Malware is a type of computer program designed to infect a legitimate user’s computer with the intent to inflict harm. Malware comes in various forms, such as viruses, Trojans, spyware and worms. Malware is a large and growing problem, costing businesses millions of dollars and typically exposing or damaging vital data. New forms constantly appear and can be hard to catch. CIS Control #8 addresses recommendations that should be implemented to reduce an organization’s risk.
The degree of damage caused by malware varies according to the type of malware, the type of device that is infected and the nature of the data that is stored or transmitted by the device. As a result, a defense strategy needs to act on multiple levels. Defenses need to prevent malware from being installed, from running if it is installed, and from spreading if it runs. This is defense-in-depth, and it requires a strong set of automated tools.

Software defenses

Automated malware detection and removal software is an absolute requirement. It needs to cover everything on the network: servers, workstations, mobile devices, and anything else that has a processor and runs code. Regular updates are necessary to keep up with new threats, and machines should be checked to make sure they’re getting the updates. Also, periodic vulnerability scans, along with malware detection and blocking, should prevent a network from being compromised and succumbing to a botnet.
Shadow IT increases risk. If people are running machines that aren’t authorized, they aren’t going to be consistently monitored and protected. The first and second CIS controls stress the importance of keeping track of everything on a network, and malware protection is one of the reasons such inventories are so important.
It isn’t enough to put protective software on each machine without an overall plan. Defenses are very hard to manage if haphazardly installed. Each machine would need its own updates, and hostile code that gets blocked on one system could get through on another. Centrally administered and automated protection gives your network a more consistent defense.
Keeping track of what protective software finds is important. It should be set up to log all incidents, and part of administrators’ responsibilities is to review the logs. If an issue turns up on one machine, it may be present elsewhere as well. If an attack occurs repeatedly, it’s time to check the defenses against it and strengthen them as necessary.
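The log review described above can be partly automated once detections are collected centrally. The following is an added example, not code from the original post: it parses a constructed anti-malware log (the line format, host names, signature names and paths are all made up for illustration) and answers the two questions the text raises: which signatures have turned up on more than one machine, and which machine keeps hitting the same detection.

```python
"""Review centrally collected anti-malware detections (added example; log format is hypothetical)."""
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <host> <action> <signature> <path>".
# Hosts, signatures and paths are invented for the example.
SAMPLE_LOG = r"""
2024-03-01T08:02:11Z ws-017 blocked Trojan.Generic.A C:\Users\a\Downloads\invoice.exe
2024-03-01T08:05:40Z ws-042 blocked Trojan.Generic.A C:\Users\b\Downloads\invoice.exe
2024-03-01T09:10:03Z srv-db1 quarantined Worm.Example.X D:\shared\setup.exe
2024-03-01T11:31:22Z ws-017 blocked Trojan.Generic.A C:\Users\a\AppData\Local\Temp\x.exe
2024-03-02T07:55:09Z ws-017 blocked Trojan.Generic.A C:\Users\a\Downloads\invoice(1).exe
2024-03-02T10:14:48Z ws-099 blocked Adware.Example.B C:\Users\c\Downloads\free_tool.exe
"""


def parse_av_log(text):
    """Turn log lines into dicts; blank lines are skipped, the path may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, signature, path = line.split(maxsplit=4)
        events.append({"ts": ts, "host": host, "action": action,
                       "signature": signature, "path": path})
    return events


def signatures_on_multiple_hosts(events):
    """A detection on one machine may be present elsewhere: map each signature seen on
    more than one host to the sorted list of those hosts."""
    hosts_by_sig = defaultdict(set)
    for e in events:
        hosts_by_sig[e["signature"]].add(e["host"])
    return {sig: sorted(hosts) for sig, hosts in hosts_by_sig.items() if len(hosts) > 1}


def repeated_detections(events, threshold=3):
    """Repeated hits of the same signature on the same host: the block is working, but the
    defenses around it deserve a second look. Returns sorted (host, signature, count)."""
    counts = Counter((e["host"], e["signature"]) for e in events)
    return sorted((host, sig, n) for (host, sig), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_av_log(SAMPLE_LOG)
    print("Seen on multiple hosts:", signatures_on_multiple_hosts(events))
    print("Repeated on one host:", repeated_detections(events))
```

Run against the sample, the first function reports the Trojan signature on ws-017 and ws-042, and the second reports that ws-017 has blocked it three times. In practice the thresholds and the time window would be tuned to the volume of the environment; the point is that the review runs on every machine’s log at once rather than on one machine at a time.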

Network monitoring needs to check for traffic that could indicate malware. The most popular malware model today is Command & Control (C&C): the malware reports to a server, sends information, and gets instructions. The monitoring system should log DNS queries in order to catch requests to C&C domains. Effective firewalls can capture suspicious file transfers and block hostile traffic. This isn’t limited to blocking ports and IP addresses; the best software can catch malicious packets at the application level, after SSL decryption.
If a device is caught running malware, the network protection software should quarantine it immediately. Keeping malware from spreading buys time to fix the problem, urgent as it is.
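Two checks follow directly from logging DNS queries as the text recommends: matching query names against a list of known C&C domains, and looking for the regular check-in rhythm of malware that "reports to a server ... and gets instructions". The following is an added example, not code from the original post; the log format, client addresses, domain names (all under the reserved `.test` label or `example.com`) and the blocklist are constructed for illustration.

```python
"""Flag C&C indicators in a DNS query log (added example; log format and data are constructed)."""
from collections import defaultdict
from datetime import datetime, timezone
import statistics

# Constructed sample log: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """\
2024-03-01T08:00:00Z 10.0.4.17 A www.example.com
2024-03-01T08:00:05Z 10.0.4.17 A updates.example.com
2024-03-01T08:10:00Z 10.0.4.17 A beacon.bad-example.test
2024-03-01T08:20:00Z 10.0.4.17 A beacon.bad-example.test
2024-03-01T08:30:00Z 10.0.4.17 A beacon.bad-example.test
2024-03-01T08:40:00Z 10.0.4.17 A beacon.bad-example.test
2024-03-01T08:12:31Z 10.0.4.23 A mail.example.com
2024-03-01T08:13:02Z 10.0.4.23 A c2.known-bad.test
"""

# Constructed blocklist standing in for a threat-intelligence feed of C&C domains.
C2_BLOCKLIST = {"c2.known-bad.test"}


def parse_dns_log(text):
    """Parse one query per line into dicts with a timezone-aware timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "qtype": qtype,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
        })
    return records


def blocklist_hits(records, blocklist):
    """Direct match: (client, qname) for every query to a listed C&C domain."""
    return [(r["client"], r["qname"]) for r in records if r["qname"] in blocklist]


def beaconing_candidates(records, min_queries=4, max_jitter=0.2):
    """Rhythm match: (client, qname, mean interval in seconds) for names a client
    resolves repeatedly at near-constant intervals. max_jitter is the allowed
    coefficient of variation (standard deviation / mean) of the gaps."""
    times_by_pair = defaultdict(list)
    for r in records:
        times_by_pair[(r["client"], r["qname"])].append(r["ts"])
    flagged = []
    for (client, qname), times in times_by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps, nothing to measure
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            flagged.append((client, qname, round(mean_gap)))
    return flagged


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("Blocklist hits:", blocklist_hits(recs, C2_BLOCKLIST))
    print("Beaconing candidates:", beaconing_candidates(recs))
```

On the sample, the blocklist check catches 10.0.4.23 querying `c2.known-bad.test`, and the interval check flags 10.0.4.17 resolving `beacon.bad-example.test` every 600 seconds. The second signal is a triage cue rather than a verdict: legitimate software (update checks, mail clients polling) also queries on a schedule, so a flagged pair is something for the analyst to look at alongside the firewall and proxy logs, and the query threshold and jitter tolerance need tuning to the environment.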

Limiting the attack surface

External devices, such as thumb drives, are inherently convenient and yet they create risks. Many people are too trusting of drives received as promotional giveaways, and even legitimate ones are sometimes inadvertently infected. Auto-running content when a device is inserted is a convenience that ought to be retired, and this feature should be disabled on all machines. Thumb drives are the most common, but the caution applies to all mountable devices brought in from the outside.
A solid defense will have anti-malware software scan for each newly mounted device. If there are suspicious files on it, the scan will automatically dismount it. Newly downloaded files need the same consideration. Each one should be scanned, and the ones that are flagged should be blocked from running.

The multi-layered approach

It’s unrealistic to expect any defense to stop all malware at the perimeter. There are just too many threats, new ones being invented and unleashed all the time, and some will make it past the first line of defense. Stopping threats requires a coordinated effort in the firewall, devices on the network edge, server protection, and monitoring.

The multi-layered approach is to:

  1. Stop malware from getting onto the machines.
  2. If it gets onto the machines, stop it from running.
  3. If it runs, stop it from doing damage.
  4. Get it off as quickly as possible.

Everyone understands that malware protection is necessary, but turning it into a systematic set of practices takes a coordinated effort. Everyone involved needs to be working on the same comprehensive cybersecurity plan.