NSA report: Indicators of compromise on personal networks
Introduction
The advent of the novel coronavirus pandemic has brought with it a sharp rise in the number of government workers that work telework, typically with Government-Furnished Equipment (GFE). This makes cybersecurity a top priority for these workers.
In response, the National Security Agency released a report entitled “Compromised Personal Network Indicators and Mitigations.” This report is intended to help remote government workers using GPE to connect to personal networks protect their data and personal networks and contains a solid rundown of the knowledge it takes to do it.
This article will provide a recap of this report and will explore how to tell if your network is compromised using indicators of personal network compromise, as well as recommendations for generally suspicious activity and mitigation for more aggressive compromises.
Learn Network Security Fundamentals
Report preface
This report recommends different actions that GFE users accessing personal networks can take to determine if their network is compromised and mitigation actions the user can take. NSA prefaces the report with a strong recommendation that those who seek expert advice for a suspected compromise disregard the report and follow the recommendations of the expert.
Indicators of a personal network compromise
To take the proper steps to mitigate or eliminate threats, users need to have awareness of the basic indicators of a compromised personal network. The report includes a list of these common indicators of compromise seen on personal networks and identifies five types of compromise, along with their corresponding indicators of compromise and a description of the suspicious activity that they inform.
The list in the report is not an exhaustive list of all compromises. This article has included the most important ones you should know if you want to determine if your personal network is compromised.
Below are the indicators of compromise that the report covers.
Compromised router
- Router password changes: This is when your router login credentials were not changed by you but have still become ineffective.
- Modified connectivity: This is when your router or wireless status indicates that an unknown router or SSID is connected to your network.
Compromised router or malware
- Browser redirects: This is when you try to access a site but get redirected to a different site that you did not intend to go to. Browser redirects may be caused by malware on the network or the device.
Malware
- Devices functioning without user input: Examples include a device turning on by itself, cursors moving on their own and microphones/web cameras activating without the user activating it.
- False antivirus/anti-malware alerts: First appears with device screens displaying misleading notifications that are designed to appear like reputable security programs.
- Unexpected hardware displays: LED or camera light is unexpectedly turned on.
- Inactivity faults: When a computer that has been turned off for an extended time is warm/hot when it should not be because it was not being used
- Tampered logs: The best example of this is when the user’s website history or cache is unexpectedly reset (independent of a manual reset by the user and scheduled resets)
- Malfunctioning antivirus or anti-malware: Typical signs of this indicator are that the registry or task manager is not starting up, being placed in a reduced state or by being completely disabled without being done by you.
- Taxed memory: The task manager informs you of heavy memory usage for services or apps.
- Modified parameters: When your clock time is different from the current time or reset.
- Operation instability: Devices rebooting on their own or when there are periodic device crashes.
Ransomware
- Ransomware messages: You know what ransomware is by this point, I am sure, so look out for the typical messages appearing on your desktop or system access being locked and completely restricted. Access to your files and content may be restricted until you pay a specified amount of Bitcoin. Never pay them!
- Unexpected file encryption: When your files or folders become encrypted without encrypting them, meaning that you can’t open them.
Compromised account
- Sharing exposure: Teleconference or collaborative apps that list different previous connections than what you normally use.
- Unexpected login notifications: These notifications are provided by some services when new devices connect to a service account. These notifications sometimes give an option to deny or block the new device. Act upon these notifications if you receive them.
- Unusual displays: Prompts requesting you to change or update your password that may appear different than the normal password change prompt that you see.
- Unintentional sent messages: Messages or invitations that say they are from you.
Mitigation steps
If the indicators of compromise make you think that your personal network is compromised, there are mitigation steps you can take to mitigate or stop network threats altogether. For responding to generally suspicious activity…
Compromised router
- Reboot the router
- Disable local/remote administration
- Update firmware
- Change passwords on all accounts
Malware
- Remove suspected compromised devices from your personal network.
- Log in to accounts with an uncompromised, trusted device and change all passwords and remove all untrusted or unknown devices out of all online services.
Ransomware
- Don’t pay the ransom!
- Disconnect the compromised device from the personal network.
- Remove the malware.
- Restore to a known good backed-up state.
Aggressive mitigation
For compromises that are more than suspected, the report gives a distilled list of recommendations that may eliminate the threat. It should be noted that performing these recommendations will delete the data on these devices.
- Disconnect all devices from the personal network and reset network connected devices.
- Factory reset previously connected devices.
- Change passwords and require all linked devices require a new sign in immediately.
Learn Network Security Fundamentals
Conclusion
The recommendations in the report should be useful for GFE users connecting to a personal network trying to eradicate, or at least minimize, damage due to a compromised network. The report recommends users to seek expert advice in cases where the suspicious activity does not go away after performing the recommendations, which is sound advice indeed.
Sources
Compromised Personal Network Indicators and Mitigations, National Security Agency
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- NSA report: Indicators of compromise on personal networks
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
