If you're involved in incident response, it's worth checking this advice against your current process to see whether you're in line with best practice:
The National Cyber Security Centre (NCSC) has joined up with organisations in the US, Canada, Australia and New Zealand in publishing guidance on helping organisations stay safe from malicious cyber actors.
It has produced an advisory document, Technical Approaches to Uncovering and Remediating Malicious Activity, in conjunction with the US’s Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, the New Zealand National Cyber Security Centre and CERT NZ, and the Canadian Communications Security Establishment.
It highlights technical approaches and includes mitigation steps based on best practice.
The key takeaways, which concern how to address potential incidents, begin with collecting and removing relevant artifacts, logs and data for further analysis, followed by implementing mitigation steps that avoid tipping off the adversary that their presence on the network has been discovered.
Finally, organisations should consider soliciting incident response support from a third-party IT security organisation to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could result in follow-up compromises once the incident is closed.
The technical approaches covered are searching for indicators of compromise, frequency analysis, pattern analysis and anomaly detection.
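To make those four approaches concrete, here is an added example (not code from the advisory or from NCSC/CISA) that runs an indicator-of-compromise search, a frequency count and a simple beaconing (pattern) check over a handful of constructed proxy-log lines. The log format, the IP addresses and hostnames, and the function names are all assumptions made for the example.

```python
"""
Added example: IOC search, frequency analysis and a beaconing pattern check
over constructed proxy-log lines. Not part of the NCSC/CISA advisory.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not real traffic). Assumed line format:
# <ISO timestamp> <src_ip> <dst_host> <status> "<user_agent>"
SAMPLE_LOG = """\
2020-09-01T08:00:01Z 10.0.0.5 updates.example.com 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-09-01T08:00:07Z 10.0.0.9 mail.example.com 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-09-01T08:00:12Z 10.0.0.5 203.0.113.77 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2020-09-01T08:05:12Z 10.0.0.5 203.0.113.77 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2020-09-01T08:10:12Z 10.0.0.5 203.0.113.77 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2020-09-01T08:11:40Z 10.0.0.9 docs.example.com 200 "Mozilla/5.0 (Windows NT 10.0)"
2020-09-01T08:15:12Z 10.0.0.5 203.0.113.77 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2020-09-01T08:20:03Z 10.0.0.7 intranet.example.com 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse(log_text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count or quarantine these
        ts, src, dst, status, ua = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "status": int(status), "ua": ua})
    return records


def ioc_search(records, iocs):
    """IOC search: records whose destination or user agent is a known indicator."""
    return [r for r in records if r["dst"] in iocs or r["ua"] in iocs]


def frequency_analysis(records, field):
    """Frequency analysis: how often each value of `field` occurs.
    Unusually common or unusually rare values are the ones to triage."""
    return Counter(r[field] for r in records)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def beacon_candidates(records, min_hits=3, tolerance_s=5):
    """Pattern analysis: destinations contacted at near-constant intervals.
    Returns (destination, interval_seconds) pairs."""
    times_by_dst = {}
    for r in records:
        times_by_dst.setdefault(r["dst"], []).append(_parse_ts(r["ts"]))
    found = []
    for dst, times in times_by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            found.append((dst, gaps[0]))
    return found


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    # Hypothetical IOC list, as if supplied by a threat-intel feed.
    print("IOC hits:", len(ioc_search(recs, {"203.0.113.77"})))
    print("Requests per source:", frequency_analysis(recs, "src").most_common())
    print("Beacon candidates:", beacon_candidates(recs))
```

The beaconing check is deliberately simple (a fixed tolerance on the spread of intervals); real C2 traffic often adds jitter, so in practice you would widen the tolerance or use a statistical test on the interval distribution, and you would run it across the full retention window rather than one morning's worth of lines.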
Advice is also provided on common missteps, such as mitigating affected systems before responders can protect and recover data, failing to preserve or collect log data, and communicating over the same network on which the incident response is being conducted.