CISA Issues Guidance on Malicious Network Activity Detection and Incident Response

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint Cybersecurity Advisory offering technical guidance on identifying malicious activity and remediating cyberattacks.

The guidance is based on research conducted by cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom, and the United States. The guidance has been written to help incident response teams and network administrators identify cyberattacks quickly and take steps to mitigate attacks and limit the harm caused.

The guidance – Technical Approaches to Uncovering and Remediating Malicious Activity – Alert AA20-245A – details best practice incident response procedures and a range of technical approaches that should be adopted to uncover malicious activity.

When responding to potential network intrusions, incident response teams are advised first to collect and remove relevant artifacts, logs, and data for further analysis, and only then to take mitigation steps, taking care not to alert the adversary that the intrusion has been discovered.

Incident response teams are also advised to consider seeking support from a third-party IT security organization, which can provide subject matter expertise and technical support during the response, help ensure that the adversary is fully removed from the network, and reduce the risk of further problems once the incident is closed.

Security teams are advised to conduct an indicators of compromise (IoC) search using confirmed IoCs from a broad variety of sources. A frequency analysis of large datasets should be performed to establish the normal traffic patterns of network and host systems; predictive algorithms can then be used to flag activity that is inconsistent with those patterns and could indicate a cyberattack in progress.

Data should also be analyzed for repeating patterns, which are indicative either of automated mechanisms (malware and malicious scripts) or of routine human threat actor activity. For anomaly detection, an analyst review of the collected artifacts should be conducted, drawing on the team's knowledge of and experience with system administration, to find activity that does not fit normal operations; known-normal data can be filtered out first so that the review concentrates on what remains.
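As an added illustration (not code from the advisory or from CISA), the following Python script applies the four techniques above to a constructed set of outbound connection log lines: an IoC match against a hypothetical confirmed-bad list, a frequency (prevalence) analysis that surfaces destinations contacted by unusually few hosts, a pattern analysis that looks for machine-regular check-in intervals, and a known-good filter that leaves a smaller residue for analyst review. The log lines, the IoC list and the allowlist are all invented for the example.

```python
# Added example (not code from the CISA advisory or its authors): the IoC search,
# frequency (prevalence) analysis, pattern analysis and known-good filtering that
# the advisory lists, run over a constructed set of outbound connection log lines.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst dport bytes". Not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7 443 5120
2024-05-01T09:00:30 10.0.0.5 198.51.100.23 443 310
2024-05-01T09:01:30 10.0.0.5 198.51.100.23 443 305
2024-05-01T09:02:30 10.0.0.5 198.51.100.23 443 312
2024-05-01T09:03:30 10.0.0.5 198.51.100.23 443 308
2024-05-01T09:04:30 10.0.0.5 198.51.100.23 443 311
2024-05-01T09:00:10 10.0.0.6 203.0.113.7 443 8800
2024-05-01T09:02:45 10.0.0.6 203.0.113.9 443 2400
2024-05-01T09:07:05 10.0.0.6 203.0.113.7 443 6100
2024-05-01T09:01:15 10.0.0.9 203.0.113.9 443 4100
2024-05-01T09:05:40 10.0.0.9 192.0.2.44 8080 950
"""

# Hypothetical confirmed IoCs and hypothetical known-good destinations (a business
# SaaS / CDN allowlist); in practice both come from threat intel and asset inventory.
KNOWN_BAD = {"192.0.2.44"}
KNOWN_GOOD = {"203.0.113.7", "203.0.113.9"}


def parse_log(text):
    """Turn the space-separated lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def ioc_hits(records, iocs):
    """IoC search: any connection to a confirmed-malicious destination."""
    return [r for r in records if r["dst"] in iocs]


def rare_destinations(records, max_hosts=1):
    """Frequency analysis: destinations contacted by unusually few internal hosts.
    Low prevalence across the fleet is a common sign of attacker infrastructure."""
    hosts_by_dst = defaultdict(set)
    for r in records:
        hosts_by_dst[r["dst"]].add(r["src"])
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items()
            if len(hosts) <= max_hosts}


def beacon_candidates(records, min_events=4, max_cv=0.15):
    """Pattern analysis: (src, dst) pairs whose connections recur at a near-constant
    interval, as scripted or malware-driven check-ins do (people browse irregularly).
    cv = stdev/mean of the gaps; a value near 0 means machine-like regularity."""
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["ts"])
    found = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = {"count": len(ts), "interval_s": avg}
    return found


def residual_after_known_good(records, allowlist):
    """Anomaly detection: strip traffic to known-good destinations; what is left is
    the smaller set an analyst reviews by hand."""
    return [r for r in records if r["dst"] not in allowlist]


def triage(log_text, iocs=KNOWN_BAD, allowlist=KNOWN_GOOD):
    """Run all four techniques and return their findings together."""
    records = parse_log(log_text)
    return {
        "ioc_hits": ioc_hits(records, iocs),
        "rare_destinations": rare_destinations(records),
        "beacons": beacon_candidates(records),
        "residual": residual_after_known_good(records, allowlist),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(name, finding)
```

On this sample the IoC search only catches the single connection to 192.0.2.44, while the prevalence and beacon checks surface 198.51.100.23, which is on no IoC list; that is the point of combining the techniques rather than relying on IoC matching alone. The thresholds (`max_hosts`, `min_events`, `max_cv`) are tuning knobs that need to be set against real baseline volumes.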

The guidance lists the artifacts and information security teams need to collect to identify malicious network activity, grouped into host-based artifacts (for host analysis review) and network-based artifacts (for network analysis), with detailed lists of the elements that need to be examined.

It can be tempting for security teams to take rapid action to try to kick an attacker out of the network when malicious activity is detected, but this is not the best approach. “Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” explained CISA.

A list of the actions that should be taken is provided in the guidance to help security teams mitigate an attack while limiting potential negative consequences, along with some of the common mistakes security teams make when responding to an incident, such as fixing the affected system without addressing the root cause of the incident.

The guidance also offers general recommendations and best practices to adopt prior to an incident to reduce the likelihood of an attack succeeding.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of