Are we listening to our malware reports - effectively?
The majority of cyber incidents faced today involve malware in one or more phases of the kill chain.
To establish and sustain a trustworthy computing environment, it is critical to have good control over, or eradication of, malware presence in the network. This also helps reduce a considerable number of IT help desk tickets related to system slowness, reformatting, software corruption, etc. For this, it is essential to continuously understand which malware families are present and how they behave, their propagation vectors, the impacted user sets, the presence of new malware, and the weaknesses being exploited.
Malware-related reports collected from various control points inside our enterprise network have around 75+ data fields, providing rich insight into the enterprise's overall security posture and the effectiveness of our controls, including people, practice, process and technology.
Data sources for malware-related reports are:
- Antivirus
- IPS / HIPS
- Firewalls
- Proxies
- DNS
- Email protection – antivirus / spam
- ATP solutions
- Sandboxes
At a high level, the malware report can give us an overall picture of enterprise security, based on the type of malware encountered daily and its propagation vectors: web, mail, USB, network, etc.
- A high presence of worms may indicate a lack of effective vulnerability management, leaving many vulnerabilities for malware and attackers to exploit.
- A high presence of adware, malvertising, downloaders or web-based malware indicates non-productive user browsing patterns and reflects the security culture of the organization.
- Malware infections through USB / external drives may indicate policy non-compliance, weak security culture and a high potential for data leakage at enterprise level, or even that autoplay is enabled, forcing the antivirus to scan the external drive fully.
- Indicators of outbound C&C traffic at perimeter controls provide a critical alert on an existing potential compromise and its control by external adversaries.
- Malware arriving through email may indicate a need to review the effectiveness of the spam, phishing and threat protection solutions, or that those users are targeted by external adversaries based on their profile or public visibility, because they mix business and personal digital identities, or even because enterprise email dumps are available in public forums.
- Presence of many potentially unwanted programs (PUPs) indicates usage of unsanctioned / unauthorized software or software licensing non-compliance at enterprise level.
Periodic review of the overall estate coverage count and its health/effectiveness against the estate inventory helps identify systems running corrupted antivirus agents, systems with broken communication to the parent server, and systems running old signatures (at least N-2 behind), for proactive corrective action. Periodic scans from the antivirus servers can proactively identify rogue systems, which are often the root cause of unpleasant surprises and malware outbreaks.
Denied traffic at
- proxies (malware, security, suspicious, C&C, phishing and botnet categories),
- specific vulnerable / risky ports in firewall,
- specific DNS resolutions,
- IPS signature trigger on outbound traffic interface
are clear indicators of potential internal compromise or rogue systems that need urgent action.
Indicators from sandboxing solutions such as SEP, EDR/ATP, PA WildFire, Symantec Blue Coat proxies, etc. can be leads to zero-day / targeted campaigns or to the ineffectiveness of internal controls. If these solutions could indicate whether this traffic is 'seen for the first time', 'seen only very recently', or 'known bad traffic for a long time', it would help defenders classify it as targeted / zero-day and prioritize the action.
The time of malware infection on each system is critical to understand; in many enterprises with mobile users there is a clear pattern:
- ~30% of infections occur after office hours on laptops: 7 PM – 8 PM
- High infection count on Monday morning and Friday noon
- Weekend misuse of resources / personal activities by users
- Friday noon - output of the weekly scheduled scan (based on the day set)
These insights help in deciding whether a cloud proxy option needs to be enforced to protect user activity outside the office network, and they give a clear indication of zero-day malware infections that occurred during the week being detected with new signatures on Friday, pointing to the need for additional controls or enforcement.
A large number of zero-day malware samples are released into the wild every day. If there is a presence, it is critical to analyze whether this malware is commodity, sophisticated, or advanced/hybrid/APT, since handling, prioritization and response differ for each category.
The response plan for infections on desktops, laptops and servers should always differ, since the type of infection and the propagation vector vary for each. The chances of servers getting infected are meager if external drives, direct internet access, unauthorized software, games, etc. are controlled/restricted; but if there are indicators of presence, the root cause has to be identified and fixed, since it is a deviation from the norm.
Detailed analysis of emails blocked for malware should be done to identify who the senders are and whom they are targeting; this may provide many insights and indicators that can be controlled, so that these users do not continue to be targets.
For most antivirus products to perform properly, enough free space is required on the drive partition where the software is installed; the earlier rule of thumb was to keep at least 25% of the space free to ensure updates are downloaded without space constraints. Proactive action on low disk space systems can avoid antivirus agent failures and malware-compromised systems.
Typically, antivirus solutions take one of three actions when they detect malware: clean, quarantine or leave alone. The ratio of cleaned + quarantined to left alone is critical to understanding the effectiveness of the antivirus solution. Ideally, at least 95% of detected malware should be either cleaned or quarantined. The tangible cost of a malware infection is around $120, considering the time spent by various people in handling the incident (containing, mitigating, recovering and reformatting), storage space for each of these events, EPS license cost for each event in the SIEM, etc. So in a large enterprise with 300 malware events a day, where the antivirus solution cleans or quarantines only 70% of those events, the daily cost of sustaining the malware threat is around $10K. If this is the scenario, you may need to revalidate each of the antivirus configuration parameters or consider a more effective solution.
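As an added example (not part of the original note), the following script works through two of the reviews described above on constructed antivirus detection records: the infection-time pattern (detections per weekday and after-hours laptop infections in the 7 PM – 8 PM window) and the clean/quarantine versus left-alone ratio with the $120-per-event daily cost estimate. The record layout, hostnames and malware family names are assumptions made up for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample antivirus detection records (not from the article):
# timestamp, host, device type, malware family, action the agent took
SAMPLE_EVENTS = """\
2019-03-04T08:12:00,LT-1042,laptop,Worm.Generic,Cleaned
2019-03-04T08:40:00,DT-0311,desktop,Adware.Generic,Quarantined
2019-03-04T19:30:00,LT-2210,laptop,Trojan.Downloader,Left alone
2019-03-05T10:05:00,LT-1109,laptop,PUP.Toolbar,Quarantined
2019-03-06T19:10:00,LT-0877,laptop,Trojan.Dropper,Cleaned
2019-03-07T11:20:00,SRV-DB01,server,Worm.Generic,Left alone
2019-03-08T12:05:00,DT-0452,desktop,Adware.Generic,Cleaned
2019-03-08T12:30:00,LT-1042,laptop,Trojan.Downloader,Quarantined
2019-03-08T12:45:00,LT-3301,laptop,Trojan.Generic,Left alone
2019-03-08T19:40:00,LT-2210,laptop,Adware.Generic,Cleaned
"""
HANDLED = {"Cleaned", "Quarantined"}
COST_PER_EVENT_USD = 120       # article's tangible cost per unhandled infection
TARGET_HANDLED_RATIO = 0.95    # article's threshold for cleaned + quarantined

def parse_events(text):
    """Parse one CSV record per line into dicts carrying a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, family, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "family": family, "action": action})
    return events

def handled_ratio(events):
    """Share of detections the agent cleaned or quarantined (the rest were left alone)."""
    return sum(e["action"] in HANDLED for e in events) / len(events)

def projected_daily_cost(events_per_day, ratio):
    """Daily cost of the infections the agent did not handle, at $120 each."""
    return events_per_day * (1 - ratio) * COST_PER_EVENT_USD

def left_alone_hosts(events):
    """Hosts needing manual follow-up because a detection was left alone."""
    return sorted({e["host"] for e in events if e["action"] not in HANDLED})

def time_pattern(events):
    """Detections per weekday, plus after-hours (19:00-20:00) laptop infections."""
    by_weekday = Counter(e["ts"].strftime("%A") for e in events)
    after_hours = sum(1 for e in events if e["kind"] == "laptop" and e["ts"].hour == 19)
    return by_weekday, after_hours
```

With the sample data the handled ratio is 70%, below the 95% target, and the same ratio at 300 events a day projects to $10,800 daily, the article's "around $10K".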
Incident handlers should periodically review malware reports to establish a baseline for each of these malware parameters; once a baseline is established, control is comparatively easier.
This note is only to highlight the insights provided by malware reports for taking informed decisions. It is not an approach document on eradicating malware from enterprise IT network.
Comments on the article:
- Informative
- Senior Security Analyst | M365 Security Specialist | DLP Specialist | Security Consultant | Trainer (7 years ago): I'm interested in the network domain, any opening at your end?
- Team Lead – IT Infrastructure at Sophos (7 years ago): hi
- CISM, ISMS LA, Information Security Leader (7 years ago): Informative and relevant information
- Head of Information Security @MCX India Ltd. I CISM I PMP I ISMS I PCIDSS I GDPR (7 years ago): Very well analysed and articulated, good plan of action. Thanks for sharing.