CISA Releases Joint Advisory on Preventing and Handling Cyber-Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has released a joint advisory, produced with its international cybersecurity counterparts in Australia, Canada, New Zealand, and the United Kingdom, that offers guidance on recognizing malicious online activity. The advisory provides advice on how best to handle cybersecurity breaches.
The advisory details the steps organizations should take when a cybersecurity incident is detected.
The first step is to collect as much data and as many relevant artifacts from the breach as possible. The second step upon discovering a breach is to implement mitigations in a way that does not alert the adversary that the intrusion has been recognized. The final step is to obtain response support from a third-party IT security organization to better understand the breach, remove the adversary from the network, and ensure that the system cannot be compromised again.
The release highlights mistakes commonly made during this three-step process, underscoring the need for a long-term plan rather than impulsive decisions when incidents occur.
As NextGov explains, these often-overlooked steps include:
Mitigating the affected systems too early, which could allow the adversary to notice and change their tactics
Touching adversary infrastructure, which can tip off the adversary that they have been detected
Preemptively blocking adversary infrastructure, which can take away network defenders’ visibility of their activity
Preemptive password resets, which do not ensure a fix because the adversary likely holds multiple credentials or, worse, already controls your network
Failure to preserve or collect critical log data, which should be collected and retained for at least one year.
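The last item above, retaining critical log data for at least one year, is the one a defender can check mechanically. The following script is an added example, not code from the advisory or from this article: it parses a handful of constructed logrotate-style stanzas (the paths, counts and `maxage` values are made up for the demonstration) and reports which logs would be rotated away before the one-year minimum. The `rotate`, `maxage` and interval keywords are real logrotate directives; the assumption that each stanza names a single path and that a stanza with no interval keyword retains nothing is the example's own simplification.

```python
"""Audit log-retention policies against a minimum retention window."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

MIN_RETENTION_DAYS = 365  # the advisory's "at least one year"

# Rotation interval keywords and the (approximate) number of days each covers.
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample in logrotate syntax; these paths and values are made up
# for the demonstration and do not come from the advisory or the article.
SAMPLE_CONFIG = """
/var/log/auth.log {
    weekly
    rotate 4        # four weeks of history: well under one year
    compress
}
/var/log/proxy/access.log {
    daily
    rotate 400
    maxage 90       # maxage caps retention at 90 days despite rotate 400
}
/var/log/dns/query.log {
    monthly
    rotate 13       # roughly thirteen months
}
/var/log/fw/firewall.log {
    daily
    rotate 400
}
"""


@dataclass
class RetentionPolicy:
    path: str
    interval: Optional[str]  # rotation keyword, or None if the stanza names none
    rotate: int              # number of rotated copies kept (0 = old copies deleted)
    maxage: Optional[int]    # hard cap in days, if the stanza sets one

    def retention_days(self) -> float:
        """Effective retention: copies kept * interval length, capped by maxage.

        A stanza with no interval keyword is treated as retaining nothing
        (simplification for this example)."""
        if self.interval is None:
            return 0
        days = self.rotate * INTERVAL_DAYS[self.interval]
        if self.maxage is not None:
            days = min(days, self.maxage)
        return days


# One '<path> { ... }' stanza per match; DOTALL so the body may span lines.
STANZA_RE = re.compile(r"(\S+)\s*\{(.*?)\}", re.S)


def parse_logrotate(text: str) -> list[RetentionPolicy]:
    """Extract one RetentionPolicy per stanza (one path per stanza assumed)."""
    policies = []
    for path, body in STANZA_RE.findall(text):
        interval, rotate, maxage = None, 0, None
        for line in body.splitlines():
            tokens = line.split("#", 1)[0].split()  # drop trailing comments
            if not tokens:
                continue
            key = tokens[0]
            if key in INTERVAL_DAYS:
                interval = key
            elif key == "rotate" and len(tokens) > 1:
                rotate = int(tokens[1])
            elif key == "maxage" and len(tokens) > 1:
                maxage = int(tokens[1])
        policies.append(RetentionPolicy(path, interval, rotate, maxage))
    return policies


def audit(text: str, minimum_days: int = MIN_RETENTION_DAYS) -> dict[str, tuple[float, bool]]:
    """Map each log path to (effective retention in days, meets-minimum flag)."""
    result = {}
    for policy in parse_logrotate(text):
        days = policy.retention_days()
        result[policy.path] = (days, days >= minimum_days)
    return result


if __name__ == "__main__":
    for path, (days, ok) in audit(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {days:g} days retained")
```

The `maxage` stanza is the case worth noticing: a generous `rotate` count looks compliant at a glance, yet the age cap silently discards everything older than 90 days, which is exactly the evidence an investigation started months after initial access would need.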
The final portion of the advisory details recommendations and best practices to adopt before an attack occurs. A few of those outlined in the advisory include:
User education, which trains users in security principles and improves organizational resilience
Allowlisting, which prevents the execution of unauthorized software by applying application allowlisting as part of the OS installation and security hardening process
User control, which removes unnecessary accounts and groups
Backups, which secure and maintain data and logs in case of compromise
Network security, which includes implementing an intrusion detection system (IDS)
Paul Chichester, Director of Operations for the U.K. National Cyber Security Centre, which collaborated with CISA on the report, said, “This advisory will help organisations understand how to investigate cyber incidents [and] protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organisations and the wider public, we will continue to strengthen our defences to make us the hardest possible target for our adversaries.”
There are a number of other mitigation practices and recommendations detailed in the joint advisory. Overall, CISA maintains that a strong cybersecurity infrastructure will be necessary for the proper functioning of the federal government and its internal systems.