Cybersecurity - NSA Advice - Top Ten Cyber Security Strategies

NSA’S Top Ten Cybersecurity Mitigation Strategies

NSA’s Top Ten Mitigation Strategies counter a broad range of exploitation techniques used by Advanced

Persistent Threat (APT) actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact.

The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a

defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics.

Additional strategies and best practices will be required to mitigate the occurrence of new tactics.

1. Update and Upgrade Software Immediately

Apply all available software updates, automate the process to the extent possible, and use an update service

provided directly from the vendor. Automation is necessary because threat actors study patches and create exploits,

often soon after a patch is released. These “N-day” exploits can be as damaging as a zero-day. Vendor updates must

also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content.

Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.

2. Defend Privileges and Accounts

Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access

Management (PAM) solution to automate credential management and fine-grained access control. Another way to

manage privilege is through tiered administrative access in which each higher tier provides additional access, but is

limited to fewer personnel. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets). Privileged

accounts and services must be controlled because threat actors continue to target administrator credentials to access

high-value assets, and to move laterally through the network.

3. Enforce Signed Software Execution Policies

Use a modern operating system that enforces signed software execution policies for scripts, executables, device

drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of

illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system

integrity. Application Whitelisting should be used with signed software execution policies to provide greater control.

Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded

malicious code.

4. Exercise a System Recovery Plan

Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive

disaster recovery strategy. The plan must protect critical data, configurations, and logs to ensure continuity of operations

due to unexpected events. For additional protection, backups should be encrypted, stored offsite, offline when possible,

and support complete recovery and reconstitution of systems and devices. Perform periodic testing and evaluate the

backup plan. Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is

a necessary mitigation for natural disasters as well as malicious threats including ransomware.

5. Actively Manage Systems and Configurations

Take inventory of network devices and software. Remove unwanted, unneeded or unexpected hardware and

software from the network. Starting from a known baseline reduces the attack surface and establishes control of the

operational environment. Thereafter, actively manage devices, applications, operating systems, and security

configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while

scaling and streamlining administrative operations.

6. Continuously Hunt for Network Intrusions

Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise

organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out,

contain, and remove threat actors within the network. Passive detection mechanisms, such as logs, Security Information

and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic

capabilities are invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt

operations and penetration testing using well documented incident response procedures to address any discovered

breaches in security. Establishing proactive steps will transition the organization beyond basic detection methods,

enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.

7. Leverage Modern Hardware Security Features

Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform

Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh. Modern hardware features

increase the integrity of the boot process, provide system attestation, and support features for high-risk application

containment. Using a modern operating system on outdated hardware results in a reduced ability to protect the system,

critical data, and user credentials from threat actors.

8. Segregate Networks Using Application-Aware Defenses

Segregate critical networks and services. Deploy application-aware network defenses to block improperly formed

traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection based on known-

bad signatures is quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide

malicious actions and remove data over common protocols, making the need for sophisticated, application-aware

defensive mechanisms critical for modern network defenses.

9. Integrate Threat Reputation Services

Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation

services assist in the detection and prevention of malicious events and allow for rapid global responses to threats, a

reduction of exposure from known threats, and provide access to a much larger threat analysis and tipping capability than

an organization can provide on its own. Emerging threats, whether targeted or global campaigns, occur faster than most

organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information sharing

services can provide a more timely and effective security posture against dynamic threat actors.

10. Transition to Multi-Factor Authentication

Prioritize protection for accounts with elevated privileges, remote access, and/or used on high value assets.

Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords

and PINs. Organizations should migrate away from single factor authentication, such as password-based systems, which

are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.