STEP 4: Identify Systems at Risk
Once an incident has been identified, systems immediately affected are easily identified. You should also consider how those systems interact with the rest of the network, what information may be on them, and how that information could enable an attacker to pivot to other systems. This information ranges from system and application settings (e.g., trust relationships, account credentials, APIs) to intelligence (e.g., standard email templates, network diagrams, organization charts). Attackers use many methods to exploit compromised systems and gain access to other systems and data in the environment.
Our experience shows that in most cases, people underestimate the extent of systems and data at risk. A complete forensic examination is needed to determine which systems and data the attacker has had access to. At this stage you are operating with incomplete information, and it is safer to assume the worst than to be optimistic.
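One way to turn the pivot reasoning above into an initial scope list is sketched below. This is an added example, not part of the original guide. The host names, relation labels and the `ACCESS_PATHS` inventory are constructed for illustration, and every recorded trust relationship, credential or API key is assumed to be usable by the attacker.

```python
from collections import deque

# Constructed sample inventory (hypothetical hosts, not from the original guide).
# Each entry: (source, relation, target) meaning an attacker on `source`
# could use `relation` to reach `target`.
ACCESS_PATHS = [
    ("web01", "api key in app config", "orders-db"),
    ("web01", "ssh trust", "deploy01"),
    ("deploy01", "service account", "web02"),
    ("deploy01", "service account", "build01"),
    ("orders-db", "db link", "reporting01"),
    ("hr-laptop7", "cached admin credential", "fileserver01"),
]

def systems_at_risk(confirmed, access_paths):
    """Return {host: path} for every host reachable from the confirmed set.

    path is a list of (source, relation, target) hops explaining why the
    host is in scope. Worst case is assumed: every recorded relation is
    treated as usable by the attacker.
    """
    outgoing = {}
    for src, rel, dst in access_paths:
        outgoing.setdefault(src, []).append((rel, dst))

    at_risk = {host: [] for host in confirmed}   # confirmed hosts: empty path
    queue = deque(confirmed)
    while queue:
        host = queue.popleft()
        for rel, dst in outgoing.get(host, []):
            if dst not in at_risk:               # first (shortest) path wins
                at_risk[dst] = at_risk[host] + [(host, rel, dst)]
                queue.append(dst)
    return at_risk

def report(confirmed, access_paths):
    """Format the scope as text lines, confirmed hosts first."""
    lines = []
    for host, path in systems_at_risk(confirmed, access_paths).items():
        if not path:
            lines.append(f"{host}: confirmed affected")
        else:
            chain = " -> ".join(f"{s} [{r}]" for s, r, _ in path)
            lines.append(f"{host}: at risk via {chain} -> {host}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(["web01"], ACCESS_PATHS)))
```

The result is a starting list for forensic examination, not a finding: it is only as complete as the inventory of relationships fed into it.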