This newly-released report is the result of a collaborative effort by cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom, and the United States.
Nothing says “this is the standard” like a set of guidelines that are written by and agreed upon by the world’s leading experts in cybersecurity. The Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity provides organizations with technical approaches, mitigation steps, and best practices designed to “enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
Some of the most important content in this advisory is its mitigation content; having a planned response *is* important, but it’s better to keep an attack from happening. Some of the familiar recommendations include disallowing unrestricted RDP access (a commonly-used tactic for ransomware attacks) and disabling the interactive logon of service accounts (used as part of lateral movement activity), among others.
It also provides guidance around best practices to put in place prior to an incident occurring. These include:
- Application whitelisting
- Limiting privileged access
- Maintain backups of essential data and systems
- Use and maintain a secure workstation image
In addition, the collective cybersecurity authorities see the user as “the frontline security of [an] organization,” citing the need for “User Education.” According to the advisory, the education focuses on malicious downloads and phishing emails, as well as how to respond should they either come face to face with an attack, as well as should they fall for one.
Security Awareness Training helps to address these recommendations, educating the user with practical examples of modern attacks, while emphasizing the importance of the user’s role in organizational security.
Take a look at this advisory; it provides great context into what you should be doing both before and after an attack.