Five Eyes Nations Release Cybersecurity Principles
The joint advisory offers technical approaches to finding malicious activity on digital networks.
The cybersecurity authorities of the so-called Five Eyes intelligence partners are working together to improve cyber incident response across the wider community of Australia, Canada, New Zealand, the United Kingdom and the United States.
As such, the Five Eyes nations' cyber authorities—the Australian Cyber Security Centre; Canada's Communications Security Establishment; the New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team; the United Kingdom National Cyber Security Centre; and the U.S. Cybersecurity and Infrastructure Security Agency (CISA)—have published a playbook for incident investigation. The advisory is the result of a collaborative research effort by those cybersecurity authorities, according to the bulletin, which was released on September 1 by CISA, part of the U.S. Department of Homeland Security.
The playbook sets out the best practices to apply when an organization has been breached and is conducting incident response, including the collection and removal of relevant artifacts, logs and data, and how to avoid residual issues that could lead to further compromise once the incident is closed.
“The incident response process requires a variety of technical approaches to uncover malicious activity,” the bulletin stated.
Among other measures, the nations recommended that cybersecurity responders consider the following activities during a response:
- Indicators of Compromise (IOC) Search – Collect known-bad indicators of compromise from a broad variety of sources, and search for those indicators in network and host artifacts. Assess results for further indications of malicious activity to eliminate false positives.
- Frequency Analysis – Leverage large datasets to calculate normal traffic patterns in both network and host systems. Use these predictive algorithms to identify activity that is inconsistent with normal patterns. Variables often considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention and other attributes.
- Pattern Analysis – Analyze data to identify repeating patterns that are indicative of either automated mechanisms (e.g., malware, scripts) or routine human threat actor activity. Filter out the data containing normal activity and evaluate the remaining data to identify suspicious or malicious activity.
- Anomaly Detection – Conduct an analyst review (based on the team’s knowledge of, and experience with, system administration) of collected artifacts to identify errors. Review unique values for various datasets and research associated data, where appropriate, to find any anomalous activity that could be indicative of threat actor activity.
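The IOC search and frequency analysis steps described above can be shown in a few dozen lines of detection logic. The following Python script is an added example written for this page, not code from the advisory or from any of the agencies. It runs a constructed indicator list and two simple baseline checks (destinations contacted by only one host, and transfer sizes far above the median) over constructed proxy-style log lines; the log format, field names, indicator values and thresholds are all assumptions made here, and any hit still needs the analyst assessment the advisory calls for to rule out false positives.

```python
"""Added example: IOC search plus simple frequency baselines over constructed log lines."""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log lines (assumed format):
# timestamp source_host dest_ip dest_port domain bytes_sent
SAMPLE_LOGS = """\
2020-09-01T08:00:01 ws-101 203.0.113.10 443 updates.example.com 1200
2020-09-01T08:00:05 ws-102 203.0.113.10 443 updates.example.com 1180
2020-09-01T08:00:09 ws-103 203.0.113.10 443 updates.example.com 1210
2020-09-01T08:01:00 ws-101 198.51.100.7 443 mail.example.com 3400
2020-09-01T08:01:30 ws-104 198.51.100.7 443 mail.example.com 3300
2020-09-01T08:02:00 ws-102 192.0.2.55 4444 bad-c2.invalid 90
2020-09-01T08:02:04 ws-102 192.0.2.55 4444 bad-c2.invalid 88
2020-09-01T08:03:00 ws-105 203.0.113.10 443 updates.example.com 1190
2020-09-01T08:04:00 ws-101 203.0.113.99 8443 staging.example.com 560000
"""

# Constructed, placeholder indicator list (documentation-range IP, reserved TLD); not real IOCs.
KNOWN_BAD = {"ips": {"192.0.2.55"}, "domains": {"bad-c2.invalid"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse(logs):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, dst, port, domain, nbytes = m.groups()
        events.append({"ts": ts, "host": host, "dst": dst, "port": int(port),
                       "domain": domain.lower(), "bytes": int(nbytes)})
    return events


def ioc_search(events, iocs):
    """IOC search: return (host, timestamp, reasons) for events matching a known-bad IP or domain."""
    hits = []
    for e in events:
        reasons = []
        if e["dst"] in iocs["ips"]:
            reasons.append("ip:" + e["dst"])
        if e["domain"] in iocs["domains"]:
            reasons.append("domain:" + e["domain"])
        if reasons:
            hits.append((e["host"], e["ts"], reasons))
    return hits


def single_source_destinations(events):
    """Frequency analysis: (dest_ip, port) pairs contacted by exactly one host.

    Destinations most of the fleet talks to form the baseline; a destination only one
    host reaches is rare by construction and worth a look.
    """
    hosts_per_dest = defaultdict(set)
    for e in events:
        hosts_per_dest[(e["dst"], e["port"])].add(e["host"])
    return sorted(dest for dest, hosts in hosts_per_dest.items() if len(hosts) == 1)


def size_outliers(events, factor=10):
    """Frequency analysis on a size attribute: events sending more than factor x the median bytes."""
    if not events:
        return []
    typical = median(e["bytes"] for e in events)
    return [e for e in events if e["bytes"] > factor * typical]


def port_histogram(events):
    """Helper for the analyst's review: how often each destination port appears."""
    return Counter(e["port"] for e in events)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("IOC hits:", ioc_search(evs, KNOWN_BAD))
    print("Destinations seen from one host only:", single_source_destinations(evs))
    print("Size outliers:", [(e["host"], e["domain"], e["bytes"]) for e in size_outliers(evs)])
    print("Port histogram:", port_histogram(evs))
```

Run against real data, the indicator set would come from threat intelligence feeds and the baselines from a much larger window than nine lines; the point of the example is the separation between the deterministic IOC match and the statistical checks, each of which produces candidates for review rather than verdicts.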
In addition, when investigating a network, the Five Eyes recommended reviewing a broad variety of host-based artifacts to identify any suspicious activity, including:
- Running Processes
- Running Services
- Parent-Child Process Trees
- Integrity Hash of Background Executables
- Installed Applications
- Local and Domain Users
- Unusual Authentications
- Non-Standard Formatted Usernames
- Listening Ports and Associated Services
- Domain Name System (DNS) Resolution Settings and Static Routes
- Established and Recent Network Connections
- Run Key and other AutoRun Persistence
- Scheduled Tasks
- Artifacts of Execution (Prefetch and Shimcache)
- Event logs
- Anti-virus detections
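One of the artifacts in that list, the parent-child process tree, lends itself to a mechanical first pass before the analyst review. The script below is an added example written for this page, not code from the advisory or from any of the agencies. It takes a constructed snapshot of processes (pid, parent pid, image name, user) as a responder might export from a host, rebuilds the tree, and flags two common review points: system processes whose parent is not the expected one, and command interpreters descended from an office application. The snapshot, the expected-parent table and the process names used as rules are assumptions made for the example.

```python
"""Added example: review a constructed parent-child process snapshot for unexpected relationships."""
from collections import defaultdict

# Constructed snapshot: (pid, ppid, image name, user). Not taken from a real host.
PROCESSES = [
    (4, 0, "System", "SYSTEM"),
    (600, 4, "wininit.exe", "SYSTEM"),
    (700, 600, "services.exe", "SYSTEM"),
    (900, 700, "svchost.exe", "SYSTEM"),
    (1200, 1100, "explorer.exe", "CORP\\alice"),      # parent 1100 is not in the snapshot
    (2000, 1200, "winword.exe", "CORP\\alice"),
    (2100, 2000, "cmd.exe", "CORP\\alice"),
    (2200, 2100, "powershell.exe", "CORP\\alice"),
    (2300, 1200, "svchost.exe", "CORP\\alice"),
]

# Assumed rule tables (illustrative, not exhaustive).
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def build_index(processes):
    """Map pid -> record and pid -> list of child pids."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    return by_pid, children


def ancestors(pid, by_pid):
    """Image names of the process's ancestors, nearest first; stops at a missing parent."""
    names = []
    seen = set()
    ppid = by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)                 # guard against a cyclic or self-referencing snapshot
        names.append(by_pid[ppid][2].lower())
        ppid = by_pid[ppid][1]
    return names


def review_tree(processes):
    """Return (pid, image, reason) findings sorted by pid."""
    by_pid, _ = build_index(processes)
    findings = []
    for pid, ppid, image, user in processes:
        name = image.lower()
        parent = by_pid[ppid][2].lower() if ppid in by_pid else None
        # Rule 1: a system process with an unexpected (or absent) parent.
        if name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
            findings.append((pid, image, f"parent is {parent or 'unknown'}, expected "
                             f"{sorted(EXPECTED_PARENT[name])}"))
        # Rule 2: a command interpreter with an office application anywhere above it.
        if name in INTERPRETERS:
            office = [a for a in ancestors(pid, by_pid) if a in OFFICE_APPS]
            if office:
                findings.append((pid, image, f"descends from office app {office[0]} (user {user})"))
    return sorted(findings)


def render_tree(processes, root_pid, depth=0):
    """Indented text rendering of the subtree under root_pid, for the analyst's own review."""
    by_pid, children = build_index(processes)
    lines = [f"{'  ' * depth}{root_pid} {by_pid[root_pid][2]} ({by_pid[root_pid][3]})"]
    for child in sorted(children[root_pid]):
        lines.extend(render_tree(processes, child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, 4)))
    for finding in review_tree(PROCESSES):
        print("FINDING:", finding)
```

The rules are deliberately narrow: a finding is a prompt for the analyst review the advisory describes, not a verdict, and the same tree walk can feed the integrity-hash and installed-application checks by attaching a file hash to each record.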
The Five Eyes also identified common mistakes made in response to breaches. They warned that some immediate actions taken to limit the damage of a compromise, although well-intentioned, may instead modify important data that would have revealed the work of the attackers. Such actions could also tip off the threat actors that the victim is aware of the compromise, prompting them either to hide their tracks or to take more damaging action, such as detonating ransomware, the advisory stated.