A Guide to CIS Control 10: Malware Defenses

Control 10 of CIS Critical Security Controls version 8 is focused on malware defenses. It describes safeguards to prevent or control the installation, spread and execution of malicious applications, code and scripts on enterprise assets. (In CIS version 7, this topic was covered by Control 8.)

Malware, especially ransomware, has become a pressing security issue in recent years. Ransomware restricts users from accessing their systems or information, typically threatening to publish or destroy data unless the owner pays a ransom. Expert predictions state that by 2031, there will be a new assault every 2 seconds and ransomware costs will reach $265 billion per year.

Malicious software is designed to help attackers gain access to and control over systems and networks, usually with the intent to extract sensitive data. In addition to ransomware, malware can come in the form of a trojan horse that is disguised as a regular program; viruses and worms that alter affected systems to serve the attacker’s purposes; and more. Malware increases business risk by stealing data, capturing credentials, encrypting or destroying data, and identifying other targets in your network.

Signs of a malware infection can include:

  • Spam and pop-up ads
  • A slow or frozen system
  • Frequent crashes
  • Unknown processes and services being created or started
  • New files or folders being created without permission
  • Redirections from known websites to unknown sites

Malware threats can evolve and adapt using machine learning techniques, and can enter your organization’s systems through multiple vulnerabilities while avoiding, deceiving and disabling defenses against it.

To protect your organization from malware infections and ensure prompt incident response, follow the CIS Control 10 safeguards detailed below.

10.1. Deploy and maintain anti-malware software on all enterprise assets

Anti-malware software identifies malware using different techniques, including:

  • Definitions or signatures — Each piece of malware has a definition or signature that can be captured and stored in a database. Anti-malware solutions perform continuous scans and compare code entering or present on the system to the signatures in the database to identify and flag malware.
  • Heuristic analysis — Since code changes happen frequently, heuristics are used to identify malware by its behavior and characteristics instead of comparing the code to a signature. They can help with detection of previously undiscovered malware.
  • Sandboxing — Anti-malware solutions use this technique to run a suspicious program in an isolated environment and monitor its behavior as it executes, while the program behaves as though it has full system access. If the program is judged malicious, the anti-malware terminates it; otherwise, it is allowed to execute outside the sandbox.

Once malware is identified, most anti-malware software can either remove it or quarantine it in a protected file. Anti-malware software is not 100% effective, but it’s still an essential security element.

10.2. Configure automatic anti-malware signature updates

Signatures (definitions) are patterns or hashes unique to a specific piece of malware. Anti-malware tools compare files on your systems against a set of signatures in order to flag malware.

Because malware changes and adapts all the time, anti-malware must adapt along with it to remain effective. Updates are the only method of ensuring that anti-malware recognizes the latest malicious code.

Automatic updates are more efficient and reliable than asking users or your IT team to install updates. Updates can be released every hour or every day, and any delay in installation can leave your system open to bad actors.
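As an added example (not from the article), the following PowerShell audits Microsoft Defender signature freshness on a Windows host and enforces hourly automatic updates; the 24-hour compliance threshold is an assumption you should align with your own policy.

```powershell
# Added example (not from the article): audit Microsoft Defender signature freshness
# and enforce automatic signature updates. Run in an elevated PowerShell session on
# Windows 10/11 or Windows Server with the Defender module.
# The 24-hour threshold below is an assumed value; align it with your policy.
$MaxSignatureAgeHours = 24

$status   = Get-MpComputerStatus
$ageHours = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours

# Compliance summary for this host; feed this into your central reporting.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeHours    = [math]::Round($ageHours, 1)
    Compliant            = ($ageHours -le $MaxSignatureAgeHours) -and $status.RealTimeProtectionEnabled
} | Format-List

# Enforce automatic signature updates: check every hour, and also check for new
# signatures immediately before each scheduled scan.
Set-MpPreference -SignatureUpdateInterval 1 `
                 -CheckForSignaturesBeforeRunningScan $true

# If the signatures are already stale, pull an update now instead of waiting.
if ($ageHours -gt $MaxSignatureAgeHours) {
    Write-Warning "Signatures are $([math]::Round($ageHours, 1)) hours old; updating now."
    Update-MpSignature
}
```

Run the audit portion on a schedule across the fleet so that hosts whose update mechanism has silently broken show up as non-compliant rather than being assumed current.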

10.3. Disable autorun and autoplay for removable media

Removable media, such as thumb drives and portable hard drives, are susceptible to malware, just like every other computer system. These media can be set to automatically download, install, play or run programs the moment you plug them into your computer. Malware can infect your device before you can stop it.

By disabling auto-execute functionality as part of your secure configuration management, you can prevent malware infections that could cause data breaches, system downtime, reputation damage and financial loss.

10.4. Configure automatic anti-malware scanning of removable media

Some hackers leave thumb drives lying around, waiting for someone to pick them up and plug them in, if only for curiosity’s sake. Other times, removable media that is out of your control can have malware installed, or it could be used to transfer malware from one system to another, inadvertently or by design.

Setting your anti-virus software to automatically scan removable media immediately upon connection helps detect malware and quarantine or terminate it before it can infect the system it’s plugged into. Best practices suggest limiting the use of removable media and practicing strict control over its whereabouts. Group training is helpful for building awareness around the risks of removable media.
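The following PowerShell is an added example (not from the article) that implements safeguards 10.3 and 10.4 together on a Windows host: it sets the Group Policy-backed registry values that disable AutoRun and AutoPlay, enables Microsoft Defender scanning of removable drives, and then verifies the result.

```powershell
# Added example (not from the article): harden removable-media handling on Windows.
# Part 1 disables AutoRun/AutoPlay via the policy registry keys (applies to all users);
# Part 2 enables Microsoft Defender scanning of removable drives. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type (removable, fixed,
# network, CD-ROM, RAM disk). NoAutorun = 1 stops Explorer from honouring autorun.inf
# commands. NoAutoplayfornonVolume = 1 also covers MTP/PTP devices (phones, cameras)
# that are not mounted as volumes.
$autorunSettings = @{
    NoDriveTypeAutoRun     = 0xFF
    NoAutorun              = 1
    NoAutoplayfornonVolume = 1
}
foreach ($name in $autorunSettings.Keys) {
    Set-ItemProperty -Path $policyKey -Name $name -Value $autorunSettings[$name] -Type DWord
}

# Defender: include removable drives in full scans, and keep real-time protection on
# so files on a newly connected drive are inspected as soon as they are accessed.
Set-MpPreference -DisableRemovableDriveScanning $false `
                 -DisableRealtimeMonitoring $false

# Verification: every property below should report True.
$check = Get-ItemProperty -Path $policyKey
$pref  = Get-MpPreference
[pscustomobject]@{
    NoDriveTypeAutoRun     = $check.NoDriveTypeAutoRun -eq 0xFF
    NoAutorun              = $check.NoAutorun -eq 1
    NoAutoplayfornonVolume = $check.NoAutoplayfornonVolume -eq 1
    RemovableDriveScanning = -not $pref.DisableRemovableDriveScanning
    RealtimeMonitoring     = -not $pref.DisableRealtimeMonitoring
} | Format-List
```

The Explorer policy values take effect at the next sign-in or Explorer restart; in a domain, deploy the same values through Group Policy so that a local change cannot silently revert them.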

10.5. Enable anti-exploitation features

This control suggests enabling anti-exploitation features on enterprise assets and software where possible. Examples include Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), and Apple System Integrity Protection (SIP) and Gatekeeper.

Anti-exploitation features provide generic protection against exploits instead of looking for known malware like anti-virus or signature-based anti-malware. Most are built into current operating systems to prevent malware penetration, but the features are disabled by default, so you must enable them to take advantage of them.

Anti-exploitation security is especially effective against the most common exploits that cause mass infection, like drive-by download sites, phishing campaigns and malicious iframes. These features also mitigate zero-day vulnerabilities, which are previously unknown vulnerabilities that have no patches or fixes yet available. The features also help stop buffer overflows and other memory corruption attacks.
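As an added example (not from the article), this PowerShell enforces DEP system-wide and sets the Windows Defender Exploit Guard system defaults using the ProcessMitigations module (Windows 10 1709 / Windows Server 2019 and later), then reports the resulting state for review.

```powershell
# Added example (not from the article): enforce DEP for all processes and apply the
# Exploit Guard system-wide mitigation baseline. Run elevated; the bcdedit change
# takes effect after a reboot.

# 1. Boot-level DEP policy. AlwaysOn applies DEP to every process with no opt-out;
#    the default (OptIn) only covers Windows components and opted-in programs.
bcdedit /set '{current}' nx AlwaysOn

# 2. System-wide exploit protection defaults (the WDEG settings the text refers to).
#    DEP, bottom-up and high-entropy ASLR, and Control Flow Guard apply to any process
#    that does not carry a per-program override.
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG

# 3. Audit: each value should read ON; NOTSET or OFF means the mitigation is not
#    being enforced system-wide and needs attention.
$sys = Get-ProcessMitigation -System
[pscustomobject]@{
    DEP             = $sys.DEP.Enable
    BottomUpASLR    = $sys.ASLR.BottomUp
    HighEntropyASLR = $sys.ASLR.HighEntropy
    CFG             = $sys.CFG.Enable
} | Format-List
```

Test AlwaysOn on a pilot group first: a few legacy applications rely on executable data pages and will crash under it, in which case a per-program exception (Set-ProcessMitigation -Name) is preferable to weakening the system default.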

10.6. Centrally manage anti-malware software

If you have multiple anti-malware solutions that won’t talk to each other, you risk not being able to detect malware or trends across the enterprise. You must deal with each silo separately.

Close this security gap with the implementation of a single, centrally managed anti-malware solution that scans and reports on every device across your organization. Doing so reduces the expertise you need to cover different solutions and ensures you don’t miss anything because it fell through the cracks between solutions. And in the event of a data breach, you need to look in just one place for information.

10.7. Use behavior-based anti-malware software

Signature-based solutions only identify code that is already known. Today’s malware is often smart enough to evade these tools through built-in variability that changes the code from one execution to the next.

Behavior-based solutions can identify malicious files that signature-based solutions would not recognize because they can analyze every line of code and all its potential actions. For example, these solutions can analyze execution of operating system-level instructions; low-level rootkit code; and critical or irrelevant files, processes and internal services.

However, behavior-based software has some disadvantages. While signature-based anti-malware identifies malware in real time, behavior-based anti-malware software has some built-in latency because of the need for dynamic analysis across multiple dimensions. Additionally, behavior-based solutions are unlikely to detect malware with anti-sandboxing capabilities.

On the positive side, behavior-based anti-malware software provides flexibility in finding different forms of malware unknown to signature-based software. It improves intrusion detection, threat analysis and user analytics, and allows you to create or modify policies that allow or block activity according to the requirements of your industry or organization. Most behavior-based software follows a policy-based control mechanism, so this flexibility is important for administrative purposes.

More tips for malware prevention and mitigation

  • Use secure authentication methods, including strong passwords, multifactor authentication (MFA) or biometric tools.
  • Use administrator accounts only when absolutely necessary.
  • Adhere to the least-privilege model: Grant users the minimum access to system capabilities, services and data they need to complete their work.
  • Implement email security and spam protection solutions.
  • Build awareness of common malware tactics and keep users updated on cybersecurity trends and best practices. In particular, advise them to join only secure networks, using a VPN, when working outside the office.
  • Encourage users to report unusual system behavior.

Summary

Following CIS critical security controls can help a company strengthen security, achieve regulatory compliance and improve business resilience, both on premises and in the cloud.

Control 10 recommends using both behavior-based anti-malware and signature-based tools with automatic updates turned on, and managing the software centrally. Also be sure to enable the anti-exploit features in your operating systems, and strictly control the use of removable media on your devices, if you allow it at all. By following these best practices, you can reduce your risk of a devastating malware infection.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.