ComputerScienceExpert


Posted 05 May 2017

Malware used by APT 29, a Russian hacking group

Take a look at this malware used by APT 29, a Russian hacking group. This is very advanced malware, very stealthy. This malware uses normal IT processes to execute, such as PowerShell. This example is the reason that all Security Operations Centers need to monitor the changing threat picture. Most organizations do not monitor PowerShell use. In order to monitor PowerShell, the organization needs to upgrade to PowerShell 5, then start ingesting logs into a correlated event management system. The organization then needs to establish a baseline of normal use in order to determine an anomaly. Additionally, a lot of commercial organizations use GitHub and cloud storage, both of which this malware uses. Very hard to defend against this type of attack.

Please answer the following:

1. What are some of the methods you would use to detect anonymous PowerShell activity?

2. As a security professional, what steps would you take to defend, detect and remediate against this type of attack?

 

Requirements:

Needs to be in APA format with a min of 2 resources. Min 300 words
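
The baseline step described in the post, as an added example that is not part of the original post: it builds a per-account profile of normal PowerShell use from ingested log records and reports how new events deviate from it. The records, the tuple layout and the `nightly-backup.ps1` script name are constructed for illustration; a real pipeline would take these fields from its own PowerShell 5 logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (time, host, account, script block text). The
# layout is an assumption standing in for fields a log pipeline would extract.
BASELINE = [
    ("2017-04-03T09:12:00", "ws-014", "jsmith", "Get-Service"),
    ("2017-04-04T10:40:00", "ws-014", "jsmith", "Get-Service -Name Spooler"),
    ("2017-04-04T14:05:00", "ws-014", "jsmith", "Get-EventLog -LogName System"),
    ("2017-04-03T02:00:00", "srv-02", "svc_backup", "nightly-backup.ps1 -Full"),
    ("2017-04-04T02:00:00", "srv-02", "svc_backup", "nightly-backup.ps1 -Full"),
]
NEW = [
    ("2017-04-10T09:30:00", "ws-014", "jsmith", "Get-Service"),
    ("2017-04-10T03:17:00", "srv-02", "jsmith", "Get-Service"),
    ("2017-04-10T02:00:00", "srv-02", "svc_backup", "Invoke-WebRequest http://example.invalid/"),
    ("2017-04-10T11:00:00", "ws-020", "mlee", "Get-Process"),
]

def command_name(script):
    """Reduce a script block to its leading command for coarse comparison."""
    return (script.split() or [""])[0].lower()

def build_baseline(events):
    """Record, per account, the hosts, hours and commands seen in normal use."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "commands": set()})
    for ts, host, user, script in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profile[user]["commands"].add(command_name(script))
    return dict(profile)

def deviations(profile, event):
    """Return the ways one event departs from the account's baseline."""
    ts, host, user, script = event
    if user not in profile:
        return ["account has no PowerShell baseline"]
    p, reasons = profile[user], []
    if host not in p["hosts"]:
        reasons.append("new host for account")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        reasons.append("unusual hour")
    if command_name(script) not in p["commands"]:
        reasons.append("command not in baseline")
    return reasons

def find_anomalies(baseline_events, new_events):
    profile = build_baseline(baseline_events)
    return [(e, r) for e in new_events if (r := deviations(profile, e))]
```

Events with more than one reason are the stronger leads for an analyst; a single deviation on its own is often a legitimate change in normal use that should be folded back into the baseline.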
