Incident response

Uncovering and remediating malicious activity: From discovery to incident handling

Over the years, industry and government have realized that  collective intelligence is needed to tackle cybersecurity threats. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) — Alert (AA20-245A): Technical Approaches to Uncovering and Remediating Malicious Activity — is the result of a collective effort from five countries: Australia, Canada, New Zealand, the United Kingdom and the United States. The alert delivers a best practice guide covering a technical approach to uncovering malicious activity. The alert provides a “cybersecurity playbook” for incident response and offers mitigation steps.

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

Some of the key points made by the alert are as follows:

Indicators of compromise

An indicator of compromise (IoC) is the fundamental evidence needed in computer forensics to show that an incident is happening or has occurred. The CISA alert suggests that known, bad indicators of compromise should be collected from an array of sources including those in network and host artifacts. The playbook also points out the importance of removing false positives through careful analysis of IoC artifacts.

The advisory provides a list of recommended artifacts:

Host-based artifacts: antivirus detections, events logs, local and domain users, unusual authentications, installed applications and more. The notice also goes through the information that should be reviewed for host analysis. This includes “collect all PowerShell command-line requests looking for Base64-encoded commands to help identify malicious fileless attacks.”

Network-based artifacts: FTP, hypertext transfer protocol secure/secure sockets layer (HTTPS/SSL), remote desktop protocol (RDP) and virtual private network (VPN) sessions.

Incident handling: Warnings on what not to do

The alert dedicates a section to common mistakes in incident handling. The key and foremost recommendation? Use a measured response. In other words, don’t jump in until you understand what you are dealing with. By taking immediate, ill-considered action, the authors warn that volatile data could end up being modified and the true extent of the danger then lost. If immediate action is taken the attacker could end up being warned that the victim organization is aware of the compromise; the attacker could then hide their tracks or execute ransomware, for example.

The alert notice offers a list of what to avoid when handling cybersecurity incidents. They call these missteps. 

Incident handling missteps

Action

• Mitigating the affected systems before responders can protect and recover data

Result/counteraction

• Loss of volatile data such as memory and other host-based artifacts
• An attacker could be forewarned and change their tactics, techniques and procedures

Action:

• Touching adversary infrastructure

Result/counteraction 

• An attacker could be forewarned

Action

• Preemptively blocking adversary infrastructure

Result/counteraction

• An adversary can easily change to new command and control infrastructure. This has occurred in TrickBot malware after Microsoft blocked the C&C servers to protect the U.S. elections.

Action

• Preemptive credential resets

Result/counteraction

• Chances are the attacker has other credentials at the ready

Action

• Failure to preserve or collect log data that could be critical to identifying access to the compromised systems

Result/counteraction

• Retain log data for at least a year

Action

• Communicating over the same network as the incident response is being conducted

Result/counteraction

• Communicate out-of-band

Action

• Only fixing the symptoms, not the root cause

Result/counteraction

• If you don’t fix the underlying issue, the attacker can just change tactics and continue to attack the system

Frequency analysis

Frequency analysis can be a useful tool in network defense as part of a defense-in-depth approach. Anomalous activity (unusual or abnormal activity) can be an indicator of an incident. This anomalous activity is best understood by using it in context. The CISA alert states that large datasets should be used to calculate normal traffic patterns in both network and host systems to set a baseline of expected behavior. Predictive algorithms can then be used to spot unusual patterns and anomalous events. Contextual variables can include timing, source location, destination location, port utilization, protocol adherence, file location and more.

Pattern analysis

Following on from frequency analysis, pattern analysis is another key technical approach presented in the alert. The authors suggest data analysis that identifies repeating patterns should be used as they are often signs of automated mechanisms of attacks, such as malware infection. These patterns can also indicate human threat actor activity. Pattern analysis should be used with filters to separate normal activity from unusual patterns.

Anomaly detection

Pattern and frequency analysis provide a way to present unusual patterns of behavior and events within a system or network. Using anomaly detection, a human analyst can review these artifacts to identify the anomalies and assign concerns, as well as ensure false positives are not investigated. The human analyst can work with technology tools to find indicators of threat actor activity.

Further recommendations for investigation and remediation of cybersecurity activity

A sample of five recommendations of the 10 given in the CISA alert are shown below. These are good cybersecurity hygiene and measures that all organizations should implement.

Telnet and FTP services

Recommendation

Telnet and FTP protocols transmit credentials in cleartext. Move to more secure file storage/file transfer and remote access services. This includes the use of (SFTP) or HTTPS-based public sites. Also, use a secure shell (SSH) for access to remote devices and servers.

Non-approved VPN services

Recommendation

If any user is using an unapproved VPN service, there should be a robust business reason to do so. If not, restrict or discontinue the use of any unapproved VPN service. To help manage the use of these services, an enterprise should use endpoint monitoring to make these unapproved VPNs (and other apps) visible.

Disable unnecessary ports, protocols and services

Recommendation

Open and insecure ports and protocols have been behind many of the world's most infamous and harmful cyberattacks, including the WannaCry ransomware attack of 2017. Prevent lateral exploitation of a network by finding unused ports. Also, restrict inbound and outbound access not justified by a business case. Finally, set up a firewall log for inbound and outbound network traffic as well as allowed and denied traffic.

Manage insecure remote desktop services (RDS)

Recommendation

Another hacker favorite is finding insecurities in the remote desktop protocol (RDP) behind RDS. The internet-exposed RDP servers have been involved in increases in cyberattacks, most likely because of the increase in remote workers requiring this connectivity. The alert suggests that an enterprise uses secure remote desktop gateway solutions and restricts service trust across multiple network zones. Also, the use of privileged account monitoring and short-time password lease for RDP service use can be helpful. Overall, continuous monitoring of RDP services is advised.

Credential reset and access policy review

Recommendation

Credentials are the enterprise keys to the kingdom. Attacks focusing on credentials are common and persistent. This includes techniques such as phishing, which is still the number one way to steal credentials, and the subsequent use of those credentials in credential stuffing attacks. Brute force attacks are also an issue when it comes to credential security. The CISA alert recommends credential resets should be strategically carried out and should include all compromised accounts and devices to reduce the likelihood that the attacker can adapt and respond.

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

Some further best practices in incident response and handling

The CISA alert concludes with a statement that “there is no single technique, program or set of defensive techniques or programs that will completely prevent all attacks.” Instead, multiple methods of defense should be used across the organization and out into the wider network edges and endpoints.

Below are some general recommendations made by the alerts. 

User education

Keeping all employees abreast of cybersecurity attack types, including phishing. The authors describe users as the “frontline security of the organization.”

Account control

Use the principle of least privilege to reduce the chances of an attack against key network resources.

Backups

Use secure backups to help mitigate the impact of malware and ransomware.

Server configuration and logging

Many recent large security incidents have involved misconfiguration. The CISA alert provides several helpful configuration considerations to help prevent vulnerabilities.

Network security

The CISA alert offers a comprehensive list of activities that can be used to harden network security. This includes using an intrusion detection system (IDS).

Much of the recommended actions around user management and segregation of roles and network areas can be considered principles of Zero Trust security.

The CISA alert is a comprehensive guide to what the current swatch of best practices are in uncovering, analyzing and remediating cybersecurity attacks. These measures have been assimilated from the accumulated knowledge across global-based cybersecurity professionals. The alert is a condensed version of this knowledge and essential reading for an IT professional looking to harden their organization against the current onslaught of cyberthreats.

 

Sources: 

Alert (AA20-245A), Cybersecurity and Infrastructure Security Agency (CISA)

Tried and true hacker technique: DOS obfuscation, Huntress blog 

The five largest ransomware attacks of 2017, Infosec 

Attacks against internet-exposed RDP servers surging during COVID-19 pandemic, CSOOnline 

MITRE ATT&CK vulnerability spotlight: Brute force, Infosec 

Zero trust security: What is it?, Infosec