1.) Logging (collecting and a
2.) Antivirus
3.) IDS / HIDS
4.) Email and malware analysis
5.) Remote management
6.) Troubleshooting
I am sure that I will talk about lots of other relevant topics and will edit this page as it all progresses.
Let me give a little theory behind this. As red team members we are focused heavily on adversary simulation along with exploitation. That leads me to a question: what happens when you are doing work for a business that does not have the visibility that you have? You are the one who has gained that visibility. Let me ask another question. As a pentester or red team member, do you ever look for signs of another compromise when you are on a remote system? The truth is that I don't believe many people think about doing this, when in fact they could be walking in the footsteps of previous threats. What? Really? Yes, I hate to rain on the parade, but there are groups of people who are smarter, or have a wider set of resources, and can compromise a system. Worse yet, what if that compromise happens to be APT related?

So with this in mind, I propose the idea of doing offensive live response on any of the systems you compromise and having the appropriate groups look at the results. If your company doesn't have a group with live response scripts, it really wouldn't be that hard to do with a simple autoruns run or possibly process memory dumping. The whole idea is to provide enough visibility into a compromised system without setting off alarms that you are there working, and without interrupting the service on that workstation/server.