The U.K.’s National Cyber Security Centre (NCSC) partnered with cybersecurity agencies from five countries to issue security guidelines intended to help organizations globally disclose data breaches and handle threat actors. The joint security advisory “Technical Approaches to Uncovering and Remediating Malicious Activity” was released in cooperation with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, the New Zealand National Cyber Security Centre and CERT NZ, and the Canadian Communications Security Establishment.
“The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation,” the advisory said.
The advisory sets out technical approaches organizations can follow when addressing potential security incidents and includes specific mitigation steps.
Common missteps to avoid when responding to a security incident:
- Mitigating the affected systems before responders can protect and recover data.
- Touching adversary infrastructure (pinging, nslookup, browsing, etc.).
- Preemptively blocking adversary infrastructure.
- Preemptive credential resets.
- Failure to preserve or collect log data that could be critical to identifying access to the compromised systems.
- Communicating over the same network on which the incident response is being conducted (ensure all communications are held out-of-band).
- Only fixing the symptoms, not the root cause.
The advisory also recommended certain practices for organizations to mitigate potential threats to their network. These include:
- The FTP and Telnet protocols transmit credentials in cleartext, where they can be intercepted. To mitigate this risk, discontinue FTP and Telnet services by moving to more secure file storage/file transfer and remote access services.
- Restrict or Discontinue Use of Non-approved VPN Services.
- Shut down or Decommission Unused Services and Systems.
- Quarantine and Reimage Compromised Hosts.
- Disable Unnecessary Ports, Protocols, and Services.
- Restrict or Disable Interactive Login for Service Accounts.
- Disable Unnecessary Remote Network Administration Tools.
- Manage Unsecure Remote Desktop Services.
- Credential Reset and Access Policy Review.
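As an added example (not code from the advisory or the agencies that issued it), the following script checks a constructed host inventory against several of the hardening items above: cleartext FTP/Telnet, unmanaged remote desktop, unused services, and service accounts permitted to log in interactively. The port numbers, inventory fields and the 90-day "unused" threshold are assumptions made for the sample.

```python
# Added example: audit a constructed host inventory against the advisory's
# hardening items. Port numbers are IANA defaults; the inventory shape and
# the unused-service threshold are assumptions for this demonstration.
from dataclasses import dataclass, field

CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet"}   # credentials sent in cleartext
REMOTE_DESKTOP_PORTS = {3389: "RDP"}             # must be managed, not exposed

@dataclass
class Listener:
    port: int
    name: str
    last_used_days: int   # days since the last observed connection (constructed)

@dataclass
class Account:
    name: str
    is_service_account: bool
    interactive_logon: bool

@dataclass
class Host:
    hostname: str
    listeners: list = field(default_factory=list)
    accounts: list = field(default_factory=list)

def audit_host(host: Host, unused_after_days: int = 90) -> list:
    """Return one finding string per hardening item the host violates."""
    findings = []
    for l in host.listeners:
        if l.port in CLEARTEXT_SERVICES:
            findings.append(f"{host.hostname}: {CLEARTEXT_SERVICES[l.port]} on port {l.port} "
                            "sends credentials in cleartext; migrate and discontinue")
        if l.port in REMOTE_DESKTOP_PORTS:
            findings.append(f"{host.hostname}: remote desktop on port {l.port} "
                            "must be managed (restricted sources, gateway, MFA)")
        if l.last_used_days > unused_after_days:
            findings.append(f"{host.hostname}: {l.name} on port {l.port} unused for "
                            f"{l.last_used_days} days; shut down or decommission")
    for a in host.accounts:
        if a.is_service_account and a.interactive_logon:
            findings.append(f"{host.hostname}: service account {a.name} allows "
                            "interactive logon; restrict or disable it")
    return findings

# Constructed sample host: one FTP listener, RDP exposed, a stale app, a
# service account with interactive logon enabled.
SAMPLE_HOST = Host("fileserver01",
    listeners=[Listener(21, "vsftpd", 2), Listener(22, "sshd", 0),
               Listener(3389, "rdp", 5), Listener(8080, "legacy-app", 200)],
    accounts=[Account("svc_backup", True, True), Account("alice", False, True)])

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_HOST):
        print(finding)
```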
NCSC Director of Operations Paul Chichester said, “Cybersecurity is a global issue that requires a collaborative international effort to protect our most critical assets. This advisory will help organizations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organizations and the wider public, we will continue to strengthen our defenses to make us the hardest possible target for our adversaries.”
CISA Director Chris Krebs said, “With our allied cybersecurity government partners, we work together every day to help improve and strengthen the cybersecurity of organizations and sectors of our economy that are increasingly targeted by criminals and nation states alike. Fortunately, there’s strength in numbers and this unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”