Leading cybersecurity agencies from the UK, US, Australia, Canada, and New Zealand today issued comprehensive guidance to enhance digital forensics and protective monitoring in network devices and appliances with the goal of strengthening threat detection and response.
The guidance, published jointly by the cybersecurity agencies of the United Kingdom, United States, Australia, Canada, and New Zealand, sets out the digital forensics and protective monitoring capabilities that manufacturers of network devices and appliances should build into their products. The aim is to improve threat detection and response across critical infrastructure.
Recommendations
Complete Logging: Devices must record authentication attempts, service interactions, process creations, and configuration changes. For authentication events, both successful and failed attempts must be logged, including the username, source IP address, and session ID.
Secure Log Management: Logs must be produced in a standardized format so that they can be ingested by Security Information and Event Management (SIEM) tools. Timestamps should use ISO 8601 format, and devices should synchronize their clocks from trusted Network Time Protocol (NTP) sources.
Devices must support near real-time forwarding of logs over standard protocols protected with Transport Layer Security (TLS), and manufacturers should fully document their log formats to ease integration with third-party platforms and tools.
Forensic Data Collection: Devices must support the collection of both volatile and non-volatile data. Volatile data includes the state of running processes and memory; non-volatile data includes a full image of the device's storage. Access to this data must be protected by appropriate access controls.
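To make the logging requirements above concrete, the following added example (not code from the guidance or from any of the publishing agencies) builds authentication events in a single-line JSON shape that carries the fields the guidance calls for, checks incoming log lines for conformance (required fields present, ISO 8601 timestamp with an explicit timezone), and runs a simple SIEM-side correlation over the stream. The field names, the JSON layout and the sample log lines are this example's own constructions; the guidance does not prescribe a particular schema.

```python
"""Constructed example: structured device log events with the fields the
guidance asks for, plus the SIEM-side checks those fields make possible.
The record layout and field names are this example's own assumption."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Fields every authentication event is expected to carry (example's choice of names).
REQUIRED_AUTH_FIELDS = ("timestamp", "event", "user", "src_ip", "session_id", "result")

# ISO 8601 date-time with an explicit offset or "Z". A naive local timestamp is
# rejected: without a timezone it cannot be correlated across devices in a SIEM.
_ISO8601_TZ = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def make_auth_event(user, src_ip, session_id, success, when=None):
    """Build one authentication event as a single-line JSON record."""
    when = when or datetime.now(timezone.utc)
    record = {
        "timestamp": when.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "event": "authentication",
        "user": user,
        "src_ip": src_ip,
        "session_id": session_id,
        "result": "success" if success else "failure",
    }
    return json.dumps(record, separators=(",", ":"))


def validate_event(line):
    """Return a list of problems with one log line; an empty list means conformant."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(rec, dict):
        return ["not a JSON object"]
    problems = []
    for field in REQUIRED_AUTH_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing field: {field}")
    ts = rec.get("timestamp", "")
    if isinstance(ts, str) and not _ISO8601_TZ.match(ts):
        problems.append("timestamp is not ISO 8601 with timezone")
    if rec.get("result") not in ("success", "failure", None):
        problems.append("result must be 'success' or 'failure'")
    return problems


def audit_log(lines):
    """Map the index of each non-conformant line to its list of problems."""
    return {i: p for i, p in ((i, validate_event(l)) for i, l in enumerate(lines)) if p}


def brute_force_then_success(lines, threshold=3):
    """Flag (src_ip, user, failures) where >= threshold failures from one source IP
    are followed by a success. Lines that fail validation are skipped, which is why
    conformant events matter: unstructured or incomplete lines cannot be correlated."""
    failures = defaultdict(int)
    flagged = []
    for line in lines:
        if validate_event(line):
            continue
        rec = json.loads(line)
        ip = rec["src_ip"]
        if rec["result"] == "failure":
            failures[ip] += 1
        else:
            if failures[ip] >= threshold:
                flagged.append((ip, rec["user"], failures[ip]))
            failures[ip] = 0
    return flagged


# Constructed sample stream: conformant events followed by two defective lines.
T0 = datetime(2025, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_auth_event("admin", "203.0.113.7", "s-1001", False, T0),
    make_auth_event("admin", "203.0.113.7", "s-1002", False, T0),
    make_auth_event("admin", "203.0.113.7", "s-1003", False, T0),
    make_auth_event("admin", "203.0.113.7", "s-1004", True, T0),
    make_auth_event("ops", "198.51.100.4", "s-2001", True, T0),
    # Naive local timestamp and no session ID: fails validation.
    '{"timestamp":"2025-01-15 09:30:00","event":"authentication",'
    '"user":"ops","src_ip":"198.51.100.4","result":"success"}',
    # Free-text syslog line with none of the required fields.
    "Jan 15 09:30:00 fw01 login failed",
]

if __name__ == "__main__":
    for idx, problems in audit_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(problems)}")
    print("flagged:", brute_force_then_success(SAMPLE_LOG))
```

Running the block lists the two defective lines with their problems and flags the single source IP whose three failures were followed by a successful login. The same validation step would be the natural place to reject records whose timestamps drift from the collector's NTP-synchronized clock, which the example leaves out.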
The guidance stresses that devices should be secure by design and by default, pushing manufacturers to build robust logging and forensic features in from the outset. This up-front approach ensures network defenders have the tools they need to detect malicious activity and carry out thorough investigations after security incidents.
This initiative comes in response to the increasing targeting of network devices by malicious actors exploiting vulnerabilities and insecure configurations. By adhering to these guidelines, device manufacturers and their customers will be better positioned to detect and respond to threats, thereby enhancing the overall security posture of critical infrastructure networks.
For more detailed information, the full guidance document is available on the National Cyber Security Centre’s website.