NSA offers advice to enterprises confronting malware-wielding attackers
In the aftermath of the major data breaches perpetrated by malware-wielding hackers, such as the Target breach and recent Sony Pictures hack, the National Security Agency (NSA) and Central Security Service have published a report with advice for companies on how to deal with malware attacks.
The report summarizes the advice as "prevent, detect and contain."
To be more specific, the report recommends that IT security pros:
- Segregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
- Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
- "Deploy, configure, and monitor application whitelisting[--listing of approved applications--]to prevent malware from executing;"
- Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
- Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters to catch the malware before it breaches the network;
- Maintain and monitor centralized host and network logging product after ensuring that all devices are logging enabled and their logs are collected in order to detect malicious activity and contain it as soon as possible;
- Implement pass-the-hash mitigation to reduce credential theft and reuse;
- Deploy Microsoft Enhanced Mitigation Experience Toolkit or other anti-exploitation capability for devices running non-Windows operating systems;
- Employ anti-virus file reputation services to catch known malware sooner than normal anti-virus software;
- Implement host intrusion prevent systems to detect and prevent attack behaviors; and
- Update and patch software in a timely manner so known vulnerabilities cannot be exploited.
"Once a malicious actor achieves privileged control of an organization's network, the actor has the ability to steal or destroy all the data that is on the network," the report noted. "While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization's network."
- check out the NSA report