The National Security Agency (NSA)’s Information Assurance Directorate has released a report on “Defensive Best Practices for Destructive Malware”. The document describes specific actions that organizations can take to defend their networks from malware attacks and prevent or minimize damage.
“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all of the data that is on the network,” states the report. It concludes that “the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the network”.
The report advocates practices it refers to as “Prevent, Detect and Contain”. These include:
- Segregating networks in ways that make it difficult for the attacker to move through them.
- Protecting and restricting administrative privileges.
- Deploying, configuring and monitoring application whitelisting to prevent unauthorized or malicious software execution.
- Limiting workstation-to-workstation communication to limit the ability of attackers to spread and conceal themselves within the network.
- Implementing boundary defense technologies such as network firewalls, application firewalls, network proxies, sandboxing and analytical tools for traffic analysis.
- Maintaining and monitoring logs of the activity of all network devices.
- Implementing Pass-the-Hash mitigations to prevent credential theft and reuse.
- Implementing anti-exploitation capabilities such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).
- Deploying antivirus protection and antivirus reputation services.
- Implementing a Host Intrusion Prevention System (HIPS).
- Updating and patching software in a timely manner.
The report also recommends that organizations be prepared with robust incident response and recovery plans to respond to breaches.
“Preparing through offline backups and exercised incident response and recovery plans can make the organization more resilient, enabling quick reconstitution and resumption of normal business functions as soon as possible”, the report concludes.