3. Report to your bank's fraud line immediately — even if the wire hasn't been submitted. Banks can flag the destination account pre-emptively.

4. Do not reply to the fraudulent email — the attacker will escalate and create urgency. Silence is correct.

The CFO's actual email account shows no sent message at 2:43 PM. This confirms spoofing, not compromise. The real CFO's mailbox is clean.
Analyst
Wire is stopped. What control would have prevented this?
Vantage — Evidence Analysis
Counterfactual: the path to prevention.
Counterfactual — BEC Wire Fraud Attempt
Actual Path: Near miss — $240K
  Caught at second approval · 47-minute exposure window · Significant staff time and stress
With Controls: Email rejected at gateway
  DMARC enforcement blocks spoofed domain · Email never reaches inbox · Zero exposure
The key finding: Your email gateway does not enforce DMARC rejection for your domain. The spoofed "company-corp.com" domain passed SPF checks because the attacker registered a real domain — but DMARC alignment with your actual domain "company.com" would have flagged the mismatch. Enabling DMARC enforcement + a dual-approval policy for wire transfers over $50K breaks this attack class entirely. Both are low-cost controls. DMARC: 2–4 hour implementation. Dual-approval: policy change only.
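Two gateway checks for this scenario as an added Python example, not Vantage's code: DMARC identifier alignment, which applies the From header domain's published policy and, at p=reject, drops a message that claims to be from company.com but authenticates only under some other domain; and a lookalike check that compares the From domain's registrable label against protected domains, which is what catches company-corp.com, since that domain authenticates under its own SPF and publishes no DMARC policy of its own. The DMARC records, the three messages and the protected-domain list are constructed; the monitor-mode record beside the enforced one shows the difference between the two configurations.

```python
"""Gateway-side checks for the BEC scenario: DMARC identifier alignment
for the From header domain and a lookalike check against protected
domains. Added illustration, not Vantage product code; DMARC records,
messages and the protected-domain list are constructed."""
from difflib import SequenceMatcher

PROTECTED = {"company.com"}  # the organization's real domain (from the scenario)

# Constructed DMARC records keyed by organizational domain. The attacker's
# company-corp.com publishes nothing, so no policy applies to it.
RECORDS_ENFORCED = {"company.com": {"p": "reject", "aspf": "relaxed", "adkim": "relaxed"}}
RECORDS_MONITOR = {"company.com": {"p": "none", "aspf": "relaxed", "adkim": "relaxed"}}


def org_domain(domain):
    """Organizational domain as the last two labels. Enough for .com-style
    names; a production check would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts a match on the organizational domain. None means the
    authentication check (SPF or DKIM) did not pass at all."""
    if auth_domain is None:
        return False
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, dkim_domain, records):
    """Apply the From domain's own DMARC policy. spf_domain is the MAIL FROM
    domain if SPF passed, dkim_domain the d= of a valid signature; either is
    None when that check failed. Returns (disposition, reason)."""
    policy = records.get(org_domain(from_domain))
    if policy is None:
        return "none", "no DMARC record for From domain"
    spf_ok = aligned(from_domain, spf_domain, policy.get("aspf", "relaxed"))
    dkim_ok = aligned(from_domain, dkim_domain, policy.get("adkim", "relaxed"))
    if spf_ok or dkim_ok:
        return "pass", "aligned via " + ("DKIM" if dkim_ok else "SPF")
    return policy.get("p", "none"), "no aligned authenticated identifier"


def lookalike(from_domain, protected=PROTECTED, min_ratio=0.8):
    """Flag a From domain that is not protected but textually close to one:
    a high difflib ratio on the registrable label, or the protected label
    embedded in it (company-corp contains company)."""
    fd = org_domain(from_domain)
    if fd in protected:
        return None
    base = fd.split(".")[0]
    for prot in protected:
        prot_base = prot.split(".")[0]
        ratio = SequenceMatcher(None, base, prot_base).ratio()
        if ratio >= min_ratio or prot_base in base:
            return prot, round(ratio, 2)
    return None


def screen(message, records):
    """One gateway decision for a constructed message dict with keys
    from_domain, spf_domain and dkim_domain."""
    disposition, reason = dmarc_result(
        message["from_domain"], message["spf_domain"], message["dkim_domain"], records)
    if disposition in ("reject", "quarantine"):
        return disposition, reason
    hit = lookalike(message["from_domain"])
    if hit:
        return "quarantine", f"From domain resembles protected {hit[0]} (ratio {hit[1]})"
    return "deliver", reason


# Constructed messages. SPF "passes" for whichever domain the sender controls.
DIRECT_SPOOF = {"from_domain": "company.com", "spf_domain": "mailer.attacker-infra.example", "dkim_domain": None}
LOOKALIKE = {"from_domain": "company-corp.com", "spf_domain": "company-corp.com", "dkim_domain": None}
GENUINE = {"from_domain": "company.com", "spf_domain": "bounce.company.com", "dkim_domain": "company.com"}

if __name__ == "__main__":
    for name, msg in (("direct spoof", DIRECT_SPOOF), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(name, "| monitor:", screen(msg, RECORDS_MONITOR), "| enforced:", screen(msg, RECORDS_ENFORCED))
```

With the monitor-mode record the direct spoof of company.com is delivered; with p=reject it is refused at the gateway. The lookalike message is unaffected by either record and is held only by the second check, so the two controls cover different halves of the impersonation problem and a gateway wants both.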