End of story¶

A squirrel mid-sprint across a server room floor, cheeks stuffed, arms full of flags and file bundles. Behind it: a bird feeder tipped over, logs scattered, a handful of decoy nuts arranged with suspicious neatness.

By the time an attacker reaches this phase, the objective is in sight: data staged, compressed, encrypted, and moved; systems disrupted or destroyed; the evidence of how they got there quietly tidied up behind them. Detection here is late, but not useless. Exfiltration has a shape, impact has a signature, and forensics still works even after the fact. This section covers collection, exfiltration, and impact from the defender’s perspective, with an emphasis on what can still be caught, contained, and learned from.

Watching data being gathered
- Patterns and detection
- Collection activity hunting
Watching the exits
- Exfiltration: channels and tells
- The data egress hunt
Limiting the blast radius
- Techniques and response context
- Responding to active impact

Sweep Up the Mess