6 days to save $250 for SANS Seattle 2014
6 Days Left to Save $400 on SANS Network Security 2014

Critical Security Control: 5

Critical Security Control: 5

Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why Is This Control Critical?

Malicious software is an integral and dangerous aspect of Internet threats, and can be designed to attack your systems, devices, or your data. It can be fast-moving, fast-changing, and enter through any number of points like end-user devices, e-mail attachments, web pages, cloud services, user actions, and removable media. Modern malware can be designed to avoid defenses, or to attack or disable them.

How to Implement This Control

Malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like Incident Response. They must also be deployed at multiple possible points-of-attack to detect, stop the movement of, or control the execution of malicious software. Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.

ID # Description Category
CSC 5-1 Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. Quick win
CSC 5-2 Employ anti-malware software that offers a remote, cloud-based centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update. Quick win
CSC 5-3 Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares,. Quick win
CSC 5-4 Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted. Quick win
CSC 5-5 Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering. Quick win
CSC 5-6 Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables. Quick win
CSC 5-7 Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices. Quick win
CSC 5-8 Ensure that automated monitoring tools use behavior-based anomaly detection to complement traditional signature-based detection. Visibility/ Attribution
CSC 5-9 Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint. Visibility/ Attribution
CSC 5-10 Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running on corporate systems that do not appear to be recognized by the enterprise's anti-malware software. Samples should be provided to the security vendor for "out-of-band" signature creation and later deployed to the enterprise by system administrators. Advanced
CSC 5-11 Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains. Advanced

CSC 5 Procedures and Tools

To ensure anti-virus signatures are up to date, organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions.

Some enterprises deploy free or commercial honeypot and "tarpit" tools to identify attackers in their environment. Security personnel should continuously monitor these tools to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.

CSC 5 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. How long does it take the system to identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system (time in minutes)?

2. How long does it take the system to send e-mail notification to a list of enterprise personnel via their centralized anti-malware console or event log system after malicious code has been identified (time in minutes)?

3. Does the system have the ability to block installation, prevent execution, or quarantine malicious software (yes or no)?

4. Does the system have the ability to identify the business unit in the organization where the malicious software was identified (yes or no)?

5. How long does it take the organization to completely remove the malicious code from the system after it has been identified (time in minutes)?

CSC 5 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. How many instances of malicious code have been detected within a period of time by host based anti-malware systems (by business unit)?

2. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's host based anti-malware systems (by business unit)?

3. How many instances of malicious code have been detected within a period of time by network based anti-malware systems (by business unit)?

4. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's network based anti-malware systems (by business unit)?

5. Percentage of applications on a system that are not utilizing application sandboxing products (by business unit)?

6. Percentage of systems with anti-malware systems deployed, enabled, and up-to-date (by business unit)?

CSC 5 Effectiveness Test

To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program that appears to be malware (such as an EICAR file or benign hacker tools), but that is not included in the official authorized software list, to 10 systems on the network via a network share. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the benign malware within one hour. The team must also verify that the alert or e-mail indicating that the software has been blocked or quarantined is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test file, including information about the asset owner. The team must then verify that the file is blocked by attempting to execute or open it and verifying that it is not allowed to be accessed.

Once this test has been performed transferring the files to organization systems via removable media, the same test must be repeated, but this time transferring the benign malware to 10 systems via e-mail instead. The organization must expect the same notification results as noted with the removable media test.

CSC 5 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining anti-malware systems and threat vectors such as removable media. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Anti-malware systems analyze production systems and removable media

Step 2: Removable media is analyzed when connected to production systems

Step 3: Email/web and network proxy devices analyze all incoming and outgoing traffic

Step 4: Network access control monitors all systems connected to the network

Step 5: Intrusion/network monitoring systems perform continuous monitoring looking for signs of malware.


Creative Commons - Attribution-NoDerivs 3.0 Unported (CC BY-ND 3.0)

This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.

You may use the following code to embed the 20 Critical Controls on your site:

<iframe src="http://www.sans.org/critical-security-controls/" width="1000" height="1200" />