Over the years, industry and government have realized that collective intelligence is needed to tackle cybersecurity threats. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) — Alert (AA20-245A): Technical Approaches to Uncovering and Remediating Malicious Activity — is the result of a collective effort from five countries: Australia, Canada, New Zealand, the United Kingdom and the United States. The alert delivers a best-practice guide covering a technical approach to uncovering malicious activity. It provides a “cybersecurity playbook” for incident response and offers mitigation steps.
Some of the key points made by the alert are as follows:
Indicators of compromise
An indicator of compromise (IoC) is the fundamental evidence needed in computer forensics to show that an incident is happening or has occurred. The CISA alert suggests that known-bad indicators of compromise should be collected from an array of sources, including network and host artifacts. The playbook also points out the importance of removing false positives through careful analysis of IoC artifacts.
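As an added example (not code from the CISA alert or from this article), the following Python matcher runs a small set of known-bad indicators over host log lines and suppresses an allowlisted known-benign match, which is the false-positive review the playbook calls for. Every indicator value, host name and log format here is a constructed placeholder.

```python
import re
from dataclasses import dataclass

# Constructed known-bad indicators (placeholders, not from any real advisory).
IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"a" * 64},
}

# Reviewed false positives to suppress: (kind, value, host). Here the
# sandbox host legitimately resolves the flagged domain during detonation.
ALLOWLIST = frozenset({("domain", "update-check.example.net", "sandbox01")})

# Extractors for each indicator type found in free-text log lines.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

@dataclass(frozen=True)
class Hit:
    host: str
    kind: str
    value: str
    line: str

def parse_host(line):
    """Constructed log format: '<timestamp> <host> <message>'."""
    m = re.match(r"^\S+\s+(\S+)\s", line)
    return m.group(1) if m else "unknown"

def match_iocs(lines, allowlist=ALLOWLIST):
    """Return IoC hits across log lines, minus allowlisted false positives."""
    hits = []
    for line in lines:
        host = parse_host(line)
        for kind, pat in PATTERNS.items():
            for val in pat.findall(line):
                norm = val if kind == "ipv4" else val.lower()
                if norm in IOCS[kind] and (kind, norm, host) not in allowlist:
                    hits.append(Hit(host, kind, norm, line))
    return hits

# Constructed host artifacts: an AV detection, an outbound connection,
# a sandbox DNS query and an ordinary domain logon.
SAMPLE_LOGS = [
    "2020-09-01T10:00:01Z ws42 AV detection file=C:\\temp\\x.exe sha256=" + "a" * 64,
    "2020-09-01T10:02:13Z ws42 outbound connection to 203.0.113.45:443",
    "2020-09-01T10:03:00Z sandbox01 dns query update-check.example.net",
    "2020-09-01T10:05:00Z dc01 logon user=jsmith from 10.0.0.5",
]
```

Running `match_iocs(SAMPLE_LOGS)` reports the two ws42 hits and drops the sandbox01 match; passing an empty allowlist shows the third hit that review would otherwise have to dismiss by hand.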
The advisory provides a list of recommended artifacts:
Host-based artifacts: antivirus detections, event logs, local and domain users, unusual authentications, installed applications and more. The notice also goes through the