A joint cybersecurity advisory released on September 1st detailed technical methods for uncovering and responding to malicious activity, including best practice mitigations and common missteps. A collaborative effort, this advisory (coded AA20-245A) is the product of research from the cybersecurity organizations of five nations. Those include the United States’ Cybersecurity and Infrastructure Security Agency (CISA) along with its counterpart entities from Canada, the United Kingdom, Australia and New Zealand.

The joint advisory is a general overview of threat hunting and incident response best practices, giving technical advice on a number of areas that can aid in an investigation. It includes information on host- and network-based artifacts that are worth collecting, and it provides extensive general security mitigation guidance for before and during an incident.

Recommended Artifact and Information Collection

Uncovering malicious activity requires reviewing host and network data found in your environment. Storing logs and other artifacts is beneficial for detecting known-bad indicators of compromise (IOCs), and careful searching and analysis can reveal suspicious behaviors. Knowing the baseline settings and behaviors of your systems and users helps you find anomalies in your environment. Many security tools have been designed to make detecting threats easier with real-time change detection or log analysis; you may already have some to take advantage of.

Host-based artifacts that are worth gathering are enumerated in the report and include items such as running processes and services, security product alerts, event logs, installed ap ..
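The advice above comes down to two checks that can be run over collected artifacts: matching log fields against known-bad IOCs, and comparing observed host state (here, running process images) against a baseline. The following Python is an added example and is not code from the advisory or from CISA; every IOC value, log line, hostname and baseline entry in it is constructed for illustration (the IP is from a documentation range and the hash is a placeholder), and the key=value log format is an assumption.

```python
"""Added example: IOC matching and baseline comparison over collected artifacts.
All indicators, log lines, hostnames and baselines below are constructed
placeholders for illustration; none come from the advisory."""
from dataclasses import dataclass

# Constructed known-bad IOC set (placeholders, not real indicators).
KNOWN_BAD_IOCS = {
    "ip": {"203.0.113.45"},          # TEST-NET-3 documentation address
    "domain": {"bad.example.net"},   # reserved example domain
    "sha256": {"aa" * 32},           # placeholder hash, not a real sample
}

# Constructed baseline: process images expected on the (hypothetical) host fs01.
PROCESS_BASELINE = {"svchost.exe", "lsass.exe", "explorer.exe", "sqlservr.exe"}

# Constructed sample artifacts: two proxy records and two process-creation records,
# in an assumed "timestamp type key=value ..." layout.
SAMPLE_LOGS = [
    "2020-09-02T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.7 host=cdn.example.com",
    "2020-09-02T10:01:09Z proxy src=10.0.0.5 dst=203.0.113.45 host=bad.example.net",
    "2020-09-02T10:02:00Z proc host=fs01 image=svchost.exe sha256=" + "11" * 32,
    "2020-09-02T10:02:30Z proc host=fs01 image=upd8r.exe sha256=" + "aa" * 32,
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the reviewed log lines
    kind: str      # "ioc:<type>" for an IOC hit, "baseline" for a deviation
    field: str     # log field that matched
    value: str     # matched value


def parse_kv(line):
    """Split a log line into key=value fields.
    Tokens without '=' (timestamp, record type) carry no matchable value and are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_ioc_hits(lines, iocs=KNOWN_BAD_IOCS):
    """Check every field value of every line against each IOC set.
    Field order follows the line, so hits are reported in the order they appear."""
    findings = []
    for n, line in enumerate(lines, 1):
        for key, value in parse_kv(line).items():
            for ioc_type in ("ip", "domain", "sha256"):
                if value.lower() in iocs[ioc_type]:
                    findings.append(Finding(n, "ioc:" + ioc_type, key, value))
    return findings


def find_baseline_deviations(lines, baseline=PROCESS_BASELINE):
    """Flag process-creation records whose image is not in the known baseline.
    A deviation is an anomaly to investigate, not proof of compromise."""
    findings = []
    for n, line in enumerate(lines, 1):
        image = parse_kv(line).get("image")
        if image is not None and image.lower() not in baseline:
            findings.append(Finding(n, "baseline", "image", image))
    return findings


def triage(lines):
    """Combine both checks, ordered by line so an analyst can read them in sequence."""
    combined = find_ioc_hits(lines) + find_baseline_deviations(lines)
    return sorted(combined, key=lambda f: (f.line_no, f.kind))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(f"line {finding.line_no}: {finding.kind} {finding.field}={finding.value}")
```

On the constructed input, line 2 produces an IP hit and a domain hit, and line 4 produces both a hash hit and a baseline deviation; the deviation would surface the unknown process even if the hash were not yet on any IOC list, which is the point of keeping a baseline alongside indicator matching.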