Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CCC 5: Search for Malware and Intruders

by Cody Dumont
June 26, 2015

The fifth of the Tenable Critical Cyber Controls is "Search for Malware and Intruders." Attackers acquire new technologies every day; staying one step ahead of them requires proactively managing systems with real-time, continuous scanning for viruses, malware, attackers, and inside threats. This Assurance Report Card (ARC) will provide alerts on potential malware infections, intrusions, and data leakage.

The Search for Malware and Intruders Assurance Report Card (ARC) provides the CISO and the operations team with a high-level view of potential malware and intrusion threats on the network. Policy statements are included to help the CISO understand at a glance if systems on the network are infected with malware, have remotely exploitable vulnerabilities, or have intrusion events or data leakage events.  

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be easily located in the Feed by selecting category executive. The ARC requirements are:

  • SecurityCenter 5.0
  • Nessus 6.3.6
  • LCE 4.4.1
  • PVS 4.2.0

This ARC uses all aspects of continuous network monitoring, including scanning, sniffing, and log correlation. Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry recognized algorithms and models. SecurityCenter Continuous View integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to threat detection and risk analysis.

ARC Policy Statements:

No systems have been detected with active traces of malware: This policy statement displays Compliant in green if no known bad processes were detected in Windows, Linux and OS X systems. This detection uses threat intelligence to analyzes millions of malware samples a month and generates actionable content to empower security teams to proactively defend against attacks and malware outbreaks.

Less than 10% of systems with malware are capable of remote attacker access: This policy statement displays Compliant in green if less than 10% of systems have vulnerabilities that can be exploited remotely. Remotely exploitable vulnerabilities are identified through the CVSS metrics associated with the vulnerabilities.

There are no systems with data leakage events communicating outside the network: This policy statement displays Compliant in green if no systems that connect externally (e.g., browse the Internet) have had data leakage events detected on them. Any potential data leakage from externally connected systems should be investigated.

Systems with data leakage events have been found to have exploitable vulnerabilities: This policy statement displays Compliant in green if no systems that have potentially exploitable vulnerabilities also have had data leakage events detected on them. Data leakage detected from a vulnerable system is a strong indicator that the system has been compromised; the system should be investigated immediately.

No systems have been detected communicating with known botnets: This policy will show compliant in green when there are no systems detected having botnet activity.  Botnet activity is tracked using active and passive plugins. The active plugins look at the netstat tables and DNS entries and compare them to a known list of botnet hosts.  The passive detection can detect botnet server and client activity on several different protocols, such as IRC and HTTP.

No web server has been detected as part of a botnet or hosting botnet content: This policy reviews all systems with a web interface and detects if the servers are hosting malicious hyperlinks to known botnets.  Often, a web server will be compromised and the adversaries will put links for users to follow that lead to botnets or other malicious code. This policy will show compliant in green when no systems are discovered with this activity.

Less than 15% of all vulnerabilities actively being exploited by malware:  This policy shows the executive how many systems currently have vulnerabilities that are known to be exploited by malware.  If this is a high number, then the organization should review its patching priorities.  This policy will show compliant in green when less than 15% of systems are vulnerable.