Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 8 

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 8

In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

 

 

CSC 8 Featured

 

CSC 8: Malware Defenses

 

The Control

 

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

 

The Attack

 

Malware is a broad category that identifies any sort of malicious software. This includes viruses, trojans, worms, spyware, crimeware, scareware and ransomware as the primary types. Malware is not a new concept. The first virus is documented as being created in 1971, 45 years ago! In those 45 years, malware has transformed from a simple self-replicating worm into the crime and ransomware that has been impacting companies and recently headlining news articles. The most notorious of these is the crypto-locker ransomware which locks all files on the system until the end user pays the ransom fee.

 

For my example attack in this blog post, I am going to demonstrate exactly how easy it is for someone to create a virus and infect a user. With the mainstream of security testing tools, the process has never been easier for a “script kiddie,” a hacker possessing hacking software with a low technical aptitude, to create malware which can pose a significant risk. In the screenshot below, we can see how a simple command that requires very little technical aptitude can be run in order to generate a virus. This virus is configured to launch a remote connection back to the attackers, giving them access to the infected computer.

 

CSC 8.1

 

Figure 1: Creating a virus

 

By uploading this file to specialty websites which can scan the files using several different virus scanners, we can see that this file is clearly malicious. Twenty-six of the 42 tested antivirus vendors identified that this file was a virus. Of the vendors which did not detect the virus, a majority of them were niche antivirus software and not enterprise grade solutions.

 

CSC 8.2

 

Figure 2: The virus is detected by most enterprise level antivirus solutions

 

If the attacker is able to social engineer a target without antivirus into opening this file, either through email phishing or a malicious website, the file will not be detected. Additionally, an attacker might be able to attack a machine on the network and upload the malicious file to the system. I should note that in today’s day and age, most endpoint systems which have users using them on a day-to-day basis contain antivirus software. However, it is not uncommon to find servers such as domain controllers that do not have antivirus because of concerns regarding performance.

 

CSC 8.3

 

Figure 3: File is sent to or uploaded to victim system

 

Finally, once the file is on the system and has not been detected, the only thing left is to execute it. Often attackers will use social engineering techniques in order to convince people to open these files. In the example above, the file is named “Payroll Info” in order to entice users to open it. Once opened, the virus initiates a remote connection back to the attacker’s system resulting in a compromise.

 

CSC 8.4

 

The Solution

 

The implementation of this control is rather easy, however the proper and secure implementation of complete endpoint malware protection is much more exhaustive. The first step should be to ensure that every system, including systems that are often times skipped such as servers, Mac OSX, and Linux systems, should contain enterprise-grade antivirus software. This software should be configured to send real time alerts to a centralized server so that if infection is possible, it doesn’t have the opportunity to delete logs from the system, masking the infection. This centralized server should also have the ability to monitor and report on clients who have an out-of-date virus database.

 

Several additional endpoint hardening processes can be implemented as well. A file reputation system should be configured to block files with a low reputation. In most cases, reputation is monitored and calculated by a quality antivirus solution which tracks metrics to determine if the file is safe. Malware historically accessed computers through removable media so USB ports should be disabled on sensitive systems to ensure that the system does not get infected through an infected USB drive. Finally, anti-exploitation software should be deployed to attempt to mitigate threats associated with exploit attacks. These attacks are typically used in order to deliver malware to the system, and by preventing the exploit, it is possible to prevent the malware from being executed.

 

The implementation of network-based anti-malware is a great option because it provides companies with the ability to track malware even if the malware has disabled alerting and monitoring on an endpoint system. Network based devices should be able to monitor systems for suspicious behavior, such as DNS requests to known malware command and control servers, or to identify the infected system attempting to attack other systems on the network. 

 

By implementing all of these controls, you will have a more secure environment. However, it should be noted that most antivirus solutions can be bypassed by either encrypting the malware or writing custom malware that has not been flagged as a virus. It is important that organizations take steps to monitor systems for suspicious behavior even if they have implemented a solid anti-malware solution.

 

The next post will cover CSC 9: Limitation and Control of Network Ports, Protocols, and Services.

Joshua Platz
Principal Security Consultant | Optiv
Joshua Platz is a principal security consultant in Optiv’s advisory services threat practice on the attack and penetration team. Joshua’s role is to execute advanced service offerings such as the advanced threat simulation purple team activity and provide thought leadership and mentorship to the practice. Joshua also executes internal and external network penetration testing, enterprise password audits, and was one of the designers and first executers of the attack surface management offering.