Tips on Detecting and Handling Cyberattacks
Canada, along with Australia, New Zealand, the UK and the US, has issued a joint advisory with the goal of helping organizations protect themselves against cyberattacks.
The report, called “Technical Approaches to Uncovering and Remediating Malicious Activity”, provides tips for discovering malicious activity in a corporate network, as well as steps to mitigate the risk of initial infection.
Discovering Malicious Activity in your network:
Monitoring for Indicators of Compromise:
Indicators of compromise (IOCs) are flags that indicate that a network has been compromised. They can include unusually heavy .RAR, 7zip, or WinZip activity. It is also important to monitor for suspicious file names such as 1.zip or 2.zip.
Frequency Analysis:
Frequency analysis uses data to calculate the standard traffic patterns in networks. After normal patterns have been identified, it is easier to identify areas of inconsistency, which often point towards a malicious actor.
Pattern Analysis:
Similar to frequency analysis, pattern analysis records data on activity across the company network and filters out normal behavior patterns to reveal any activity that seems malicious or out of place.
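The following Python code is an added example, not taken from the advisory or from GIGE. It applies frequency analysis to the archive-utility indicator described above: it baselines each host's daily count of archiver launches, flags a day that deviates from that host's own baseline, and lists archive names made only of digits. The event tuples, host names, process names and the threshold are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed process-creation events: (day, host, process image, archive name).
# Hosts, dates and file names are invented sample data, not from the advisory.
EVENTS = (
    [(f"2024-03-{d:02d}", "ws-014", "7z.exe", "backup.7z") for d in range(1, 8)]
    + [(f"2024-03-{d:02d}", "fs-002", "rar.exe", "weekly.rar") for d in range(1, 8) for _ in range(3)]
    + [("2024-03-08", "ws-014", "7z.exe", "backup.7z")]
    + [("2024-03-08", "fs-002", "rar.exe", f"{n}.zip") for n in range(1, 41)]
)

# Assumed process image names for the archive utilities the page lists.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "winzip32.exe", "winzip64.exe"}
# Archive names made of digits only, such as the 1.zip and 2.zip the page mentions.
NUMERIC_ARCHIVE = re.compile(r"^\d+\.(zip|rar|7z)$", re.IGNORECASE)

def daily_counts(events):
    """Count archive-utility launches per host per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, host, image, _name in events:
        if image.lower() in ARCHIVERS:
            counts[host][day] += 1
    return counts

def frequency_outliers(events, check_day, threshold=3.5):
    """Flag hosts whose count on check_day is far above their own baseline."""
    flagged = {}
    for host, per_day in daily_counts(events).items():
        baseline = [n for day, n in per_day.items() if day != check_day]
        if len(baseline) < 5:  # too little history to call anything normal
            continue
        median = statistics.median(baseline)
        # Modified z-score: median and MAD resist distortion by one earlier burst.
        # A MAD of 0 (perfectly steady host) falls back to one launch per day.
        mad = statistics.median(abs(n - median) for n in baseline) or 1.0
        score = 0.6745 * (per_day.get(check_day, 0) - median) / mad
        if score > threshold:
            flagged[host] = round(score, 1)
    return flagged

def numeric_archive_names(events):
    """Return sorted (host, name) pairs whose archive name is just a number."""
    return sorted({(h, name) for _d, h, _i, name in events if NUMERIC_ARCHIVE.match(name)})

if __name__ == "__main__":
    print(frequency_outliers(EVENTS, "2024-03-08"))
    print(numeric_archive_names(EVENTS)[:3])
```

The baseline is kept per host, so a file server that archives heavily every day is compared with its own history rather than with a workstation's.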
The report identifies common mistakes made when handling malware incidents:
First, it is a mistake to mitigate the infected systems before data can be protected and recovered. This can often lead to permanent data loss. Taking this action too early can also encourage a malicious actor to switch their strategy and attack procedures in response, making the attack more difficult to combat.
Another common mistake is touching adversary infrastructure, for example with NSlookup queries or by pinging addresses. An increase in this kind of activity can tip off an attacker that they have been discovered, prompting them to act more quickly. In a similar vein, changing compromised credentials too quickly is often an ineffective method of mitigating a cyberattack, as at that point the attacker likely has access to multiple compromised credentials. In fact, it would make matters worse by prompting the attacker to create new compromised credentials.
Blocking cyberattackers' access to control infrastructure too early can also make it more difficult to assess the situation, as it could result in a loss of visibility into their activity.
One of the most important parts of cyberattack response is keeping critical data logs. Using these, you can more effectively determine the vulnerable points of access that were exploited by the cyberattackers during the attack. The technical advisory report recommends that these logs be kept for a minimum of 1 year post-incident.
Finally, blocking IP addresses without finding the root cause of a cyberattack is a mistake that will only hide the symptoms of a breach. Furthermore, it gives the malicious attacker an opportunity to identify the IP-blocking strategy being used and react accordingly, worsening the threat.
Below are some investigation tips provided by the report:
-Restrict usage of FTP connections and Telnet services.
-Eliminate the use of insecure, non-approved VPN connections.
-Disconnect or shut down unused systems.
-Disable all unnecessary administrative tools to minimize the number of weak points.
-In the event of an incident, ensure that credentials are reset.
Keep devices patched and up-to-date. Known vulnerabilities are increasingly being exploited by cyberattackers as information is travelling faster across the internet than ever before. It is essential to ensure that all your network-facing devices including access points, endpoint systems and servers are up-to-date.
The report outlines several additional steps in order to ensure that your systems are protected:
-Design a clear vulnerability assessment protocol
-Ensure that sensitive data is not stored in plaintext and is always encrypted when in transit
-Define an insider threat program
-Ensure that systems are being monitored for suspicious activity
-Define a program for information sharing
-Review network monitoring documentation including network diagrams, asset management and incident response plans
GIGE Corporation has over 30 years of experience in designing and deploying IT network infrastructure. Call us at +1 888 366 4443 or email us at info@gige.ca for a consultation today.