The NSA’s Information Assurance Directorate (IAD) issued a report this month laying out best practices for combating malware designed to steal or destroy corporate data.
The report, entitled ‘Defensive Best Practices for Destructive Malware’, seems in part aimed at dealing with the type of data-wiping malware at the center of the recent attack on Sony Pictures Entertainment. Much of the advice, the document notes, is also contained in the guidance in the previously published ‘Information Assurance Mitigation Strategies’.
Among the key pieces of advice: segregate network systems, limit workstation-to-workstation communication and protect and restrict administrative privileges for high-level administrator accounts. Organizations are also advised to deploy, configure and monitor application whitelisting to prevent unauthorized or malicious software from executing.
“The earlier that network defenders can detect and contain an intrusion, the less damage the intruder can possibly cause,” according to the report. “In addition to trying to contain an intrusion as early as possible, planning for the possibility of a significant intrusion and potential wide scale destruction of data and systems will be well worth the effort in the event that they are needed. Preparing through offline backups and exercised incident response and recovery plans can make the organization more resilient, enabling quick reconstitution and the resumption of normal business functions as soon as possible.”
Other advice includes:
- Using network security technologies such as perimeter and application firewalls, forward proxies, sandboxing or other dynamic analysis filters to capture malware when it enters the network
- Monitor host and network logs
- Leverage pass-the-hash mitigations to reduce the risk of credential theft
- Deploy Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) or other anti-exploit tools
- Patch vulnerable software
- Use antivirus reputation services to compliment antivirus protections
- Use host intrusion prevention systems
“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network,” report continues. “While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent from gaining that much control over the organization’s network.”