Does your organization employ automated tools to detect indicators of compromise and evidence of persistence across your systems?
Explanation
Automated tools like endpoint detection and response (EDR), security information and event management (SIEM) systems, or threat hunting platforms should continuously monitor your environment for signs of malicious activity. These tools can identify unusual behaviors, known malware signatures, unauthorized access attempts, and persistent threats that may have established a foothold in your systems.
Evidence of fulfillment could include documentation of deployed security tools with screenshots of dashboards showing active monitoring, reports generated by these tools showing scan results, or a written procedure detailing how and when automated scans are performed across your environment.
Implementation Example
Automatically run tools on targets to look for indicators of compromise and evidence of persistence
ID: RS.AN-08.329
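As an added illustration of the implementation example above (not part of this assessment item and not any vendor's product), a minimal scheduled check for persistence artefacts: it hashes files in common Linux autostart locations, diffs them against an approved baseline and a threat-intelligence hash list, and reports each deviation with a reason. The directory list, baseline and IoC hashes are constructed placeholders.

```python
import hashlib
from pathlib import Path

# Common Linux autostart locations a scheduled scan would cover (constructed list).
AUTOSTART_DIRS = ["/etc/cron.d", "/etc/systemd/system", "/etc/init.d"]

def snapshot(dirs):
    """Hash every regular file below dirs -> {path: sha256hex}. Missing dirs are skipped."""
    snap = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for f in sorted(p for p in base.rglob("*") if p.is_file()):
            snap[str(f)] = hashlib.sha256(f.read_bytes()).hexdigest()
    return snap

def find_persistence_indicators(current, baseline, ioc_hashes):
    """Diff a fresh snapshot against the approved baseline and a set of known-bad hashes.
    Returns sorted (path, reason) pairs:
      new       autostart entry absent from the baseline
      modified  entry whose content changed since the baseline
      removed   baseline entry that disappeared (tampering or unreviewed cleanup)
      ioc       content hash matches a threat-intel indicator (reported alongside new/modified)
    """
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append((path, "new"))
        elif baseline[path] != digest:
            findings.append((path, "modified"))
        if digest in ioc_hashes:
            findings.append((path, "ioc"))
    findings.extend((path, "removed") for path in baseline if path not in current)
    return sorted(findings)

# Constructed sample data standing in for a stored baseline, a fresh scan and an IoC feed.
SAMPLE_BASELINE = {"/etc/cron.d/backup": "a" * 64, "/etc/systemd/system/app.service": "b" * 64}
SAMPLE_CURRENT = {
    "/etc/cron.d/backup": "a" * 64,                # unchanged
    "/etc/systemd/system/app.service": "c" * 64,   # content changed since baseline
    "/etc/cron.d/update": "d" * 64,                # new entry whose hash is on the IoC list
}
SAMPLE_IOCS = {"d" * 64}

if __name__ == "__main__":
    # On a real host: find_persistence_indicators(snapshot(AUTOSTART_DIRS), baseline, iocs)
    for path, reason in find_persistence_indicators(SAMPLE_CURRENT, SAMPLE_BASELINE, SAMPLE_IOCS):
        print(f"{reason:<9} {path}")
```

Each finding is a candidate for the investigation process asked about in the related questions; the baseline itself should only be refreshed after a reviewed change, otherwise an attacker's entry becomes "approved" on the next run.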
Context
- Function: RS: RESPOND
- Category: RS.AN: Incident Analysis
- Sub-Category: An incident's magnitude is estimated and validated
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?