Prevent, detect, and contain: that’s the National Security Agency (NSA) advice for mitigating the damage of malware attacks.
The NSA is warning businesses and agencies to prepare for an upswing of attacks in which data is not only stolen/exposed, but is, along with the network systems that house the data, destroyed or left unusable in the wake of the attack.
Annihilation of data is a growing threat, notes the NSA in its report, “Defensive Best Practices Against Destructive Malware.” Compiled by the NSA’s Information Assurance Directorate (IAD) division, the report provides a good proactive baseline for warding off attacks, along with advice on how to keep attackers from running amuck after they have gained some access to the network.
Security experts have warned that 2016 will be the year of the particularly malicious hacker. Such attackers will wipe compromised networks after a successful attack in order to destroy forensic evidence. In other cases, as we’ve seen with the various “locker” ransomwares, data is encrypted and held for ransom. If demands aren’t met, the data isn’t released from its encrypted prison.
“Defensive Best Practices Against Destructive Malware” is, rather frankly, a list of well-known best security practices that should already be in place in any organization, enterprise, or agency. That’s not a slam against the NSA—best practices are by definition established consensus rules. The NSA does a good job in the report of drilling down to provide implementation advice and other useful documentation.
“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all of the data that is on the network,” the NSA noted.
Its guidance includes the following suggestions:
- Segregate network systems and functions in such a way that an attacker who has successfully penetrated part of the network isn’t able to access other areas of the ecosystem.
- Protect and restrict administrative privileges to minimize the chances that an attacker can gain control over the entire network.
- Utilize application whitelisting to prevent malicious code from executing.
- Limit workstation-to-workstation communication to reduce the attack surface that an attacker can use to spread and hide within a network.
- Run robust network boundary defenses such as perimeter firewalls, application-layer firewalls, forward proxies, and sandboxing or other dynamic traffic and code analyses.
- Actively monitor host and network logging, ensuring that log information is aggregated to a centralized reporting system that will issue an immediate alert on any anomalous or malicious activity.
- Implement pass-the-hash mitigations to reduce the risk of credential theft and reuse.
- Run Microsoft’s EMET or other anti-exploit tools to block initial exploits.
- Employ antivirus reputation services in addition to traditional signature-based AV; the former will thwart brand new attacks more effectively than signature-based tools will.
- Run host intrusion prevention systems.
- Regularly update and patch software.
The report also stresses the importance of planning for the worst case scenario by developing an incident response plan and regularly testing the plan.
“Preparing through offline backups and exercised incident response and recovery plans can make the organization more resilient, enabling quick reconstitution and the resumption of normal business functions as soon as possible,” says the NSA.
We would hope that none of the above is news to security professionals, but the report makes for a good bit of informative reading to pass around the C-suite when security budgets and initiatives are being discussed.
Retailers who are concerned that they’ve been running systems that are essentially open doors to malicious hackers and other criminals may want to conduct a thorough analysis of their system before locking those virtual doors. Obviously, if the criminals are already inside the system, implementing best practices to keep them out will be less than useful.
BAI offers comprehensive IT Security Assessments for companies who want to improve the security of their computing ecosystem. These services include:
- Vulnerability and Penetration Testing
- Extensive Firewall Evaluation
- Social Engineering Evaluation
- Malware Protection Evaluation
- Network Operating System Evaluation
- Remote Location (Branch) Evaluation
- Remote Access Evaluation
- Telco-testing / War-dialing Evaluation
- Wireless Security Evaluation
We also provide a Compromise Assessment service for companies that want to ensure malware is not operating within their network, or that the organization has not already been breached by external attackers.