NGTEdu

A PRODUCT OF NGTECH.CO.IN

Joint Cybersecurity Advisory on Threat Hunting and Incident Response Released

5 years ago Ben Layer

A joint cybersecurity advisory released on September 1st details technical methods for uncovering and responding to malicious activity, including best-practice mitigations and common missteps. The advisory (AA20-245A) is a collaborative effort, the product of research from the cybersecurity organizations of five nations: the United States’ Cybersecurity and Infrastructure Security Agency (CISA) along with its counterpart entities from Canada, the United Kingdom, Australia and New Zealand.

The joint advisory is a general overview of threat hunting and incident response best practices, giving technical advice on a number of areas that can aid in an investigation. It includes information on host- and network-based artifacts that are worthy of collection, and it provides extensive general security mitigation guidance for before and during an incident.

Recommended Artifact and Information Collection

Uncovering malicious activity requires reviewing the host and network data found in your environment. Storing logs and other artifacts is beneficial for detecting known-bad indicators of compromise (IOCs), and careful searching and analysis can reveal suspicious behaviors. Knowing the baseline settings and behaviors of your systems and users helps you find anomalies in your environment. Many security tools have been designed to make detecting threats easier through real-time change detection or log analysis; you may already have some you can take advantage of.

Host-based artifacts worth gathering are enumerated in the report and include items such as running processes and services, security product alerts, event logs, installed applications, and malware persistence indicators such as run keys, scheduled tasks or autorun settings. Numerous examples of both pre- and post-incident best practices are given, such as pre-emptively blocking script files like .js and .vbs, looking for suspicious processes, collecting scripts and binaries from temp file locations, archiving log files, and checking for additional suspicious secure shell (SSH) keys which may have been added to authorized_keys files.
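The last item, checking authorized_keys files for keys that were not there before, is a good illustration of the "know your baseline" approach the advisory takes. The script below is an added example, not code from the advisory or from Tripwire: it parses authorized_keys lines (options, key type, key blob, comment), computes the same SHA256 fingerprint form that `ssh-keygen -lf` prints, and reports any key whose fingerprint is not in a baseline set recorded when the host was known-good. The sample file and the baseline are constructed inline so it runs offline; the key blobs are base64 stand-ins, not real public keys.

```python
"""Audit an authorized_keys file against a baseline of known key fingerprints."""
import base64
import binascii
import hashlib
import re

# Key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = (
    r"ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com"
)
# Anything before the key type is the options field; after the blob is the comment.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>" + KEY_TYPES + r")\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line; blank lines and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        entry = {"line": lineno, "type": None, "fingerprint": None,
                 "options": "", "comment": "", "parse_error": True}
        if m:
            try:
                entry.update(
                    type=m.group("type"),
                    fingerprint=fingerprint(m.group("blob")),
                    options=line[:m.start("type")].strip(),
                    comment=(m.group("comment") or "").strip(),
                    parse_error=False,
                )
            except binascii.Error:
                pass  # malformed blob: keep parse_error=True so it is reported
        entries.append(entry)
    return entries


def audit_authorized_keys(text, baseline_fingerprints):
    """Keys not in the baseline, plus lines that could not be parsed, each with a reason."""
    findings = []
    for entry in parse_authorized_keys(text):
        if entry["parse_error"]:
            findings.append(dict(entry, reason="unparseable line"))
        elif entry["fingerprint"] not in baseline_fingerprints:
            findings.append(dict(entry, reason="key not in baseline"))
    return findings


def _blob(label):
    # Constructed stand-in for a public-key blob; it only needs to be valid base64.
    return base64.b64encode(label.encode()).decode()


# Constructed sample file: two keys recorded in the baseline, one that was added later.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-ed25519 {_blob('baseline-key-admin')} admin@workstation",
    f'from="10.0.0.0/8" ssh-rsa {_blob("baseline-key-backup")} backup@nas',
    f"ssh-ed25519 {_blob('unexpected-key')} unknown@unknown",
])
# Baseline fingerprints would normally come from a stored inventory; constructed here.
BASELINE = {
    fingerprint(_blob("baseline-key-admin")),
    fingerprint(_blob("baseline-key-backup")),
}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {f['line']}: {f['reason']} ({f['type']} {f['fingerprint']} {f['comment']})")
```

In practice the baseline set is captured per account (root and every service account, not just interactive users) and stored off the host, so that a compromised machine cannot rewrite its own reference; the options column is kept in the finding because `from=` and `command=` restrictions tell the analyst what a key was meant to do.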

Similarly, network-based artifacts should be collected. Suggestions for these include suspicious DNS traffic and remote connections such as remote desktop applications like RDP and VNC, along with VPN or SSH sessions. Traffic to suspicious hosts on unusual ports or via anomalous protocols should also be recorded and stored safely for analysis.
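To show what "review the network artifacts against a baseline" looks like once the logs are in hand, here is an added example (not from the advisory or from Tripwire) that triages connection and DNS records for the three things this paragraph names: remote-access sessions (RDP, VNC, SSH) from sources outside an assumed admin range, well-known services appearing on non-standard ports or unrecognised services to external hosts, and DNS queries with unusually long labels as a simple heuristic for suspicious DNS. The log format, the admin and internal ranges, and the sample lines are all constructed for the example.

```python
"""Triage constructed connection/DNS log lines for the network artifacts the advisory lists."""
import ipaddress
from collections import namedtuple

# Constructed line format: ts src sport dst dport proto service [detail]
Conn = namedtuple("Conn", "ts src sport dst dport proto service detail")

# Services that grant remote interactive access; an unexpected client is worth a ticket.
REMOTE_ACCESS = {"rdp": 3389, "ssh": 22, "vnc": 5900}
# Standard ports, so a known service on another port (ssh over 443) stands out.
STANDARD_PORT = {"http": 80, "https": 443, "dns": 53, **REMOTE_ACCESS}
# Assumed baseline (constructed): the admin jump-host subnet and the internal range.
ADMIN_SOURCES = [ipaddress.ip_network("10.0.100.0/24")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
MAX_DNS_LABEL = 40  # heuristic: labels longer than this are rare in normal lookups


def parse_line(line):
    ts, src, sport, dst, dport, proto, service, *rest = line.split()
    return Conn(ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst),
                int(dport), proto, service, rest[0] if rest else "")


def in_any(ip, nets):
    return any(ip in net for net in nets)


def triage(conn):
    """Reasons this record deserves analyst attention (empty list means none)."""
    reasons = []
    if conn.service in REMOTE_ACCESS and not in_any(conn.src, ADMIN_SOURCES):
        reasons.append(f"{conn.service} from non-admin source {conn.src}")
    standard = STANDARD_PORT.get(conn.service)
    if standard is not None and conn.dport != standard:
        reasons.append(f"{conn.service} on non-standard port {conn.dport}")
    if not in_any(conn.dst, INTERNAL) and conn.service not in STANDARD_PORT:
        reasons.append(f"unrecognised service {conn.service!r} to external host {conn.dst}:{conn.dport}")
    if conn.service == "dns" and conn.detail.startswith("query="):
        name = conn.detail[len("query="):]
        if any(len(label) > MAX_DNS_LABEL for label in name.split(".")):
            reasons.append(f"DNS label longer than {MAX_DNS_LABEL} chars in {name}")
    return reasons


def triage_log(text):
    """(timestamp, reason) pairs for every flagged record in the log text."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        conn = parse_line(raw)
        findings.extend((conn.ts, reason) for reason in triage(conn))
    return findings


# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = "\n".join([
    "# constructed sample log",
    "2020-09-01T08:00:00Z 10.0.100.5 50001 10.0.1.20 3389 tcp rdp",        # admin RDP: fine
    "2020-09-01T08:05:00Z 10.0.7.33 50002 10.0.1.20 3389 tcp rdp",         # RDP from a workstation
    "2020-09-01T08:10:00Z 10.0.7.33 50003 203.0.113.9 443 tcp ssh",        # SSH out on 443
    "2020-09-01T08:12:00Z 10.0.7.33 50004 203.0.113.9 5555 tcp unknown",   # unknown service outbound
    "2020-09-01T08:15:00Z 10.0.7.33 50005 10.0.0.2 53 udp dns query=www.example.com",
    "2020-09-01T08:16:00Z 10.0.7.33 50006 10.0.0.2 53 udp dns query=" + "a" * 48 + ".example.com",
])

if __name__ == "__main__":
    for ts, reason in triage_log(SAMPLE_LOG):
        print(ts, reason)
```

The thresholds and ranges are the part that must come from your own baseline: the advisory's point is that the same RDP session is benign from a jump host and notable from a workstation, so the allowlists are what turn raw connection records into findings.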

Recommended Investigation and Remediation Processes

The advisory also provides a list of common mistakes made during incident investigation and suggests many steps you can take to secure your environment. Missteps fall into two categories: compromising the evidence, and tipping off the attacker that an investigation has started. An action such as patching and rebooting a system can alter memory that could have been investigated, or it could clear other host artifacts. Warning an attacker that they are about to be uncovered could lead them to advance further attacks or to cover their tracks more carefully. Perform incident response or launch an investigation from a separate network, and ensure that communication about the incident and your activities is held out-of-band.

Other mistakes include fixing only the symptoms of a breach, such as changing credentials when the attacker may have other hijacked accounts or even directory-level access, or blocking a specific malicious IP address when others can likely be used. A key takeaway for an incident is to gather and remove logs and other artifacts for analysis without letting the attacker know an investigation is under way.

Best Practices for Minimizing a Security Incident

Finally, the advisory contains best-practice security advice on a variety of subjects valuable across the entire timeline, from before to after a security incident. From general security mitigations such as stopping unnecessary services, restricting network access to reduce the attack surface, and patching vulnerabilities, to implementing user access controls and user education, it recommends protections for on-premises systems as well as cloud configuration management.

The report is thorough, with extensive network security guidance and other best practices. It also advises establishing a vulnerability management program along with server configuration management and endpoint detection.

Expert Guidance for Mitigating Future Incidents

The Joint Cybersecurity Advisory, AA20-245A Technical Approaches to Uncovering and Remediating Malicious Activity, is an excellent resource for anyone looking to protect their environment as well as respond to any incidents which do occur. It provides guidance from top cybersecurity agencies on security practices to implement prior to an attack in order to produce the best outcomes in the event of a security breach.

The post “Joint Cybersecurity Advisory on Threat Hunting and Incident Response Released” appeared first on TripWire

Source:TripWire – Ben Layer

Tags: CERT, Cloud, Goverment, TripWire

Copyright © 2020 All rights reserved | NGTEdu.com