The news over the last several years has been filled with data compromises at high profile American companies, including a few banks. Many of these compromises began with attackers using malware to gain a foothold on a single machine on the internal network, then using that machine as a vantage point to learn about, and eventually reach, the systems housing sensitive data. And, as we’ve learned, the malware we don’t know about is the most dangerous kind. That puts signature-based antivirus products at a disadvantage, since they are designed primarily to detect malware that has already been seen and catalogued.
On March 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released a joint statement titled Destructive Malware to help financial institutions understand the current threats posed by malware, and it also provided a list of controls to help reduce the likelihood of a malware infection. While the FFIEC guidance is informative, its control recommendations are rather broad. Below is a list of specific controls that can help reduce the threats posed by malware infections.
Endpoint (Host) Controls
- Deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET blocks the exploit techniques (heap spraying, return-oriented programming, SEH overwrites, and the like) that malware authors commonly use to turn a vulnerability into code execution. It is a defense in depth control that complements antivirus software, and should not be considered a replacement for it. EMET is configured and managed centrally through Group Policy, using the ADMX templates Microsoft ships with it, or through System Center Configuration Manager. The tool is freely available from Microsoft. (One caveat: Microsoft ended support for EMET in July 2018; on Windows 10 the same mitigations live on as Exploit Protection in Windows Defender Exploit Guard, which is likewise manageable through Group Policy.)
- Use antivirus software that has heuristic detection capability. Heuristic analysis gives antivirus software the added ability to examine the characteristics and runtime behavior of a flagged file, rather than only matching it against known signatures, to determine whether the file is indeed malware. This helps identify previously unseen malware that “acts” like known malware. Expect some additional false positives in exchange, and have a process for reviewing and tuning them.
- Implement an application control or whitelisting product that allows only approved (“whitelisted”) applications to run on specific systems. This stops programs, malware included, that administrators have not previously authorized. Prefer publisher (code signing) or file hash rules over path rules: a path rule is defeated by anything that can write into an allowed directory, and user-writable locations such as profile and temp directories are exactly where malware lands.
Network and Email Controls
- Implement a network intrusion prevention system (IPS) that employs not only signatures, but also anomaly or behavior analysis. IPSs are commonly deployed in financial environments, but a number of the systems currently on the market rely solely upon signature-based detection of attacks and malware. A better solution is a product that provides signature-based detection along with some form of anomaly or behavior-based detection. This additional capability identifies network traffic that does not match the previously baselined profile. For example, one or more workstations suddenly communicating with an unknown system on the Internet, particularly outside business hours, should trigger an alert.
- Prevent employees from visiting personal web-based email sites and known malicious websites via web content filtering. Email is a commonly used vector for malware, and messages read through personal webmail bypass the attachment blocking and anti-spoofing controls applied to the company’s own email system. The evolution of smartphones has largely eliminated any need to reach personal email from a corporate workstation. Web content filtering can also block known malicious websites and web advertisements, which have repeatedly been used to deliver malicious code (so-called malvertising).
- Block inbound email from the Internet that claims to come from your own domain, to help prevent spoofed spear phishing. Spear phishing has proven very effective, especially when an email appears to originate from an internal address but is really coming from an unknown external sender. This is email spoofing. Most email systems and gateways provide a control that rejects external mail whose sender is the company’s own domain; publishing SPF, DKIM and DMARC records for the domain lets the gateway (and everyone else’s) make the same decision in a standard way. It is also prudent to block inbound email containing specific attachments, such as executables; filter on the file’s content as well as its extension, since renaming an executable to .pdf is the oldest trick there is.
- Implement egress filtering. Most firewall deployments allow all outbound traffic unless an explicit policy restricts it, so malware that is already inside can usually reach its command and control server without obstruction. Limit outgoing traffic to only what is necessary to conduct business: web traffic through the proxy, DNS only from the internal resolvers, mail only from the mail gateway, and a default deny for everything else. Log the denied connections as well; they are one of the cheapest indicators of an infected host. This helps block communications with unauthorized external entities and can prevent data exfiltration.
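The baseline-and-deviation comparison described in the IPS bullet above, as an added example that is not code from the original article or from any IPS product. The flow records are constructed (the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges stand in for sanctioned Internet destinations, 198.51.100.23 for an unknown host), and the baseline here is simply the set of external destination/port pairs each workstation used during a learning window. A real sensor learns over a longer period and weighs volume and time of day; this shows the core comparison, including the "several hosts reach the same new destination" pattern the bullet calls out.

```python
"""Baseline-and-deviation check for outbound workstation traffic (added example)."""
from collections import defaultdict
import ipaddress

# RFC 1918 space counts as internal; everything else is "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
BASELINE_FLOWS = """\
2015-04-01T09:00:01 10.1.20.15 203.0.113.10 443 tcp
2015-04-01T09:01:12 10.1.20.15 192.0.2.50 80 tcp
2015-04-01T09:02:30 10.1.20.16 203.0.113.10 443 tcp
2015-04-01T09:05:00 10.1.20.17 203.0.113.10 443 tcp
2015-04-01T10:00:00 10.1.20.16 192.0.2.50 80 tcp
"""

LIVE_FLOWS = """\
2015-04-02T02:13:44 10.1.20.15 198.51.100.23 8443 tcp
2015-04-02T02:13:50 10.1.20.16 198.51.100.23 8443 tcp
2015-04-02T02:14:02 10.1.20.17 198.51.100.23 8443 tcp
2015-04-02T09:00:05 10.1.20.15 203.0.113.10 443 tcp
2015-04-02T09:00:09 10.1.20.15 10.1.50.3 445 tcp
2015-04-02T09:30:00 10.1.20.16 192.0.2.50 80 tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (src, dst, port) for each Internet-bound record.

    Internal-to-internal traffic (e.g. the SMB connection above) is out of
    scope for this check and is skipped.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto = line.split()
        if is_internal(src) and not is_internal(dst):
            yield src, dst, int(port)


def build_baseline(text: str) -> dict:
    """Map each workstation to the external (dst, port) pairs it used while learning."""
    baseline = defaultdict(set)
    for src, dst, port in parse_flows(text):
        baseline[src].add((dst, port))
    return dict(baseline)


def find_anomalies(text: str, baseline: dict, min_hosts: int = 2):
    """Return (per-host deviations, clustered deviations).

    per-host: sorted (src, dst, port) triples absent from that host's baseline.
    clustered: {(dst, port): {src, ...}} for new destinations shared by at
    least min_hosts workstations, i.e. several machines suddenly reaching the
    same unknown Internet host.
    """
    deviations = set()
    for src, dst, port in parse_flows(text):
        if (dst, port) not in baseline.get(src, set()):
            deviations.add((src, dst, port))
    by_dest = defaultdict(set)
    for src, dst, port in deviations:
        by_dest[(dst, port)].add(src)
    clustered = {k: v for k, v in by_dest.items() if len(v) >= min_hosts}
    return sorted(deviations), clustered


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    per_host, clusters = find_anomalies(LIVE_FLOWS, base)
    for src, dst, port in per_host:
        print(f"ALERT host {src} contacted new external destination {dst}:{port}")
    for (dst, port), hosts in clusters.items():
        print(f"ALERT {len(hosts)} hosts share new destination {dst}:{port}: {sorted(hosts)}")
```

Note that a host never seen during the learning window has an empty baseline, so every external connection it makes is reported; in practice that is the right default for a new machine, with the noise handled by letting it learn for a few days before alerting.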
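The two inbound-email checks from the webmail and spoofing bullets above (reject mail claiming our own domain that arrives from outside, and reject executable attachments by content as well as extension), as an added example that is not code from the original article or from any mail product. The domain name, the trusted-source networks, the blocked-extension list and the sample messages are all constructed assumptions, and the gateway is assumed to hand the check the connecting client's IP and the envelope MAIL FROM alongside the raw message.

```python
"""Inbound mail gateway checks: internal-domain spoofing and executable attachments (added example)."""
import email
import ipaddress
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-bank.test"  # assumption
# Sources allowed to deliver mail "from" our domain: internal networks and the
# outbound relay's address range (constructed).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Extensions Windows executes or hands to a script host on double-click (not exhaustive).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                      ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".dll", ".ps1"}


def is_trusted_source(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def sender_domain(address: str) -> str:
    """Domain part of an address such as 'CEO <ceo@example-bank.test>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def inspect_inbound(raw: bytes, client_ip: str, envelope_from: str) -> list:
    """Return the reasons to reject this message; an empty list means accept."""
    reasons = []
    msg = email.message_from_bytes(raw, policy=policy.default)

    # 1. Spoofed internal sender: the envelope sender or the visible From header
    #    uses our domain, yet the SMTP client is not one of our own hosts.
    claimed = {sender_domain(envelope_from), sender_domain(str(msg.get("From", "")))}
    if INTERNAL_DOMAIN in claimed and not is_trusted_source(client_ip):
        reasons.append(f"sender claims {INTERNAL_DOMAIN} but arrived from external host {client_ip}")

    # 2. Executable attachments: block by extension, and also by the PE 'MZ'
    #    magic so a renamed .exe does not slip through as 'statement.pdf'.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif data[:2] == b"MZ":
            reasons.append(f"attachment {name} is a Windows executable despite its extension")
    return reasons


def build_message(from_addr: str, attachment_name: str = None,
                  attachment_bytes: bytes = b"") -> bytes:
    """Construct a sample message (fixture for the demonstration only)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "teller@" + INTERNAL_DOMAIN
    m["Subject"] = "Updated wire instructions"
    m.set_content("Please review the attached file.")
    if attachment_name:
        m.add_attachment(attachment_bytes, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    spoof = build_message("CEO <ceo@" + INTERNAL_DOMAIN + ">")
    print(inspect_inbound(spoof, "198.51.100.7", "ceo@" + INTERNAL_DOMAIN))  # spoofed, rejected
    print(inspect_inbound(spoof, "10.1.2.3", "ceo@" + INTERNAL_DOMAIN))      # from inside, accepted
    renamed = build_message("vendor@supplier.test", "statement.pdf", b"MZ\x90\x00" + b"\x00" * 13)
    print(inspect_inbound(renamed, "198.51.100.7", "vendor@supplier.test"))  # PE content, rejected
```

The From header is checked as well as the envelope sender because the two are independent in SMTP: a phishing message can use a throwaway envelope address that passes SPF while displaying ceo@your-domain to the recipient. Archives and Office documents with macros are deliberately not covered here; they need their own handling.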
And lastly, please, please, train your employees to recognize and report social engineering attempts. We (humans) are the weak link that is often taken advantage of by cyber-attackers. Recent attacks have taught us that it only takes one person not doing the right thing to allow cyber-attackers a foothold.