Defend against malware - Best practices
Intro
In this blog post I want to share some best practices for defending against malware: elements that are crucial to a good cybersecurity posture. For each aspect you will also find references to sources if you want to learn more, and links to different solutions. I'll limit the focus to the ones that Gartner recognizes as leaders in their area.
Updates and patches
One of the most important things: plan for updates and patches. The number of times I've come across systems that didn't receive an update for years is troublesome, especially in OT environments.
And when talking about updates and patches, we aren't just talking about the operating system but also about installed software, drivers, and device firmware. Just a quick check... When is the last time you updated the firmware of your printer? Right...
What is more, you should have a clearly defined policy and procedure to plan and execute updates, and not only for "planned" updates but also for critical ones. So if a critical zero-day vulnerability is released, there is a procedure in place to perform this update.
Anti-malware solution
Looking at this blog post's title, this is maybe the most obvious one, but it is another crucial part of defending against malware. Have a good antivirus solution installed that updates regularly but also performs a complete scan from time to time.
Have a policy and a procedure for when these scans happen or what should trigger them. Or even consider upgrading to an EDR or XDR solution ((Managed) Endpoint Detection and Response).
Some solutions to consider here are:
Carbon Unit Training
Carbon units, or humans, are still the weakest link in the entire system.
But you can and should provide training for your users, and not only for the end users in your environment but also for the admins.
Let training be part of their KPIs (Key Performance Indicators) for their evaluation.
A good average here is to spend no less than 2-4 hours per week learning.
End-user training:
Teach end users the best practices on how to treat suspicious mail, how not to click on just any link, and not to install free software that promises all kinds of fantastic things.
You can do this by running simulated phishing campaigns and giving feedback to the users on what they did wrong and what they did well.
And don't just do this once. It should be a continuous cycle, with new content regularly. Also, don't limit this training to mail-borne threats; throw in other angles like web or phone as well.
Some good sources:
Admin training
The admins are the gatekeepers for your organization. Their knowledge of the systems is vital. They need to stay on point with all the solutions in the organization but also have the time to investigate new vulnerabilities, resolve issues in your environment, and perform all daily tasks to keep your environment running as securely as possible.
Provide your admins with the tools and means to expand their knowledge. Maybe even an ethical hacking course, so they get more insights into how malicious actors gain access to your environment. Help them get the knowledge to recognize weaknesses in the company's defenses.
Some good sources:
Backups
Backups are needed if everything else fails. And by backup, we don't mean having your files stored in one drive or the ghost copy/system restore point from your PC. There is a simple rule for a good backup policy. It's called the 3-2-1 rule.
This means that you should at all times have three copies of your data, on two different types of media, with one copy off-site.
There is also your retention policy to investigate. How far back do your backups need to go? What kind of data needs to be backed up? Your mileage may vary depending on the industry you are in and the compliance rules that apply.
Some good solutions:
Logging & Monitoring
When you aren't monitoring your systems and logging events, you have no insight into when an event occurs. There are multiple things that you should log and correlate:
- System access & authentication: How many attempts are there to access a system? When should alarms go off? If you aren't monitoring this, you can't see when someone is trying to brute-force access to an account.
- Account creation: Should a system get breached, one of the things malicious actors could do is create an extra account on the system so they can get back in, should a user change their password or their malware be discovered.
- File integrity: Some files on a system are static and don't change (or not often). When these files get changed, there are definitely some alarm bells that should go off.
- Network traffic: Is there data passing over the network that isn't consistent with normal operation? This can be an indicator of something malicious on a system.
There are solutions that monitor and log these activities, like syslog solutions or SIEM solutions. They will even correlate this data so that it is easier to understand, and can make links between different events so that you have a clear view of the IoCs (Indicators of Compromise).
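As an added example (not code from the original post), the first two log items above turned into a small correlation check: it flags a source that produces repeated authentication failures inside a sliding window, a later successful login from that same flagged source, and any account creation. The log lines are a constructed auth.log-style sample, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style sample (not real data): a burst of failures from one source, a success from that source, then an account creation.
SAMPLE_LOG = """\
Mar 10 08:00:01 srv1 sshd[1201]: Failed password for admin from 198.51.100.7 port 50122 ssh2
Mar 10 08:00:03 srv1 sshd[1202]: Failed password for root from 198.51.100.7 port 50123 ssh2
Mar 10 08:00:04 srv1 sshd[1203]: Failed password for invalid user backup from 198.51.100.7 port 50124 ssh2
Mar 10 08:00:06 srv1 sshd[1204]: Failed password for admin from 198.51.100.7 port 50125 ssh2
Mar 10 08:00:09 srv1 sshd[1205]: Failed password for admin from 198.51.100.7 port 50126 ssh2
Mar 10 08:01:30 srv1 sshd[1210]: Accepted password for admin from 198.51.100.7 port 50130 ssh2
Mar 10 08:02:00 srv1 useradd[1220]: new user: name=svc_helper, UID=1005, GID=1005, home=/home/svc_helper, shell=/bin/bash
Mar 10 09:15:00 srv1 sshd[1300]: Failed password for alice from 192.0.2.20 port 41000 ssh2
Mar 10 09:16:10 srv1 sshd[1301]: Accepted password for alice from 192.0.2.20 port 41001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \w+\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

def analyze(log_text, threshold=5, window=timedelta(minutes=5), year=2024):
    """Return (alert_type, subject, detail) tuples. Syslog lines carry no year,
    so one is assumed; failures are counted per source in a sliding window."""
    alerts = []
    recent_failures = defaultdict(deque)  # source address -> timestamps of failures
    flagged_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if f := FAILED_RE.search(msg):
            q = recent_failures[f["src"]]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and f["src"] not in flagged_sources:
                flagged_sources.add(f["src"])
                alerts.append(("BRUTE_FORCE", f["src"], f"{len(q)} failures within {window}"))
        elif a := ACCEPTED_RE.search(msg):
            if a["src"] in flagged_sources:  # success after a burst: treat as a likely compromise
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", a["src"], f"login as {a['user']}"))
        elif u := USERADD_RE.search(msg):
            alerts.append(("ACCOUNT_CREATED", u["user"], msg))
    return alerts
```

Note that the lone failure from 192.0.2.20 followed by a success is not reported; a single typo is not an attack, which is why the threshold and window are parameters you tune to your environment.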
Some good solutions:
Blocking
Some good advice: if it isn't needed, block it. It is best practice to block the things that aren't needed on a system. There are multiple items that you should consider:
System firewall: Block ports that aren't needed. If you don't require a port for a specific reason, that port should be closed.
Disable PowerShell: If you don't use PowerShell in your organization, disable it, or at least configure it so that it can only run specific scripts or has a whitelist of scripts that it can run. Once malicious actors gain access to a system, they use PowerShell to fetch additional malware or execute commands to gain a persistent presence on a system. By disabling cmd and PowerShell you can limit what a malicious actor can do.
Protocols and services: Only keep the services that are required and disable those that aren't. Ensure you have a good baseline of the services that need to be active for normal operation, and report when a service that isn't required gets activated. Do the same for protocols: if it isn't needed on the system, the protocol should be disabled.
Applications: Make it so that only apps from trusted sources can be installed, or even create a whitelist of apps that a user can install. This limits the number of applications you need to monitor and keep under a patch management policy.
Principle of least privilege: Block a user's access to environments and data that they don't require access to. Ask yourself: "Is access to this data or this source needed?" If the answer is "no", then the user shouldn't have those rights.
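The "system firewall" and "protocols and services" items both come down to knowing your baseline and reporting drift from it. As an added example (not code from the original post), the check below reads the column layout of `ss -tlnp` on Linux and compares every listening TCP port against an approved port-to-process baseline, so it catches a port that should not be open at all, a known port served by an unexpected process, and a required service that is no longer listening. Both the baseline and the `ss` output are constructed for the example.

```python
import re

# Approved baseline for this host: listening TCP port -> process expected to own it.
# Constructed for the example; a real baseline comes from your own build standard.
BASELINE = {22: "sshd", 80: "nginx", 443: "nginx"}

# Constructed sample in the column layout of `ss -tlnp` (not a real capture):
# port 80 is served by an unexpected process and port 8080 is not in the baseline.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("python3",pid=2231,fd=3))
LISTEN 0      128    [::]:443            [::]:*            users:(("nginx",pid=1020,fd=6))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("node",pid=2240,fd=5))
"""

# Greedy \S+ for the address backtracks to the last colon, so "[::]:443" splits correctly.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

def audit_listeners(ss_output, baseline=BASELINE):
    """Compare listening sockets from `ss -tlnp` output against the baseline.
    Returns (finding, port, detail) tuples; an empty list means no drift."""
    findings = []
    seen = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a line without process info
        port, proc = int(m["port"]), m["proc"]
        seen.add(port)
        expected = baseline.get(port)
        if expected is None:
            findings.append(("UNEXPECTED_PORT", port, f"opened by {proc}"))
        elif proc != expected:
            findings.append(("UNEXPECTED_PROCESS", port, f"{proc} instead of {expected}"))
    for port in sorted(set(baseline) - seen):  # required service not listening at all
        findings.append(("BASELINE_PORT_NOT_LISTENING", port, baseline[port]))
    return findings
```

Run it on the real command output on a schedule and feed the findings into the same logging and alerting you use for authentication events; an unexpected listener is exactly the "service that isn't required gets activated" case above.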
System hardening
You don't need to reinvent the wheel. There are guides available on how to harden a system. System hardening is the practice of tuning a system so that malicious actors have a hard time breaching it. Some valuable resources here are:
CIS Benchmarks
ANSSI Best Practices
NIST csrc
Defense-in-depth
When we talk about a defense-in-depth strategy or multilayered defense, you should implement all of the above countermeasures, or as many as possible.
This is all part of the strategy of limiting the possible attack surface as much as possible.
I invite you to thoroughly review your policies and procedures to check if all elements are present.
Should you need a review of the policies and procedures in place or create missing ones that are aligned with your business and industry standards, Walnut tree Consulting can help you in this process. Please feel free to reach out and contact us.