On Tuesday, September 1st, 2020, something major happened in the cyber security community. The governments of the United States (US), United Kingdom (UK), Canada, New Zealand and Australia released a joint cyber security advisory detailing approaches to uncovering and remediating malicious activity. This is extremely relevant for all businesses and organizations in these countries.
A joint cyber security advisory
The advisory is important and comes at a critical time when cyber-attacks are on the rise. Despite a joint announcement by Canada, the US, and the UK on Russian attacks against COVID-19 research and intellectual property, these kinds of publications are relatively rare. The effort invested by these governments in issuing a joint advisory underscores the confidence the authors have in the cyber security techniques within, as well as the importance of implementing them.
Behind the report are national security organizations charged with preventing attacks on the government, critical infrastructure, and businesses within their respective nations. They are the authoritative government experts within each country, with access to vast volumes of cyber security intelligence and data, and decades of experience designing, developing, and implementing secure networks. This includes highly sensitive networks, such as those that handle classified material.
Why this cyber security advisory matters
At Field Effect, we are excited about this advisory because it allowed these national security agencies to share some of their sensitive information and intelligence in a form that is accessible to the public. It provides an unbiased collection of expert recommendations, free from commercial spin, and built on data sets available to very few organizations around the world.
What does the advisory advise?
Worth noting in the advisory are several high-level strategies as well as some very specific technical measures recommended for implementation. They include:
- Identifying attacks through an ability to define what is ‘normal’ on a network and subsequently spotting user and system behaviours that are inconsistent with this baseline. This is often called anomaly-based threat detection.
- Given how much data can be present on even the smallest network, it isn’t feasible to review everything that happens or read thousands or millions of alert logs. It is necessary to employ strategies that avoid data overload and alert fatigue. This can include focusing on known attack patterns to identify telltale signs of attacker movement or persistence in a network.
- Ensuring that you have detailed visibility of your network to identify vulnerabilities and spot active threats. This means having enough detail and insight into:
- User accounts to detect anomalous activity and insecure configuration
- Host processes, file storage, and operating system to spot attacker tradecraft
- Network traffic to spot legacy protocols that could be exploited
- Unnecessary network services, disabled firewalls, or ghost and shadow IT
The advisory similarly provides detailed recommendations across host and network systems, as well as best practice recommendations for the level and types of cyber security monitoring for your network. Mitigation advice—things to do to prevent an attack—and incident handling best practices are included among the recommendations.
At Field Effect, we’re proud to say we are in full alignment with the recommendations contained within this report.
In fact, the reason we offer both leading-edge digital forensics and incident response services, as well as an advanced threat detection and vulnerability discovery solution, is no coincidence. They are highly related operationally and skill-wise.
In other words, being able to successfully respond and recover from an incident depends on the ability to first identify and detect an attacker’s behaviour. The Joint Cybersecurity Advisory recognizes this relationship and its title “Technical Approaches to Uncovering and Remediating Malicious Activity”, reflects this concept.