This is Part 5 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS’ Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. In Part 3 we looked at Secure Configurations. In Part 4 we looked at Continuous Vulnerability Assessment and Remediation. Now in Part 5 we'll take on Malware Defenses.
5-1 Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
Rather than start up a circle jerk of "which AV is better", I'm listing things maybe most people don't know about. Go search the community for "free anti virus"; I won't list them here!
- PlagueScanner - Open-source, on-premises virus scanner framework. Like Jotti's malware scan, but you don't have to upload potentially sensitive data to the internet because it is hosted in house.
5-2 Employ anti-malware software that offers a remote, cloud-based centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines.
Again, I'm not going to list items here. It's all been listed before...
5-3 Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares.
- Group Policy - Simple.
5-4 Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.
This depends on your AV vendor. Been listed before.
5-5 Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business.
- MIMEDefang - email attachment overlord. Can strip attachments from emails and store them on file servers, where authentication is required over a secure connection (HTTPS). Can create attachment policies, and works with other email scanning devices/software.
- Network mail firewall devices like Barracuda, WatchGuard...
- Any of the Commercial tools listed under section 2-1.
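To show what an attachment policy of the kind MIMEDefang enforces actually checks, here is an added example (not code from MIMEDefang or from the original post) in Python. It parses a raw message with the standard library, flags attachments whose extension is on a constructed "no business need" list, and flags executables that hide behind a harmless-looking name by inspecting the first bytes of the payload. The blocked-extension set, the magic-byte table and the sample message are all constructed for the example.

```python
"""Attachment policy check for an inbound mail gateway (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the business has no need to receive (constructed sample policy)
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}

# Leading bytes that identify executable containers regardless of the file name
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}


def classify_attachment(filename, data):
    """Return a reason string if the attachment violates policy, else None."""
    ext = os.path.splitext(filename or "")[1].lower()
    # Double-extension trick: "report.pdf.exe" yields ext ".exe" and is caught here
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    # Content check: a PE file renamed to .jpg still starts with "MZ"
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{desc} disguised as {ext or 'no extension'}"
    return None


def scan_message(raw):
    """Parse a raw RFC 5322 message; return a list of (filename, reason) violations."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason:
            violations.append((name, reason))
    return violations


def build_sample_message():
    """Construct a test message: one benign PDF and two policy-violating attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Q3 report"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake header", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 fake header", maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

In a real gateway the message bytes come from the MTA rather than `build_sample_message()`, and the violation list drives whether the attachment is stripped, quarantined or the message rejected; the point of the magic-byte check is that a name-based rule alone never sees the renamed executable.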
5-6 Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.
5-7 Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices.
See tools listed under control 1-1.
5-8 Ensure that automated monitoring tools use behavior-based anomaly detection to complement traditional signature-based detection.
- AlienVault OSSIM - contains behavioral monitoring. And a lot of other stuff.
- Observable - I had a chance to demo this product for several months as it built up an analysis of network traffic. It was amazing.
- AlienVault USM - Commercial release of OSSIM
5-9 Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.
Most modern firewall (UTM) devices can do this. Maybe yours can already?
5-10 Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running on corporate systems that do not appear to be recognized by the enterprise's anti-malware software.
This is more of a process than a tool. As I have no working experience as a malware analyst, I will leave this one to the community to comment on.
5-11 Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains.
- Spiceworks - Integrates with AlienVault's OTX
- AlienVault OTX
- PassiveDNS - A network sniffer that logs all DNS server replies for use in a passive DNS setup
- Many modern browsers do this - Comodo IceDragon and Comodo Dragon offer ComodoDNS built in to filter for malicious domains.
- OSSEC - A guide to detecting malicious DNS lookups
- AlienVault USM
- Many modern Firewalls can do this.
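Once DNS query logging is on, the two controls above (5-8 behavior-based detection and 5-11 known-C2 lookups) can be worked over the same log. The following is an added Python example, not code from OSSEC, AlienVault or the original post. It parses constructed BIND-style query-log lines, matches each name against a constructed blocklist (standing in for a feed such as OTX, with exact and parent-domain matching), and adds one non-signature heuristic: a host that queries an unusually large number of distinct names under a single domain, which is how DNS tunnelling and domain-generation traffic tend to look. The threshold, the `*-placeholder.example` domains and the naive two-label "registered domain" cut are assumptions of the example.

```python
"""Known-bad and anomalous DNS lookups from query logs (added example)."""
import re
from collections import defaultdict

# Constructed blocklist standing in for a threat-intel feed (reserved .example TLD)
C2_BLOCKLIST = {"c2-placeholder.example", "beacon-placeholder.example"}

# Constructed log lines in a BIND-style query-log layout
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.org IN A
client 10.0.0.5#51235: query: update.c2-placeholder.example IN A
client 10.0.0.9#40001: query: mail.example.org IN MX
client 10.0.0.9#40002: query: www.example.org IN A
client 10.0.0.7#33001: query: a1b2c3.tunnel-placeholder.example IN TXT
client 10.0.0.7#33002: query: d4e5f6.tunnel-placeholder.example IN TXT
client 10.0.0.7#33003: query: g7h8i9.tunnel-placeholder.example IN TXT
client 10.0.0.7#33004: query: j0k1l2.tunnel-placeholder.example IN TXT
client 10.0.0.7#33005: query: m3n4o5.tunnel-placeholder.example IN TXT
client 10.0.0.7#33006: query: p6q7r8.tunnel-placeholder.example IN TXT
"""

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Extract source host, query name and type from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"]}


def matches_blocklist(qname):
    """Return the blocklist entry covering qname (exact or any parent domain), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in C2_BLOCKLIST:
            return candidate
    return None


def registered_domain(qname):
    """Naive registrable-domain cut: the last two labels (assumption of this example).
    Production code should use the Public Suffix List so 'host.example.co.uk'
    is not grouped under 'co.uk'."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text, unique_subdomain_threshold=5):
    """Return (hits, anomalies): blocklist matches and hosts querying many distinct
    names under one domain. The threshold is a constructed starting point."""
    hits = []
    seen = defaultdict(set)  # (src host, registered domain) -> distinct query names
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = matches_blocklist(rec["qname"])
        if matched:
            hits.append((rec["src"], rec["qname"], matched))
        seen[(rec["src"], registered_domain(rec["qname"]))].add(rec["qname"])
    anomalies = [
        (src, dom, len(names))
        for (src, dom), names in seen.items()
        if len(names) > unique_subdomain_threshold
    ]
    return hits, anomalies


if __name__ == "__main__":
    hits, anomalies = analyze(SAMPLE_LOG)
    for src, qname, matched in hits:
        print(f"C2 LOOKUP  {src} -> {qname} (blocklist: {matched})")
    for src, dom, count in anomalies:
        print(f"ANOMALY    {src} queried {count} distinct names under {dom}")
```

The blocklist walk checks every parent of the queried name, so a feed entry for a domain also catches lookups of arbitrary subdomains of it; the distinct-name heuristic is deliberately independent of any feed, which is what 5-8 asks for, and in practice its threshold is tuned against a baseline of the site's own traffic so that CDNs and update services do not trip it.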
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in BASIC on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor's degree in Information Technology, but feels his real knowledge has been gained through hands-on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.