Uncovering and remediating malicious activity: From discovery to incident handling

Over the years, the security community has realized that collective intelligence is needed to tackle threats. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) — Alert (AA20-245A): Technical Approaches to Uncovering and Remediating Malicious Activity — is the result of a collective effort from five countries, including Australia, Canada, the United Kingdom and the United States. The alert delivers a best-practice guide covering a technical approach to uncovering malicious activity. It provides a “cybersecurity playbook” for incident response and offers step-by-step guidance.

Some of the key points made by the alert are as follows:

Indicators of compromise

An indicator of compromise (IoC) is the fundamental evidence needed in computer forensics to show that an incident is happening or has occurred. The CISA alert suggests that known-bad indicators of compromise should be collected from an array of sources, including network and host artifacts. The playbook also points out the importance of removing false positives through careful analysis of IoC artifacts.

The advisory provides a list of recommended artifacts:

Host-based artifacts: detections, event logs, local and domain users, unusual authentications, installed applications and more. The notice also goes through the

