Critical Control 5: Malware Defenses

How do attackers exploit the absence of this control?

Malicious software is an integral and dangerous aspect of Internet threats, targeting end users and organizations via web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with the system's contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
  2. Quick wins: Organizations should employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.
  3. Quick wins: Organizations should configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment (eSATA) devices, mounted network shares, or other removable media.
  4. Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
  5. Quick wins: All attachments entering the organization's e-mail gateway should be scanned and blocked if they contain malicious code or file types unneeded for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering.
  6. Visibility/Attribution: Automated monitoring tools should use behavior-based anomaly detection to complement and enhance traditional signature-based detection.
  7. Configuration/Hygiene: Organizations should deploy network access control tools to verify security configuration and patch-level compliance before granting access to a network.
  8. Advanced: Continuous monitoring should be performed on outbound traffic. Any large transfers of data or unauthorized encrypted traffic should be flagged and, if validated as malicious, the computer should be moved to an isolated VLAN.
  9. Advanced: Organizations should implement an incident response process that allows their IT support team to supply their security team with samples of malware running undetected on corporate systems. Samples should be provided to the anti-virus vendor for "out-of-band" signature creation and deployed to the enterprise by system administrators.
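The daily automated assessment that items 1 and 2 call for can be expressed as a small script. The following is an added example, not code from the control or from any anti-malware product: it assumes that each managed endpoint's agent reports its protection state in the `AgentReport` shape shown (a hypothetical schema), compares each host against the policy (all required components on, on-access scanning on, signatures at the version pushed today and no older than a day), emits one syslog-style line per finding for the enterprise event log server, and computes the anti-virus score defined later in this control (average of the percentage of systems running anti-virus and the percentage configured to scan on open or execute). The sample reports are constructed.

```python
"""Daily anti-malware coverage assessment (added example; assumed agent schema)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIGNATURE_MAX_AGE = timedelta(days=1)   # signatures are pushed daily (control item 2)
REQUIRED_COMPONENTS = ("anti_virus", "anti_spyware", "personal_firewall", "host_ips")


@dataclass(frozen=True)
class AgentReport:
    """State reported by an endpoint's anti-malware agent (hypothetical schema)."""
    hostname: str
    components: dict            # component name -> enabled (bool)
    on_access_scan: bool        # scan every file when it is opened or executed
    signature_version: str
    signature_time: datetime    # when the current signatures were applied


def assess(report: AgentReport, pushed_version: str, now: datetime) -> list[str]:
    """Return finding codes for one host; an empty list means the host is compliant."""
    findings = []
    for name in REQUIRED_COMPONENTS:
        if not report.components.get(name, False):
            findings.append(f"component_disabled:{name}")
    if not report.on_access_scan:
        findings.append("on_access_scan_disabled")
    if report.signature_version != pushed_version:
        findings.append(f"signature_not_updated:{report.signature_version}")
    if now - report.signature_time > SIGNATURE_MAX_AGE:
        findings.append("signature_stale")
    return findings


def run_assessment(reports, pushed_version, now):
    """Assess every host; returns {hostname: [findings]} (empty list = compliant)."""
    return {r.hostname: assess(r, pushed_version, now) for r in reports}


def log_lines(results, now):
    """One key=value line per finding, ready to forward to the event log server."""
    stamp = now.isoformat()
    return [f"{stamp} antimalware-assess host={host} finding={f}"
            for host, findings in results.items() for f in findings]


def av_score(reports):
    """Control 5 anti-virus score: average of the percentage of systems running
    anti-virus and the percentage configured to scan on open/execute."""
    if not reports:
        return 0.0
    n = len(reports)
    running = sum(r.components.get("anti_virus", False) for r in reports)
    configured = sum(r.on_access_scan for r in reports)
    return (100.0 * running / n + 100.0 * configured / n) / 2


# Constructed sample: four endpoints reporting after today's push of "sig-1001".
NOW = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
ALL_ON = {c: True for c in REQUIRED_COMPONENTS}
SAMPLE_REPORTS = [
    AgentReport("ws01", ALL_ON, True, "sig-1001", NOW - timedelta(hours=2)),
    AgentReport("ws02", {**ALL_ON, "host_ips": False}, True, "sig-1001", NOW - timedelta(hours=3)),
    AgentReport("srv01", ALL_ON, False, "sig-1000", NOW - timedelta(hours=30)),
    AgentReport("lt03", {**ALL_ON, "anti_virus": False}, False, "sig-1001", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    results = run_assessment(SAMPLE_REPORTS, "sig-1001", NOW)
    for line in log_lines(results, NOW):
        print(line)
    print("non-compliant:", sorted(h for h, f in results.items() if f))
    print(f"Control 5 AV score: {av_score(SAMPLE_REPORTS):.1f}")
```

In practice the reports would come from the end-point suite's management console or an agent inventory rather than a hard-coded list; the point is that the check runs without anyone looking at a dashboard, and that every non-compliant host produces an event the security team can act on the same day.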

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Virus Scanners and Host Intrusion Prevention Systems (HIPS)
Personal Electronic Device (PED) Management
Network Access Protection/Control (NAP/NAC)
Security Gateways, Proxies, and Firewalls
Network Security Monitoring

Procedures and Tools to Implement and Automate this Control

Relying on policy and user action to keep anti-malware tools up to date has been widely discredited, as many users have not proven capable of consistently handling this task. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise end-point security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. For added in-depth security, and for those systems that may fall outside the enterprise anti-malware coverage, some organizations use network access control technology that tests machines for compliance with security policy before allowing them to connect to the network.
Some enterprises deploy free or commercial honeypot and tarpit tools to identify attackers in their environment. Security personnel should continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account log-ins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.
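The monitoring described above, and the "connections correlated to unique source IPs" measurement in the sensor section of this control, can be automated over the honeypot's own logs. The following is an added example, not code from the control or from any honeypot product: the `key=value` log format and the sample lines are constructed (source addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24). It aggregates activity per source address, records the details the investigation team would want (honeypots touched, ports, account names tried, first and last seen), and ranks sources so that anyone who attempted a log-in is handed over first.

```python
"""Honeypot / tarpit log monitoring (added example; constructed log format)."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-01-01T03:12:44Z honeypot=hp-dmz-1 event=connect src=203.0.113.7 dport=22
2024-01-01T03:12:45Z honeypot=hp-dmz-1 event=login src=203.0.113.7 dport=22 user=root result=fail
2024-01-01T03:12:47Z honeypot=hp-dmz-1 event=login src=203.0.113.7 dport=22 user=admin result=fail
2024-01-01T03:40:02Z honeypot=hp-dmz-1 event=connect src=198.51.100.23 dport=445
2024-01-01T03:40:05Z honeypot=hp-dmz-1 event=connect src=198.51.100.23 dport=3389
2024-01-01T04:01:19Z honeypot=hp-dmz-2 event=connect src=203.0.113.7 dport=23
2024-01-01T04:02:00Z honeypot=hp-dmz-1 event=login src=198.51.100.23 dport=3389 user=Administrator result=fail
"""


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict; malformed lines yield {}."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return {}
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return {}
        rec[key] = value
    return rec


def _new_source():
    return {"connections": 0, "ports": set(), "honeypots": set(),
            "login_users": set(), "first_seen": None, "last_seen": None}


def summarize(log_text: str):
    """Aggregate per source address. Returns (measurement, records)."""
    per_src = defaultdict(_new_source)
    connections = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "src" not in rec:
            continue                      # skip malformed or source-less lines
        s = per_src[rec["src"]]
        s["first_seen"] = s["first_seen"] or rec["ts"]
        s["last_seen"] = rec["ts"]
        s["honeypots"].add(rec.get("honeypot", "?"))
        if "dport" in rec:
            s["ports"].add(int(rec["dport"]))
        if rec.get("event") == "connect":
            connections += 1
            s["connections"] += 1
        elif rec.get("event") == "login":
            s["login_users"].add(rec.get("user", "?"))
    measurement = {
        "connections": connections,
        "unique_sources": len(per_src),
        "connections_per_source": connections / len(per_src) if per_src else 0.0,
    }
    return measurement, dict(per_src)


def investigation_queue(records: dict) -> list[str]:
    """Sources for follow-on investigation: log-in attempts first, then by volume."""
    ranked = sorted(records.items(),
                    key=lambda kv: (len(kv[1]["login_users"]), kv[1]["connections"]),
                    reverse=True)
    return [src for src, _ in ranked]


if __name__ == "__main__":
    measurement, records = summarize(SAMPLE_LOG)
    print(measurement)
    for src in investigation_queue(records):
        r = records[src]
        print(f"{src}: {r['connections']} connections, ports={sorted(r['ports'])}, "
              f"logins tried={sorted(r['login_users'])}, honeypots={sorted(r['honeypots'])}, "
              f"seen {r['first_seen']}..{r['last_seen']}")
```

Nothing on the production network should ever have a reason to connect to a honeypot, so even a single connection is worth a record; the ranking only decides the order in which the analysts work the queue.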

Control 5 Metric:

The system must identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system within one hour, alerting or sending e-mail notification to a list of enterprise personnel via their centralized anti-malware console or event log system. Systems must block installation, prevent execution, or quarantine malicious software within one hour, alerting or sending e-mail when this action has occurred. Every 24 hours after that point, the system must alert or send e-mail about the status of the malicious code until such time as the threat has been completely mitigated on that system. While the one-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid detection and malware isolation, with notification about malware in the enterprise sent within two minutes and blocking, execution prevention, or quarantine actions taken within five minutes.

Control 5 Test:

To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program that appears to be malware (such as a European Institute for Computer Antivirus Research (EICAR) standard anti-virus test file or benign hacker tools) and that is not included in the official authorized software list to 10 systems on the network via a network share. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the benign malware within one hour. The team must also verify that the alert or e-mail indicating that the software has been blocked or quarantined is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test file, including information about the asset owner. The team must then verify that the file is blocked by attempting to execute or open it and confirming that access is not allowed.
Once this test has been performed by transferring the files to organization systems via removable media, the same test must be repeated, but this time transferring the benign malware to 10 systems via e-mail instead. The organization must expect the same notification results as noted with the removable media test.
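The metric and the test above reduce to a handful of timing checks per system, which is worth writing down so the evaluation can be scored the same way every quarter. The following is an added example, not code from the control or from any anti-malware console: it assumes that the evaluation team records, per test system, when the benign test file was placed and the alert times the central console produced afterwards (the `HostTimeline` fields are a hypothetical schema, and the three timelines are constructed). It checks detection and block/quarantine within one hour, a status alert in every full 24-hour period after the block until the threat is mitigated, that the alert named the asset owner and location, and, separately, whether the host already meets the future two-minute/five-minute target.

```python
"""Control 5 metric and test evaluation (added example; constructed timelines)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ONE_HOUR = timedelta(hours=1)          # current metric: detect and block within 1 h
STATUS_INTERVAL = timedelta(hours=24)  # then a status alert every 24 h until mitigated
FUTURE_DETECT = timedelta(minutes=2)   # future target: notification within 2 min
FUTURE_BLOCK = timedelta(minutes=5)    # future target: block/quarantine within 5 min


@dataclass
class HostTimeline:
    """What the evaluation team records per test system (hypothetical schema)."""
    host: str
    placed: datetime                       # test file written to the host
    detected: Optional[datetime] = None    # first alert from the console
    blocked: Optional[datetime] = None     # block / quarantine alert
    status_alerts: list = field(default_factory=list)
    mitigated: Optional[datetime] = None   # console reports the threat fully removed
    owner: str = ""
    location: str = ""


def _within(event, start, limit):
    """True if the event happened, and no later than `limit` after `start`."""
    return event is not None and timedelta(0) <= event - start <= limit


def status_alerts_ok(tl: HostTimeline, now: datetime) -> bool:
    """Every full 24-hour period after the block, up to mitigation (or now), must
    contain at least one status alert; an unblocked host cannot pass."""
    if tl.blocked is None:
        return False
    end = tl.mitigated or now
    period_start = tl.blocked
    while period_start + STATUS_INTERVAL <= end:
        period_end = period_start + STATUS_INTERVAL
        if not any(period_start < t <= period_end for t in tl.status_alerts):
            return False
        period_start = period_end
    return True


def evaluate(tl: HostTimeline, now: datetime) -> dict:
    return {
        "detected_within_1h": _within(tl.detected, tl.placed, ONE_HOUR),
        "blocked_within_1h": _within(tl.blocked, tl.placed, ONE_HOUR),
        "owner_and_location_reported": bool(tl.owner and tl.location),
        "status_every_24h": status_alerts_ok(tl, now),
        "meets_future_target": (_within(tl.detected, tl.placed, FUTURE_DETECT)
                                and _within(tl.blocked, tl.placed, FUTURE_BLOCK)),
    }


def passes_metric(checks: dict) -> bool:
    """Current metric: every check except the future target."""
    return all(v for k, v in checks.items() if k != "meets_future_target")


def run_test(timelines, now):
    return {tl.host: evaluate(tl, now) for tl in timelines}


# Constructed timelines for three of the test systems; T0 is when the file was placed.
T0 = datetime(2024, 1, 8, 10, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=72)


def at(minutes: float, hours: float = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, hours=hours)


SAMPLE = [
    HostTimeline("ws-01", T0, detected=at(1), blocked=at(3), mitigated=at(40),
                 owner="j.doe", location="HQ-3F"),
    HostTimeline("srv-02", T0, detected=at(90), blocked=at(95),
                 status_alerts=[at(95, 24), at(95, 48)],
                 owner="ops-team", location="DC-West"),
    HostTimeline("lt-03", T0, detected=at(20), blocked=at(30),
                 status_alerts=[at(30, 24)], mitigated=at(30, 60),
                 owner="a.lee", location="Branch-12"),
]

if __name__ == "__main__":
    for host, checks in run_test(SAMPLE, NOW).items():
        verdict = "PASS" if passes_metric(checks) else "FAIL"
        print(host, verdict, checks)
```

In the sample, ws-01 passes the current metric and already meets the future target; srv-02 fails because detection took 90 minutes; lt-03 was detected and blocked in time but went 24 hours without a status alert before the threat was mitigated, which is the kind of gap the every-24-hours requirement exists to expose.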

Control 5 Sensors, Measurement, and Scoring

Sensor: Anti-virus management. TrendMicro, Symantec, McAfee, and Kaspersky all have management consoles that can validate configurations and run reports.
Measurement: (1) Determine if an anti-virus program is running on all systems; (2) Confirm that it is configured to run whenever a file is opened or attempted to run on the system.
Score: Determine the percent of systems that are running anti-virus programs and the percent of systems that are properly configured, and average the two together.

Sensor: Honeypots deployed. While there are some programs that can perform system emulation (e.g., Honeyd), virtual machines are usually utilized to create honeypots.
Measurement: Number of connections to the honeypot correlated to the number of unique IP addresses the connections are coming from.
Score:

Sensor: Patch management software. Microsoft WSUS can be used but only works with Microsoft products. BigFix, Lumension, Shavlik, and LANDesk can also be used.
Measurement:
Score: 100 percent if all systems are running patch management software and fully patched. Minus 1 percent for each system not running patch management software, and 2 percent for each system that is not receiving patches in a timely manner.