Maksim Kabakou - Fotolia
Security Think Tank: Basic steps to countering malware comms
As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure they detect such methods and that all C&C systems are removed, including "sleepers" designed to be activated at a future date
For an IT security person or IT administrator/technician charged with maintaining good security on a company’s IT systems, life doesn’t get any easier. The attack vectors include company staff visiting websites that have been compromised to deliver a malicious payload, staff opening email infected attachments from unknown (and sometimes known) sources and outright hacking of company IT assets with the intent of lodging software with malicious intent or modifying existing software to create a backdoor.
Often, malicious software, irrespective of how it got into the company’s IT, will need to phone home and establish command and control channels or wait in a dormant state ready to be activated. To improve malware effectiveness, developers are adding more than one command and control mechanism which then makes the IT security job ever more “interesting”.
What to do? The first and obvious route is prevention of a malware infection in the first place and the second is to maintain an effective detection and eradication regime. Easier said than done, of course.
The basics of preventing infection in the first place start with maintaining all software to a supported release and latest patch levels. Second, ensuring all software is appropriately configured, review all default settings and adjust as necessary, if something is not necessary, remove it, and if the software has inbuilt passwords as part of its operation, change the default.
Also, ensure IT and security staff have two network IDs, one for administration/audit and one for day-to-day use, and normal users should not have any administrator privilege even local to their PC.
Internet and third-party network access should be via a DMZ [demilitarised zone] and proxy and firewall rule sets should be specific, not generalised. For example, outgoing rules should identify the internal source as being from a specific IP address and port that should be on the DMZ.
Also, the DMZ should have a different address range to that of the main network. Guest (WiFi) access to the internet should also be over a separate network to the main company networks with no bridging between guest and company.
Read more from Computer Weekly’s Security Think Tank about malware comms
Another recommended piece of the prevention pie comes from tying a company’s DNS server to the Quad9 DNS service. This is a free DNS service from the Global Cyber Alliance, a group (co-founded by City of London Police) that checks requested uniform resource identifiers (URIs) against IBM X-Force’s threat intelligence database.
Looking at detection and eradication, it should go without saying that servers, proxies and PCs should all be running up-to-date antivirus and anti-malware software. Email gateways that include spam filtering, antivirus and anti-malware features should also be part of the arsenal and can be on-site or a bought-in service.
Analytic tools for large companies include paid-for products from LogRythm, Splunk and others, while SME/SMB’s can look to deploying some of the “free” analytic tools such as PRTG and Microsoft Network Monitor.
These tools can detect anomalous behaviours on a network that could indicate the presence of malicious software such as large, unexpected or unusual traffic flows, slow scanning of a network, unauthorised attempted access to services, unusually high resource utilisation, etc. and can issue alerts/alarms and reports. See the Security Think Tank article Reducing dwell has never been more important for more information.
A full IT security health check (ITSHC) should be carried out annually at a minimum, preferably every six months, and should cover not just penetration testing from the internet but also detailed security scanning of the internal networks, servers and PCs, not forgetting printers, Wi-Fi devices, IP cameras, etc.
It is recommended that internet-only penetration testing be additionally carried out monthly or more frequently based on a risk assessment. There are many companies that offer these tests as an automated service. Don’t just file test reports, review them, understand them and act on them.
A final thought. Ensure the IT estate is fully and regularly backed up and that those backups are tested for viability. While not part of detecting and eliminating malware and their command and control channels, it is your “get out of jail” card should things go awry.