12 comments

[ 2.9 ms ] story [ 40.8 ms ] thread
The PDF of the release is at us-cert.cisa.gov:

https://us-cert.cisa.gov/sites/default/files/publications/AA...

This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook...

Ah yes, Autoruns[0], my first port of call in analyzing malware or stopping malware from running. Such an invaluable tool

From the PDF here: https://us-cert.cisa.gov/sites/default/files/publications/AA...

> Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners toview—and, if needed, easily disable—most programs that automatically load onto the system.

[0] https://docs.microsoft.com/en-us/sysinternals/downloads/auto...

I’m not a windows guy, so this is an honest question: is your tone sarcastic?
No. I'm not trying to be sarcastic. Autoruns (seriously) has helped me stop so much malware from running. I'm a Windows sysadmin for my sins, and find the whole Sysinternals suite invaluable and super necessary for my job.
If your users can run malware, erm, what kind of permissions are you giving them? Hate to say it but a sysadmin's job is sometimes to say no.
I'm fine if you down vote me but what exactly is wrong with my suggestion that preventing users running malware is exactly what the sysadmin's job is, and sysadmins have exactly the tools, authority and need to do it. Where did I get it wrong?
I expect it's sincere but with a hint of sardonic edge that such a simple and widespread tool found its way into the guidance issued by nation state level intelligence agencies. Kind of like if NASA issued workmanship standards for the ISS and mentioned the utility of a hammer.
Yes I am overlooking a /lot/ of the PDF which has other useful info on thwarting malware (and a lot of it is very interesting and I might incorporate into my toolbelt), not just the "hammer" of Autoruns lol
Lots of government agencies post best-practices for simple stuff. Getting the basics right is important, both for government agencies and the general public. NASA publications aren't all cutting edge space technology either: https://spaceplace.nasa.gov/telescopes/en/
Yep it rocks.

I'd really love a tool that learns what set of startup triggers and resident processes are normal on my machine, subtly signals when something unusual appears (but unobtrusively, e.g. yellow icon on system tray), and if it lingers for long enough warns me (e.g. reg icon).

Even if I had to "train" it manually by whitelisting processes one at a time I might still be interested.

Took me a little bit to realize this is an announcement of a new collaboration and initiative, and not any specific vulnerability, or am I still reading this wrong?
I thought the same. I feel they should have called it something like "Joint Cybersecurity Advisory Protocol".