CISA Releases Joint Advisory on Preventing and Handling Cyber-Attacks

A joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), produced through a collaborative research effort with CISA's international cybersecurity counterparts in Australia, Canada, New Zealand, and the United Kingdom, offers tips for recognizing malicious online activity and advice on how best to handle cybersecurity breaches.

The advisory details the steps organizations should take when a cybersecurity incident is detected.

The first step is to collect as much data and as many relevant artifacts from the breach as possible. The second step upon breach discovery is to take mitigation steps in a way that does not let the adversary realize their intrusion has been detected. The final step is to obtain incident response support from a third-party IT security organization to better understand the breach, remove the adversary from the network, and ensure that the system cannot be compromised in the same way again.

The release highlights mistakes commonly made during this three-step process, underscoring the need for a deliberate, long-term plan rather than impulsive decisions when incidents occur.

As NextGov explains, these commonly made mistakes include:

  • Mitigating the affected systems too early, which could allow the adversary to notice and change their tactics

  • Touching adversary infrastructure, which can tip off the adversary that they have been detected

  • Preemptively blocking adversary infrastructure, which can take away network defenders’ visibility of their activity

  • Preemptive password reset, which does not ensure a fix because the adversary likely has multiple credentials, or worse, owns your network

  • Failure to preserve or collect critical log data, which should be collected and retained for at least one year.
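The first step described above, collecting artifacts before any containment, and the last pitfall, failing to preserve log data, both come down to capturing evidence without altering it. The script below is an added example, not part of the advisory or of this article: it copies every file under a log directory into a case directory, preserves the original timestamps, records a SHA-256 manifest so later tampering with the copies can be detected, and marks the copies read-only. The originals are never modified. All paths (`/var/log`, `/mnt/case-0001`) are hypothetical, and the sample log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the article): preserve log artifacts
# from a suspected compromise before any containment step is taken, so the
# originals stay untouched and the copies carry an integrity manifest.
# All paths are hypothetical; sample logs are constructed by the caller.
set -eu

# Hash one file, producing a "HASH  PATH" line that sha256sum/shasum can check.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Verify a manifest written by hash_file against the files it names.
check_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c "$1" >/dev/null 2>&1
    else
        shasum -a 256 -c "$1" >/dev/null 2>&1
    fi
}

# preserve_logs SRC_DIR CASE_DIR
# Copies every regular file under SRC_DIR to CASE_DIR/evidence/, keeping the
# original timestamps (cp -p), records a SHA-256 for each copy in
# CASE_DIR/MANIFEST.sha256, and marks the copies read-only. Nothing under
# SRC_DIR is modified. Prints the number of files preserved.
preserve_logs() {
    src_dir="$1"
    case_dir="$2"
    mkdir -p "$case_dir/evidence"
    manifest="$case_dir/MANIFEST.sha256"
    : > "$manifest"
    find "$src_dir" -type f | while IFS= read -r f; do
        rel="${f#"$src_dir"/}"
        mkdir -p "$case_dir/evidence/$(dirname "$rel")"
        cp -p "$f" "$case_dir/evidence/$rel"
        # Hash relative to CASE_DIR so the manifest stays valid if the case
        # directory is later moved to offline storage.
        (cd "$case_dir" && hash_file "evidence/$rel") >> "$manifest"
    done
    find "$case_dir/evidence" -type f -exec chmod a-w {} +
    wc -l < "$manifest" | tr -d ' '
}

# verify_case CASE_DIR
# Returns 0 if every preserved copy still matches its recorded hash.
verify_case() {
    (cd "$1" && check_manifest MANIFEST.sha256)
}

# Stand-alone usage (hypothetical paths): ./preserve_logs.sh /var/log /mnt/case-0001
if [ "$#" -eq 2 ]; then
    preserve_logs "$1" "$2"
fi
```

Run `verify_case` against the case directory whenever the evidence changes hands; a non-zero exit means a copy no longer matches what was collected. Collection of this kind should happen before blocking infrastructure or resetting credentials, since those actions can both alert the adversary and destroy the very data the investigation needs.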

The final portion of the advisory details recommendations and best practices to put in place before an attack. A few of those outlined in the advisory include:

  • User education, training users in security principles to improve organizational resilience

  • Allowlisting, preventing the execution of unauthorized software by applying application allowlisting as part of the OS installation and security hardening process

  • User control, removing unnecessary accounts and groups

  • Backups, securing and maintaining backups of data and logs in case of compromise

  • Network security, including implementing an intrusion detection system (IDS)

Paul Chichester, Director of Operations for the U.K. National Cybersecurity Centre, which collaborated with CISA on the report, said, “This advisory will help organisations understand how to investigate cyber incidents [and] protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organisations and the wider public, we will continue to strengthen our defences to make us the hardest possible target for our adversaries.”

There are a number of other mitigation practices and recommendations detailed in the joint advisory. Overall, CISA maintains that a strong cybersecurity infrastructure will be necessary for the proper functioning of the federal government and its internal systems.
