Canada, Together with Other Countries, Issues Advisory Aimed at Helping Organizations Protect Themselves Online
Canada joins four other countries, Australia, New Zealand, the UK and the US, in issuing a joint technical advisory that details approaches organizations can use to stay safe from malicious cyber actors.
The advisory called “Technical Approaches to Uncovering and Remediating Malicious Activity” highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The following are the highlights of the joint advisory:
Uncovering Malicious Activity
To uncover malicious activity, the advisory recommends that organizations conduct the following:
1. Indicators of compromise (IOC) Search
An IOC search is the hunt for an artifact, that is, any element of software observed on the network or in an operating system, that indicates with high confidence that a computer intrusion has occurred. Examples of IOCs cited in the advisory include an excessive number of .RAR, 7zip, or WinZip processes, especially with suspicious file names typically used for data exfiltration staging, such as “1.zip” and “2.zip”.
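The following is an added example, not code from the advisory or from this page's author, of what an IOC search for the archiver-staging indicator above looks like when run over process-creation telemetry. The log format (comma-separated timestamp, host, user, image path, command line), the host names, the user names and the threshold of three archiver launches per host are all assumptions made for the example; the sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample of process-creation events (assumed CSV layout, not real data):
# timestamp,host,user,image,command_line
SAMPLE_EVENTS = """\
2020-09-01T02:13:05Z,WS-017,jdoe,C:\\Program Files\\WinRAR\\Rar.exe,Rar.exe a -r -hp C:\\Users\\Public\\1.rar C:\\Finance
2020-09-01T02:13:41Z,WS-017,jdoe,C:\\Program Files\\WinRAR\\Rar.exe,Rar.exe a -r -hp C:\\Users\\Public\\2.rar C:\\HR
2020-09-01T02:14:20Z,WS-017,jdoe,C:\\Program Files\\7-Zip\\7z.exe,7z.exe a C:\\Users\\Public\\3.zip C:\\Legal
2020-09-01T02:15:02Z,WS-017,jdoe,C:\\Program Files\\7-Zip\\7z.exe,7z.exe a C:\\Users\\Public\\4.zip C:\\Sales
2020-09-01T09:02:11Z,WS-004,asmith,C:\\Program Files\\7-Zip\\7z.exe,7z.exe a C:\\Users\\asmith\\quarterly-report.zip C:\\Users\\asmith\\Q3
2020-09-01T09:05:00Z,WS-004,asmith,C:\\Windows\\System32\\notepad.exe,notepad.exe notes.txt
"""

# Archiver binaries the advisory's indicator refers to (RAR, 7-Zip, WinZip).
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe", "7z.exe", "7zg.exe",
                   "winzip32.exe", "winzip64.exe"}

# A purely numeric archive name such as 1.zip or 2.rar, as a path component.
STAGING_NAME = re.compile(r"(?:^|[\\/])(\d+\.(?:zip|rar|7z))\b", re.IGNORECASE)


def parse_events(text):
    """Turn the CSV sample into dicts; the image is reduced to its lowercase basename."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split(",", 4)
        events.append({"ts": ts, "host": host, "user": user,
                       "image": image.rsplit("\\", 1)[-1].lower(),
                       "cmdline": cmdline})
    return events


def find_archiver_iocs(events, threshold=3):
    """Return (host, timestamp, indicator, detail) tuples for the two indicators:
    numeric staging names on archiver command lines, and hosts launching
    archivers at least `threshold` times (an assumed cut-off for 'excessive')."""
    findings = []
    launches_per_host = Counter()
    for ev in events:
        if ev["image"] not in ARCHIVER_IMAGES:
            continue
        launches_per_host[ev["host"]] += 1
        m = STAGING_NAME.search(ev["cmdline"])
        if m:
            findings.append((ev["host"], ev["ts"], "staging-name", m.group(1)))
    for host, n in launches_per_host.items():
        if n >= threshold:
            findings.append((host, None, "excessive-archivers", str(n)))
    return findings


if __name__ == "__main__":
    for finding in find_archiver_iocs(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In the constructed sample only WS-017 trips both indicators: four archive-creation commands writing 1.rar through 4.zip, whereas WS-004's single, descriptively named archive is left alone. In practice the same logic runs over EDR or Sysmon process-creation events, and the numeric-name match is the stronger signal of the two.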
2. Frequency Analysis
Frequency analysis uses a large set of data to calculate the normal traffic patterns of network systems and host systems. Network systems refer to two or more computer systems linked together for the purpose of sharing resources. Host systems, meanwhile, refer to computers that are physically found in some distant location and from which other computers retrieve data.
An automated system can then be used to detect activity that is inconsistent with normal traffic. Factors considered in detecting abnormal traffic include timing, source location, destination location, port utilization, protocol adherence, file location, integrity (via hash), and file size.
3. Pattern Analysis
In pattern analysis, repeating patterns that indicate either automated mechanisms (for example, malicious software) or routine human threat actor activity are analyzed. Data containing normal activity is filtered out, and the remaining data is evaluated for suspicious or malicious activity.
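To make the frequency-analysis and pattern-analysis techniques from the two sections above concrete, here is an added example (not code from the advisory or from this page) that runs both over one synthetic flow log. The flow record layout (timestamp, source host, destination, destination port, bytes), the host and IP addresses, the thresholds, and the generated traffic itself are assumptions constructed for the example. Frequency analysis builds a per-host baseline of three of the factors the advisory lists (file size, port utilization and timing) and flags flows that fall outside it; pattern analysis filters out tuples with few connections and looks for the near-constant inter-arrival intervals that betray an automated mechanism.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows(seed=1):
    """Construct a synthetic flow log of (ts, src, dst, dport, nbytes). Not real data."""
    rng = random.Random(seed)
    flows = []
    day = datetime(2020, 9, 1)
    # Normal: workstation WS-017 reaches the web proxy 10.0.0.5:443 in business hours.
    for d in range(5):
        for _ in range(60):
            ts = day + timedelta(days=d, hours=rng.randint(8, 17),
                                 minutes=rng.randint(0, 59), seconds=rng.randint(0, 59))
            flows.append((ts, "WS-017", "10.0.0.5", 443, rng.randint(1500, 6000)))
    # Anomaly: one 80 MB transfer at 02:40 to an external host on a never-used port.
    flows.append((day + timedelta(days=3, hours=2, minutes=40),
                  "WS-017", "198.51.100.7", 22, 80_000_000))
    # Automated check-in: every 60 s (+/- 1 s jitter) for 30 minutes, tiny payloads.
    t = day + timedelta(days=2, hours=11)
    for _ in range(30):
        flows.append((t, "WS-017", "203.0.113.10", 8443, rng.randint(380, 420)))
        t += timedelta(seconds=60 + rng.uniform(-1, 1))
    flows.sort()
    return flows


def frequency_anomalies(flows, z=3.0, rare_fraction=0.02):
    """Flag flows whose size, port or hour is inconsistent with the source host's
    own baseline. Size uses median/MAD so the outlier cannot hide itself by
    inflating the standard deviation; port and hour use share-of-flows."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    findings = []
    for src, fl in by_src.items():
        n = len(fl)
        sizes = [f[4] for f in fl]
        med = statistics.median(sizes)
        mad = statistics.median([abs(s - med) for s in sizes])
        port_share, hour_share = defaultdict(int), defaultdict(int)
        for f in fl:
            port_share[f[3]] += 1
            hour_share[f[0].hour] += 1
        for f in fl:
            reasons = []
            if mad and (f[4] - med) / (1.4826 * mad) > z:
                reasons.append("size")
            if port_share[f[3]] / n < rare_fraction:
                reasons.append("port")
            if hour_share[f[0].hour] / n < rare_fraction:
                reasons.append("timing")
            if reasons:
                findings.append((f[0], src, f[2], f[3], tuple(reasons)))
    return findings


def beacon_candidates(flows, min_connections=10, max_cv=0.05):
    """Pattern analysis: (src, dst, dport) tuples with at least `min_connections`
    flows whose inter-arrival times have a coefficient of variation <= `max_cv`,
    i.e. a machine-regular cadence rather than human browsing."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_tuple[(src, dst, dport)].append(ts)
    out = []
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append((key, round(mean, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    sample = build_sample_flows()
    print("frequency anomalies:", frequency_anomalies(sample))
    print("beacon candidates:  ", beacon_candidates(sample))
```

On the constructed data the large off-hours transfer is the only flow the frequency pass reports, and it is reported for all three factors at once, while the 60-second check-in is invisible to that pass (its payloads are small and its port is used often enough to look routine) and is caught only by the cadence check. That split is the reason the advisory lists the two techniques separately.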
Common Missteps in Handling Malicious Activity
According to the advisory, upon the discovery of malicious activity, organizations often make the following mistakes:
Mitigating the affected systems before responders can protect and recover data
This misstep, according to the advisory, can cause the loss of important data such as memory and other artifacts. This premature action can also prompt an attacker to change tactics, techniques, and procedures.
Touching adversary infrastructure
Examples of touching adversary infrastructure include running NSlookup queries against it, pinging it, or browsing to it. Disturbing this infrastructure can tip off an attacker.
Pre-emptively blocking attacker’s command and control infrastructure
Command and control infrastructure refers to a computer controlled by an attacker or attackers to send commands to compromised systems. This infrastructure is also used to receive stolen data from compromised systems.
Pre-emptively blocking this command and control infrastructure could result in losing visibility of the attacker’s activity, since changing command and control infrastructure is fairly inexpensive nowadays. In addition to computers, threat actors have been found using cloud-based services, such as webmail and file-sharing services, as command and control infrastructure to blend in with normal traffic and avoid detection.
Pre-emptive credential resets
Resetting the login details of a compromised account is in some cases not enough, as the attacker may have access to multiple sets of credentials or to the entire Active Directory. Pre-emptive credential resets may prompt the attacker to create new credentials or forge tickets.
Failure to preserve or collect log data that could be critical to identifying access to the compromised systems
Log data refers to the record of events and actions on network or host systems that is collected and stored over a period of time. Data logging makes it possible to track which data, files or applications are stored or accessed.
The advisory states that a cyber incident may not be determinable if critical log types are not collected and retained. It recommends retaining log data for at least one year.
Only fixing the symptoms, not the root cause
Blocking an IP address, for instance, without taking steps to determine what the binary is and how it got there gives the attacker an opportunity to change tactics and retain access to the network, the advisory says.
Recommended Investigation and Remediation Process
The advisory offers the following recommendations and best practices:
- Restrict or discontinue use of FTP and Telnet services
- Restrict or discontinue use of non-approved VPN services
- Shut down or decommission unused services and systems
- Quarantine and reimage compromised hosts
- Disable unnecessary ports, protocols, and services
- Disable unnecessary remote network administration tools
- Review credential reset and access policy: The advisory states that credential resets have to be done strategically to make sure that all compromised accounts and devices are covered and to minimize the possibility that the attacker is able to adapt in response to the credential resets.
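As an added example (not code from the advisory or from this page), the audit below shows one way to act on the first three service-related items in the list above: it parses listening sockets in the format printed by `ss -tlnp`, flags FTP and Telnet listeners for discontinuation, and flags any listener whose process is not on an approved list for review. The sample `ss` output, the approved-process list and the port-to-service table are constructed assumptions.

```python
import re

# Constructed sample in the layout of `ss -tlnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       5              0.0.0.0:23           0.0.0.0:*      users:(("inetd",pid=900,fd=5))
LISTEN  0       32             0.0.0.0:21           0.0.0.0:*      users:(("vsftpd",pid=955,fd=4))
LISTEN  0       511            0.0.0.0:443          0.0.0.0:*      users:(("nginx",pid=1011,fd=6))
LISTEN  0       4096                 *:5900               *:*      users:(("x11vnc",pid=1200,fd=6))
"""

# Cleartext services the advisory says to restrict or discontinue (assumed port mapping).
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet"}

# Processes this organization has approved to listen (assumption for the example).
APPROVED_PROCESSES = {"sshd", "nginx"}

PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text):
    """Return (port, process, pid) for each LISTEN line of `ss -tlnp` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])   # works for 0.0.0.0:22, *:5900, [::]:22
        m = PROCESS_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append((port, proc, pid))
    return listeners


def audit_listeners(listeners, approved=APPROVED_PROCESSES):
    """Return (port, process, action) for listeners that need attention."""
    findings = []
    for port, proc, _pid in listeners:
        if port in CLEARTEXT_SERVICES:
            findings.append((port, proc, f"discontinue cleartext {CLEARTEXT_SERVICES[port]}"))
        elif proc not in approved:
            findings.append((port, proc, "unapproved listener: review or disable"))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)
```

Run against live output the same function takes the text of `ss -tlnp` directly. The approved list is deliberately an allow-list rather than a block-list, which is what turns the advisory's "disable unnecessary ports, protocols, and services" into something a script can decide.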
According to the advisory, attackers often exploit security vulnerabilities in software or hardware in order to gain access to a targeted system.
“Known vulnerabilities in external facing devices and servers should be patched immediately, starting with the point of compromise, if known,” the joint advisory states. “Ensure external-facing devices have not been previously compromised while going through the patching process.”
Additional Best Practices
Below are the additional best practices mentioned in the advisory:
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Create an insider threat program.
- Assign additional personnel to review logging and alerting data.
- Complete independent security (not compliance) audits.
- Create an information sharing program.
- Complete and maintain network and system documentation to aid in timely incident response, including:
  - Network diagrams,
  - Asset owners,
  - Type of asset, and
  - An up-to-date incident response plan.
Protecting your business online is a strategic undertaking requiring skills and resources.
Let GenX Solutions experts take the pressure off your business operations and implement the best practices to protect your business from cybercriminals.
We’ve helped hundreds of businesses focus on growing their business without technology headaches or interruptions and look forward to helping you.
Call us today at (416) 920-3000 to schedule a consultation or email firstname.lastname@example.org