CISA Shares Incident Detection, Response Playbook for Cyber Activity
The joint DHS CISA alert highlights the best practice methods for incident detection and remediation of malicious cyber activity, including mitigation steps and indicators of compromise.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released guidance to help enterprise organizations detect and remediate malicious cyber activity, which includes best practice steps for mitigating a cyberattack.
The joint alert was created in collaboration with the cybersecurity authorities of the US, Australia, Canada, New Zealand, and the United Kingdom, to help organizations bolster their incident response policies and procedures. Officials said it is designed to serve as a playbook for incident investigation.
The insights detail the technical measures needed for uncovering malicious activity within the enterprise network, which includes step-by-step incident response procedures and indicators of compromise.
The guide also recommends that organizations consider engaging a third-party IT security firm for subject matter expertise and technical support, ensure the threat actor is completely eradicated from the network, and close any security gaps that could lead to another compromise.
In the event of an attack, the incident response leader should also consider performing frequency and pattern analyses and anomaly detection, for which the guide provides technical insights.
CISA also described the artifact and information collection needed to support security leaders when hunting for or investigating suspicious activity within the network, including host-based artifacts, host analysis review, and network-based analysis.
The guidance provides administrators with detailed lists of the elements that need to be examined and how that examination can be accomplished, which can help ensure the network is cleared of attackers and any security gaps are closed.
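The frequency and pattern analysis the alert recommends can be shown concretely on authentication logs. The following is an added illustration, not code from the CISA alert or from this article: it parses a constructed sshd-style log, runs a frequency check (failure bursts per source within a sliding window), a pattern check (successful logins outside an assumed working day), and combines the two to surface the classic brute-force-then-success sequence. The log lines, the five-minute window, the threshold of five failures and the 07:00 to 19:00 working day are all assumptions chosen for the example.

```python
"""Frequency and pattern analysis over a constructed authentication log.

Added example. Log lines, window size, thresholds and working hours are
assumptions for illustration, not values taken from the CISA alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight routine logins, then a burst of failures for
# "admin" from an external address at 02:14, followed by a success.
SAMPLE_LOG = """\
2020-09-01T08:02:11 web01 sshd: Accepted password for alice from 10.0.1.5
2020-09-01T08:15:42 web01 sshd: Accepted password for bob from 10.0.1.7
2020-09-01T09:01:03 web01 sshd: Failed password for alice from 10.0.1.5
2020-09-01T09:01:10 web01 sshd: Accepted password for alice from 10.0.1.5
2020-09-01T13:30:00 web01 sshd: Accepted password for bob from 10.0.1.7
2020-09-02T08:05:19 web01 sshd: Accepted password for alice from 10.0.1.5
2020-09-02T08:20:33 web01 sshd: Accepted password for bob from 10.0.1.7
2020-09-02T14:11:58 web01 sshd: Accepted password for alice from 10.0.1.5
2020-09-03T02:14:07 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:14:09 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:14:12 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:14:15 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:14:18 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:14:21 web01 sshd: Failed password for admin from 203.0.113.44
2020-09-03T02:15:30 web01 sshd: Accepted password for admin from 203.0.113.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failure_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Frequency analysis: sources with >= threshold failures inside any window.

    Returns {source: largest failure count seen in one window}.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    bursts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def off_hours_successes(events, start_hour=7, end_hour=19):
    """Pattern analysis: successful logins outside the assumed working day."""
    return [ev for ev in events
            if ev["result"] == "Accepted"
            and not (start_hour <= ev["ts"].hour < end_hour)]


def success_after_burst(events, window=timedelta(minutes=5), threshold=5):
    """Accepted logins from any source that also produced a failure burst."""
    bursts = failure_bursts(events, window, threshold)
    return [(ev["src"], ev["user"], ev["ts"].isoformat())
            for ev in events
            if ev["result"] == "Accepted" and ev["src"] in bursts]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failure bursts:", failure_bursts(evs))
    print("off-hours successes:", [(e["user"], e["src"]) for e in off_hours_successes(evs)])
    print("success after burst:", success_after_burst(evs))
```

On the constructed sample only the external address trips all three checks; the single failed login by alice stays below the burst threshold, which is the point of comparing counts inside a window rather than flagging every failure. In practice the baseline (working hours, expected sources per user) would come from the organization's own log history, which is why the alert stresses retaining that history before an incident occurs.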
“After determining that a system or multiple systems may be compromised, system administrators and/or system owners are often tempted to take immediate actions,” officials wrote.
“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” they added.
In response, CISA created a list of actions organizations experiencing a successful hack should avoid in order to prevent negative consequences.
For example, mitigating affected systems prior to protecting and recovering data can lead to the loss of volatile data like memory or host-based artifacts. The action may also alert the attacker who may then merely change their tactics, techniques, and procedures – without necessarily leaving the victim's network.
Another mistake is failing to preserve or collect log data critical to identifying access to the compromised system, which can make it impossible to obtain key insights about the incident. CISA recommended that organizations retain log data for at least a year.
CISA also provided a list of common missteps organizations make in responding to an incident, which includes preemptively blocking adversary infrastructure, preemptive credential resets, fixing only the system and not the root cause of the incident, and communicating over the same network that experienced the incident.
The guide also provides step-by-step mitigation guidance, which includes restricting or disconnecting use of telnet services, FTP, and non-approved Virtual Private Network (VPN) services. Organizations were also reminded to shut down or decommission unused services and systems, key access points for attackers.
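The mitigation steps above (restrict telnet and FTP, restrict non-approved VPN services, decommission unused listeners) can be turned into a repeatable check against a host's listening sockets. The following is an added example, not code from the CISA alert or this article: it parses text in the shape of `ss -ltnp` output (the sample is constructed) and compares each listener against an approved baseline. The port-to-service mappings and the approved baseline are the example's own assumptions.

```python
"""Audit listening sockets against the alert's mitigation steps.

Added example. The `ss`-style sample, the port mappings and the approved
baseline below are assumptions for illustration, not data from the CISA alert.
"""
import re

# Services the alert says to restrict or disconnect outright.
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet"}
# Common VPN service ports (assumed mapping); allowed only when approved.
VPN_PORTS = {500: "isakmp", 1194: "openvpn", 1723: "pptp", 4500: "ipsec-nat-t"}

# Constructed sample in the layout of `ss -ltnp`.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      64           0.0.0.0:23         0.0.0.0:*     users:(("inetd",pid=501,fd=5))
LISTEN 0      32           0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=640,fd=4))
LISTEN 0      128          0.0.0.0:1194       0.0.0.0:*     users:(("openvpn",pid=901,fd=6))
LISTEN 0      128          0.0.0.0:1723       0.0.0.0:*     users:(("pptpd",pid=955,fd=7))
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("java",pid=1203,fd=9))
"""

# Assumed baseline: port -> process permitted to listen on it.
APPROVED = {22: "sshd", 1194: "openvpn"}

SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(text):
    """Extract (address, port, process) from `ss -ltnp`-shaped lines."""
    listeners = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            listeners.append({"addr": m["addr"], "port": int(m["port"]),
                              "proc": m["proc"]})
    return listeners


def audit_listeners(listeners, approved):
    """Classify each listener: 'disconnect' for legacy cleartext or
    non-approved VPN services, 'review' for anything outside the baseline."""
    findings = []
    for lst in listeners:
        port, proc = lst["port"], lst["proc"]
        if port in LEGACY_CLEARTEXT:
            findings.append(("disconnect", port, proc,
                             f"cleartext {LEGACY_CLEARTEXT[port]} service"))
        elif port in VPN_PORTS and approved.get(port) != proc:
            findings.append(("disconnect", port, proc,
                             f"non-approved VPN service ({VPN_PORTS[port]})"))
        elif approved.get(port) != proc:
            findings.append(("review", port, proc,
                             "not in approved baseline; decommission if unused"))
    return findings


if __name__ == "__main__":
    for action, port, proc, reason in audit_listeners(parse_listeners(SAMPLE_SS), APPROVED):
        print(f"{action:10} {port:>5} {proc:10} {reason}")
```

Run against real `ss -ltnp` output, the same functions produce a worklist: the "disconnect" rows map directly to the alert's telnet, FTP and non-approved VPN steps, and the "review" rows are candidates for the unused-services decommissioning it also recommends.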
VPNs and common vulnerabilities have remained critical access points for those attacking the healthcare sector, especially amid the COVID-19 pandemic.
Organizations can also leverage the insights for detailed security recommendations that should be implemented prior to an incident, such as employee education, allowlisting, account control, workstation and server management, server configuration and logging, and overall network security, among a host of other step-by-step techniques.
“Properly implemented defensive techniques and programs make it more difficult for a threat actor to gain access to a network and remain persistent yet undetected,” officials wrote. “When an effective defensive program is in place, attackers should encounter complex defensive barriers.”
“Attacker activity should also trigger detection and prevention mechanisms that enable organizations to identify, contain, and respond to the intrusion quickly,” they added. “There is no single technique, program, or set of defensive techniques or programs that will completely prevent all attacks. The network administrator should adopt and implement multiple defensive techniques and programs in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful attack.”
Administrators should refer to the insights to view a list of free resources on network security zoning, incident handling, credential controls, and even baseline security controls for small and medium organizations.