Cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom and the United States have issued a joint advisory that focuses on detecting malicious activity and responding to incidents.
Best-practice incident response, the report states, begins with collecting artefacts, logs and data and extracting them for further review, and only then applies mitigation measures, without letting the adversary know that their presence in the compromised environment has been detected.
In addition, the joint advisory recommends that organisations engage a third-party IT security organisation for technical assistance, ensure that the adversary is removed from the network, and avoid the problems that arise from follow-on compromises.
The joint guidance outlines technical approaches to identifying malicious activity and provides mitigation strategies based on best practices. The report aims to improve incident response among partners and network administrators and to serve as a playbook for investigating incidents.
Technical approaches to detecting malicious activity include searching for indicators of compromise (IOCs), analysing traffic patterns in both network and host data, performing frequency analysis on data to identify repeating patterns, and detecting anomalies.
Organisations are advised to look for a wide variety of artefacts when conducting network investigations or host analysis, including DNS traffic, RDP, VPN and SSH sessions, rogue processes, new applications, registry keys, open ports, established connections, user logon data, PowerShell commands and more.
Organisations should also avoid common mistakes while managing an incident, such as acting too quickly after detecting compromised systems (which could tip off the adversary), mitigating the affected systems before artefacts are protected and recovered, accessing or blocking adversary infrastructure, preemptively resetting credentials, wiping log data, or failing to fix the root cause of an attack.
Mitigation steps that organisations can take to close common attack vectors include restricting or discontinuing FTP, Telnet and unauthorised VPN services; removing unused networks and systems; quarantining compromised hosts; closing unneeded ports and protocols; disabling remote network management tools; resetting passwords; and patching vulnerabilities in a timely manner.
The advisory also details recommendations and best practices that organisations can apply to improve their security posture and prevent cyber attacks, but stresses that no single technique, programme or set of defensive measures can prevent intrusions completely.
“Properly implemented protection strategies and programmes make access to a network more challenging for a threat actor and remain persistent and undetected. When an effective defence programme is in place, attackers may face complex barriers to the defence. Attacker behaviour should also activate mechanisms for detection and prevention that enable organisations to quickly identify, capture, and respond to the intrusion,” the advisory reads.
Network segmentation, physical isolation of sensitive data, adoption of least-privilege principles, and application of policies and secure configurations across network segments and layers can help minimise the harm in the event of an attack.