NSA Releases Guide for Countering Living Off the Land Techniques
The National Security Agency (NSA) has released a comprehensive guide aimed at senior information technology (IT) and operational technology (OT) decision-makers, network administrators, and critical infrastructure providers. The guide, developed in cooperation with international partners, details best practices for event logging and threat detection across a range of environments, including cloud services, enterprise networks, mobile devices, and OT networks.
The guide emphasizes the importance of a well-structured logging policy. It recommends that such a policy should include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection. The policy should also consider any shared responsibilities between service providers and organizations.
One of the primary threats addressed in the guide is the use of Living Off the Land (LOTL) techniques by advanced persistent threat actors (APTs). These tactics enable malicious actors to blend in with normal system activity, making them difficult to detect. The guide highlights the case of Volt Typhoon, a Chinese threat group that uses LOTL techniques to target critical infrastructure.
To counter these tactics, the guide identifies several key measures. Centralized log access and correlation are highlighted as crucial elements of logging best practice. The guide recommends implementing a centralized event logging facility, such as a secured data lake, for log aggregation. This approach makes it easier to analyze and correlate events across different systems and networks.
Moreover, the guide underscores the role of behavioral analytics in detecting malicious actors employing LOTL techniques. The behaviors exhibited by Volt Typhoon would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases.
Organizations are also encouraged to consider implementing user and entity behavioral analytics capabilities for automated detection of behavioral anomalies on networks, devices, or accounts. This proactive approach can significantly improve an organization's chances of detecting malicious behavior on its systems.
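The following is an added example, not code from the guide or from NSA/ASD, showing the kind of detection use case the two preceding paragraphs describe: process-creation records forwarded from several hosts are normalized in one place, a per-account baseline of which native tools each account uses on which hosts (and at what hours) is built from a quiet period, and later use of dual-use tools that departs from that baseline is flagged. The log lines, host names, accounts, record layout, business-hours window and the watchlist of tools are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Illustrative watchlist of dual-use native Windows tools (an assumption for
# this example, not the guide's own list).
LOTL_WATCHLIST = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe",
                  "reg.exe", "schtasks.exe"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, assumed for this environment

# Record layout assumed for the central store:
#   "<UTC timestamp> <host> <user> <executable> [args]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<exe>\S+)(?: (?P<args>.*))?$"
)

# Constructed process-creation records forwarded from three hosts.
SAMPLE_LOGS = [
    r"2024-05-01T09:02:11Z fs01 corp\svc_backup C:\Windows\System32\wbadmin.exe start backup",
    r"2024-05-01T09:15:40Z ws07 corp\alice C:\Windows\System32\cmd.exe /c dir",
    r"2024-05-01T09:17:03Z ws07 corp\alice C:\Windows\System32\ipconfig.exe /all",
    r"2024-05-02T08:20:00Z dc01 corp\bob C:\Windows\System32\netsh.exe interface show interface",
    r"2024-05-02T10:22:19Z ws07 corp\alice C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File report.ps1",
    r"2024-05-03T09:04:52Z fs01 corp\svc_backup C:\Windows\System32\wbadmin.exe start backup",
    r"not a well-formed record",
    # --- evaluation window (after BASELINE_CUTOFF) ---
    r"2024-05-07T09:10:00Z ws07 corp\alice C:\Windows\System32\cmd.exe /c dir",
    r"2024-05-07T08:30:00Z dc01 corp\bob C:\Windows\System32\netsh.exe interface show interface",
    r"2024-05-08T02:41:07Z dc01 corp\alice C:\Windows\System32\netsh.exe interface show interface",
    r"2024-05-08T11:05:00Z fs01 corp\alice C:\Windows\System32\wbem\wmic.exe os get caption",
    r"2024-05-08T03:00:00Z fs01 corp\svc_backup C:\Windows\System32\wbadmin.exe start backup",
]
BASELINE_CUTOFF = datetime(2024, 5, 6, tzinfo=timezone.utc)


def parse_events(lines):
    """Normalise raw records into dicts. Malformed lines are dropped here; a
    real pipeline would count them, since gaps in logging are themselves a signal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Keep only the executable's basename so the same tool matches
        # regardless of install path or case.
        rec["exe"] = rec["exe"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append(rec)
    return events


def build_baseline(events, cutoff):
    """Per-account profile from the baseline window: which (host, tool) pairs
    the account used and at which hours it was active."""
    pairs, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            pairs[e["user"]].add((e["host"], e["exe"]))
            hours[e["user"]].add(e["ts"].hour)
    return pairs, hours


def detect_lotl_anomalies(events, cutoff):
    """Flag watchlisted tool use after the cutoff that departs from the
    account's baseline. Returns a list of alert dicts in event order."""
    pairs, hours = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["exe"] not in LOTL_WATCHLIST:
            continue
        reasons = []
        if (e["host"], e["exe"]) not in pairs.get(e["user"], set()):
            reasons.append(f"first observed use of {e['exe']} by {e['user']} on {e['host']}")
        hour = e["ts"].hour
        if hour not in BUSINESS_HOURS and hour not in hours.get(e["user"], set()):
            reasons.append(f"activity at {hour:02d}:00 UTC, outside business hours and the account's baseline")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                           "exe": e["exe"], "args": e["args"] or "", "reasons": reasons})
    return alerts


def run_example():
    """Run the detection over the constructed sample; returns the alert list."""
    return detect_lotl_anomalies(parse_events(SAMPLE_LOGS), BASELINE_CUTOFF)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']} {a['host']} {a['user']} {a['exe']} {a['args']}")
        for r in a["reasons"]:
            print("   -", r)
```

In the sample, alice's routine cmd.exe use on her workstation and bob's routine netsh.exe use on the domain controller produce nothing, while alice running netsh.exe on a host she has never touched at 02:41 UTC, and wmic.exe on the file server, are each raised with the specific baseline departure as the reason. The point is the shape of the check rather than the watchlist: the signal comes from correlating events from several hosts in one place and comparing each account against its own history, which is exactly what the guide recommends centralized logging and behavioral analytics for.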
Event logs can be forwarded to analytic tools like security information and event management (SIEM) solutions and extended detection and response (XDR) solutions. This centralized storage prevents the loss of logs once the local device's storage is exhausted, which is particularly important for network infrastructure devices with limited local storage.
The Best Practice Guide for event logging and threat detection was produced by the NSA and the Australian Cyber Security Centre together with international partners, reflecting broad global collaboration in cybersecurity. The specific partner countries or agencies are not named in the material available for this article.
In conclusion, the NSA's guide provides valuable insights and recommendations for organizations looking to enhance their event logging and threat detection capabilities. By implementing the suggested best practices, organizations can better protect their systems against the evolving threats posed by advanced persistent threat actors.