Government bodies responsible for cyber-security in different countries publish a lot of guidelines and regulations; most of them provide information about threats, strategies, and bad actors. I will write a series of blog posts about the most interesting of these publications and portals that I have seen. This is not a complete list: cyber-security measures differ from country to country, and I could easily have missed the cyber-security body of some lesser-known but technologically advanced country that has the best materials.
This time we are going to talk about materials provided by the Australian Government, specifically the Australian Cyber Security Centre (https://acsc.gov.au/index.html). In my opinion, this country's cyber-security departments issue the most interesting and relevant materials that are at the same time easy to read and understand. All publications are also structured according to audience level, from very high-level principles and concepts down to specific low-level configuration recommendations for IT professionals.
My introduction to their materials started with a very detailed guide on Windows Event Log management strategies. I was researching materials for InTrust's improved forwarding capabilities and was looking for good guidance on event triage that would help with event prioritization and reduce the overall event log noise level. The Australian Government has the most specific document on this matter: Windows Event Logging and Forwarding (https://www.acsc.gov.au/publications/protect/Windows_Event_Logging_Technical_Guidance.pdf). The document helps separate the more important logs from the less important ones and develop a log management strategy for the organization; in other words, what should just be archived for legal and compliance purposes versus what should be kept in hot storage and indexed so that it is ready for rapid analysis by your security team. As a starting point, you can take everything the document marks as Low Noise, forward it directly to your SIEM, and then work on reducing the noise in your log management solution such as Quest InTrust; alternatively, keep most of the data in the log management layer, forward only the most important events, and rely on InTrust during the security threat investigation process.
A good addition to this document is a GitHub repository with scripts that help configure Windows event logging to the described standard. Really useful material: https://github.com/AustralianCyberSecurityCentre/windows_event_logging
There is another masterpiece from the Australian Government: "Strategies to Mitigate Cyber Security Incidents" (https://acsc.gov.au/publications/Mitigation_Strategies_2017.pdf). If crawling through yet another set of cyber-security framework definitions feels like a nightmare to you, you will like this document a lot. It is easy, simple and on the money. You can start light by implementing just a basic level of protection and continue improving your security posture in cycles. An amazing document.
There is a companion document that goes into implementation recommendations (https://acsc.gov.au/publications/Mitigation_Strategies_2017_Details.pdf). For raising awareness of Sysmon, PowerShell auditing, application whitelisting and other highly specialized cyber-security measures I can definitely give the document five stars. I am not trying to be an expert, but I have seen a lot of security frameworks and compliance regulation definitions, and I can say that the ability to put everything onto a single page is an accomplishment by itself.
Besides other detailed and very well structured suggestions and recommendations, the Australian Cyber Security Centre also runs a threat sharing platform and publishes a report on well-known, publicly available cyber-crime toolkits:
"Joint report on publicly available hacking tools" (https://cyber.gov.au/infrastructure/publications/publicly-available-tools/U5-Joint-Product-ACSC-Release-Final.pdf)
This document is brief but interesting, and I want to stop on each threat mentioned in it.
Remote Access Tool – Adwind and JBiFrost
I recommend checking the document for the history and examples of use of this trojan type of offensive toolkit; what is most interesting to me is the paragraph about Detection and Protection:
ACSC recommends using user behavior analysis tools, application whitelisting and endpoint protection.
Web Shells – China Chopper
Again, the recommended protection is to enforce the cyber-security posture of your publicly-facing web services. For detection, it is recommended to audit web servers, that is, their logs and the overall activity on these machines, for anomalies and suspicious behavior.
Besides collecting detailed Windows Event logs from these servers, Quest InTrust is capable of parsing and archiving web application logs for analysis and spotting some well-known attacks.
Credential Stealer – Mimikatz
We know this fellow at Quest and use it a lot to test the validity of our protection features. ACSC recommends keeping your Windows infrastructure updated and incorporating well-known security hardening, which can significantly reduce the risk of pass-the-hash attacks. On the detection side, log monitoring and user behavior analysis are vital parts of the detection strategy. It is also recommended to perform thorough investigations of all activity on endpoints where the use of Mimikatz has been detected. Privileged Access Management principles are recommended as well, to reduce the footprint of a potential attack.
"Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid identification of Mimikatz or pass-the-hash abuse, as well as providing some mitigation against attempts to bypass detection software."
With Quest InTrust 11.4 releasing in the upcoming weeks, we believe that its built-in PowerShell protection rules can help implement this recommendation.
Lateral Movement Frameworks – PowerShell Empire
Again, for the detection part, it is highly recommended to use PowerShell script block logging. Quest InTrust can help enable full auditing of this log from servers to workstations, as well as automated response actions for suspicious commands such as those used in the PowerShell Empire toolkit.
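The script block auditing recommended in the Mimikatz and PowerShell Empire sections above, as an added example that is not part of the ACSC report or of Quest InTrust: it enables script block and module logging through the same policy registry keys Group Policy sets, then reviews the last 24 hours of Event ID 4104 for a handful of common tradecraft strings. The indicator list is my own illustrative assumption, not an official signature set, and running this script from an interactive PowerShell session will itself produce a matching 4104 event because the script text contains those strings.

```powershell
# Added example (not from the ACSC report or Quest InTrust): turn on PowerShell
# script block logging and module logging via the policy registry keys, then
# review recent 4104 events for common tradecraft strings.
# The indicator list below is an illustrative assumption, not an official signature set.

# 1. Script block logging: the keys behind the Group Policy setting
#    "Turn on PowerShell Script Block Logging". Events land as ID 4104 in
#    Microsoft-Windows-PowerShell/Operational.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module logging for all modules (Event ID 4103, pipeline execution details).
#    The value under ModuleNames is literally named '*', so use the .NET API,
#    which creates the key if needed and never treats '*' as a wildcard.
$modKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
[Microsoft.Win32.Registry]::SetValue($modKey, 'EnableModuleLogging', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
[Microsoft.Win32.Registry]::SetValue("$modKey\ModuleNames", '*', '*', [Microsoft.Win32.RegistryValueKind]::String)

# 3. Review: strings that show up in encoded/download-and-execute loaders and in
#    Invoke-Mimikatz style in-memory tooling. Long scripts are split across several
#    4104 events (MessageNumber/MessageTotal), so a hit may be one fragment only.
$indicators = @(
    '-EncodedCommand', '-enc ', 'FromBase64String', 'DownloadString',
    'Invoke-Expression', 'IEX', 'Net.WebClient', '-NoProfile', '-NonInteractive',
    'System.Reflection.Assembly', 'Invoke-Mimikatz'
)

function Find-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $xml  = [xml]$evt.ToXml()
        # ScriptBlockText is the EventData field carrying the (fragment of) script source.
        $text = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
        if (-not $text) { return }
        $hits = $indicators | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hits) {
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                Computer = $evt.MachineName
                Hits     = ($hits -join ', ')
                Snippet  = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
            }
        }
    }
}

Find-SuspiciousScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it elevated (the policy keys live under HKLM). On a fleet you would not grep 4104 locally like this; you would forward the Microsoft-Windows-PowerShell/Operational log to your SIEM or log management layer and run the same string matching there, which is exactly where the noise reduction discussed above matters, since 4104 volume on busy servers is considerable.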
Command and Control Obfuscators - HTran
This toolkit is responsible for creating a network connection to the backend servers where bad actors operate; it can proxy and hide malicious connections behind normal network traffic. ACSC recommends monitoring network packets to maintain a baseline of activity, which helps spot networking anomalies. I would also recommend Sysmon and collecting its log for analysis. HTran can inject itself into processes, but suspicious network connections initiated by normally silent processes should definitely trigger an alert and further analysis of the behavior of the corresponding process.
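The "normally silent process suddenly talking to the network" check from the paragraph above, as an added example that is not part of the ACSC report or of Quest InTrust: it builds a per-host baseline of which process images initiated outbound connections (Sysmon Event ID 3) over the previous two weeks and then reports recent connections from any image outside that baseline. It assumes Sysmon is installed with network connection logging enabled in its configuration; the window sizes and the baseline file path are arbitrary choices for illustration.

```powershell
# Added example (not from the ACSC report or Quest InTrust): baseline the process
# images that normally initiate outbound connections (Sysmon Event ID 3) and flag
# recent connections from images not in that baseline.
# Assumes Sysmon is installed with NetworkConnect logging enabled in its config.
param(
    [int]$BaselineDays = 14,                                   # window that defines "normal"
    [int]$ReviewHours  = 24,                                   # recent window compared against it
    [string]$BaselineFile = "$env:ProgramData\net-baseline.json"  # arbitrary location
)

function Get-SysmonNetworkConnections {
    param([datetime]$Since, [datetime]$Until = (Get-Date))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 3
        StartTime = $Since
        EndTime   = $Until
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $d = @{}
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time            = $evt.TimeCreated
            Image           = $d['Image']
            User            = $d['User']
            Initiated       = $d['Initiated']        # 'true' = outbound from this host
            DestinationIp   = $d['DestinationIp']
            DestinationPort = $d['DestinationPort']
            Protocol        = $d['Protocol']
        }
    }
}

$now = Get-Date
$reviewStart = $now.AddHours(-$ReviewHours)

# Baseline: images that made outbound connections before the review window.
# Excluding the review window keeps a newly appeared process from baselining itself.
$baseline = @(Get-SysmonNetworkConnections -Since $now.AddDays(-$BaselineDays) -Until $reviewStart |
    Where-Object { $_.Initiated -eq 'true' } |
    Select-Object -ExpandProperty Image -Unique)
$baseline | ConvertTo-Json | Set-Content -Path $BaselineFile

# Review: recent outbound connections whose image was never seen in the baseline.
# A normally quiet process, or a familiar binary name running from an odd path,
# shows up here. For an injected host process the Image is the victim process,
# so pair this with Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess).
$recent = Get-SysmonNetworkConnections -Since $reviewStart |
    Where-Object { $_.Initiated -eq 'true' -and $baseline -notcontains $_.Image }

$recent | Group-Object Image | ForEach-Object {
    $destinations = $_.Group | ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" } | Select-Object -Unique
    [pscustomobject]@{
        Image        = $_.Name
        Connections  = $_.Count
        Users        = (($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ')
        Destinations = ($destinations -join ', ')
        FirstSeen    = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize
```

The baseline is per host and only as good as the Sysmon configuration feeding it: if the config excludes browsers or updaters from NetworkConnect logging, they never enter the baseline and never alert either, so review the exclusions with the same care as the detections.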
I want to thank the Australian Cyber Security Centre for such detailed and well-written documentation of their cyber-security recommendations and policies.
This will be a series of blog posts about other governments that provide cyber-security recommendations, warnings, and guidelines.