Critical Control 12: Malware Defenses

How do attackers exploit the lack of this control?

Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, email attachments, mobile devices, and other vectors. Malicious code may tamper with the system's contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Organizations should monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, and host-based Intrusion Prevention System functionality. Enterprise administrative features should be used to check daily the number of systems that do not have the latest anti-malware signatures, keeping the number of such systems small or eliminating them entirely through rapid and continuous updates. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
  2. QW: Organizations should employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.
  3. QW: Organizations should configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, Firewire devices, external SATA devices, mounted network shares, or other removable media.
  4. QW: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
  5. Advanced: Organizations should deploy honeypots or tarpits as detection mechanisms that can also slow down an attacker's progress inside a network.
  6. Advanced: Organizations should deploy Network Access Control (NAC) tools to verify security configuration and patch level compliance before granting access to a network.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)

Procedures and tools for implementing this control:

Relying on policy and user action to keep anti-malware tools up to date has been widely discredited, as many users have not proven able to keep such tools up to date consistently. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise end-point security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. For added security in depth, and for those systems that may fall outside the enterprise anti-malware coverage, some organizations use network access control technology that tests machines for compliance with security policy before allowing them to connect to the network.
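As an added example (not from this page or any vendor console), here is a Python version of the daily automated check the paragraph above describes, run over a constructed endpoint-console export: it flags hosts with anti-virus or host IPS disabled, signatures older than the daily update cycle, or no recent check-in, and reports the compliant fraction. The export columns, host names, dates and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed endpoint-console export; the column layout is an assumption
# made for this example, real consoles export different fields.
INVENTORY = """\
host,av_enabled,hips_enabled,sig_date,last_seen
ws-101,1,1,2024-05-14,2024-05-14T07:55:00
ws-102,1,0,2024-05-14,2024-05-14T08:01:00
srv-db1,1,1,2024-05-11,2024-05-14T06:30:00
lap-207,0,0,2024-05-13,2024-05-12T18:12:00
"""

LATEST_SIG = datetime(2024, 5, 14)   # newest signature set (constructed date)
MAX_SIG_AGE = timedelta(days=1)      # items 1-2: signatures are pushed daily
MAX_CHECKIN_AGE = timedelta(days=1)  # a host silent for longer may be unmanaged

def parse_inventory(text):
    """Turn the CSV-style export into a list of per-host dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]

def assess(inventory, latest_sig, now):
    """Return {host: [findings]} for every host that fails the daily check."""
    findings = {}
    for row in inventory:
        problems = []
        if row["av_enabled"] != "1":
            problems.append("anti-virus disabled")
        if row["hips_enabled"] != "1":
            problems.append("host IPS disabled")
        sig_age = latest_sig - datetime.strptime(row["sig_date"], "%Y-%m-%d")
        if sig_age > MAX_SIG_AGE:
            problems.append(f"signatures {sig_age.days} days behind")
        if now - datetime.fromisoformat(row["last_seen"]) > MAX_CHECKIN_AGE:
            problems.append("no check-in for more than a day")
        if problems:
            findings[row["host"]] = problems
    return findings

def daily_report(now_iso="2024-05-14T09:00:00"):
    """Findings plus the fraction of hosts that passed, the number to trend toward 100%."""
    inventory = parse_inventory(INVENTORY)
    findings = assess(inventory, LATEST_SIG, datetime.fromisoformat(now_iso))
    return findings, (len(inventory) - len(findings)) / len(inventory)
```

Hosts that appear in the findings are the ones to remediate the same day; hosts missing from the export entirely are the case the paragraph's NAC remark addresses.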

Some enterprises deploy free or commercial honeypot and tarpit tools to identify attackers in their environment. Security personnel should continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for a follow-on investigation.

Control 12 Metric:

The system must identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system within one hour, alerting or sending e-mail notification to a list of enterprise personnel via their centralized anti-malware console or event log system. Systems must block installation, prevent execution, or quarantine malicious software within one hour, alerting or sending e-mail when this action has occurred. Every 24 hours after that point, the system must alert or send e-mail about the status of the malicious code until such time as the threat has been completely mitigated on that system. While the one-hour timeframe represents the current metric to help organizations improve their current state of security, in the future, organizations should strive for even more rapid detection and malware isolation, with notification about malware in the enterprise being sent within two minutes and blocking, execution prevention, or quarantine actions occurring within five minutes.

Control 12 Test:

To evaluate the implementation of Control 12 on a periodic basis, the evaluation team must move a benign software test program which appears to be malware (such as an EICAR file or benign hacker tools) that is not included in the official authorized software list to ten systems on the network via a network share. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the benign malware within one hour. The team must also verify that the alert or e-mail is received within one hour indicating that the software has been blocked or quarantined. The evaluation team must verify that the system provides details of the location of each machine with this new test file, including information about the asset owner. The evaluation team must then verify that the file is blocked by attempting to execute or open it and verifying that it is not allowed to be accessed.

Once this test has been performed transferring the files to organization systems via removable media, the same test must be repeated, but transferring the benign malware to ten systems via e-mail instead. The organization must expect the same notification results as noted with the removable media test.
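As an added example that is not part of this page, the following Python scores the Control 12 test above against the Control 12 metric: given the time the benign EICAR test file was placed on each test system and a constructed export of the anti-malware console, it checks the one-hour alert and block/quarantine windows, that asset-owner details were reported, and that an unmitigated host keeps reporting at least every 24 hours. Host names, timestamps and the console line format are assumptions.

```python
from datetime import datetime, timedelta

ALERT_SLA = timedelta(hours=1)         # metric: alert within one hour
BLOCK_SLA = timedelta(hours=1)         # metric: block/quarantine within one hour
STATUS_INTERVAL = timedelta(hours=24)  # metric: status re-alert until mitigated

# Constructed: when the benign EICAR test file was placed on each test system
PLACED = {
    "ws-101": "2024-05-14T09:00:00",
    "ws-102": "2024-05-14T09:00:00",
    "srv-db1": "2024-05-14T09:05:00",
}
# Constructed console export (timestamp host event detail); format is assumed
CONSOLE_LOG = r"""2024-05-14T09:03:10 ws-101 DETECT EICAR-Test-File \\fs01\test\eicar.com owner=jdoe
2024-05-14T09:03:12 ws-101 QUARANTINE EICAR-Test-File
2024-05-14T10:20:00 ws-102 DETECT EICAR-Test-File \\fs01\test\eicar.com owner=asmith
2024-05-14T10:20:01 ws-102 QUARANTINE EICAR-Test-File
2024-05-14T09:30:00 srv-db1 DETECT EICAR-Test-File \\fs01\test\eicar.com owner=dba
2024-05-15T09:30:00 srv-db1 STATUS EICAR-Test-File still-present
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, *rest = line.split()
        events.append((datetime.fromisoformat(ts), host, kind, " ".join(rest)))
    return sorted(events)

def evaluate(placed, events):
    """Per test system: were alert, block and owner details delivered within the metric?"""
    results = {}
    for host, placed_iso in placed.items():
        t0 = datetime.fromisoformat(placed_iso)
        mine = [e for e in events if e[1] == host and e[0] >= t0]
        detect = next((e[0] for e in mine if e[2] == "DETECT"), None)
        block = next((e[0] for e in mine if e[2] in ("BLOCK", "QUARANTINE")), None)
        status = [e[0] for e in mine if e[2] == "STATUS"]
        results[host] = {
            "alert_in_sla": detect is not None and detect - t0 <= ALERT_SLA,
            "block_in_sla": block is not None and block - t0 <= BLOCK_SLA,
            "owner_reported": any("owner=" in e[3] for e in mine),
            # an unmitigated host must keep reporting its status every 24 hours
            "followup_ok": block is not None or (
                detect is not None and bool(status) and status[0] - detect <= STATUS_INTERVAL),
        }
    return results

def failures(results):
    return sorted(h for h, r in results.items() if not all(r.values()))
```

Running the same scoring over the e-mail variant of the test only changes the `PLACED` times; the console events and thresholds stay the same.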
