Joint Cybersecurity Advisory Outlines Approaches to Discovering and Remediating Attacks

This newly-released report is the result of a collaborative effort by cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom, and the United States.
Nothing says “this is the standard” like a set of guidelines that are written by and agreed upon by the world’s leading experts in cybersecurity. The Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity provides organizations with technical approaches, mitigation steps, and best practices designed to “enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
Some of the most important content in this advisory is its mitigation content; having a planned response *is* important, but it’s better to keep an attack from happening. Some of the familiar recommendations include disallowing unrestricted RDP access (a commonly-used tactic for ransomware attacks) and disabling the interactive logon of service accounts (used as part of lateral movement activity), among others.
It also provides guidance on best practices to put in place before an incident occurs. These include:

- Application whitelisting
- Limiting privileged access
- Maintaining backups of essential data and systems
- Using and maintaining a secure workstation image
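Two of the mitigations above (restricting RDP and keeping service accounts out of interactive logon) can be checked against a Windows local security policy export. The following is an added example, not code from the advisory or this post: it parses the `[Privilege Rights]` section as written by `secedit /export /cfg policy.inf` and flags service accounts that are not denied both local and RDP logon, plus overly broad RDP grants. The policy text and SIDs below are constructed sample data.

```python
import re

# Constructed sample of the [Privilege Rights] section of a secedit export.
# SIDs are made up except the well-known ones (S-1-5-11, S-1-5-32-544, ...).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1000-2000-3000-1105,*S-1-5-21-1000-2000-3000-1106
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
"""

# Well-known SIDs that make an RDP grant effectively unrestricted.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users", "S-1-5-7": "Anonymous"}

def parse_privilege_rights(inf_text):
    """Return {right_name: set(SIDs)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes each SID prefixed with '*'; strip it for comparison.
        rights[name.strip()] = {s.strip().lstrip("*")
                                for s in value.split(",") if s.strip()}
    return rights

def service_accounts_allowed_interactive(rights):
    """Service accounts (SeServiceLogonRight) missing either deny right.
    Virtual service accounts (S-1-5-80-*) are skipped: they are not users."""
    services = rights.get("SeServiceLogonRight", set())
    deny_local = rights.get("SeDenyInteractiveLogonRight", set())
    deny_rdp = rights.get("SeDenyRemoteInteractiveLogonRight", set())
    return sorted(sid for sid in services
                  if not sid.startswith("S-1-5-80-")
                  and (sid not in deny_local or sid not in deny_rdp))

def broad_rdp_grants(rights):
    """Names of broad groups granted 'Allow log on through Remote Desktop'."""
    rdp = rights.get("SeRemoteInteractiveLogonRight", set())
    return sorted(BROAD_SIDS[sid] for sid in rdp if sid in BROAD_SIDS)
```

On a real host, replace SAMPLE_INF with the contents of the file produced by `secedit /export /cfg policy.inf` (run from an elevated prompt).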
In addition, the collective cybersecurity authorities see the user as “the frontline security of [an] organization,” citing the need for “User Education.” According to the advisory, that education focuses on malicious downloads and phishing emails, as well as how users should respond if they encounter an attack or fall for one.
Security Awareness Training helps to address these recommendations, educating the user with practical examples of modern attacks, while emphasizing the importance of the user’s role in organizational security.
Take a look at this advisory; it provides great context into what you should be doing both before and after an attack.


Maze ransomware uses Ragnar Locker virtual machine technique

The Maze ransomware operators have adopted a new tactic to evade detection: their malware now encrypts a computer from within a virtual machine, a tactic previously adopted by the Ragnar Locker malware. This technique was first adopted by Ragnar Locker gang in […]
The post Maze ransomware uses Ragnar Locker virtual machine technique appeared first on Security Affairs.