NZ Incident Response Bulletin - February 2022
The February edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content based on a trending theme, this month's being “Cyber Incident Detection”.
Each article contains a brief summary and, where appropriate, a linked reference on the web for detailed information.
We'll give you a brief summary of each article, and a link to more information. Why do we publish this bulletin? Because we want to keep you up to date with the latest Forensic and Cyber Security news, so that you aren't caught by surprise - and you'll know about risks and changes before they become problems.
Bulletin Update
For the last 36 months, we have published the Incident Response Bulletin to inform our readers about cyber risk, incident response preparation, and forensic technology considerations. We appreciate hearing from you about the insights and value you gain from our ongoing research.
We were also delighted to receive recognition this month from the Google Search Engine, following our recent Bulletin series about the ‘CIS Controls’. Google has allocated us a ‘Snippet’ from our website page on CIS Controls.
One final update: starting this month, we have included a new section in our Premium Bulletin on the “Cyber Incident Landscape”, which summarises the incidents we have responded to over the past month, trends to be aware of, and mitigations you can employ.
Cyber Incident Detection
In 2020, the New Zealand National Cyber Security Centre (NCSC), part of the Government Communications Security Bureau (GCSB), published guidance on Cyber Incident Management. Incident response involves tactical practices to detect, respond to, and recover from cyber incidents.
Cyber incident risks cannot be managed solely through preventative measures. Accepting that a cyber incident could occur, we recommend adopting and adhering to a cyber incident framework that recognises the importance of the ‘detection’ and ‘response’ functions. These functions require you to have the right data at the right time.
First up, you need a capability to collect and manage logs, events, alerts, and incidents. Identify these sources of data, then determine how they will inform your first steps in an incident, so that you can expedite the processes of containment, eradication and recovery.
So, you received a security alert; what now?
The cyberattack surface is constantly expanding, and attackers are continually adapting and escalating the threat landscape, making it almost inevitable that you will experience malicious activity inside your network at some stage. As we know, detecting this activity quickly and enabling a fast response is key to minimising damage. There are many tools designed for this purpose, such as Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP) systems and Network Behaviour Anomaly Detection (NBAD). Each of these tools is intended to act as an early warning system to alert you and initiate a suitable response.
So…how do you respond effectively to a security alert?
Threat Intelligence from reliable and reputable sources is essential to understanding the steps to take after receiving a security alert. In addition, timely intelligence can help you clearly identify which alerts indicate genuine malicious activity and which may be false positives.
Obtaining up-to-date indicators of compromise and recent typical attack profiles can help you stay ahead of new threats as they emerge and take fast preventative action. For example, Cobalt Strike (a legitimate penetration testing framework) is often used as a command-and-control mechanism during an attack, and its deployment is an early step in the attack kill chain. Therefore, if you know to search for this tool and subsequently find it residing illegitimately on your network, you may be able to act and stop an attack before further damage is done.
If you are wondering what to do next, the NCSC poses a number of questions to ask yourself before acting:
The Bulletin:
To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin