
Today, I will be going over Control 8 from version 7 of the top 20 CIS Controls – Malware Defenses. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 8

  • Back to the basics. Install AV and run updates regularly. This has been ingrained in IT professionals for decades. The only key aspect is to make sure the AV solution meets the needs of your organization in terms of capabilities.
  • Integrate your security tools. So many security tools can work together to orchestrate the response to a malware infection. While an AV product can quarantine and delete an infected file, integrating with change management and other SCM tools can remediate an entire system back to a clean state.

Requirement Listing for Control 8

1. Utilize Centrally Managed Anti-malware Software

Description: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers.

Notes: Any enterprise-class AV software will have this capability. By having a centrally managed AV, you can easily enable requirements 2 and 6 below.

2. Ensure Anti-Malware Software Signatures are Updated

Description: Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.

Notes: The AV is only as good as its signatures. While pure signature-based detection is no longer viable, even anomaly-based engines need to be updated on a regular basis. Ensure that the updates are rolled out automatically and use tools to verify that the signatures are actually up-to-date. Tripwire Enterprise can help with the latter, ensuring that your AV is installed, running, and up-to-date.

3. Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies

Description: Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

Notes: This sounds like it can be complex, but it’s really not. The DISA hardening guides provide step-by-step instructions on enabling these settings and so much more. If you implemented the hardening guidelines as outlined in Control 5, you’re already ahead of the game.

4. Configure Anti-Malware Scanning of Removable

Description: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Notes: Most AVs have this capability turned on by default, but it’s still important to verify that it’s actually still enabled. Malware coming in via a USB stick is a viable attack vector for nearly every organization.

5. Configure Devices to Not Auto-run Content

Description: Configure devices to not auto-run content from removable media.

Notes: For the same reason you want to scan removable media, you also don’t want its content to run automatically when it’s mounted. This is a pretty quick setting to configure, and both CIS and DISA hardening guides have step-by-step instructions on disabling auto-run. An SCM tool like Tripwire Enterprise can quickly check every endpoint in your environment to make sure auto-run is disabled.

6. Centralize Anti-malware Logging

Description: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Notes: I would expect this setting to come in Control 6 rather than here. It’s odd this is the only section that calls out sending logs to a centralized location (outside of Control 6). The important aspect of this requirement is getting the logs off of the endpoint so a malware infection doesn’t clear them out.

7. Enable DNS Query Logging

Description: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

Notes: This is a great passive way to monitor for malware in an environment. Going back to Control 12.6 (Deploy Network-based IDS Sensors), these sensors can log all of these queries without having to pull them off of the endpoint. Looking for new DNS queries and those that look to be computer-generated will be quick wins in terms of hunting out malware infections.
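The two quick wins named above (first-seen domains and computer-generated-looking names) can be sketched as a triage pass over DNS query logs. This is an added example, not part of the original post; the log format, baseline set, thresholds and function names are all assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample log lines: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2019-03-01T09:00:01Z 10.0.0.5 www.example.com
2019-03-01T09:00:02Z 10.0.0.5 mail.example.com
2019-03-01T09:00:07Z 10.0.0.9 xk2qz7vbn4wp9tjd.example
2019-03-01T09:00:09Z 10.0.0.9 intranet.corp.example
2019-03-01T09:00:11Z 10.0.0.7 newvendor.example.org
malformed line without enough fields
"""

# Constructed baseline: domains already observed in this environment.
BASELINE = {"example.com", "corp.example"}

def shannon_entropy(label):
    """Bits per character; random-looking labels score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def registered_domain(qname):
    # Simplification (assumption): last two labels. A production version
    # should consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def looks_generated(qname, min_len=12, min_entropy=3.5):
    """Heuristic: the longest non-TLD label is both long and high-entropy."""
    labels = qname.lower().rstrip(".").split(".")
    longest = max(labels[:-1] or labels, key=len)
    return len(longest) >= min_len and shannon_entropy(longest) >= min_entropy

def triage(log_text, baseline):
    """Return (client, qname, reasons) for each query worth a second look."""
    seen = set(baseline)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed or empty lines
            continue
        _, client, qname = parts
        reasons = []
        domain = registered_domain(qname)
        if domain not in seen:       # first time this domain is queried
            reasons.append("new-domain")
            seen.add(domain)
        if looks_generated(qname):
            reasons.append("generated-looking")
        if reasons:
            findings.append((client, qname, reasons))
    return findings
```

The thresholds are starting points only; tune them against your own traffic, since CDN and cloud hostnames often contain long random-looking labels.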

8. Enable Command-line Audit Logging

Description: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Notes: On high-interaction systems, this can be quite noisy. From a forensics standpoint, it will be quite valuable. PowerShell and Bash are popular among malware families, but don’t limit it to just those languages.

