CIS Control 8: Malware Defenses
This article breaks down CIS Control 8 and the eight sub-controls associated with the second Foundational CIS Control.
CIS Control 8 is the only control focused specifically on anti-virus and malware across an organization. Malware is a broad category that includes any sort of malicious software designed to attack systems, devices and data, which includes viruses, trojans, worms, spyware, and ransomware. Modern malware is fast-moving, constantly evolving and designed to avoid defenses, or attack and disable them.
The degree of damage caused by malware varies according to the type of malware, the device that’s infected, and the nature of the data that’s stored or transmitted by the device. Nevertheless, malware is a rapidly growing problem that must be properly managed in order to reduce an organization’s risk.
That said, AV should always be regarded as an augmentation to any good security initiative. A vital step in the fight against cybercrime but one which must not be regarded as a catchall.
For more reading and opinion, read NNT CTO Mark Kedgley’s latest article, Funerals for Glaciers and Antibiotics: Is Anti-Virus Next?
Let's dive right into the sub-controls of this essential CIS security control.
8.1: Utilize Centrally Managed Anti-Malware Software
- Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers.
The first step in CIS Control 8 is to ensure that every system, including servers and macOS and Linux hosts, runs enterprise-grade anti-virus software. The AV software must be configured to send real-time alerts to a centralized server, so that even a successful infection cannot delete the local logs and hide itself. Addressing this sub-control also lays the groundwork for sub-controls 8.2 and 8.6 below.
8.2: Ensure Anti-Malware Software and Signatures Are Updated
- Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.
In this sub-control, organizations are advised to leverage tools to verify that the signatures are up to date and ensure that updates are rolled out automatically. For this sub-control, NNT suggests using NNT Change Tracker. Change Tracker will ensure that your AV is properly installed, running, and up to date with the latest signatures.
8.3: Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
- Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
In this sub-control, organizations are advised to deploy anti-exploitation software to mitigate the threats associated with exploit attacks. This sub-control may seem complicated, but it’s actually quite simple. With the Benchmark reports provided in NNT Change Tracker, your organization will be presented with step-by-step instructions to enable these settings and more.
As one of a handful of CIS Certified Vendors, NNT has access to a broad range of CIS Benchmark reports that can be leveraged to audit enterprise networks and continuously monitor for any drift from your hardened build standard, ensuring systems stay within compliance 24/7.
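Whether DEP and ASLR actually protect a process depends on how each binary was built, not only on the OS setting, so an audit of sub-control 8.3 should check both. The following Python script is an added example for Linux hosts; it is not NNT's or CIS's code. It reads the kernel-wide ASLR setting from /proc/sys/kernel/randomize_va_space (2 means full randomization) and parses an ELF64 image's headers to report whether it is position independent (ET_DYN, so ASLR can relocate it) and whether its PT_GNU_STACK header leaves the stack non-executable (the NX/DEP equivalent). The sample ELF images are constructed in memory so the check runs offline; the same function works on real files via check_file().

```python
import struct
from pathlib import Path

# ELF constants (from the ELF64 specification and the GNU ABI extension)
ET_EXEC = 2            # fixed-address executable: ASLR cannot relocate its image
ET_DYN = 3             # position-independent executable (or shared object)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def elf_mitigations(data: bytes) -> dict:
    """Report PIE and non-executable-stack status for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:
        raise ValueError("this example handles ELF64 only")
    end = "<" if data[5] == 1 else ">"               # EI_DATA: 1 = little endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx_stack = None      # no PT_GNU_STACK header: linker did not request NX, kernel default applies
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    # Note: shared libraries are also ET_DYN; for a full audit apply this to executables only.
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def check_file(path: str) -> dict:
    """Run elf_mitigations() over a binary on disk."""
    return elf_mitigations(Path(path).read_bytes())


def kernel_aslr_level(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Return the kernel ASLR level (0 = off, 1 = partial, 2 = full) or None if unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def build_sample_elf(pie: bool, exec_stack: bool, with_stack_header: bool = True) -> bytes:
    """Construct a minimal ELF64 header (plus one program header) for demonstration only."""
    phnum = 1 if with_stack_header else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # 64-bit, little endian, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,   # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,                                    # e_phoff (right after header), e_shoff, e_flags
        64, 56, phnum, 64, 0, 0)                     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = b""
    if with_stack_header:
        flags = 0x6 | (PF_X if exec_stack else 0)   # PF_R | PF_W, optionally PF_X
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


if __name__ == "__main__":
    print("kernel ASLR level:", kernel_aslr_level())
    print("hardened sample:", elf_mitigations(build_sample_elf(pie=True, exec_stack=False)))
    print("legacy sample:  ", elf_mitigations(build_sample_elf(pie=False, exec_stack=True)))
```

A binary that reports pie=False or nx_stack=False is a candidate for the "broader set of applications" the sub-control mentions, where an OS-level toolkit has to supply the protection the build did not.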
8.4: Configure Anti-Malware Scanning of Removable Media
- Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
In this sub-control, organizations are advised to configure devices to conduct malware scans on any removable media. Malware can show up anywhere, and removable media like USB drives represent a major source of infection. That’s why it’s absolutely critical for your organization to set up an AV policy that scans removable media before it’s allowed on anything, and to limit who can install software in the first place. Removing privileged access (CIS Control 5) helps remove the possibility of user-installed software and malware attacking critical systems.
Most anti-virus software has this setting turned on by default, but organizations should never make assumptions and instead should make certain that this feature is enabled.
8.5: Configure Devices to Not Auto-Run Content
- Configure devices to not auto-run content from removable media.
This sub-control advises organizations not to auto-run content from removable media. Auto-run on device insertion is a convenient yet extremely dangerous feature that should be disabled on all machines. It is a very easy setting to change, and both the CIS Benchmarks and the DISA STIG hardening guides have step-by-step instructions on how to disable auto-run.
Using a tool like NNT Change Tracker would allow your organization to easily check each endpoint in your IT environment to ensure that this setting is disabled.
Learn more about Change Tracker in our product solution brief
8.6: Centralize Anti-Malware Logging
- Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
In this sub-control, organizations are encouraged to send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. As mentioned in CIS Control 6, tracking and reporting incident information at the log level is very important. Centralized logging makes it much easier for your organization to follow malicious events and understand exactly what happened and how.
8.7: Enable DNS Query Logging
- Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
In this sub-control, the CIS suggests configuring systems to log DNS queries in order to catch requests to Command & Control (C&C) domains. This technique is an excellent way to passively monitor for malware in your environment. It works by reviewing your DNS logs and correlating the queried domain and timestamp with the internal host the query originated from.
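The correlation step just described, as an added example that is not part of the original article or NNT's tooling: the Python script below parses resolver query-log lines in the BIND 9 query-log layout (with or without the `@0x...` client token), matches each queried name against a blocklist of known-malicious domains (including their subdomains), and reports which internal client made the lookup and when. The log lines and the blocklist entries (under the reserved `.invalid` TLD) are constructed for the example; in practice the blocklist would come from your threat-intelligence feed.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 style query log line, e.g.
# "01-Mar-2021 10:15:32.123 client 10.0.0.12#53422 (www.example.com): query: www.example.com IN A + (10.0.0.2)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Constructed sample log: two lookups of a blocklisted domain from two internal hosts.
SAMPLE_LOG = """\
01-Mar-2021 10:15:32.123 client 10.0.0.12#53422 (www.example.com): query: www.example.com IN A + (10.0.0.2)
01-Mar-2021 10:15:40.501 client @0x7f1c2c00 10.0.0.12#53477 (beacon.c2-sample.invalid): query: beacon.c2-sample.invalid IN A + (10.0.0.2)
01-Mar-2021 10:16:02.009 client 10.0.0.33#60120 (C2-SAMPLE.INVALID): query: C2-SAMPLE.INVALID IN TXT + (10.0.0.2)
01-Mar-2021 10:16:15.777 client 10.0.0.12#53490 (mail.example.com): query: mail.example.com IN MX + (10.0.0.2)
"""

# Constructed blocklist; a real one comes from a threat-intelligence feed.
BLOCKLIST = {"c2-sample.invalid"}


def parse_query_line(line: str):
    """Return a dict with timestamp, client IP, normalized query name and type, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": m["ip"],
        "qname": m["qname"].rstrip(".").lower(),   # case-insensitive, drop trailing dot
        "qtype": m["qtype"],
    }


def is_blocklisted(qname: str, blocklist: set) -> bool:
    """True if qname or any parent domain of it is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_c2_lookups(lines, blocklist=BLOCKLIST):
    """Return every parsed query whose name matches the blocklist."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec and is_blocklisted(rec["qname"], blocklist):
            hits.append(rec)
    return hits


def hosts_by_domain(hits):
    """Group hits as {matched domain: [(client, ISO timestamp), ...]} for triage."""
    grouped = defaultdict(list)
    for rec in hits:
        grouped[rec["qname"]].append((rec["client"], rec["ts"].isoformat(timespec="milliseconds")))
    return dict(grouped)


if __name__ == "__main__":
    for domain, lookups in hosts_by_domain(find_c2_lookups(SAMPLE_LOG.splitlines())).items():
        for client, when in lookups:
            print(f"{when}  {client}  looked up {domain}")
```

The client address and timestamp are the two fields an incident responder needs to pivot from the resolver log to the endpoint's own AV and command-line logs (sub-controls 8.6 and 8.8).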
Read NNT CTO’s latest article Fear & Loathing of Log Savers
8.8: Enable Command-Line Audit Logging
- Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
For this sub-control, organizations are encouraged to collect the logs that explain what happened within their environment, particularly by ensuring that logging is enabled for command-line tools such as Microsoft PowerShell and Bash.
Cybercriminals continue to take a “live off the land” approach, using the tools already present on a system, to help minimize the risk of getting caught. With command-line logging enabled, it will be significantly easier for your organization to reconstruct the sequence of events: what happened, and how.
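On Linux, the command-line audit trail this sub-control asks for is usually produced by auditd with an execve rule such as `-a always,exit -F arch=b64 -S execve -k cmdline`; each execution then appears as a SYSCALL record (who ran it) paired with an EXECVE record (the argument vector) sharing one audit serial number. Arguments containing spaces or special characters are emitted hex-encoded rather than quoted, which trips up naive grep-based review. The Python below is an added example, not NNT's or CIS's code: it joins the two record types by serial, decodes hex-encoded arguments, and rebuilds each command with its user and process context. The audit lines are constructed for the example (the Windows equivalent would be Security event 4688 with command-line auditing enabled, plus PowerShell script block logging).

```python
import re
from collections import defaultdict

# Constructed auditd records: a bash -c with a hex-encoded argument, then a sudo invocation.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1614593732.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="cmdline"
type=EXECVE msg=audit(1614593732.123:4567): argc=3 a0="bash" a1="-c" a2=746172202D637A66202F746D702F6261636B75702E74677A202F657463
type=SYSCALL msg=audit(1614593740.004:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=2002 pid=2010 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="cmdline"
type=EXECVE msg=audit(1614593740.004:4568): argc=2 a0="sudo" a1="id"
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# aN="quoted" or aN=HEX; long arguments may be split as aN[0]=..., aN[1]=...
ARG_RE = re.compile(r'a(?P<idx>\d+)(?:\[(?P<part>\d+)\])?=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CONTEXT_FIELDS = ("auid", "uid", "pid", "ppid", "exe", "tty", "key")


def decode_arg(quoted, hexval) -> str:
    """auditd hex-encodes arguments that contain spaces, quotes or control characters."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexval).decode("utf-8", "replace")


def reconstruct_commands(lines):
    """Join SYSCALL and EXECVE records by audit serial and rebuild each argv."""
    events = defaultdict(lambda: {"args": {}, "meta": {}})
    for line in lines:
        m = MSG_RE.match(line)
        if not m:
            continue
        ev = events[m["serial"]]
        ev["meta"].setdefault("ts", float(m["ts"]))
        if m["type"] == "EXECVE":
            for a in ARG_RE.finditer(m["body"]):
                idx, part = int(a["idx"]), int(a["part"] or 0)
                ev["args"].setdefault(idx, {})[part] = decode_arg(a["quoted"], a["hex"])
        elif m["type"] == "SYSCALL":
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
            ev["meta"].update({k: fields.get(k) for k in CONTEXT_FIELDS})
    commands = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if not ev["args"]:
            continue                      # SYSCALL without an EXECVE record: not an exec we can rebuild
        argv = ["".join(parts[p] for p in sorted(parts)) for _, parts in sorted(ev["args"].items())]
        commands.append({"serial": serial, "argv": argv, **ev["meta"]})
    return commands


if __name__ == "__main__":
    for cmd in reconstruct_commands(SAMPLE_AUDIT.splitlines()):
        print(f"serial={cmd['serial']} auid={cmd['auid']} uid={cmd['uid']} pid={cmd['pid']} "
              f"ppid={cmd['ppid']} argv={cmd['argv']}")
```

Keeping auid (the login user) alongside uid is what lets a reviewer attribute a command run under sudo back to the person who actually logged in, which is exactly the trail that living-off-the-land activity tries to blend into.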
While this control is not a part of the Basic CIS Controls group, this control is absolutely critical for organizations to adopt early on in their security journey. Malware is a huge problem and it puts everyone at risk – don’t sleep on this control. Good malware prevention techniques help actively reduce the threat to legacy systems and “high risk” networks that may not be able to patch systems for one reason or another.
Fighting against malware requires 4 steps: stop malware right in its tracks from infecting machines, and if it manages to get into the machines, stop it from running immediately. Then, if it runs, stop it from doing damage, and get it off machines as quickly as you can.
This control should be used to assess infrastructure, mobile devices, IoT devices, and anything else that can become an easy target for malicious software – not just endpoint devices.
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises