13 Aug 2015
Prevent, detect, and contain: that’s the National Security Agency (NSA) advice for mitigating the damage of malware attacks. The NSA’s new report, “Defensive Best Practices Against Destructive Malware,” provides a good proactive baseline for warding off attacks, along with advice on how to keep attackers from running amok after they have gained some access to the network.

Security experts have warned that 2015 will be the year of the particularly malicious hacker. Such attackers wipe compromised networks after a successful attack in order to destroy forensic evidence. In other cases, as we’ve seen with the various “locker” ransomware families, data is encrypted and held for ransom; if demands aren’t met, the data isn’t released from its encrypted prison.

“Defensive Best Practices Against Destructive Malware” is, rather frankly, a list of well-known security best practices that should already be in place in any organization, enterprise, or agency. That’s not a slam against the NSA; best practices are by definition established consensus rules, and the report does a good job of drilling down to provide implementation advice and pointers to other useful documentation.

“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all of the data that is on the network,” the NSA noted. Its guidance includes:
- Segregate network systems and functions in such a way that an attacker who has successfully penetrated part of the network isn’t able to access other areas of the ecosystem.
- Protect and restrict administrative privileges to minimize chances that an attacker can gain control over the entire network.
- Utilize application whitelisting to prevent malicious code from executing.
- Limit workstation-to-workstation communication to reduce the attack surface that an attacker can use to spread and hide within a network.
- Run robust network boundary defenses such as perimeter firewalls, application-layer firewalls, forward proxies, and sandboxing or other dynamic traffic and code analyses.
- Actively monitor host and network logging, ensuring that log information is aggregated to a centralized reporting system that will issue an immediate alert on any anomalous or malicious activity.
- Implement pass-the-hash mitigations to reduce the risk of credential theft and reuse.
- Run Microsoft’s EMET or other anti-exploit tools to block initial exploits.
- Employ antivirus reputation services in addition to traditional signature-based AV; the former will thwart brand new attacks more effectively than signature-based tools.
- Run host intrusion prevention systems.
- Regularly update and patch software.
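As an added illustration of the workstation-to-workstation and centralized-logging items above (this is example code, not code from the NSA report), the following Python snippet runs a simple lateral-movement check over constructed, centrally aggregated connection logs. The workstation subnet, the log line format and the set of admin-protocol ports are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of centrally aggregated connection logs (not from the report):
# "timestamp src_ip dst_ip dst_port account"
SAMPLE_LOG = """\
2015-08-13T09:01:02 10.1.10.21 10.1.200.5 445 jdoe
2015-08-13T09:01:05 10.1.10.21 10.1.10.34 445 jdoe
2015-08-13T09:01:09 10.1.10.21 10.1.10.35 3389 jdoe
2015-08-13T09:01:12 10.1.10.21 10.1.10.36 5985 DOMAIN\\adm-backup
2015-08-13T09:02:00 10.1.10.40 10.1.200.9 443 asmith
2015-08-13T09:02:30 10.1.10.21 10.1.10.37 445 jdoe
"""

WORKSTATION_NETS = [ipaddress.ip_network("10.1.10.0/24")]  # assumption: the workstation VLAN
LATERAL_PORTS = {445, 3389, 5985, 5986}                    # SMB, RDP, WinRM (assumed policy)
FAN_OUT_THRESHOLD = 3  # distinct peer workstations reached before escalating severity

def is_workstation(ip):
    """True when the address falls inside a configured workstation subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def parse_line(line):
    ts, src, dst, port, account = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "account": account}

def detect_lateral_movement(log_text):
    """Return alerts for workstation-to-workstation traffic on admin protocols.

    Emits one medium alert per offending connection and one high alert when a
    single workstation has reached FAN_OUT_THRESHOLD distinct peer workstations.
    """
    alerts = []
    peers = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["port"] in LATERAL_PORTS and is_workstation(ev["src"]) and is_workstation(ev["dst"]):
            alerts.append({"severity": "medium", "rule": "ws-to-ws-admin-protocol", **ev})
            peers[ev["src"]].add(ev["dst"])
            if len(peers[ev["src"]]) == FAN_OUT_THRESHOLD:
                alerts.append({"severity": "high", "rule": "ws-fan-out", "ts": ev["ts"],
                               "src": ev["src"], "peers": sorted(peers[ev["src"]])})
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_LOG):
        print(alert)
```

Workstation-to-server traffic (the 10.1.200.x destinations) is left alone; only admin-protocol connections between two workstation addresses are flagged, which is the traffic the segmentation item aims to block outright.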