09.09.2020 Here’s what the Five Eyes say you need to do to uncover threat actors on your network

by Andrew Loschmann

Australia, Canada, New Zealand, the United Kingdom and the US publish a rare joint cyber security advisory

On Tuesday, September 1st, 2020, something notable happened in the cyber security community. The governments of the United States (US), United Kingdom (UK), Canada, New Zealand and Australia released a joint cyber security advisory, published by CISA as Alert AA20-245A, detailing technical approaches to uncovering and remediating malicious activity on a network. It is directly relevant to every business and organization in these countries.

The advisory comes at a time when cyber-attacks are on the rise. Apart from the recent joint announcement by Canada, the US and the UK on Russian attacks against COVID-19 research and intellectual property, publications of this kind are rare. The effort these governments invested in a joint advisory underscores both their confidence in the techniques it describes and the importance they place on organizations implementing them.

Behind the report are the national security organizations charged with preventing attacks on government, critical infrastructure and businesses within their respective nations. They are the authoritative government experts in each country, with access to vast volumes of cyber security intelligence and data, and decades of experience designing, building and operating secure networks. That includes highly sensitive networks, such as those that handle classified material (you know, the stuff marked ‘TOP SECRET’).

At Field Effect, we are excited about this advisory because it lets these national security agencies share some of their sensitive knowledge and intelligence in a form that is accessible to the public. It is an unbiased collection of expert recommendations, free from commercial spin and built on data sets available to very few organizations in the world.

The advisory pairs several high-level strategies with very specific technical measures recommended for implementation. They include:

  • Identifying attacks by first defining what is ‘normal’ on a network, then spotting user and system behaviours that are inconsistent with that baseline. This is usually called anomaly-based threat detection.
  • Avoiding data overload and the alert fatigue that follows from it. Even a small network generates more events than anyone can review by hand, and reading thousands or millions of alert logs is not feasible. One strategy is to focus on known attack patterns, the telltale signs of an attacker moving through a network or establishing persistence, rather than on every event.
  • Maintaining detailed visibility of your network so you can both identify vulnerabilities and spot active threats. That means monitoring all user accounts for anomalous activity and insecure configuration; having host-level insight into processes, file storage and the operating system to spot attacker tradecraft; and having enough detail from network traffic to spot exploitable legacy protocols, attacker communications with your network, unnecessary network services, disabled firewalls, and ghost or shadow IT.
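The first two strategies above fit together in practice: a baseline of normal behaviour is learned from a trusted window of events, new events are compared against it, a small set of known-bad patterns (here, legacy protocols on the wire) is checked regardless of the baseline, and identical findings are collapsed so a noisy host produces one alert instead of hundreds. The following Python is an added illustration of that workflow and is not code from the advisory or from Field Effect. Every event record, user name, host name and protocol label in it is constructed for the example, and the hour-slack and legacy-protocol lists are assumed tuning values a practitioner would set for their own environment.

```python
"""Baseline-then-anomaly detection over constructed auth/network events.

Added example: the event records, names and thresholds are hypothetical and
chosen to exercise each detection rule once.
"""
from collections import defaultdict

# Constructed "known-good" window used to learn what is normal per user.
BASELINE_EVENTS = [
    {"user": "alice", "host": "WS01", "hour": 9,  "proto": "smb2",  "dst": "FS01"},
    {"user": "alice", "host": "WS01", "hour": 10, "proto": "smb2",  "dst": "FS01"},
    {"user": "alice", "host": "WS01", "hour": 14, "proto": "https", "dst": "WEB01"},
    {"user": "bob",   "host": "WS02", "hour": 8,  "proto": "rdp",   "dst": "APP01"},
    {"user": "bob",   "host": "WS02", "hour": 17, "proto": "smb2",  "dst": "FS01"},
    {"user": "svc_backup", "host": "BK01", "hour": 2, "proto": "smb2", "dst": "FS01"},
]

# Constructed events to scan once the baseline has been learned.
NEW_EVENTS = [
    {"user": "alice", "host": "WS01", "hour": 11, "proto": "smb2",   "dst": "FS01"},  # normal
    {"user": "alice", "host": "WS07", "hour": 3,  "proto": "smb2",   "dst": "FS01"},  # new host, odd hour
    {"user": "alice", "host": "WS07", "hour": 3,  "proto": "smb2",   "dst": "DC01"},  # same anomalies again
    {"user": "bob",   "host": "WS02", "hour": 9,  "proto": "telnet", "dst": "SW01"},  # legacy protocol
    {"user": "svc_backup", "host": "WS02", "hour": 2, "proto": "smb2", "dst": "FS01"},  # service acct off its host
]

# Known-bad pattern checked independently of any baseline. The labels are
# assumed names a network sensor might emit for these protocols.
LEGACY_PROTOCOLS = {"telnet", "ftp", "smb1", "ntlmv1"}
HOUR_SLACK = 1  # assumed tolerance either side of a user's observed hours


def build_baseline(events):
    """Learn each user's normal source hosts and active-hour range."""
    hosts = defaultdict(set)
    hours = defaultdict(list)
    for e in events:
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].append(e["hour"])
    # Hour ranges do not wrap past midnight here; a real profile would.
    return {
        u: {"hosts": hosts[u],
            "hours": (min(hours[u]) - HOUR_SLACK, max(hours[u]) + HOUR_SLACK)}
        for u in hosts
    }


def detect(baseline, events):
    """Return one (event, reason) finding per rule an event trips."""
    findings = []
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None:
            findings.append((e, "user never seen in baseline"))
            continue
        if e["host"] not in prof["hosts"]:
            findings.append((e, "logon from host outside baseline"))
        lo, hi = prof["hours"]
        if not lo <= e["hour"] <= hi:
            findings.append((e, "activity outside baseline hours"))
        if e["proto"] in LEGACY_PROTOCOLS:
            findings.append((e, f"legacy protocol {e['proto']}"))
    return findings


def aggregate(findings):
    """Collapse repeated (user, host, reason) findings into counted alerts,
    most frequent first, so an analyst sees one line per distinct problem."""
    counts = defaultdict(int)
    for e, reason in findings:
        counts[(e["user"], e["host"], reason)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for (user, host, reason), n in aggregate(detect(profile, NEW_EVENTS)):
        print(f"{n:>3}x {user:<11} {host:<5} {reason}")
```

Running it yields four aggregated alerts from five events: alice's two off-hours logons from an unseen host become one alert per reason with a count of two, bob's Telnet session is flagged by the known-pattern rule even though his timing and host are normal, and the backup service account is flagged for appearing on a workstation. The ordinary alice event at 11:00 from WS01 produces nothing, which is the point of baselining: the normal traffic is filtered out before anyone has to read it.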

The advisory also gives detailed recommendations for host and network systems, along with best-practice guidance on the level and types of cyber security monitoring appropriate for your network. Mitigation advice (the steps that prevent an attack in the first place) and incident handling best practices are included as well.

At Field Effect, we’re proud to say we are in full alignment with the recommendations in this report. It is no coincidence that we offer both digital forensics and incident response services and a continuous threat detection and vulnerability discovery product: the two are closely related, both operationally and in the skills they require. Responding to and recovering from an incident depends on first being able to identify and detect the attacker’s behaviour. The Joint Cybersecurity Advisory recognizes this relationship, and its title, “Technical Approaches to Uncovering and Remediating Malicious Activity”, reflects it.

Stay tuned for more detailed breakdowns of the advisory! After all, we love talking about how our combination of experts at your service and our Covalence™ cyber security solution allow you to maintain a network with the same security practices recommended by the world’s leading cyber security agencies.
