A joint cybersecurity advisory released on September 1st detailed technical methods for uncovering and responding to malicious activity including best practice mitigations and common missteps. A collaborative effort, this advisory (coded AA20-245A) is the product of research from the cybersecurity organizations of five nations. Those include the United States’ Cybersecurity and Infrastructure Security Agency (CISA) along with its counterpart entities from Canada, the United Kingdom, Australia and New Zealand.
The joint advisory is a general overview of threat hunting and incident response best practices, giving technical advice on a number of areas that can aid in an investigation. It includes information on host- and network-based artifacts that are worthy of collection, and it provides extensive general security mitigation guidance for before and during an incident.
Recommended Artifact and Information Collection
Uncovering malicious activity requires reviewing host and network data found in your environment. Storing logs and other artifacts is beneficial in detecting known-bad indicators of compromise (IOCs), and careful searching and analysis can reveal behaviors that are suspicious. Knowing the baseline settings and behaviors of your systems and users can help you find anomalies in your environment. Many security tools have been designed to make detecting threats easier with real-time change detection or log analysis; you may already have some you can take advantage of.
Host-based artifacts that are worthy of gathering are enumerated in the report and include items such as running processes and services, security product alerts, event logs, installed applications and malware persistence indicators such as run keys, scheduled tasks or autorun settings. Numerous examples of both pre- and post-incident best practices are given, such as pre-emptively blocking script files like .js and .vbs, looking for suspicious processes, collecting scripts and binaries from temp file locations, archiving log files and checking for additional suspicious secure shell (SSH) keys which may have been added to authorized_keys files.
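As an added illustration of the authorized_keys check mentioned above (this is example code written for this post, not tooling from the advisory or from CISA), the script below parses authorized_keys lines, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and reports any key whose fingerprint is absent from a baseline captured earlier. The key blobs, the baseline set and the sample file contents are constructed for the example; the subnet in the from= option is likewise an assumption.

```python
import base64
import hashlib
import re
import struct

# Matches the key-type / base64-blob / optional-comment tail of an authorized_keys
# line; whatever precedes the key type is the options field (from=, command=, ...).
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys_line(line):
    """Return (options, key_type, blob_b64, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    options = line[: m.start()].strip()
    key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    return options, key_type, blob, comment.strip()


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_ed25519_blob(fill):
    """Build a syntactically valid ssh-ed25519 wire blob from one filler byte.
    Constructed for the example: fine for fingerprinting, useless for authentication."""
    name = b"ssh-ed25519"
    pub = bytes([fill]) * 32
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(wire).decode()


def audit_authorized_keys(text, baseline):
    """Return one finding per key whose fingerprint is not in the baseline set."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in baseline:
            findings.append({"line": lineno, "type": key_type, "fingerprint": fp,
                             "comment": comment, "options": options})
    return findings


# Constructed sample data: two keys recorded in an earlier baseline, one that was not.
KNOWN_BLOBS = [constructed_ed25519_blob(0x01), constructed_ed25519_blob(0x02)]
UNKNOWN_BLOB = constructed_ed25519_blob(0x03)
BASELINE = {fingerprint(b) for b in KNOWN_BLOBS}

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file, not taken from a real host
ssh-ed25519 {KNOWN_BLOBS[0]} alice@workstation
from="10.0.0.0/8",no-pty ssh-ed25519 {KNOWN_BLOBS[1]} backup@bastion
command="/usr/bin/true",no-port-forwarding ssh-ed25519 {UNKNOWN_BLOB} support
"""

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {f['line']}: unexpected {f['type']} key {f['fingerprint']} ({f['comment']!r})")
```

The baseline is the important part: fingerprints recorded from a known-good state (ideally stored off the host) are what turn a list of keys into a list of anomalies, and the options field is kept in each finding because a restricted key (from=, command=) tells a different story from an unrestricted one.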
Similarly, network-based artifacts should be collected. Suggestions for these include suspicious DNS traffic and remote connections such as remote desktop applications like RDP and VNC along with VPN or SSH sessions. Traffic to suspicious hosts on unusual ports or via anomalous protocols should also be recorded and stored safely for analysis.
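To show what triaging those network artifacts can look like in practice, here is an added example (written for this post, not part of the advisory) that runs three simple rules over connection records in Zeek conn.log style: a detected service on a port other than its standard one, a remote-access session (SSH, RDP, VNC) from outside an assumed admin subnet, and DNS to a resolver that is not the assumed sanctioned one. The log lines, the admin subnet 10.10.0.0/24 and the resolver 10.0.0.53 are all constructed for the example.

```python
import ipaddress

# Assumed environment facts (constructed for the example): the jump-host subnet
# allowed to open remote-access sessions, and the only sanctioned DNS resolver.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
REMOTE_ACCESS = {"ssh", "rdp", "vnc"}
STANDARD_PORTS = {"ssh": 22, "rdp": 3389, "vnc": 5900, "dns": 53, "http": 80, "ssl": 443}

# Constructed connection records, tab separated in Zeek conn.log style:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1598918401.1\t10.10.0.5\t51000\t10.20.1.7\t3389\ttcp\trdp
1598918402.2\t10.20.1.40\t51001\t10.20.1.7\t3389\ttcp\trdp
1598918403.3\t10.20.1.40\t51002\t203.0.113.9\t8443\ttcp\tssh
1598918404.4\t10.20.1.41\t51003\t198.51.100.2\t53\tudp\tdns
1598918405.5\t10.20.1.41\t51004\t10.0.0.53\t53\tudp\tdns
1598918406.6\t10.20.1.42\t51005\t10.20.1.8\t443\ttcp\tssl
"""


def parse_conn_log(text):
    """Parse the tab-separated records, skipping '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service = line.split("\t")
        records.append({"ts": ts, "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst), "dport": int(dport),
                        "proto": proto, "service": service})
    return records


def in_admin_net(addr):
    return any(addr in net for net in ADMIN_NETS)


def triage(records):
    """Apply the three rules; one finding per (record, reason) pair."""
    findings = []
    for r in records:
        reasons = []
        svc = r["service"]
        # protocol seen on a port it does not normally use (e.g. SSH on 8443)
        if svc in STANDARD_PORTS and r["dport"] != STANDARD_PORTS[svc]:
            reasons.append(f"{svc} on non-standard port {r['dport']}")
        # remote-access session not originating from the admin subnet
        if svc in REMOTE_ACCESS and not in_admin_net(r["src"]):
            reasons.append(f"remote access ({svc}) from non-admin source {r['src']}")
        # DNS that bypasses the sanctioned resolver
        if svc == "dns" and r["dst"] not in APPROVED_RESOLVERS:
            reasons.append(f"dns to unapproved resolver {r['dst']}")
        for reason in reasons:
            findings.append({"ts": r["ts"], "src": str(r["src"]), "dst": str(r["dst"]),
                             "dport": r["dport"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}: {f['reason']}")
```

The rules depend entirely on knowing the baseline (which subnet is allowed to administer hosts, which resolver clients should use); without that knowledge the same records are indistinguishable from normal traffic, which is the advisory's point about baselining.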
Recommended Investigation and Remediation Processes
The advisory also provides a list of common mistakes made during incident investigation and suggests many steps you can take to secure your environment. Missteps fall into two categories: compromising the evidence and tipping off the attacker that an investigation has started. An action such as patching and rebooting a system can alter memory that could have been examined, or it could clear other host artifacts. Warning an attacker that they are about to be uncovered could lead them to advance further attacks or to cover their tracks more carefully. Perform incident response or launch an investigation from a separate network, and ensure that communication about the incident and your activities is held out-of-band.
Other mistakes include fixing only the symptoms of a breach, such as changing credentials when the attacker may have other hijacked accounts or even directory-level access, or blocking a specific malicious IP address when others can likely be used. A key takeaway for an incident is gathering and removing logs and other artifacts for analysis without letting the attacker know an investigation is under way.
Best Practices for Minimizing a Security Incident
Finally, the advisory contains best-practice security advice on a variety of subjects valuable across the entire timeline from pre- to post-security incident. From general security mitigations such as stopping unnecessary services, restricting network access to reduce attack surface and patching vulnerabilities, to implementing user access controls and education, it recommends protection for both on-premises systems and cloud configuration management.
The report is thorough with extensive network security guidance and other best practices. It also advises establishing a vulnerability management program along with server configuration management and endpoint detection.
Expert Guidance for Mitigating Future Incidents
The Joint Cybersecurity Advisory, AA20-245A Technical Approaches to Uncovering and Remediating Malicious Activity, is an excellent resource for anyone looking to help protect their environment as well as respond to any incidents which do occur. It provides guidance from top cybersecurity agencies on security practices to implement prior to an attack in order to provide the best outcomes in the event of a security breach.