NZ Incident Response Bulletin - February 2022

The February edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content based on a trending theme, this month's being “Cyber Incident Detection”.

Each article is summarised briefly and, where appropriate, linked to a detailed reference on the web. Why do we publish this bulletin? Because we want to keep you up to date with the latest Forensic and Cyber Security news, so that you aren't caught by surprise and you know about risks and changes before they become problems.

Bulletin Update

For the last 36 months, we have published the Incident Response Bulletin to inform our readers about cyber risk, incident response preparation, and forensic technology considerations. We appreciate hearing from you about the insights and value you gain from our ongoing research.

We were also delighted to receive recognition this month from Google, following our recent Bulletin series about the ‘CIS Controls’: Google now shows a ‘Snippet’ from our CIS Controls web page in its search results.

One final update: starting this month, the Premium Bulletin includes a new “Cyber Incident Landscape” section, which summarises the incidents we have responded to over the past month, trends to be aware of, and mitigations you can employ.

Cyber Incident Detection

In 2020, the New Zealand National Cyber Security Centre (NCSC), part of the Government Communications Security Bureau (GCSB), published guidance on Cyber Incident Management. Incident response is the set of tactical practices used to detect, respond to, and recover from cyber incidents.

Cyber incident risk cannot be managed through preventative measures alone. Accept that a cyber incident could occur, and adopt and adhere to a cyber incident framework that gives the ‘detect’ and ‘respond’ functions the same weight as prevention. Those functions depend on having the right data at the right time.

First, you need the capability to collect and manage logs, events, alerts, and incidents. Identify these data sources, then work out how each one will inform your first steps in an incident, so that containment, eradication and recovery can begin quickly.

So, you received a security alert; what now? 

The attack surface is constantly expanding and attackers continually adapt, so it is almost inevitable that you will experience malicious activity inside your network at some stage. Detecting that activity quickly and enabling a fast response is key to minimising damage. Many tools are designed for this purpose: Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP) and Network Behaviour Anomaly Detection (NBAD). Each is intended to act as an early warning system that alerts you and initiates a suitable response.

So…how do you respond effectively to a security alert?

Threat intelligence from reliable, reputable sources is essential to knowing which steps to take after receiving a security alert. Timely intelligence also helps you distinguish alerts that indicate genuine malicious activity from false positives.

Up-to-date indicators of compromise and current typical attack profiles help you stay ahead of emerging threats and take fast preventative action. For example, Cobalt Strike (a legitimate adversary-simulation and penetration-testing framework) is frequently used by attackers as a command-and-control mechanism, and its beaconing typically appears early in the attack kill chain, once the attacker has a foothold but before lateral movement, data theft or ransomware deployment. If you know to search for this tool and find it running illegitimately on your network, you may be able to act and stop the attack before further damage is done.
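The two hunts described above, matching outbound traffic against an indicator list and looking for the regular “heartbeat” that a command-and-control beacon produces, can be run over ordinary web-proxy logs. The following is an added example written for this bulletin, not code from the NCSC guidance or from any product; the log lines, the indicator list and the IP addresses are constructed for illustration, and the thresholds are assumptions you would tune to your own environment.

```python
"""Hunting for C2 beaconing in outbound proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound web-proxy log lines: timestamp, source, destination, URI.
# 10.0.0.12 calls one host every ~60 seconds (beacon-like); 10.0.0.25 browses normally;
# 10.0.0.30 contacts an address on the indicator list.
SAMPLE_LOGS = """\
2022-02-01T09:00:00 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:01:00 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:02:01 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:02:59 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:04:00 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:05:01 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:06:00 10.0.0.12 203.0.113.10 /jquery-3.3.1.min.js
2022-02-01T09:00:13 10.0.0.25 198.51.100.5 /index.html
2022-02-01T09:07:41 10.0.0.25 198.51.100.5 /news/today
2022-02-01T09:31:02 10.0.0.25 198.51.100.5 /images/logo.png
2022-02-01T10:12:17 10.0.0.25 198.51.100.5 /contact
2022-02-01T11:45:00 10.0.0.25 198.51.100.5 /index.html
2022-02-01T12:03:22 10.0.0.25 198.51.100.5 /about
2022-02-01T09:00:30 10.0.0.30 192.0.2.77 /upload
"""

# Constructed indicator list; in practice this comes from your threat intelligence feed.
IOC_DESTS = {"192.0.2.77"}


def parse_logs(text):
    """Parse lines into (datetime, src, dst, uri) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def ioc_hits(events, iocs):
    """Return the (src, dst) pairs whose destination is on the indicator list."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in iocs})


def beacon_candidates(events, min_events=6, max_cv=0.2):
    """Flag src->dst pairs whose inter-request intervals are suspiciously regular.

    A coefficient of variation (stdev / mean) of the gaps at or below max_cv means
    the host is calling out on a near-fixed timer, which is how a beacon with a
    small jitter setting looks. Normal browsing produces highly irregular gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"interval_s": round(avg, 1), "cv": round(cv, 3), "count": len(stamps)}
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("IOC hits:", ioc_hits(evs, IOC_DESTS))
    for pair, info in beacon_candidates(evs).items():
        print("Possible beacon:", pair, info)
```

Two caveats a practitioner should keep in mind: an indicator match is only as good as the freshness of the feed, and a beacon configured with a large jitter (or one that sleeps for hours) will not show the tight interval regularity this check looks for, so treat a clean result as “nothing found by this method”, not as proof of absence.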

If you are wondering what to do next, the NCSC poses a number of questions to ask yourself, and then act on the answers:

  • How would our organisation detect an incident?
  • Are we responding to all the alerts we are receiving?
  • Are we receiving too many alerts because we aren’t tuning them correctly?
  • If something happened, would we be able to go back and find the information in our logs?
  • How far back can we go? Is it one week, one month, one year, or might we need longer?
  • Have we produced reports for our security incidents?
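Several of these questions have measurable answers if you export your alert queue and your log-source inventory. The following is an added example written for this bulletin, not part of the NCSC guidance; the alert records, log-source names and the 90-day lookback requirement are constructed assumptions, and the disposition labels (“true_positive”, “false_positive”, empty for untriaged) are a hypothetical schema you would map onto your own SIEM's fields.

```python
"""Turning the NCSC detection questions into checks (added example, constructed data)."""
from collections import Counter
from datetime import datetime

# Constructed alert-queue export: (rule name, analyst disposition).
# An empty disposition means nobody has looked at the alert yet.
SAMPLE_ALERTS = (
    [("cobalt_strike_beacon", "true_positive")] * 2
    + [("cobalt_strike_beacon", "")] * 1
    + [("powershell_encoded_cmd", "false_positive")] * 9
    + [("powershell_encoded_cmd", "true_positive")] * 1
    + [("powershell_encoded_cmd", "")] * 5
    + [("failed_logon_burst", "false_positive")] * 30
    + [("failed_logon_burst", "")] * 20
)

# Constructed inventory of log sources and the oldest record still searchable in each.
LOG_SOURCES = {
    "firewall": "2021-11-01T00:00:00",
    "proxy": "2022-01-20T00:00:00",
    "windows_security": "2022-01-26T00:00:00",
    "edr": "2021-08-01T00:00:00",
}


def untriaged(alerts):
    """'Are we responding to all the alerts?' Returns (untriaged count, total count)."""
    total = len(alerts)
    open_count = sum(1 for _, disposition in alerts if not disposition)
    return open_count, total


def noisy_rules(alerts, fp_threshold=0.8, min_triaged=10):
    """'Are we receiving too many alerts because we aren't tuning them?'

    Returns (rule, false-positive rate, triaged count) for rules whose analysts
    have closed at least min_triaged alerts and found fp_threshold or more of
    them to be false positives. Those rules are the tuning candidates.
    """
    triaged, false_positives = Counter(), Counter()
    for rule, disposition in alerts:
        if disposition:
            triaged[rule] += 1
            if disposition == "false_positive":
                false_positives[rule] += 1
    out = []
    for rule, n in triaged.items():
        if n >= min_triaged:
            rate = round(false_positives[rule] / n, 3)
            if rate >= fp_threshold:
                out.append((rule, rate, n))
    return sorted(out, key=lambda r: r[1], reverse=True)


def retention_horizon(sources, now, required_days=90):
    """'How far back can we go?' Returns ({source: days of history}, [sources below required_days]).

    The effective horizon for an investigation is the weakest source, because an
    intrusion timeline has to correlate across all of them.
    """
    days = {name: (now - datetime.fromisoformat(oldest)).days for name, oldest in sources.items()}
    short = sorted(name for name, d in days.items() if d < required_days)
    return days, short


if __name__ == "__main__":
    print("untriaged/total:", untriaged(SAMPLE_ALERTS))
    print("tuning candidates:", noisy_rules(SAMPLE_ALERTS))
    days, short = retention_horizon(LOG_SOURCES, datetime(2022, 2, 1))
    print("days of history per source:", days)
    print("sources below requirement:", short, "effective horizon:", min(days.values()), "days")
```

Note the asymmetry the numbers expose: the one rule that would catch a beacon is not the noisy one, yet it has an unreviewed alert, while the two high-volume rules are consuming the analysts' time. Tuning the noisy rules first is what makes “responding to all the alerts” achievable.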

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin
