The phone rings. You answer it and the rattled voice on the other end says, “We think there has been a breach.” What is your first thought about what to do?
A recent joint advisory issued by Australia, Canada, New Zealand, the United Kingdom and the United States highlights technical approaches to uncovering malicious activity and includes best-practice mitigation steps. The advisory’s goal is to help organizations improve incident response. That starts with the collection of relevant data: event logs, browser history files, evidence of listening ports, historical dates of when file folders and files were created, and so on.
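The collection step the advisory starts with (event logs, browser history, listening ports, file and folder creation dates) can be scripted so it is repeatable and the output is verifiable later. The following is an added example, not from the advisory or this column, for a Windows host; `$CaseRoot`, `$LookbackHours` and the drop-location list are placeholders to set for your own case, and it assumes PowerShell 5.1 or later with the NetTCPIP module (for `Get-NetTCPConnection`) and an elevated prompt.

```powershell
# Added example: first-hour evidence collection on a Windows host suspected of compromise.
# Each artifact is written to a per-host, timestamped folder and a SHA-256 manifest is
# recorded so the set can be checked for alteration later.
# Assumes: PowerShell 5.1+, NetTCPIP module, elevated prompt. Paths below are placeholders.

$CaseRoot      = 'C:\IR'    # placeholder: prefer removable or network storage, not the system drive
$LookbackHours = 72         # placeholder: how far back "recently created" reaches
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path $CaseRoot "$env:COMPUTERNAME-$Stamp"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Listening ports, joined to the owning process so an unexpected listener has a name and path beside it.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
        }
    } | Export-Csv (Join-Path $OutDir 'listening-ports.csv') -NoTypeInformation

# 2. Files and folders created within the lookback window in common drop locations.
#    The location list is an assumption; extend it for your environment.
$Since = (Get-Date).AddHours(-$LookbackHours)
$Paths = @($env:ProgramData, $env:TEMP, $env:APPDATA, $env:PUBLIC)
Get-ChildItem -Path $Paths -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Sort-Object CreationTime |
    Export-Csv (Join-Path $OutDir 'recent-files.csv') -NoTypeInformation

# 3. Browser history databases for the current user (Chromium-based browsers keep a SQLite file named History).
$HistoryFiles = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History"
)
foreach ($h in $HistoryFiles) {
    if (Test-Path $h) {
        $tag = ($h -split '\\')[-4]   # "Chrome" or "Edge"
        Copy-Item $h (Join-Path $OutDir "$tag-History") -ErrorAction SilentlyContinue
    }
}

# 4. Event logs exported as .evtx so they keep their native structure for later parsing.
foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-Sysmon/Operational') {
    $file = Join-Path $OutDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file 2>$null
}

# 5. Hash everything collected. Hashes are computed into a variable first so the manifest
#    does not end up listing itself.
$hashes = Get-ChildItem -Path $OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

Write-Host "Collection written to $OutDir ($($hashes.Count) files hashed)"
```

Run it before rebooting or "cleaning" the host: listening ports and the owning-process mapping are volatile and are lost on restart, and creation timestamps in the drop folders are the first thing a cleanup erases.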
I’d take a step back and ensure you have logging set up properly before an incident occurs. Install Sysmon on all relevant systems so that the events it records let you identify malicious or anomalous activity and understand how intruders and malware operate on your network. Then export those logs to your SIEM (security information and event management) platform.
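One way to carry out that deployment and confirm it is actually producing events before you need them. This is an added example, not code from the column or from Microsoft; it assumes `Sysmon64.exe` has been downloaded from Sysinternals, that `$ConfigPath` points at a Sysmon XML configuration you maintain, and that the SIEM receives events through Windows Event Forwarding (`$Collector` is a placeholder; if you use an agent instead, skip that step).

```powershell
# Added example: install or update Sysmon, verify it is logging, and point the host at a
# Windows Event Forwarding collector. Run from an elevated prompt.
# Assumes: Sysmon64.exe from Sysinternals at $SysmonExe, a vetted config at $ConfigPath.

$SysmonExe  = 'C:\Tools\Sysmon64.exe'       # placeholder
$ConfigPath = 'C:\Tools\sysmonconfig.xml'   # placeholder
$Collector  = 'wec.example.internal'        # placeholder: FQDN of the WEF collector
$LogName    = 'Microsoft-Windows-Sysmon/Operational'

if (-not (Test-Path $SysmonExe))  { throw "Sysmon binary not found at $SysmonExe" }
if (-not (Test-Path $ConfigPath)) { throw "Sysmon config not found at $ConfigPath" }

# The service name defaults to the executable name (Sysmon64). Install if absent,
# otherwise push the configuration so an updated ruleset takes effect without reinstalling.
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $SysmonExe -accepteula -i $ConfigPath
} else {
    & $SysmonExe -c $ConfigPath
}

# Verify 1: the service is running.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }

# Verify 2: the operational log is receiving events. Event ID 1 (process creation) and
# 3 (network connection) should show up on any active host; if they are missing, the
# configuration is filtering them out and the SIEM will see nothing useful.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddMinutes(-10) } `
                       -ErrorAction SilentlyContinue
Write-Host "Sysmon events in the last 10 minutes: $($recent.Count)"
$recent | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count |
    Sort-Object EventId | Format-Table -AutoSize

# Size the log so a busy host does not overwrite evidence before the collector pulls it.
wevtutil sl $LogName /ms:268435456   # 256 MB; adjust to your event volume

# Forward to the SIEM via Windows Event Forwarding: enable WinRM and register the
# collector as this host's subscription manager (refresh every 60 seconds).
winrm quickconfig -q
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $KeyPath -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name '1' -PropertyType String -Force `
    -Value "Server=http://$Collector:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
gpupdate /force | Out-Null
Write-Host "Host registered with collector $Collector"
```

Two caveats from practice: the collector's subscription must include the Sysmon channel explicitly, since it is not in the default forwarded set, and the account the forwarder runs under (Network Service) needs read access to that channel, which a custom channel does not grant by default. Check the collector's runtime status for the host after the first refresh rather than assuming registration succeeded.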