Security Event Primer – Malware

Overview

This white paper provides information on general malware operations, IDS event types, requirements, recommendations, and references.

Technical Summary

Malware (malicious software) is code designed to damage system operation, steal data, or gain unauthorized access to a network. Common types of malware are viruses, worms, trojans, botnets, ransomware, cryptominers, and remote administration tools (RATs). A common flow for malware on a system is as follows:

  1. An unsuspecting user installs, authorizes, and/or runs vulnerable software that allows malicious code to download a payload, which compromises your system and infects it with malware.
  2. Once your system is infected, the malware communicates with its command and control (c2) infrastructure to receive instructions.
  3. After the malware establishes communication with its c2 infrastructure, it can allow an attacker to perform a number of different actions, depending on the type of malware and the security posture of the affected system.

Common Malware event types include:

  • Exploit Kit (EK) – An exploit kit is a malicious toolkit used to identify and exploit outdated software (Java, Flash, Silverlight) for the purpose of spreading and downloading additional malware. EKs are automated and do not require user interaction; however, they do require out-of-date software or an out-of-date browser. These events are not a confirmed infection.
  • Potentially Malicious Download – Malicious downloads are files or applications containing malicious code that a user must open or run in the targeted application. They pose as legitimate software and rely on user interaction to infect the host. These events are not a confirmed infection.
  • Command and Control (c2) – Command and control (c2) traffic is used to report the status of the infected host, exfiltrate data, and send commands to the infected system. C2 events indicate that a host on your network is infected with malware.
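
The triage rule implied by these event types, as an added example that is not part of the original paper: it groups constructed IDS alerts by host, treats a c2 event as a confirmed infection, and leaves hosts with only EK or download events unconfirmed. The alert format, the category labels and the "likely vector" heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: time, internal host, category (hypothetical labels), signature.
SAMPLE_ALERTS = """\
2024-03-01T09:14:02,10.0.5.23,exploit_kit,EK landing page (constructed)
2024-03-01T09:14:40,10.0.5.23,malicious_download,Executable over HTTP (constructed)
2024-03-01T09:21:15,10.0.5.23,c2,Beacon check-in (constructed)
2024-03-01T10:02:11,10.0.7.80,exploit_kit,EK landing page (constructed)
2024-03-01T11:30:00,10.0.9.12,malicious_download,Macro document (constructed)
2024-03-01T11:45:09,10.0.4.4,c2,Beacon check-in (constructed)
"""

PRE_INFECTION = {"exploit_kit", "malicious_download"}

def triage(alert_text):
    """Group alerts by host and classify each host by the event types seen."""
    by_host = defaultdict(list)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        ts, host, category, _sig = line.split(",", 3)
        by_host[host].append((datetime.fromisoformat(ts), category))

    report = {}
    for host, events in by_host.items():
        events.sort()
        c2_times = [t for t, c in events if c == "c2"]
        if c2_times:
            first_c2 = c2_times[0]
            # Heuristic: the last EK/download alert before the first c2 event.
            prior = [(t, c) for t, c in events if c in PRE_INFECTION and t < first_c2]
            report[host] = {
                "status": "infected",
                "first_c2": first_c2,
                "likely_vector": prior[-1][1] if prior else "unknown",
            }
        else:
            report[host] = {"status": "unconfirmed", "first_c2": None,
                            "likely_vector": None}
    return report

def investigation_queue(report):
    """Infected hosts first (oldest c2 first), then unconfirmed hosts."""
    infected = sorted((h for h, r in report.items() if r["status"] == "infected"),
                      key=lambda h: report[h]["first_c2"])
    unconfirmed = sorted(h for h, r in report.items() if r["status"] == "unconfirmed")
    return infected + unconfirmed
```

The first c2 timestamp per host gives a starting point for scoping how long the host has been communicating with c2 infrastructure.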

Requirements

The following requirements will mitigate the risks of most malware infections and outbreaks. These technologies are included as part of your Microsoft Windows environment and generally do not incur any additional licensing costs.

  • Security policy to authorize software: This is a very important step as it allows Information Technology teams to manage their systems and networks more effectively while enabling cybersecurity teams to effectively respond to incidents and report to management. Authorized software is any software that is acceptable for use on your organization’s information technology resources.
  • Principles of Least Privilege (POLP): The principle of least privilege is a concept that should be applied as part of your cybersecurity strategy. POLP is the practice of limiting users' access to only the resources they need to perform their duties. This concept should be applied to every aspect of the organization’s resources that these users will access. In this case, we will focus on two components to effectively secure user workstations.
    • Application Whitelisting: Application whitelisting prevents unauthorized software from executing on a managed system. This can be as simple as baselining your system and allowing only what is already installed, which reduces implementation time. It is also possible to whitelist applications from common directories such as c:\program files\. This requires the appropriate Windows 10 licensing; however, you can also achieve similar results using Software Restriction Policies (SRP).
    • Local Administrative Permission: This is a commonly abused aspect of computer security. Commonly misconfigured security permissions and user rights:
      • User accounts are added to the local administrator group of multiple systems.
      • Local administrator accounts use shared passwords.
      • Service accounts are added to local administrator groups and assigned user rights on a workstation without appropriate security policies to govern these accounts.
      • User account controls are disabled.

POLP concepts should be focused on end-user accounts, as it is more commonly the permissions of these accounts that allow a system to be infected with malware.

With a combination of Application Whitelisting and restricting user account permissions to only the required security groups, you can minimize the effect malware will have on the system or prevent infection altogether.

  • Some caveats to consider when implementing POLP:
    • With SRP you will also need to allow system libraries to run, for example by allowing the c:\windows\ directory. In addition, you will need to allow the directories of the applications that are being authorized on the system.
    • Office macros: Microsoft Office must also be configured so that client configurations do not allow users to enable and run macros in documents such as Microsoft Word files. These documents are generally delivered as malspam and are better filtered out with an anti-spam appliance or software.
  • Windows Server Update Services (WSUS): WSUS can be used to install critical security updates on managed systems. This can be done with minimal disruption by grouping workstations and servers so that updates target systems effectively. End-user systems are the priority.
    • Starting with version 3.0, WSUS includes local publishing APIs that, for the first time, let developers write code to publish custom updates to WSUS.
      • https://localupdatepubl.sourceforge.io/
  • Windows host-based firewall: The Windows Firewall is a security application created by Microsoft and built into Windows, designed to filter network data transmissions to and from your Windows system and block harmful communications and/or the programs that are initiating them. It is important to restrict workstation-to-workstation communication and enable logging for inbound and outbound traffic.
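
A pre-deployment check for the SRP path-rule caveat above, as an added example rather than anything from the original paper: it lists which authorized application directories still need an allow rule and which observed executables would be blocked. The inventory, the observed paths and the simplified directory-prefix matching are assumptions; this is not the Windows SRP engine.

```python
import ntpath

# Directories named in the text. The matching below is a simplified model for
# pre-deployment auditing, not the Windows SRP rule engine itself.
BASE_RULES = [r"c:\windows", r"c:\program files"]

# Constructed inventory of authorized software (name -> executable path).
AUTHORIZED = {
    "Browser": r"C:\Program Files\Browser\browser.exe",
    "PDF reader": r"C:\Program Files (x86)\Reader\reader.exe",
    "ERP client": r"D:\Apps\ERP\erp.exe",
}

# Constructed list of executables observed on a baselined workstation.
OBSERVED = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Browser\browser.exe",
    r"D:\Apps\ERP\erp.exe",
    r"C:\Users\alice\Downloads\setup.exe",
]

def canon(path):
    """Collapse parent references, unify slashes and case for comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def covered(path, rules):
    """True if path lies inside one of the allowed directory trees."""
    target = canon(path)
    # The trailing separator keeps the 'program files' rule from also
    # matching the separate 'program files (x86)' directory.
    return any(target.startswith(canon(r).rstrip("\\") + "\\") for r in rules)

def missing_rules(authorized, rules):
    """Directories of authorized applications that no rule covers yet."""
    return sorted({ntpath.dirname(canon(p))
                   for p in authorized.values() if not covered(p, rules)})

def blocked(observed, rules):
    """Executables that would not be allowed to run under the rules."""
    return [p for p in observed if not covered(p, rules)]
```

Running `blocked` with only `BASE_RULES` shows an authorized application being blocked alongside the unauthorized one; adding the output of `missing_rules` leaves only the unauthorized executable.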

Recommendations

We have the following recommendations:

  • It is recommended to investigate the host at the affected IP for signs of compromise and remediate appropriately.
  • It is recommended to restrict access to internet resources to only authorized hosts and to limit outbound traffic to only authorized internet services such as HTTP/S and FTP.
  • It is recommended to investigate the affected host for out-of-date software and update after appropriate testing.

Related CIS Sub-Controls

  • 2.1 Maintain Inventory of Authorized Software – Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. Sensor: Software Application Inventory.
  • 2.2 Ensure Software is Supported by Vendor – Ensure that only software applications or operating systems currently supported by the software’s vendor are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. (maps back to WSUS)
  • 2.7 Utilize Application Whitelisting – Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. Sensor: Software Whitelisting System.
  • 3.4 Deploy Automated Operating System Patch Management Tools – Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. Sensor: Patch Management System.
  • 3.5 Deploy Automated Software Patch Management Tools – Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. Sensor: Patch Management System.
  • 4.1 Maintain Inventory of Administrative Accounts – Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. Sensor: Privileged Account Management System.
  • 4.3 Ensure the Use of Dedicated Administrative Accounts – Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities. (POLP)
  • 4.4 Use Unique Passwords – Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. (POLP)
  • 4.8 Log and Alert on Changes to Administrative Group Membership – Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. (POLP)
  • 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients – Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. Sensor: Software Whitelisting System.
  • 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins – Uninstall or disable any unauthorized browser or email client plugins or add-on applications. Sensor: Software Whitelisting System.
  • 9.4 Apply Host-based Firewalls or Port Filtering – Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Sensor: Host-Based Firewall.
  • 16.8 Disable Any Unassociated Accounts – Disable any account that cannot be associated with a business process or business owner. (POLP)
  • 16.9 Disable Dormant Accounts – Automatically disable dormant accounts after a set period of inactivity. (POLP)

References