Uncovering and remediating malicious activity: From discovery to incident handling
Over the years, industry and government have realized that collective intelligence is needed to tackle cybersecurity threats. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) — Alert (AA20-245A): Technical Approaches to Uncovering and Remediating Malicious Activity — is the result of a collective effort from five countries: Australia, Canada, New Zealand, the United Kingdom and the United States. The alert delivers a best practice guide covering a technical approach to uncovering malicious activity. The alert provides a “cybersecurity playbook” for incident response and offers mitigation steps.
Some of the key points made by the alert are as follows:
Indicators of compromise
An indicator of compromise (IoC) is the fundamental evidence needed in computer forensics to show that an incident is happening or has occurred. The CISA alert suggests that known, bad indicators of compromise should be collected from an array of sources including those in network and host artifacts. The playbook also points out the importance of removing false positives through careful analysis of IoC artifacts.
The advisory provides a list of recommended artifacts:
Host-based artifacts: antivirus detections, events logs, local and domain users, unusual authentications, installed applications and more. The notice also goes through the information that should be reviewed for host analysis. This includes “collect all PowerShell command-line requests looking for Base64-encoded commands to help identify malicious fileless attacks.”
Network-based artifacts: FTP, hypertext transfer protocol secure/secure sockets layer (HTTPS/SSL), remote desktop protocol (RDP) and virtual private network (VPN) sessions.
Incident handling: Warnings on what not to do
The alert dedicates a section to common mistakes in incident handling. The key and foremost recommendation? Use a measured response. In other words, don’t jump in until you understand what you are dealing with. By taking immediate, ill-considered action, the authors warn that volatile data could end up being modified and the true extent of the danger then lost. If immediate action is taken the attacker could end up being warned that the victim organization is aware of the compromise; the attacker could then hide their tracks or execute ransomware, for example.
The alert notice offers a list of what to avoid when handling cybersecurity incidents. They call these missteps.
Incident handling missteps
- Mitigating the affected systems before responders can protect and recover data
- Loss of volatile data such as memory and other host-based artifacts
- An attacker could be forewarned and change their tactics, techniques and procedures
- Touching adversary infrastructure
- An attacker could be forewarned
- Preemptively blocking adversary infrastructure
- An adversary can easily change to new command and control infrastructure. This has occurred in TrickBot malware after Microsoft blocked the C&C servers to protect the U.S. elections.
- Preemptive credential resets
- Chances are the attacker has other credentials at the ready
- Failure to preserve or collect log data that could be critical to identifying access to the compromised systems
- Retain log data for at least a year
- Communicating over the same network as the incident response is being conducted
- Communicate out-of-band
- Only fixing the symptoms, not the root cause
- If you don’t fix the underlying issue, the attacker can just change tactics and continue to attack the system
Frequency analysis can be a useful tool in network defense as part of a defense-in-depth approach. Anomalous activity (unusual or abnormal activity) can be an indicator of an incident. This anomalous activity is best understood by using it in context. The CISA alert states that large datasets should be used to calculate normal traffic patterns in both network and host systems to set a baseline of expected behavior. Predictive algorithms can then be used to spot unusual patterns and anomalous events. Contextual variables can include timing, source location, destination location, port utilization, protocol adherence, file location and more.
Following on from frequency analysis, pattern analysis is another key technical approach presented in the alert. The authors suggest data analysis that identifies repeating patterns should be used as they are often signs of automated mechanisms of attacks, such as malware infection. These patterns can also indicate human threat actor activity. Pattern analysis should be used with filters to separate normal activity from unusual patterns.
Pattern and frequency analysis provide a way to present unusual patterns of behavior and events within a system or network. Using anomaly detection, a human analyst can review these artifacts to identify the anomalies and assign concerns, as well as ensure false positives are not investigated. The human analyst can work with technology tools to find indicators of threat actor activity.
Further recommendations for investigation and remediation of cybersecurity activity
A sample of five recommendations of the 10 given in the CISA alert are shown below. These are good cybersecurity hygiene and measures that all organizations should implement.
Telnet and FTP services
Telnet and FTP protocols transmit credentials in cleartext. Move to more secure file storage/file transfer and remote access services. This includes the use of (SFTP) or HTTPS-based public sites. Also, use a secure shell (SSH) for access to remote devices and servers.
Non-approved VPN services
If any user is using an unapproved VPN service, there should be a robust business reason to do so. If not, restrict or discontinue the use of any unapproved VPN service. To help manage the use of these services, an enterprise should use endpoint monitoring to make these unapproved VPNs (and other apps) visible.
Disable unnecessary ports, protocols and services
Open and insecure ports and protocols have been behind many of the world’s most infamous and harmful cyberattacks, including the WannaCry ransomware attack of 2017. Prevent lateral exploitation of a network by finding unused ports. Also, restrict inbound and outbound access not justified by a business case. Finally, set up a firewall log for inbound and outbound network traffic as well as allowed and denied traffic.
Manage insecure remote desktop services (RDS)
Another hacker favorite is finding insecurities in the remote desktop protocol (RDP) behind RDS. The internet-exposed RDP servers have been involved in increases in cyberattacks, most likely because of the increase in remote workers requiring this connectivity. The alert suggests that an enterprise uses secure remote desktop gateway solutions and restricts service trust across multiple network zones. Also, the use of privileged account monitoring and short-time password lease for RDP service use can be helpful. Overall, continuous monitoring of RDP services is advised.
Credential reset and access policy review
Credentials are the enterprise keys to the kingdom. Attacks focusing on credentials are common and persistent. This includes techniques such as phishing, which is still the number one way to steal credentials, and the subsequent use of those credentials in credential stuffing attacks. Brute force attacks are also an issue when it comes to credential security. The CISA alert recommends credential resets should be strategically carried out and should include all compromised accounts and devices to reduce the likelihood that the attacker can adapt and respond.
Some further best practices in incident response and handling
The CISA alert concludes with a statement that “there is no single technique, program or set of defensive techniques or programs that will completely prevent all attacks.” Instead, multiple methods of defense should be used across the organization and out into the wider network edges and endpoints.
Below are some general recommendations made by the alerts.
Keeping all employees abreast of cybersecurity attack types, including phishing. The authors describe users as the “frontline security of the organization.”
Use the principle of least privilege to reduce the chances of an attack against key network resources.
Use secure backups to help mitigate the impact of malware and ransomware.
Server configuration and logging
Many recent large security incidents have involved misconfiguration. The CISA alert provides several helpful configuration considerations to help prevent vulnerabilities.
The CISA alert offers a comprehensive list of activities that can be used to harden network security. This includes using an intrusion detection system (IDS).
Much of the recommended actions around user management and segregation of roles and network areas can be considered principles of Zero Trust security.
The CISA alert is a comprehensive guide to what the current swatch of best practices are in uncovering, analyzing and remediating cybersecurity attacks. These measures have been assimilated from the accumulated knowledge across global-based cybersecurity professionals. The alert is a condensed version of this knowledge and essential reading for an IT professional looking to harden their organization against the current onslaught of cyberthreats.
Alert (AA20-245A), Cybersecurity and Infrastructure Security Agency (CISA)
Tried and true hacker technique: DOS obfuscation, Huntress blog
The five largest ransomware attacks of 2017, Infosec
Attacks against internet-exposed RDP servers surging during COVID-19 pandemic, CSOOnline
MITRE ATT&CK vulnerability spotlight: Brute force, Infosec
Zero trust security: What is it?, Infosec