New international report outlines cybersecurity best practices
by Ryan Ozawa
A new report jointly prepared by five international government cybersecurity agencies provides one of the best and latest overviews of how any organization, including healthcare businesses, can detect malicious activity targeting their computer systems, as well as how to recover from and prevent hacks.
Plainly named the “Joint Cybersecurity Advisory,” it was published September 1, 2020 to provide “technical approaches to uncovering and remediating malicious activity.”
Who published the report?
The relatively brief 14-page advisory was jointly prepared by the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre (NZ NCSC), New Zealand CERT NZ, United Kingdom National Cyber Security Centre (UK NCSC), and the United States Cybersecurity and Infrastructure Security Agency (CISA).
It encompasses the results of a collaborative research effort to help organizations enhance incident response and to serve as a playbook for incident investigation.
What are the key takeaways?
The Joint Cybersecurity Advisory focuses on three main steps to deal with security incidents:
- Collecting evidence
- Implementing security fixes
- Seeking independent, credible third-party expertise to assist in the response
The report also recommends businesses “avoid tipping off the adversary that their presence in the network has been discovered,” which might cause them to intensify or accelerate the attack, or resort to sabotage.
Evidence might include network and computer logs and other “artifacts” like installed applications, running processes, scheduled tasks, usernames and logins.
As for third-party consultations, companies should enlist them to capably respond to the security breach, confirm that the attackers and their tools have been completely eradicated, and implement measures to prevent potential follow-up attacks.
What are best practices for incident response?
Organizations should enlist a variety of technical approaches to detect and address malicious activity, including five critical steps:
- Searching for indicators of compromise (IOCs), starting with known indicators disclosed and defined by a broad variety of cybersecurity authorities, while preemptively reviewing them for potential false positives.
- Analyzing the frequency and location of computer and network activities, comparing recent traffic and other patterns to a large-scale baseline of normal activity established prior to the suspected attack.
- Looking for new patterns among data, including repetitive patterns that can indicate automated mechanisms like scripts and other malware, or activity that follows human-like routines but falls outside normal working patterns.
- Looking for anomalies like increased errors or exceptions reported in system logs, missing or incomplete audit information, or unique values for otherwise known and homogeneous data.
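The four detection approaches above, as an added example that is not code from the advisory or this article: each step implemented as detection logic over constructed auth-log lines, with the log format, the IOC feed, the allowlist and the thresholds all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth log lines (not from the advisory): a normal baseline and a recent window.
BASELINE = [
    "2020-08-24T08:01:10 user=alice src=10.0.0.5 result=success",
    "2020-08-24T17:12:03 user=alice src=10.0.0.5 result=success",
    "2020-08-25T08:00:55 user=bob src=10.0.0.6 result=failure",
    "2020-08-25T08:01:30 user=bob src=10.0.0.6 result=success",
]
RECENT = [
    "2020-09-01T03:14:01 user=alice src=203.0.113.9 result=failure",
    "2020-09-01T03:14:02 user=alice src=203.0.113.9 result=failure",
    "2020-09-01T03:14:03 user=alice src=203.0.113.9 result=failure",
    "2020-09-01T03:14:04 user=alice src=203.0.113.9 result=success",
    "2020-09-01T09:00:12 user=bob src=10.0.0.6 result=success",
]
# Constructed IOC feed; 10.0.0.6 is a deliberate false positive that review moved to the allowlist.
KNOWN_BAD_IPS = {"203.0.113.9", "10.0.0.6"}
ALLOWLIST = {"10.0.0.6"}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def parse(lines):  # lines that do not match are dropped; count them too (missing audit data)
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def ioc_hits(events, iocs=KNOWN_BAD_IPS, allowlist=ALLOWLIST):
    """Step 1: IOC search, skipping indicators already reviewed as false positives."""
    return sorted({e["src"] for e in events if e["src"] in iocs - allowlist})

def frequency_anomalies(baseline, recent, factor=2.0):
    """Step 2: per-source daily rate versus the baseline rate; unseen sources always exceed it."""
    days = lambda ev: len({e["ts"][:10] for e in ev}) or 1
    base, now = Counter(e["src"] for e in baseline), Counter(e["src"] for e in recent)
    return sorted(s for s, n in now.items()
                  if n / days(recent) > factor * base[s] / days(baseline))

def automated_bursts(events, min_events=3, window_s=5):
    """Step 3: pattern search; one source acting at machine speed suggests a script."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(datetime.fromisoformat(e["ts"]))
    def burst(t):
        t = sorted(t)
        return any((t[i + min_events - 1] - t[i]).total_seconds() <= window_s
                   for i in range(len(t) - min_events + 1))
    return sorted(s for s, t in by_src.items() if burst(t))

def error_spike(baseline, recent):
    """Step 4: anomaly check; a rising share of failures or exceptions in the logs."""
    rate = lambda ev: sum(e["result"] == "failure" for e in ev) / max(len(ev), 1)
    return rate(recent) > rate(baseline)
```

On this input only 203.0.113.9 is flagged by all three of the IOC, frequency and burst checks, while the allowlisted internal address is left alone, which is the false-positive review the advisory asks for.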
What actions should be avoided?
In addition to outlining ways to effectively and appropriately deal with a security incident, the Joint Cybersecurity Advisory summarizes common missteps an organization can make.
If system administrators and security team members are not careful, for example, they could change, reset, or restore systems before important data on them has been verified and preserved. These actions can also prompt hackers to change their tactics before the company fully understands the original attack.
Companies can also fail to collect logs and other records before resetting or reformatting systems, making it harder to identify malicious activity.
Inexperienced security technicians, meanwhile, could make matters worse by touching or modifying malicious code or hardware they don’t understand, or by tipping off the attackers through actions such as pinging their external infrastructure, looking up DNS records for it, or using the compromised system itself to coordinate the response.
“System administrators are often tempted to take immediate actions,” the report notes. “Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done, and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).”
What else does the report cover?
While most of the Joint Cybersecurity Advisory can be understood by non-technical team members, it also includes several very specific tools and tips for system administrators to follow. This includes specifying which server directories to search, which commands to use, and ideal ways to configure workstations, servers and networks.
The report also includes a long list of resources to consult for more detailed information on each recommendation.
If you’re a system administrator or responsible for IT and security at your company, the Joint Cybersecurity Advisory is recommended reading.