The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, in connection with international partners, released joint guidance Tuesday intended to be “a playbook for incident investigation” as stakeholders and network administrators defend, detect and rapidly respond to cyber attacks.
The joint advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, was released by CISA in collaboration with the Australian Cyber Security Centre (ACSC), New Zealand’s National Cyber Security Centre (NCSC NZ) and Computer Emergency Response Team NZ (CERT NZ), Canada’s Communications Security Establishment, and the United Kingdom’s National Cyber Security Centre (NCSC UK).
The guide covers technical approaches to uncover malicious activity, recommended artifact and information collection, common mistakes in incident handling, mitigation measures, and general recommendations and best practices prior to an incident.
“Today’s joint alert is the first of its kind for CISA since our formal establishment in 2018 and one I’ve aimed for since day one,” CISA Director Chris Krebs said. “With our allied cybersecurity government partners, we work together every day to help improve and strengthen the cybersecurity of organizations and sectors of our economy that are increasingly targeted by criminals and nation states alike. Fortunately, there’s strength in numbers and this unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”
The guide stresses that although it provides best practices to mitigate common attack vectors, organizations should tailor this response to their specific network.
“When addressing potential incidents and applying best practice incident response procedures, first, collect and remove for further analysis: relevant artifacts, logs, and data,” it states. “Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered. Finally, consider soliciting incident response support from a third-party IT security organization to provide subject matter expertise and technical support to the incident response, ensure that the actor is eradicated from the network, and avoid residual issues that could result in follow-up compromises once the incident is closed.”
Incident responders should consider collecting known-bad indicators of compromise from a broad variety of sources and searching for those indicators in network and host artifacts; leveraging large datasets to calculate normal traffic patterns in both network and host systems; analyzing data to identify repeating patterns that are indicative of either automated mechanisms (e.g., malware, scripts) or routine human threat actor activity; and conducting an analyst review to identify errors, the guidance continues.
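The first two approaches above (sweeping artifacts for known-bad indicators, and baselining traffic so that machine-regular repetition stands out) are easy to misunderstand without something concrete, so here is a small added example. It is not code from the advisory or from any of the agencies; the indicator list, the proxy log lines and the thresholds are all constructed for illustration, and the documentation-reserved 203.0.113.0/24 range and `.example` names are used as placeholders.

```python
"""Added example: indicator sweep and beacon detection over constructed proxy logs.
Illustrates the advisory's approaches (1) search artifacts for known-bad IOCs and
(2) baseline traffic and flag repeating, automated-looking patterns."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicators, as a responder might receive them from a threat feed.
# 203.0.113.0/24 and ".example" are reserved documentation values, not real IOCs.
KNOWN_BAD = {"203.0.113.45", "update-check.example"}

# Constructed proxy log lines: "<iso timestamp> <src ip> <dst host> <bytes>".
# 10.0.0.5 talks to update-check.example exactly every 60 s (beacon-like);
# 10.0.0.7 shows irregular, human-looking browsing plus one IOC hit.
SAMPLE_LOG = """\
2020-09-01T10:00:00 10.0.0.5 intranet.corp 1200
2020-09-01T10:00:04 10.0.0.5 update-check.example 310
2020-09-01T10:00:11 10.0.0.7 intranet.corp 880
2020-09-01T10:01:04 10.0.0.5 update-check.example 312
2020-09-01T10:01:30 10.0.0.7 news.example 5400
2020-09-01T10:02:04 10.0.0.5 update-check.example 309
2020-09-01T10:02:50 10.0.0.7 intranet.corp 930
2020-09-01T10:03:04 10.0.0.5 update-check.example 311
2020-09-01T10:04:04 10.0.0.5 update-check.example 308
2020-09-01T10:05:12 10.0.0.7 203.0.113.45 2048
2020-09-01T10:07:41 10.0.0.7 intranet.corp 1010
2020-09-01T10:09:02 10.0.0.7 intranet.corp 770
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def ioc_hits(events, indicators):
    """Approach 1: sweep network artifacts for known-bad indicators (src or dst)."""
    return [e for e in events if e[1] in indicators or e[2] in indicators]


def baseline(events):
    """Per-destination request counts: the 'normal' profile a responder compares against."""
    counts = defaultdict(int)
    for _, _, dst, _ in events:
        counts[dst] += 1
    return dict(counts)


def detect_beacons(events, min_events=4, max_cv=0.2):
    """Approach 2: flag src->dst pairs whose inter-connection gaps are nearly
    constant (coefficient of variation <= max_cv). Human activity produces
    irregular gaps; automated check-ins produce regular ones. Thresholds are
    constructed for this sample and would be tuned against real baselines."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"interval_s": avg, "cv": cv, "count": len(stamps)}
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(evs, KNOWN_BAD):
        print("IOC hit:", hit)
    print("baseline:", baseline(evs))
    for pair, info in detect_beacons(evs).items():
        print("beacon-like:", pair, info)
```

On the constructed sample the indicator sweep returns six events, the baseline shows `update-check.example` as the busiest destination, and only the `10.0.0.5 -> update-check.example` pair is flagged as beacon-like; the irregular `10.0.0.7 -> intranet.corp` traffic has enough events to be considered but a high coefficient of variation, so it is not flagged. The analyst review the guidance calls for is the step that decides whether a regular pattern is malware or a legitimate scheduled task.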
Organizations should restrict or discontinue use of FTP and Telnet services along with non-approved VPN services, shut down or decommission unused services and systems, quarantine and reimage compromised hosts, disable unnecessary ports, protocols and services, restrict or disable interactive login for service accounts, disable unnecessary remote network administration tools, manage unsecure remote desktop services, do a credential reset and access policy review, and patch vulnerabilities, according to the guidance.
“These are longstanding challenges we’ve observed when organizations are responding to cyber incidents, and we’re pleased to join our partners in raising awareness about these critical measures,” said Scott Jones, head of the Communications Security Establishment’s Canadian Centre for Cyber Security.
In detailing common missteps of incident handling, the guidance notes that “although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done, and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).”
That includes mitigating the affected systems before responders can protect and recover data, touching adversary infrastructure, preemptively blocking adversary infrastructure, preemptive credential resets, failure to preserve or collect log data that could be critical to identifying access to the compromised systems, communicating over the same network on which the incident response is being conducted (ensure all communications are held out-of-band), and fixing only the symptoms rather than the root cause.
“Cybersecurity is a global issue that requires a collaborative international effort to protect our most critical assets,” said Paul Chichester, Director of Operations, NCSC UK. “This advisory will help organizations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organizations and the wider public, we will continue to strengthen our defenses to make us the hardest possible target for our adversaries.”
Abigail Bradshaw CSC, head of the ACSC, said, “Cybersecurity is a team sport, most effective when we work collaboratively with global partners and communities. This joint advisory reflects our collective global experience and lessons learned. Following the guidance will enhance our collective defenses against malicious cyber actors.”