This joint advisory is the result of a collaborative research
effort by the cybersecurity authorities of five nations:
Australia, Canada, New Zealand, the United Kingdom, and
the United States. It highlights technical approaches to
uncovering malicious activity and includes mitigation steps
according to best practices. The purpose of this report is to
enhance incident response among partners and network
administrators along with serving as a playbook...
> Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners toview—and, if needed, easily disable—most programs that automatically load onto the system.
No. I'm not trying to be sarcastic. Autoruns (seriously) has helped me stop so much malware from running. I'm a Windows sysadmin for my sins, and find the whole Sysinternals suite invaluable and super necessary for my job.
I'm fine if you down vote me but what exactly is wrong with my suggestion that preventing users running malware is exactly what the sysadmin's job is, and sysadmins have exactly the tools, authority and need to do it. Where did I get it wrong?
I expect it's sincere but with a hint of sardonic edge that such a simple and widespread tool found its way into the guidance issued by nation state level intelligence agencies. Kind of like if NASA issued workmanship standards for the ISS and mentioned the utility of a hammer.
Yes I am overlooking a /lot/ of the PDF which has other useful info on thwarting malware (and a lot of it is very interesting and I might incorporate into my toolbelt), not just the "hammer" of Autoruns lol
Lots of government agencies post best-practices for simple stuff. Getting the basics right is important, both for government agencies and the general public. NASA publications aren't all cutting edge space technology either: https://spaceplace.nasa.gov/telescopes/en/
I'd really love a tool that learns what set of startup triggers and resident processes are normal on my machine, subtly signals when something unusual appears (but unobtrusively, e.g. yellow icon on system tray), and if it lingers for long enough warns me (e.g. reg icon).
Even if I had to "train" it manually by whitelisting processes one at a time I might still be interested.
Took me a little bit to realize this is an announcement of a new collaboration and initiative, and not any specific vulnerability, or am I still reading this wrong?
12 comments
[ 2.9 ms ] story [ 40.8 ms ] threadhttps://us-cert.cisa.gov/sites/default/files/publications/AA...
This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook...
From the PDF here: https://us-cert.cisa.gov/sites/default/files/publications/AA...
> Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners toview—and, if needed, easily disable—most programs that automatically load onto the system.
[0] https://docs.microsoft.com/en-us/sysinternals/downloads/auto...
I'd really love a tool that learns what set of startup triggers and resident processes are normal on my machine, subtly signals when something unusual appears (but unobtrusively, e.g. yellow icon on system tray), and if it lingers for long enough warns me (e.g. reg icon).
Even if I had to "train" it manually by whitelisting processes one at a time I might still be interested.