Cyber advisory on remediating breaches

by Mark Rowe

Once a cyber compromise is known, system administrators and/or system owners are often tempted to take immediate action. Although well intentioned, and aimed at limiting the damage of the compromise, some of those actions have adverse effects, according to the NCSC, the UK’s official National Cyber Security Centre.

The NCSC has released a joint cyber security advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, with the US’s Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, the New Zealand National Cyber Security Centre and CERT NZ, and the Canadian Communications Security Establishment.

Common missteps, the advisory says, include trying to mitigate before responders can protect and recover data; failing to preserve log data; only fixing the symptoms of a breach, rather than the root cause; and communicating over the same network as the one the incident response is using.

NCSC Director of Operations Paul Chichester said: “Cyber security is a global issue that requires a collaborative international effort to protect our most critical assets. This advisory will help organisations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully.

“Working closely with our allies, and with the help of organisations and the wider public, we will continue to strengthen our defences to make us the hardest possible target for our adversaries.”

Among general mitigation guidance, the agencies point out that cyber actors ‘regularly identify servers that are out of date or end of life (EOL) to gain access to a network’. You should ‘identify and disable ports, protocols, and services not needed for official business to prevent would-be attackers from moving laterally to exploit vulnerabilities’. Compromised accounts and devices call for resetting access credentials. As attackers may exploit unpatched software or hardware, known vulnerabilities in external-facing devices and servers should be patched at once, starting with the point of compromise.

You can read the advisory on the CISA website. It also offers some ‘general recommendations and best practices’, such as backups, education of users and proper network segmentation.

© 2024 Professional Security Magazine. All rights reserved.