Verify: Determine whether an alert needs to be validated.
Review the suspect data to determine whether the alert is a false positive and to establish the scope of the event.
Determine whether the reputation of the attributes involved is an issue.
Retrieve artifacts for validation. This can be accomplished through tools like Solara, NetWitness, and EnCase.
Evaluate the collected artifacts to determine whether they are malicious. Extract the attributes of each artifact in order to prepare for the response.
Get the asset operational again.
Enforce security controls to prevent further escalation.
The term Indications of Compromise (IoC) refers to the set of attributes that systems infected by a certain type of attack share. Most commonly, it is a list of:
File Hashes (MD5 or SHA256)
Bad IP Addresses
Bad Host Names
Signatures (or Alerts) directly related to the event
While the term IoC strictly refers to compromised systems, it is also used to include attributes associated with the attacking side.
The process of collecting the list of attributes is called Scoping.
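As an added example that is not part of this page, the following Python performs the scoping step described above: starting from one seed indicator, it walks a set of alert lines, folds in every alert that shares a hash, address or host name with the current IoC set, and returns the IoC list plus the internal hosts in scope. The alert lines, hashes, addresses and field names (host=, alert=, sha256=, md5=, dns=, src=, dst=) are constructed assumptions, not output of any real tool.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts: hashes, hosts and addresses are illustrative only.
SAMPLE_ALERTS = [
    "2024-05-01T10:02:11Z host=ws-17 alert=Trojan.Dropper sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 src=10.0.0.5 dst=198.51.100.23",
    "2024-05-01T10:02:40Z host=ws-17 alert=Beacon.HTTP md5=d41d8cd98f00b204e9800998ecf8427e dns=update.example-bad.test dst=198.51.100.23",
    "2024-05-01T10:05:03Z host=ws-22 alert=Beacon.HTTP md5=d41d8cd98f00b204e9800998ecf8427e src=10.0.0.8 dst=198.51.100.23",
    "2024-05-01T10:09:55Z host=ws-09 alert=PolicyViolation src=10.0.0.9 dst=203.0.113.77",
]
# Seed: the single indicator the initial alert gave us (the dropper's SHA256).
SEED = {"sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}}
PATTERNS = {  # the attribute types an IoC list is made of, plus the affected host
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hostname": re.compile(r"\bdns=([A-Za-z0-9.-]+)"),
    "alert": re.compile(r"\balert=(\S+)"),
    "host": re.compile(r"\bhost=(\S+)"),
}
PIVOT_KINDS = ("sha256", "md5", "ip", "hostname")  # attributes safe to pivot on
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def extract(line):
    """Attributes of one alert line; internal addresses are victims, not IoCs."""
    attrs = {kind: set(pat.findall(line)) for kind, pat in PATTERNS.items()}
    attrs["ip"] = {ip for ip in attrs["ip"] if not is_internal(ip)}
    return attrs

def scope(alerts, seed):
    """Scoping: fold in every alert sharing a hash, address or hostname with the
    IoC set until it stops growing. Alert names are collected but never pivoted
    on, since a generic signature would drag in unrelated events."""
    iocs = defaultdict(set, {k: set(v) for k, v in seed.items()})
    hosts, parsed, changed = set(), [extract(a) for a in alerts], True
    while changed:
        changed = False
        for attrs in parsed:
            if not any(attrs[k] & iocs[k] for k in PIVOT_KINDS):
                continue  # shares nothing with this event
            for k in PIVOT_KINDS + ("alert",):
                if attrs[k] - iocs[k]:
                    iocs[k] |= attrs[k]
                    changed = True
            hosts |= attrs["host"]
    return {k: v for k, v in iocs.items() if v}, hosts
```

Running `scope(SAMPLE_ALERTS, SEED)` pulls in the beacon alerts on ws-17 and ws-22 through the shared destination address and MD5, while the unrelated policy violation on ws-09 stays out of scope.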