Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity (Sept. 1, 2020)
Available at https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf
The cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States have issued a joint advisory highlighting technical approaches to uncovering malicious cyber activity, with suggested mitigation practices. Recommended approaches include analyzing data in various ways to identify normal traffic patterns, so that anomalous activity stands out. In addition, the advisory lists investigative steps to help spot suspicious activity. These include identifying file names that suggest data exfiltration, looking for new connections on previously unused ports, and detecting unauthorized connections to known threat indicators. The advisory also focuses on common mistakes in handling security incidents, cautioning against certain immediate responses that could lead to adverse consequences. Key concerns include tipping off threat actors (possibly leading them to cover their tracks or take more damaging actions such as activating ransomware) and modifying data that could have been used to analyze an attack.
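As an added illustration (not part of the advisory or this article), the following Python sketch applies three of the investigative steps listed above to constructed connection-log lines: it baselines the destination ports each host normally uses, then flags connections on new ports, connections to a placeholder list of known threat indicators, and transferred file names that suggest bulk export. The log format, host names, addresses, indicator list, and keyword lists are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log lines (format assumed): "<timestamp> <src host> <dst ip> <dst port> <file or ->"
BASELINE_LOG = [
    "2020-08-01T09:00:00 host1 10.0.0.5 443 -",
    "2020-08-01T09:05:00 host1 10.0.0.5 443 -",
    "2020-08-01T09:10:00 host2 10.0.0.6 445 report.docx",
    "2020-08-02T09:00:00 host1 10.0.0.7 53 -",
]
NEW_LOG = [
    "2020-08-10T02:14:00 host1 10.0.0.5 443 -",
    "2020-08-10T02:15:00 host1 203.0.113.9 4444 -",
    "2020-08-10T02:20:00 host2 198.51.100.20 443 hr_export_all.7z",
]
KNOWN_BAD = {"203.0.113.9"}  # placeholder indicator list (documentation range, not a real IoC)
EXFIL_HINTS = ("export", "dump", "backup")  # assumed keywords suggesting bulk data staging
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")

def parse(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, fname = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "file": None if fname == "-" else fname}

def build_baseline(lines):
    """Record, per source host, the destination ports seen during the baseline window."""
    ports = defaultdict(set)
    for rec in map(parse, lines):
        ports[rec["src"]].add(rec["port"])
    return ports

def suspicious_filename(name):
    """Archive file whose name carries an export/dump/backup hint."""
    if not name:
        return False
    lowered = name.lower()
    return lowered.endswith(ARCHIVE_EXT) and any(h in lowered for h in EXFIL_HINTS)

def find_anomalies(baseline, lines, known_bad):
    """Apply the three checks to each record of the later window; return (check, host, detail) tuples."""
    findings = []
    for rec in map(parse, lines):
        if rec["port"] not in baseline.get(rec["src"], set()):
            findings.append(("new_port", rec["src"], rec["port"]))
        if rec["dst"] in known_bad:
            findings.append(("known_indicator", rec["src"], rec["dst"]))
        if suspicious_filename(rec["file"]):
            findings.append(("exfil_filename", rec["src"], rec["file"]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG, KNOWN_BAD):
        print(finding)
```

In practice the baseline window would cover weeks of real telemetry and the indicator list would come from a curated feed; the point here is that each check is only meaningful against an established picture of normal activity.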
The bulk of the advisory is devoted to recommended investigation and remediation processes. These are divided into general mitigation guidance and pre-incident best practices. The best practices include defensive techniques and programs to make it more difficult for a threat actor to gain persistent, undetected access to a network. Because no single technique, program, or set of defensive techniques or programs will completely prevent attacks, the advisory recommends a layered approach with multiple defensive techniques and programs to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful attack.
EBIA Comment: Although the advisory does not mention HIPAA, covered entities and business associates may benefit from comparing their current cybersecurity programs to the pre-incident recommendations and best practices. As noted, an effective cybersecurity defense is one that forces attackers to overcome multiple barriers before gaining unauthorized access to sensitive information. The warning against precipitous actions should be viewed in the context of OCR’s previous advice that HIPAA requires entities to “immediately fix any technical or other problems” to stop a security incident (see our Checkpoint article). Victims of malicious attacks should also resist the temptation to “play along” with an attacker in hopes of identifying the perpetrator—investigations are best left to law enforcement. Key takeaways: Entities should prioritize data protection and recovery, and planning is essential to ensure that the immediate response does not do more harm than good. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXV.H (“Guide to Planning for Breach Notification”) and XXX.B.6 (“Standard: Security Incident Procedures”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 9/10/20).
Contributing Editors: EBIA Staff.