NSA warns against silly mistake in the fight against Windows malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Task automation platform PowerShell, which is often abused by threat actors distributing malware, can also be used for attack detection and prevention. This is the advice the US National Security Agency (NSA) recently gave to system administrators everywhere. 

Alongside cybersecurity centers in the UK and New Zealand, the NSA published a security advisory in which it argues that blocking PowerShell, a common security practice, actually lowers organizations’ defensive capabilities against ransomware and other forms of cyberattacks.

Instead, system admins should use it to boost their forensics and incident response, as well as to automate as many repetitive tasks as possible.

Image

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Numerous recommendations

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell,” the NSA stated.

The advisory comes with a number of recommendations, including leveraging PowerShell remoting, or using Secure Shell protocol (SSH) to improve the security of public-key authentication.

“Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host,” the document explained.

System admins can also hunt for signs of abuse on their endpoints by recording PowerShell activity and monitoring logs. 

The advisory also recommends admins turn on features such as Deep Script Block Logging, Module Logging, or Over-The-Shoulder Transcription, as the former create a log database, handy for spotting aggressive PowerShell activity. 

The latter allows admins to record every PowerShell input and output, getting a better understanding of the attackers’ goals. 

“PowerShell is essential to secure the Windows operating system,” the NSA concluded, adding that, with proper configuration and management, it can be a great tool for system maintenance and security.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Hack The Box crisis simulation event
“Everyone will experience a hack” - how incident response can protect your organization
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Don’t let holidays be your cybersecurity downfall
An image of network security icons for a network encircling a digital blue earth.
Why effective cybersecurity is a team effort
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Representational image of a cybercriminal
Microsoft discovers five potentially damaging attacks against its own software
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock
Man using iMessage on an iPhone
Apple will finally enable encrypted RCS messages between iOS and Android, and it's about time
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats