Malware Defenses

How do attackers exploit the absence of this control?

Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, e-mail attachments, mobile devices, the cloud, and other vectors. Malicious code may tamper with the system's contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.

How to Implement, Automate, and Measure the Effectiveness of this Control

1. Quick wins: Employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewall, and host-based IPS functionality. All malware detection events should be sent to the enterprise anti-malware administration console and to central event log servers, so that a detection on one host remains visible to the security team even if the malware then disables the local agent. The endpoint security solution should include protection against previously unseen (zero-day) malware, such as network and host behavioral heuristics.

2. Quick wins: Enable the anti-malware software's signature auto-update feature, or have administrators push updates to all machines at least daily. After each update, an automated check should confirm that every system actually received it (for example, by comparing the signature version each host reports against the current release); hosts that have fallen behind are the ones malware is most likely to slip past.

3. Quick wins: Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment (eSATA) devices, mounted network shares, or other removable media. If such devices are not required for business use, disable them. Note that turning off auto-run only stops content on the media from launching by itself; it does not stop a user from opening a malicious file on the media by hand, which is why the media should also be scanned on insertion (item 4).

4. Quick wins: Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

5. Quick wins: Scan all e-mail attachments at the organization's e-mail gateway and block any that contain malicious code or that are of file types the business does not need. This scanning must happen before the message is placed in the user's inbox, not after. Determine the file type from the attachment's content as well as from its name, since attackers routinely rename executables (e.g., "report.pdf.exe") or wrap them in archives to get past name-based filters. Content filtering belongs at the e-mail gateway and, as in the next item, at the web gateway.

6. Quick wins: Apply anti-virus scanning at the web proxy gateway, and apply file-type content filtering at the perimeter so that the file types blocked for e-mail are also blocked for web downloads.

7. Quick wins: Deploy exploit-mitigation features and toolkits such as Data Execution Prevention (DEP) and the Enhanced Mitigation Experience Toolkit (EMET), products that provide sandboxing (e.g., running browsers in a virtual machine), and other techniques that stop malware from exploiting vulnerabilities in the first place. (EMET reached end of support in July 2018; on current Windows versions the equivalent mitigations are provided by the built-in Exploit Protection settings.)

8. Quick wins: Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices.

9. Visibility/Attribution: Block access to external e-mail systems, instant messaging services, and other social media tools.

10. Visibility/Attribution: Ensure that automated monitoring tools use behavior-based anomaly detection to complement and enhance traditional signature-based detection.

11. Visibility/Attribution: Utilize network-based anti-malware tools to analyze all inbound traffic and filter out malicious content before it arrives at the endpoint.

12. Advanced: Perform continuous monitoring of all inbound and outbound traffic. Flag any unusually large data transfer (relative to the host's normal baseline) or any unauthorized traffic, and if the activity is validated as malicious, move the computer to an isolated VLAN.

13. Advanced: Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running undetected on corporate systems. The security team should submit the samples to the anti-malware vendor for "out-of-band" signature creation, and system administrators should then deploy the resulting signatures across the enterprise.

14. Advanced: Utilize network-based flow analysis tools to analyze inbound and outbound traffic looking for anomalies, indicators of malware, and compromised systems.

15. Advanced: Deploy "reputation-based technologies" on all endpoint devices to cover the gap left by signature-based detection, i.e., files and sites too new or too rare to have a signature yet.

16. Advanced: Enable domain name system (DNS) query logging on the internal resolvers to detect lookups of known malicious command-and-control (C2) domains. Match on the domain and its subdomains (a suffix match on whole DNS labels) rather than on a plain substring, and block direct outbound DNS from endpoints so that queries cannot bypass the logged resolvers.

17. Advanced: Route all communication between the internal network and the Internet through a proxy, and block direct connections that bypass it, so that the scanning and filtering in items 6 and 11 cannot be sidestepped.
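The attachment gating of item 5, written out as an added example (this is not code from the original control document, and the blocked-extension list, size limits, and sample attachments are constructed assumptions). It checks the file name for blocked types anywhere in a double extension, checks the content's leading bytes so a renamed executable is still caught, and looks inside ZIP archives:

```python
"""Attachment gating for a mail gateway: an added, constructed example.

Blocks an attachment when (1) its name carries a file type the business does
not need, (2) its content is a PE executable regardless of name, or (3) it is
a ZIP archive containing either of the above. Lists and limits are assumptions.
"""
from __future__ import annotations

import io
import zipfile

# Assumption: extensions this organization has no business need to receive.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
    "vbe", "wsf", "hta", "lnk", "msi", "ps1", "jar",
}
# Leading bytes -> coarse file type. PE executables (exe/dll/scr) start with "MZ".
MAGIC = [
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # ZIP, also docx/xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls
]
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: refuse to expand huge members
MAX_ARCHIVE_DEPTH = 1                # an archive inside an archive is blocked


def sniff_type(data: bytes) -> str:
    """Classify by content; 'unknown' when no signature matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def name_extensions(filename: str) -> list[str]:
    """All dotted suffixes, lowercased: 'report.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> tuple[bool, str]:
    """Return (blocked, reason) for one attachment, recursing into ZIP members."""
    exts = name_extensions(filename)
    # 1. Any blocked extension anywhere in the name, so 'invoice.pdf.exe' is caught.
    hits = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if hits:
        return True, f"{filename}: blocked extension .{hits[-1]}"
    kind = sniff_type(data)
    # 2. A PE header under a harmless-looking name is a disguised executable.
    if kind == "exe":
        return True, f"{filename}: content is a PE executable"
    # 3. Look inside archives; nested archives and oversized members are refused.
    if kind == "zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return True, f"{filename}: nested archive"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        return True, f"{filename}: oversized member {member.filename}"
                    blocked, reason = inspect_attachment(member.filename, zf.read(member), depth + 1)
                    if blocked:
                        return True, f"{filename} -> {reason}"
        except zipfile.BadZipFile:
            return True, f"{filename}: corrupt archive"
    return False, f"{filename}: allowed ({kind})"


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct a sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not malware; the "executable" is just an MZ header).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.4\n%constructed\n",
    "invoice.pdf.exe": PE_STUB,                              # double extension
    "holiday.jpg": PE_STUB,                                  # executable renamed as image
    "notes.zip": build_zip({"notes.txt": b"meeting notes"}),
    "statement.zip": build_zip({"statement.pdf.scr": PE_STUB}),
    "bundle.zip": build_zip({"inner.zip": build_zip({"x.txt": b"x"})}),
}


def gate_samples() -> dict[str, bool]:
    """Run the gate over SAMPLES; returns filename -> blocked?"""
    return {name: inspect_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(inspect_attachment(name, data))
```

Only "quarterly.pdf" and "notes.zip" pass; the renamed executable is caught by its content, the double extension by its name, and the archived screensaver by recursion. A production gateway would add a real anti-virus engine behind this gate; the point here is that name-based filtering alone is trivially bypassed.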
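The traffic monitoring of item 12 and the flow analysis of item 14, as one added example (not code from the original document). The flow records are constructed NetFlow-like tuples, and the thresholds are illustrative assumptions. Two checks run over them: total outbound volume per internal host, and beaconing, i.e. repeated connections to one external endpoint at near-constant intervals, which human-driven traffic rarely produces:

```python
"""Flow-based detection of bulk outbound transfers and periodic beaconing.

An added, constructed example: the records are invented, not captured traffic.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict

Flow = tuple[int, str, str, int, int]  # (epoch_seconds, src, dst, dst_port, bytes_sent_by_src)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def constructed_flows() -> list[Flow]:
    """Constructed sample data covering a benign host, a beaconing host, and a bulk transfer."""
    base = 1_331_548_800  # arbitrary start time
    flows: list[Flow] = []
    # 10.0.0.5: ordinary browsing, irregular timing and sizes
    for gap, size in [(0, 12_000), (37, 48_000), (110, 8_000), (400, 150_000), (460, 20_000)]:
        flows.append((base + gap, "10.0.0.5", "93.184.216.34", 443, size))
    # 10.0.0.5 also copies a large file to an internal server: not exfiltration, must be ignored
    flows.append((base + 50, "10.0.0.5", "10.0.0.200", 445, 900_000_000))
    # 10.0.0.7: check-in every 300 s with a few seconds of jitter, tiny payloads
    for i, jitter in enumerate([0, 1, -2, 2, 0, -1, 1, 0, 2, -2, 1, 0]):
        flows.append((base + 300 * i + jitter, "10.0.0.7", "203.0.113.10", 443, 900 + 10 * i))
    # 10.0.0.9: a single 2 GiB outbound transfer over SSH
    flows.append((base + 1200, "10.0.0.9", "198.51.100.20", 22, 2 * 1024 ** 3))
    return flows


def large_transfers(flows: list[Flow], threshold_bytes: int = 1024 ** 3) -> dict[str, int]:
    """Internal hosts whose outbound bytes to external addresses exceed the threshold."""
    totals: dict[str, int] = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {host: total for host, total in totals.items() if total > threshold_bytes}


def beacons(flows: list[Flow], min_count: int = 8, max_cv: float = 0.1) -> list[tuple[str, str, int, float]]:
    """(src, dst, port, mean_interval) for outbound connections with regular timing.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive flows to the same endpoint; a low value means clockwork check-ins.
    """
    by_pair: dict[tuple[str, str, int], list[int]] = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, port)].append(ts)
    found = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            found.append((src, dst, port, float(mean)))
    return found


if __name__ == "__main__":
    flows = constructed_flows()
    print("large outbound transfers:", large_transfers(flows))
    print("beacon candidates:", beacons(flows))
```

On this data the bulk SSH upload from 10.0.0.9 is flagged by volume, the 300-second check-ins from 10.0.0.7 by regularity, and the large internal file copy is correctly ignored because both ends are RFC 1918 addresses. In practice the byte threshold should come from each host's own baseline rather than a fixed number, and a validated hit feeds the VLAN isolation step of item 12.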
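The C2 lookup detection of item 16, as an added example (not code from the original document). The log lines imitate the BIND 9 query-log format and are constructed, and the C2 domain list is an invented placeholder for a real threat-intelligence feed. The check matches on whole DNS labels, so subdomains of a listed domain are caught while look-alike names are not:

```python
"""Detect lookups of known C2 domains in DNS resolver query logs.

An added, constructed example; the log lines and the C2 list are invented.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Assumption: a feed of known-bad C2 domains, lower-cased, without trailing dot.
C2_DOMAINS = {"badc2.example", "updates-cdn.invalid"}

# Constructed BIND-style log: a benign lookup, three lookups under listed domains
# (one a mixed-case subdomain with a trailing dot), and a look-alike that must NOT match.
DNS_LOG = """\
12-Mar-2012 10:15:32.123 client 10.0.0.5#53412: query: www.example.com IN A + (10.0.0.1)
12-Mar-2012 10:15:33.001 client 10.0.0.7#41002: query: badc2.example IN A + (10.0.0.1)
12-Mar-2012 10:15:33.450 client 10.0.0.7#41003: query: a1b2c3.Update.BadC2.example. IN TXT + (10.0.0.1)
12-Mar-2012 10:15:34.000 client 10.0.0.9#50110: query: notbadc2.example IN A + (10.0.0.1)
12-Mar-2012 10:15:35.200 client @0x7f3c 10.0.0.7#41004 (updates-cdn.invalid): query: updates-cdn.invalid IN AAAA +E(0) (10.0.0.1)
"""

# Tolerates both the older "client IP#port:" form and the newer form that adds
# an object address and the queried name in parentheses.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def matches_c2(qname: str, c2_domains: set[str]) -> Optional[str]:
    """Return the listed domain if qname equals it or is a subdomain of it.

    Walking the label boundaries is what makes 'a.badc2.example' a hit while
    'notbadc2.example' is not; a plain substring test would flag both.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in c2_domains:
            return candidate
    return None


def detect_c2_lookups(log_text: str, c2_domains: set[str]) -> list[tuple[str, str, str]]:
    """(client, queried_name, matched_c2_domain) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_c2(m["qname"], c2_domains)
        if matched:
            hits.append((m["client"], normalize(m["qname"]), matched))
    return hits


def clients_to_triage(hits: list[tuple[str, str, str]]) -> Counter:
    """Count of C2 lookups per client: the hosts to isolate first."""
    return Counter(client for client, _qname, _domain in hits)


if __name__ == "__main__":
    found = detect_c2_lookups(DNS_LOG, C2_DOMAINS)
    for hit in found:
        print(hit)
    print(clients_to_triage(found))
```

All three hits come from 10.0.0.7, which is the host to pull for the sample-collection process of item 13; 10.0.0.9's lookup of the look-alike domain is left alone. This only works for hosts that actually use the logged resolvers, which is why item 16 also calls for blocking direct outbound DNS from endpoints.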