A joint cybersecurity advisory released on September 1st detailed technical methods for uncovering and responding to malicious activity including best practice mitigations and common missteps. A collaborative effort, this advisory (coded AA20-245A) is the product of research from the cybersecurity organizations of five nations. Those include the United States’ Cybersecurity and Infrastructure Security Agency (CISA) along with its counterpart entities from Canada, the United Kingdom, Australia and New Zealand.

The joint advisory is a general overview of threat hunting and incident response best practices, giving technical advice on a number of areas that can aid in an investigation. It includes information on host- and network-based artifacts that are worthy of collection, and it provides extensive general security mitigation guidance for before and during an incident.

Recommended Artifact and Information Collection

Uncovering malicious activity requires reviewing the host and network data found in your environment. Storing logs and other artifacts is beneficial for detecting known-bad indicators of compromise (IOCs), and careful searching and analysis can reveal behaviors that are suspicious even when no known indicator matches. Knowing the baseline settings and behaviors of your systems and users helps you find anomalies in your environment. Many security tools have been designed to make detecting threats easier through real-time change detection or log analysis, and you may already have some of them available to take advantage of.

Host-based artifacts worth gathering are enumerated in the report and include items such as running processes and services, security product alerts, event logs, installed applications, and malware persistence indicators such as run keys, scheduled tasks, and autorun settings. Numerous examples of both pre- and post-incident best practices are given, such as pre-emptively blocking script files like .js and .vbs, looking for suspicious processes, collecting scripts and binaries from temporary file locations, archiving log files, and checking for additional suspicious (Read more...)
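As an added illustration of the host-based collection the advisory describes (this is example code written here, not a script from the advisory or from the post's author), the following PowerShell snapshots the artifact classes listed above and then compares the persistence locations against a baseline snapshot to surface anomalies. It assumes Windows PowerShell 5.1 or later run as an administrator; the output folder and the optional baseline folder are hypothetical choices.

```powershell
# Added example (not the advisory's or the post's own code): snapshot host-based
# artifacts to a timestamped folder and, when an earlier snapshot folder is given,
# report persistence entries that did not exist in it. Assumes Windows PowerShell 5.1+
# run as administrator; $OutRoot and $Baseline are hypothetical paths.
param(
    [string]$OutRoot  = "C:\IR\artifacts",
    [string]$Baseline = ""   # optional: folder written by an earlier run of this script
)
$out = Join-Path $OutRoot ("{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format "yyyyMMdd-HHmmss"))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Running processes with parent PID, image path and full command line
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv (Join-Path $out "processes.csv") -NoTypeInformation
# Services, the binary each one launches and the account it runs under
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName, StartName |
    Export-Csv (Join-Path $out "services.csv") -NoTypeInformation

# Persistence: Run/RunOnce keys (machine and current user) plus scheduled task actions
$runKeys = "HKLM:", "HKCU:" | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run", "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$persist = @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # PSPath, PSParentPath etc. are PowerShell bookkeeping, not registry values
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin "PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider" } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Value = $_.Value } }
    }
})
$persist += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName
                           Value  = "$($_.Execute) $($_.Arguments)".Trim() }
    }
})
$persist | Export-Csv (Join-Path $out "persistence.csv") -NoTypeInformation

# Event logs: export the native .evtx so timestamps and event data survive intact
foreach ($log in "Security", "System", "Application") { wevtutil epl $log (Join-Path $out "$log.evtx") }

# Baseline comparison: persistence entries present now but absent from the earlier snapshot
if ($Baseline -and (Test-Path (Join-Path $Baseline "persistence.csv"))) {
    Compare-Object -ReferenceObject @(Import-Csv (Join-Path $Baseline "persistence.csv")) -DifferenceObject $persist -Property Source, Name, Value |
        Where-Object SideIndicator -eq "=>" | Select-Object Source, Name, Value |
        Export-Csv (Join-Path $out "persistence-new.csv") -NoTypeInformation
}
```

Run it once on a known-good host to produce the baseline folder, then pass that folder as -Baseline during an investigation; persistence-new.csv then holds only the run-key values and task actions that appeared since.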