Triaging an Incident

Well, it finally happened—we may have been breached. Our Cyber First Responder left the attached
PCAP from her initial response actions, but then had to leave for the East Coast on a higher-priority
response. The CISO declared an “incident” and now wants you to investigate the PCAP of what we
believe to be an attack. Is it an attack or something else?

The more malicious activity you find and the remediation recommendations