Abstract: Described are techniques for cybersecurity incident mitigation. The techniques include detecting, by an Endpoint Detection and Response (EDR) function in a networked environment comprising a plurality of endpoints, a security incident on a first endpoint of the plurality of endpoints. The techniques further include identifying an administrator of the first endpoint and initiating a process requiring Multi-Factor Authentication (MFA) associated with the administrator of the first endpoint by transmitting a push notification to a second device associated with the administrator and receiving a response to the push notification from the second device. The techniques further include characterizing, by the EDR function, a maliciousness of the security incident based on the response.

Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.

Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.

Abstract: A method, system and computer-usable medium are disclosed for obtaining domain name system (DNS) monitoring data. A DNS data collector that can be either part of a local network or part of an external network is implemented. The DNS data collector receives and collects logs from DNS transactions collected from various sources that include DNS resolvers, DNS servers, and DNS aggregator, which can be part of a local network or can be part of an external network. The DNS data collector determines if the DNS logs are missing any data related to the DNS transactions. The missing DNS data is looked up and the DNS logs are completed. Completed DNS logs can then be sent for analysis, such as for DNS traffic threats.