The NSA’s Information Assurance Directorate (IAD) issued a report this month laying out best practices for combating malware designed to steal or destroy corporate data.
The report, entitled ‘Defensive Best Practices for Destructive Malware’, seems in part aimed at dealing with the type of data-wiping malware at the center of the recent attack on Sony Pictures Entertainment. Much of the advice, the document notes, is also contained in the guidance in the previously published ‘Information Assurance Mitigation Strategies’.
Among the key pieces of advice: segregate network systems, limit workstation-to-workstation communication and protect and restrict administrative privileges for high-level administrator accounts. Organizations are also advised to deploy, configure and monitor application whitelisting to prevent unauthorized or malicious software from executing.
“The earlier that network defenders can detect and contain an intrusion, the less damage the intruder can possibly cause,” according to the report. “In addition to trying to contain an intrusion as early as possible, planning for the possibility of a significant intrusion and potential wide scale destruction of data and systems will be well worth the effort in the event that they are needed. Preparing through offline backups and exercised incident response and recovery plans can make the organization more resilient, enabling quick reconstitution and the resumption of normal business functions as soon as possible.”
Other advice includes:
- Use network security technologies such as perimeter and application firewalls, forward proxies, sandboxing or other dynamic analysis filters to capture malware when it enters the network
- Monitor host and network logs
- Leverage pass-the-hash mitigations to reduce the risk of credential theft
- Deploy Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) or other anti-exploit tools
- Patch vulnerable software
- Use antivirus reputation services to complement antivirus protections
- Use host intrusion prevention systems
“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network,” the report continues. “While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.”
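Two of the report's recommendations, limiting workstation-to-workstation communication and monitoring network logs, can be checked against each other: flow records that show workstations talking to other workstations on remote-administration or file-sharing ports are exactly the traffic a segregated network should not carry. The script below is an added example, not material from the NSA report or the article; the address plan, port list and log format are constructed assumptions.

```python
import ipaddress

# Assumed address plan (constructed for this example): workstations live in
# 10.10.0.0/16. Replace with the real subnets when applying this to a site.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Ports used for Windows remote administration and file sharing (RPC, NetBIOS,
# SMB, RDP, WinRM). A workstation rarely needs to offer these to another workstation.
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}

# Constructed sample flow records in the format "src_ip dst_ip dst_port action".
SAMPLE_LOG = """\
10.10.4.21 10.20.0.5 445 allow
10.10.4.21 10.10.7.33 445 allow
10.10.9.8 10.10.9.9 3389 allow
10.10.9.8 10.20.0.10 3389 allow
10.10.4.21 10.10.7.33 8080 allow
10.20.0.5 10.10.4.21 445 allow
10.10.4.21 10.10.7.33 445 deny
"""

def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def parse_flows(text: str):
    """Parse 'src dst port action' records (constructed format, not a real product's)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = line.split()
        yield {"src": src, "dst": dst, "port": int(port), "action": action}

def find_lateral_flows(log_text: str, ports=ADMIN_PORTS):
    """Return allowed workstation-to-workstation flows on the given ports.

    Denied flows are skipped: they show the segmentation policy working,
    not a gap in it. Server-to-workstation traffic is also ignored.
    """
    return [
        f for f in parse_flows(log_text)
        if f["action"] == "allow"
        and f["port"] in ports
        and is_workstation(f["src"])
        and is_workstation(f["dst"])
    ]

if __name__ == "__main__":
    for f in find_lateral_flows(SAMPLE_LOG):
        print(f"workstation-to-workstation {f['src']} -> {f['dst']}:{f['port']}")
```

On the sample data the script reports two flows: SMB from 10.10.4.21 to 10.10.7.33 and RDP from 10.10.9.8 to 10.10.9.9; the same logic applied to live firewall or flow exports gives a running measure of how well the segregation advice has been implemented.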