CISA, International Counterparts Highlight Mistakes Organizations Make After a Cyber Intrusion

BeeBright/Shutterstock.com

A lot of what’s necessary to appropriately respond to a cyber incident should happen way in advance.

The Cybersecurity and Infrastructure Security Agency collaborated with similar allied authorities in issuing an extensive list of best practices for preempting malicious cyber actors and navigating related crises in the moment. 

“Today’s joint alert is the first of its kind for CISA since our formal establishment in 2018 and one I’ve aimed for since day one,” CISA Director Christopher Krebs said in a press release Tuesday.

CISA has partnered with the United Kingdom’s National Cyber Security Centre in the past to call attention to specific nation-state actors and threats. Tuesday’s advisory takes a more general, proactive approach, and includes the Australian Cyber Security Centre, New Zealand’s National Cyber Security Centre and Computer Emergency Response Team, and Canada’s Communications Security Establishment, in addition to the U.K.’s NCSC.

“With our allied cybersecurity government partners, we work together every day to help improve and strengthen the cybersecurity of organizations and sectors of our economy that are increasingly targeted by criminals and nation states alike,” Krebs said. “Fortunately, there’s strength in numbers and this unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”

The release highlighted five mistakes network defenders tend to make when responding to an incident that suggest a global need to focus more on the long game rather than impulsive reactions.

These often overlooked steps include: “Mitigating the affected systems too early, which could allow the adversary to notice and change their tactics; touching adversary infrastructure, which can tip off the adversary that they have been detected; preemptively blocking adversary infrastructure, which can take away network defenders’ visibility of their activity; preemptive password reset, which does not ensure a fix because adversary likely has multiple credentials – or worse owns your network; and failure to preserve or collect critical log data, which should be collected and retained for at least one year.”

Increased use of cloud technology could make that last item especially challenging. A report issued by the National Institute of Standards and Technology last month about the effect of cloud computing on forensic capabilities notes a “lack of even minimum/basic [standard operating procedures],” in cloud providers’ maintenance of logs and other records.

The advisory—“technical approaches to uncovering and remediating malicious activity”—includes a huge list of other specific proactive measures, such as segmenting networks, shutting down unused systems or services, and implementing the least-privilege principle of access.

“Cyber security is a global issue that requires a collaborative international effort to protect our most critical assets,” said Paul Chichester, director of operations for NCSC U.K. “This advisory will help organisations understand how to investigate cyber incidents [and] protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organisations and the wider public, we will continue to strengthen our defences to make us the hardest possible target for our adversaries.”

RELATED PODCAST: