Five Eyes security alliance releases a series of recommendations for detecting & stopping malware in corporate networks

A team of Five Eyes representatives has embarked on a collaborative campaign to develop plans that improve the response to cybersecurity incidents threatening group members; the group’s latest effort is a manual of recommendations for handling cyber threats. It should be remembered that Five Eyes is a joint effort by the governments of the United States, the United Kingdom, Canada, Australia and New Zealand to implement the best intelligence and information security plans.

To be more specific, the manual was prepared by specialists from the Australian Cyber Security Center, the Communications Security Establishment in Canada, the National Cyber Security Center and the New Zealand Computer Emergency Response Team, the UK National Cybersecurity Center, as well as the US Cybersecurity and Infrastructure Security Agency (CISA). “This is the result of a joint effort by the major cybersecurity authorities,” mentions the announcement published by CISA.


Experts mention that this manual was developed in adherence to best practices in the industry, which should be implemented when a security incident occurs, including data collection, deletion of artifacts, logs and relevant data, as well as recommendations on the complete elimination of minor issues that could lead to new security threats. 

Cybersecurity specialists agree that a successful incident response process requires a wide range of techniques and procedures, so a guide of generally applicable methods is a good measure in the face of increasingly advanced malicious hacking. Among the main measures that experts recommend are:

  • Search for Indicators of Compromise (IOCs): Experts recommend collecting any details related to malicious activity from all possible sources, and evaluating the results to uncover new leads and to eliminate false positives.
  • Frequency analysis: Collecting large amounts of data to calculate normal traffic patterns on the network and on host systems is also recommended; predictive algorithms built on that baseline can then identify anomalous activity within a short period of time.
  • Pattern Analysis: In the manual, Five Eyes experts state that analysis can identify the patterns of automated mechanisms typical of scripts or malware variants, as well as the routine activity of malicious hackers acting manually. IT teams need to learn how to separate data reflecting normal activity from potentially malicious activity.
  • Anomaly Detection: Analyze unique values for multiple datasets and, if necessary, investigate the associated data to find any signs of malicious activity.

The manual also includes a list of artifacts that IT teams in affected organizations can examine for signs of hacking activity:

  • Running processes
  • Services in use
  • Parent-child process trees
  • Background executable integrity hash
  • Installed applications
  • Local and domain users
  • Unusual authentication methods
  • Irregularly formatted usernames
  • Listening ports and associated services
  • Domain Name System (DNS) resolution settings and static routes
  • Established and recent connections
  • Scheduled tasks
  • Execution artifacts (Prefetch and Shimcache)
  • Event logs
  • Virus detections
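The frequency and anomaly-detection measures above, applied to three of the listed artifacts (scheduled tasks, listening ports, local users), as an added example that is not from the Five Eyes manual or CISA: values shared by the whole fleet form the baseline, and whatever is left over becomes the review list. The host inventory, host names, naming-convention pattern and function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample inventory (host -> artifact type -> observed values).
# ws01 and ws02 look alike; ws03 carries one extra task, port and account.
INVENTORY = {
    "ws01": {"scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
             "listening_ports": ["445/tcp svchost.exe", "3389/tcp svchost.exe"],
             "local_users": ["Administrator", "jsmith"]},
    "ws02": {"scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
             "listening_ports": ["445/tcp svchost.exe", "3389/tcp svchost.exe"],
             "local_users": ["Administrator", "mlopez"]},
    "ws03": {"scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                                 "\\Updater"],
             "listening_ports": ["445/tcp svchost.exe", "3389/tcp svchost.exe",
                                 "8443/tcp updater.exe"],
             "local_users": ["Administrator", "rchen", "support$"]},
}

# Assumed naming convention for human accounts (lowercase letters only);
# built-in accounts that legitimately break it are allow-listed.
USERNAME_PATTERN = re.compile(r"[a-z]{3,12}")
KNOWN_BUILTIN = {"Administrator", "Guest", "DefaultAccount"}


def stack_artifacts(inventory, artifact_type):
    """Map each distinct value of one artifact type to the hosts showing it."""
    hosts_by_value = defaultdict(set)
    for host, artifacts in inventory.items():
        for value in artifacts.get(artifact_type, []):
            hosts_by_value[value].add(host)
    return {value: sorted(hosts) for value, hosts in hosts_by_value.items()}


def rare_values(inventory, artifact_type, max_ratio=0.5):
    """Values seen on at most max_ratio of hosts, least common first."""
    # Returns (value, host_count, hosts) tuples; fleet-wide values drop out.
    total = len(inventory)
    stacked = stack_artifacts(inventory, artifact_type)
    rare = [(value, len(hosts), hosts) for value, hosts in stacked.items()
            if len(hosts) / total <= max_ratio]
    return sorted(rare, key=lambda item: (item[1], item[0]))


def irregular_usernames(inventory, pattern=USERNAME_PATTERN):
    """(host, name) pairs for local accounts outside the naming convention."""
    return sorted((host, name) for host, artifacts in inventory.items()
                  for name in artifacts.get("local_users", [])
                  if name not in KNOWN_BUILTIN and not pattern.fullmatch(name))
```

Stacking alone reports every per-user account as rare, which is why the naming-convention check is a useful complement for the "irregularly formatted usernames" artifact.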

Finally, the manual contains a section describing the most common errors that security teams make when analyzing a hacking incident. In this regard, Five Eyes warns that some seemingly legitimate actions can severely damage the investigation, to the benefit of threat actors. An inadequate incident response process could also prompt malicious hackers to cover their tracks before researchers can detect them, so the Five Eyes manual can help IT teams take the best steps towards a comprehensive and safe investigation.

The manual is available at the following link and is a highly recommended tool for security teams in any organization.