NSA warns against silly mistake in fight against Windows malware
PowerShell, the Windows task-automation and configuration-management platform, is often misused by threat actors to distribute malware, but it can also be used for attack detection and prevention. That is the advice the US National Security Agency (NSA) recently gave to system administrators everywhere.
Along with cybersecurity centers in the UK and New Zealand, the NSA published a security advisory arguing that blocking PowerShell, a common security practice, actually undermines organizations' defensive capabilities against ransomware and other forms of cyberattack.
Instead, system administrators should use it to boost their forensics and incident response, as well as automate as many repetitive tasks as possible.
Many recommendations
"Blocking PowerShell hinders the defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell," the NSA said.
The advisory comes with a number of recommendations, including using PowerShell Remoting over the Secure Shell protocol (SSH) instead of the default WinRM transport, because SSH supports public-key authentication and avoids sending reusable passwords to the remote host.
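As an added example (not code from the advisory or from Microsoft), the following script configures the Windows OpenSSH server for PowerShell remoting over SSH with key-based authentication only and then opens a session from an administrator's workstation. It assumes the OpenSSH Server feature and PowerShell 7 are already installed; the host name, user name and key path are placeholders.

```powershell
# Added example, not from the advisory: enable PowerShell remoting over SSH on a
# Windows host that already has the OpenSSH Server feature installed, restrict sshd
# to public-key authentication, and connect from a workstation with a key.
# Host names, user names and the key path are placeholders.
#Requires -RunAsAdministrator

function Enable-PowerShellSshRemoting {
    # Windows OpenSSH keeps its server configuration under %ProgramData%\ssh.
    $sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
    $lines = @(Get-Content -Path $sshdConfig)

    # Register pwsh as an SSH subsystem. Microsoft's documented form uses the 8.3 short
    # path because sshd on Windows does not handle the space in "Program Files".
    if (-not ($lines -match '^\s*Subsystem\s+powershell\b')) {
        $lines += 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo'
    }

    # Force key-based authentication: replace any existing (possibly commented-out) directive.
    foreach ($opt in @{ PubkeyAuthentication = 'yes'; PasswordAuthentication = 'no' }.GetEnumerator()) {
        $pattern = "^\s*#?\s*$($opt.Key)\b.*$"
        if ($lines -match $pattern) {
            $lines = $lines -replace $pattern, "$($opt.Key) $($opt.Value)"
        } else {
            $lines += "$($opt.Key) $($opt.Value)"
        }
    }

    Set-Content -Path $sshdConfig -Value $lines
    Restart-Service -Name sshd
}

function Connect-PowerShellOverSsh {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $KeyFilePath = (Join-Path $HOME '.ssh\id_ed25519')
    )
    # -HostName (rather than -ComputerName) selects the SSH transport in PowerShell 7;
    # -KeyFilePath makes the client authenticate with the key instead of prompting for a password.
    $session = New-PSSession -HostName $HostName -UserName $UserName -KeyFilePath $KeyFilePath
    try {
        Invoke-Command -Session $session -ScriptBlock {
            [pscustomobject]@{
                Host         = $env:COMPUTERNAME
                Version      = $PSVersionTable.PSVersion.ToString()
                LanguageMode = $ExecutionContext.SessionState.LanguageMode
            }
        }
    } finally {
        Remove-PSSession -Session $session
    }
}

# On the server:      Enable-PowerShellSshRemoting
# On the workstation: Connect-PowerShellOverSsh -HostName 'server01.corp.example' -UserName 'ops-admin'
```

The subsystem line and the two authentication directives are all that sshd needs; the returned LanguageMode value is a quick way to confirm from the client whether the remote host is running PowerShell under an application-control policy (it reports ConstrainedLanguage rather than FullLanguage).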
The document explained, "Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host." With an application-control policy enforced, PowerShell drops into Constrained Language Mode, which blocks the .NET and COM access that most PowerShell-based tooling relies on.
System administrators can also hunt for signs of abuse on their endpoints by recording PowerShell activity and monitoring the resulting logs.
The advisory also recommends that admins turn on features such as Deep Script Block Logging, Module Logging and Over-the-Shoulder transcription, which together build up a log database that is handy for finding malicious PowerShell activity.
The last of these records the full input and output of every PowerShell session, giving administrators a better understanding of the attackers' goals.
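As an added example (not code from the advisory), the script below enables the three logging features named above through the same policy registry values that Group Policy sets, and then hunts the script block log for common abuse indicators. The indicator patterns and the transcript directory are illustrative assumptions, not data supplied by the NSA.

```powershell
# Added example, not from the advisory: turn on the three logging features it names
# (the policy registry values Group Policy would otherwise set), then hunt the resulting
# script block events for common abuse indicators. The indicator patterns and the
# transcript directory are illustrative assumptions, not NSA-supplied data.
#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string] $TranscriptDir = 'C:\PSTranscripts')

    # Deep Script Block Logging: records the de-obfuscated text of every script block
    # as event 4104 in Microsoft-Windows-PowerShell/Operational.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module Logging: pipeline execution details (event 4103) for every module ('*').
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Over-the-Shoulder transcription: full input and output of each session written to a
    # text file. Point OutputDirectory at a protected location an attacker cannot edit.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -Type String
}

# Regexes that appear in a large share of malicious script blocks. Illustrative and
# deliberately short; tune them against your own baseline to keep false positives down.
$SuspiciousPatterns = @(
    '-EncodedCommand', '-e(nc|c)?\s+[A-Za-z0-9+/=]{20,}',   # base64-encoded command lines
    'FromBase64String', 'Invoke-Expression', '\bIEX\b',      # decode-and-eval chains
    'DownloadString', 'DownloadFile', 'Net\.WebClient',      # staged payload retrieval
    'ExecutionPolicy\s+Bypass', 'AmsiUtils', 'amsiInitFailed' # policy and AMSI bypass attempts
)

function Find-SuspiciousScriptBlock {
    param([datetime] $Since = (Get-Date).AddDays(-1))

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 payload layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
        # [3] ScriptBlockId, [4] Path. Long blocks are split across several 4104 events.
        $text = [string] $_.Properties[2].Value
        $hits = @($SuspiciousPatterns | Where-Object { $text -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Part          = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                Indicators    = ($hits -join ' | ')
                Preview       = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

# Usage:
#   Enable-PowerShellLogging -TranscriptDir '\\logserver\PSTranscripts'
#   Find-SuspiciousScriptBlock -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

In a domain these values belong in a Group Policy object (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) rather than a per-host script, and both the event log and the transcript directory should be forwarded to a collector that the monitored host cannot modify. Note that PowerShell 5 and later logs script blocks it considers suspicious at Warning level even when script block logging is off, so an empty result from the hunt is not proof that logging is enabled.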
"PowerShell is essential to securing the Windows operating system," the NSA concluded, adding that with proper configuration and management it can be a great tool for system maintenance and security.
Via Bleeping Computer