Jessica Payne @jepayneMSFT
Cases I have investigated recently have included:

- new ‘elite’ malware that most well configured/behavioral AV would have caught
- ‘junk’ malware used for initial entry
- unpatched servers on the internet

Attackers don’t often encounter networks that require advanced techniques.
Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with aka.ms/laps
Every week we encounter at least one case of a domain admin level account being available on a web facing/easily compromised server because of doubt about where the account is used and what it might break to remove it. You can figure that out with aka.ms/weffles
At least once a week we encounter a case of lateral movement using off-the-shelf tools like PsExec, command-line utilities, or EternalBlue. You can stop all of them from moving laterally by blocking SMB and RPC between endpoints using the Windows Firewall channel9.msdn.com/Events/Ignite/…
Supporting our CSS remote IR engineers is one of my favorite parts of my job - it’s not always elite APT malware ‘glamour,’ but it is always a case - even if it’s ‘just’ Qakbot - where you learn the real world isn’t quite like a security product sales pitch.
Have a practice IR. This may look different than you’re expecting.
Can you:
1) deploy software or a script to ALL endpoints without errors?
2) identify all your endpoints?
3) know what your patch or configuration deployment status is for a basic item like KB2871997 or a GPO?
During an actual IR, a shocking number of organizations (even ones with incredible human and monetary investments in their security stack) are unable to do steps like deploying a GPO or software due to unknown infrastructure issues, which often made them insecure in the beginning.
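As an added example (not part of the thread above), one way to run the three "can you" checks as a practice IR against a domain: enumerate every enabled computer object, confirm each can actually be reached, and report whether the KB named in the thread is present. It assumes the ActiveDirectory module is installed on the workstation and that RPC/WMI is reachable from it to the endpoints.

```powershell
# Added example: practice-IR inventory and patch-status sweep (not the thread author's code).
# Assumptions: ActiveDirectory module available; RPC/WMI reachable from this host to endpoints.
param(
    [string]$KbId = 'KB2871997',                                  # the update named in the thread
    [string]$SearchBase = (Get-ADDomain).DistinguishedName        # assumption: whole domain
)

Import-Module ActiveDirectory

# Question 2: identify ALL endpoints, not just the ones the team remembers.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                            -Properties OperatingSystem

$results = foreach ($c in $computers) {
    $name = $c.DNSHostName
    if (-not $name) { $name = $c.Name }

    # Question 1: can we reach every endpoint at all? An unreachable host is itself a finding,
    # because a GPO or agent push during a real incident would fail there too.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = 'Unreachable' }
        continue
    }

    # Question 3: patch status. Get-HotFix queries Win32_QuickFixEngineering over RPC/WMI,
    # so a failure here usually means WMI/RPC is blocked or the host is not domain-trusting us.
    try {
        $installed = Get-HotFix -ComputerName $name -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $name; OS = $c.OperatingSystem; Status = 'QueryFailed' }
        continue
    }

    $hit = $installed | Where-Object { $_.HotFixID -eq $KbId }
    # Caveat: KB2871997 targets Windows 7/8 and Server 2008 R2/2012; Windows 8.1/2012 R2 and
    # later ship the same changes built in, and a later rollup can supersede the standalone KB.
    # Treat 'Missing' on those systems as 'verify by OS/build', not as 'unpatched'.
    [pscustomobject]@{
        Computer    = $name
        OS          = $c.OperatingSystem
        Status      = if ($hit) { 'Installed' } else { 'Missing' }
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}

# Summary first (how much of the estate could we even assess?), then the per-host detail.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

The Unreachable and QueryFailed rows are the point of the exercise: they are the hosts where a deployment or GPO push would silently fail during a real response.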