NSA report: Indicators of compromise on personal networks
The advent of the novel coronavirus pandemic has brought with it a sharp rise in the number of government workers that work telework, typically with Government-Furnished Equipment (GFE). This makes cybersecurity a top priority for these workers.
In response, the National Security Agency released a report entitled “Compromised Personal Network Indicators and Mitigations.” This report is intended to help remote government workers using GPE to connect to personal networks protect their data and personal networks and contains a solid rundown of the knowledge it takes to do it.
This article will provide a recap of this report and will explore how to tell if your network is compromised using indicators of personal network compromise, as well as recommendations for generally suspicious activity and mitigation for more aggressive compromises.
This report recommends different actions that GFE users accessing personal networks can take to determine if their network is compromised and mitigation actions the user can take. NSA prefaces the report with a strong recommendation that those who seek expert advice for a suspected compromise disregard the report and follow the recommendations of the expert.
Indicators of a personal network compromise
To take the proper steps to mitigate or eliminate threats, users need to have awareness of the basic indicators of a compromised personal network. The report includes a list of these common indicators of compromise seen on personal networks and identifies five types of compromise, along with their corresponding indicators of compromise and a description of the suspicious activity that they inform.
The list in the report is not an exhaustive list of all compromises. This article has included the most important ones you should know if you want to determine if your personal network is compromised.
Below are the indicators of compromise that the report covers.
- Router password changes: This is when your router login credentials were not changed by you but have still become ineffective.
- Modified connectivity: This is when your router or wireless status indicates that an unknown router or SSID is connected to your network.
Compromised router or malware
- Browser redirects: This is when you try to access a site but get redirected to a different site that you did not intend to go to. Browser redirects may be caused by malware on the network or the device.
- Devices functioning without user input: Examples include a device turning on by itself, cursors moving on their own and microphones/web cameras activating without the user activating it.
- False antivirus/anti-malware alerts: First appears with device screens displaying misleading notifications that are designed to appear like reputable security programs.
- Unexpected hardware displays: LED or camera light is unexpectedly turned on.
- Inactivity faults: When a computer that has been turned off for an extended time is warm/hot when it should not be because it was not being used
- Tampered logs: The best example of this is when the user’s website history or cache is unexpectedly reset (independent of a manual reset by the user and scheduled resets)
- Malfunctioning antivirus or anti-malware: Typical signs of this indicator are that the registry or task manager is not starting up, being placed in a reduced state or by being completely disabled without being done by you.
- Taxed memory: The task manager informs you of heavy memory usage for services or apps.
- Modified parameters: When your clock time is different from the current time or reset.
- Operation instability: Devices rebooting on their own or when there are periodic device crashes.
- Ransomware messages: You know what ransomware is by this point, I am sure, so look out for the typical messages appearing on your desktop or system access being locked and completely restricted. Access to your files and content may be restricted until you pay a specified amount of Bitcoin. Never pay them!
- Unexpected file encryption: When your files or folders become encrypted without encrypting them, meaning that you can’t open them.
- Sharing exposure: Teleconference or collaborative apps that list different previous connections than what you normally use.
- Unexpected login notifications: These notifications are provided by some services when new devices connect to a service account. These notifications sometimes give an option to deny or block the new device. Act upon these notifications if you receive them.
- Unusual displays: Prompts requesting you to change or update your password that may appear different than the normal password change prompt that you see.
- Unintentional sent messages: Messages or invitations that say they are from you.
If the indicators of compromise make you think that your personal network is compromised, there are mitigation steps you can take to mitigate or stop network threats altogether. For responding to generally suspicious activity…
- Reboot the router
- Disable local/remote administration
- Update firmware
- Change passwords on all accounts
- Remove suspected compromised devices from your personal network.
- Log in to accounts with an uncompromised, trusted device and change all passwords and remove all untrusted or unknown devices out of all online services.
- Don’t pay the ransom!
- Disconnect the compromised device from the personal network.
- Remove the malware.
- Restore to a known good backed-up state.
For compromises that are more than suspected, the report gives a distilled list of recommendations that may eliminate the threat. It should be noted that performing these recommendations will delete the data on these devices.
- Disconnect all devices from the personal network and reset network connected devices.
- Factory reset previously connected devices.
- Change passwords and require all linked devices require a new sign in immediately.
The recommendations in the report should be useful for GFE users connecting to a personal network trying to eradicate, or at least minimize, damage due to a compromised network. The report recommends users to seek expert advice in cases where the suspicious activity does not go away after performing the recommendations, which is sound advice indeed.
Compromised Personal Network Indicators and Mitigations, National Security Agency