CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks. The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems.
The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack.
The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks while reducing the potential for negative consequences.
When incident response teams identify malicious activity, the focus is often on terminating a threat actors’ access to the network. While it is important to terminate any access a threat actor has to a device, network, or system, it is important that the correct approach is taken to avoid alerting the attacker that their presence has been detected.
“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” said CISA.
When responding to a suspected intrusion it is first necessary to collect and remove relevant artifacts, logs, and data that will allow the incident to be thoroughly investigated. If these elements are not obtained before any mitigations are implemented, the data could easily be lost, which will hamper any efforts to investigate the breach. Systems also need to be protected, as a threat actor may realize that the intrusion has been detected and change their tactics. Once systems have been protected and artifacts obtained, mitigating steps can be taken with care taken not to alert the threat actor that their presence in the network has been discovered.
When suspicious activity is detected, CISA recommends considering seeking support from a third-party cybersecurity company. Cybersecurity companies have the necessary expertise to eradicate an attacker from a network and ensure that security issues are avoided that could be exploited in further attacks on the organization once the incident has been remediated and closed.
Responding to a security breach requires a variety of technical approaches to uncover malicious activity. CISA recommends conducting a search for known indicators of compromise (IoCs), using confirmed IoCs from a wide range of sources. A frequency analysis is useful for identifying anomalous activity. Network defenders should calculate normal traffic patterns in network and host systems that can be used to identify inconsistent activity. Algorithms can be used to identify when there is activity that is not consistent with normal patterns and identify inconsistencies in timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.
A pattern analysis is useful for detecting automated activity by malicious scripts and malware, and regular repeating actions by human threat actors. An analyst review should also be conducted based on the security team’s knowledge of system administration to identify errors in collected artifacts and find anomalous activity that could be indicative of threat actor activity.
The guidance details some of the common mistakes that are made when responding to incidents and lists technical measures and best practices for investigation and remediation processes.
CISA also makes general recommendations on defense techniques and programs that will make it much harder for a threat actor to gain access to the network or system and remain there undetected. While these measures may not stop a threat actor from compromising a system, they will help to slow down any attack which will give incident response teams the time they need to identify and respond to an attack.
You can view the CISA guidance here: Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A)