NSA's top ten mitigation strategies counter a broad range of exploitation techniques used by Advanced Persistent Threat actors and cyber threat actors. NSA's mitigations set priorities for enterprise organizations to minimize mission impact.
The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture.
The mitigation strategies are ranked by effectiveness against known APT tactics. You will require additional strategies and best practices to mitigate the occurrence of new tactics.
1. Update and Upgrade Software Immediately
Apply all available software updates, automate the process to the extent possible, and use an update service provided directly by the vendor.
Automation is necessary because cyber threat actors study patches and create exploits, often soon after a patch is released. These "N-day" exploits can be as damaging as a zero-day. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content.
Without rapid and thorough patch application, threat actors can operate inside a defender's patch cycle.
2. Defend Privileges and Accounts
Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access Management (PAM) solution to automate credential management and fine-grained access control.
Another way to manage privilege is through tiered administrative access, in which each higher tier provides additional access but is limited to fewer personnel. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets).
Privileged accounts and services must be controlled because cyber threat actors continue to target administrator credentials to access high-value assets and to move laterally through the network.
3. Enforce Signed Software Execution Policies
Use a modern operating system that enforces signed software execution policies for:
- device drivers, and
- system firmware.
Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. When used in conjunction with a secure boot capability, execution policies can assure system integrity.
Application Whitelisting should be used with signed software execution policies to provide greater control.
Allowing unsigned software enables cyber threat actors to gain a foothold and establish persistence through embedded malicious code.
4. Exercise a System Recovery Plan
Create, review, and exercise a system recovery plan to ensure data restoration as part of a comprehensive disaster recovery strategy.
The plan must protect critical data, configurations, and logs to ensure the continuity of operations due to unexpected events. For additional protection, we suggest encrypting backups and storing them offsite and offline when possible. Also, supporting complete recovery and reconstitution of systems and devices. Finally, perform periodic testing and evaluate the backup plan.
Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is necessary mitigation of natural disasters as well as malicious threats, including ransomware.
5. Actively Manage Systems and Configurations
Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network. Starting from a known baseline reduces the attack surface and establishes control of the operational environment.
Thereafter, actively manage devices, applications, operating systems, and security configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while scaling and streamlining administrative operations.
6. Continuously Hunt for Network Intrusions
Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise organizations should assume that a compromise has occurred and use dedicated teams to continuously seek out, contain, and remove threat actors within the network.
Passive detection mechanisms, such as logs, Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic capabilities are invaluable tools for finding malicious or anomalous behaviors.
Active pursuits should also include hunt operations and penetration testing using well-documented incident response procedures to address any discovered breaches in security.
Establishing proactive steps will transition the organization beyond basic detection methods, enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.
7. Leverage Modern Hardware Security Features
Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh.
Modern hardware features increase the integrity of the boot process, provide system attestation, and support features for high-risk application containment. Conversely, using a modern operating system on outdated hardware reduces the ability to protect the system, critical data, and user credentials from cyber threat actors.
8. Segregate Networks Using Application-Aware Defenses
Segregate critical networks and services. Then, deploy application-aware network defenses to block improperly formed traffic and restrict content according to policy and legal authorizations.
Due to encryption and obfuscation techniques, traditional intrusion detection based on known, bad signatures is quickly decreasing in effectiveness. Cyber threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
9. Integrate Threat Reputation Services
Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation services assist in detecting and preventing malicious events, allowing for rapid global responses to threats, reducing exposure from known threats, and providing access to much larger threat analysis and tipping capability than an organization can deliver on its own.
Whether targeted or global, emerging threats occur faster than most organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information-sharing services can provide a more timely and effective security posture against dynamic threat actors.
10. Transition to Multi-Factor Authentication
Prioritize protection for accounts with elevated privileges, remote access, and/or used on high-value assets.
Physical token-based authentication systems should be used to supplement knowledge-based factors. These include passwords, PINs, etc. Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.