Computer Security Incident Response Teams (CSIRT) are typically engaged in mitigating malware incidents. The identification and mitigation of these incidents is often complex, and requires a variety of skills, including anomaly detection, dynamic analysis, static analysis, prioritization and clustering. In addition, mitigations and responses can be very diverse, from the simple removal of a file, over the wiping of an individual machine, through the rebuild and migration of a network area or enterprise network.
Accurate prioritization, while always a goal, is often very difficult. Some organizations invest large resources in distinguishing between day-to-day attacks that can be addressed through anti-malware solutions, and more targeted or significant infections that may require significant forensics and investigation. However, a large part of the CSIRT community is simply not unable to invest these resources, or does not have a good place to start.
This SIG will have as goal to develop best practices for the CSIRT community around malware detection, mitigation and remediation. It will aim to build a framework which organizations can readily adopt for malware response, including both baseline and state of the art elements at varying levels of organizational maturity, and develop an index of tools available to fill specific needs.
We have the following goals: