Malicious Activity Detection and Mitigation Guidance Published by CISA
The HIPAA Security Rule requires covered entities and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI. Those safeguards will make it harder for cybercriminals to gain access to networks and computer systems that are used to create, store, process, maintain, or transmit ePHI. Those safeguards may not block all attempts by threat actors to access the networks of healthcare organizations and their vendors. When a cyberattack is successful it is essential for it to be detected and remediated quickly.
Recently, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Joint Advisory to help security and incident response teams detect malicious activity quickly and respond to potential intrusions efficiently and effectively and limit any negative consequences. The guidance was developed in collaboration with cybersecurity authorities in the United States, United Kingdom, Canada, Australia, and New Zealand.
When incident response teams identify malicious activity, there is a tendency for actions to be taken immediately to terminate any unauthorized access, but before any action is taken it should be carefully considered. Actions taken by incident response teams could alert the attacker that their presence in the network has been discovered. The threat actor may then change tactics, techniques, and procedures (TTPs) which could have negative consequences.
“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” explained CISA.
The guidance acts as an incident response playbook, providing technical guidance on the actions that should be taken by incident response teams and best practices that should be adopted to shorten the time it takes to detect malicious activity on networks and mitigate any attack when malicious activity is detected.
The guide explains the technical measures necessary for detecting malicious activity, including obtaining indicators of compromise (IoCs) from a variety of sources and conducting searches for those indicators in network and host artifacts.
A frequency analysis can uncover potential malicious activity. Normal traffic patterns in network and host systems should be determined and algorithms used to identify any traffic that is inconsistent with normal patterns. Variables that should be included include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.
A pattern analysis helps to detect regular, automated actions performed by malware and malicious scripts and any repeating actions by human threat actors. An analyst review should also be conducted to identify anomalous behavior based on the team’s understanding of system administration.
When suspicious activity is detected, it is essential to collect and remove relevant artifacts, logs and data to ensure that information can be analyzed without tipping off an attacker that their presence in the network has been identified. Mitigation steps should then be taken, again taking care not to alert the attacker. While incident response teams can use the playbook to determine the mitigation steps that should be taken, CISA recommends considering soliciting support from a third-party cybersecurity organization.
Third-party cybersecurity experts will provide subject matter expertise and technical support to the incident response team, will ensure that any adversary is eradicated from the network, and will avoid residual issues that could allow the attacker to conduct another successful attack once the incident is closed.
The guidance also includes information on the mistakes that incident response teams often make when searching for and identifying malicious activity to help teams avoid the errors and the associated negative consequences
The CISA Alert – Technical Approaches to Uncovering and Remediating Malicious Activity – can be viewed on this link.