Malware Defense-in-Depth 2.0 A practical approach to secure your enterprise against viruses, worms and rootkits Aa’ed Alqarta

Transcript of Malware Defense-in-Depth 2.0

Page 1: Malware Defense-in-Depth 2.0

Malware Defense-in-Depth 2.0

A practical  approach to secure your enterprise against viruses,

 worms and rootkits

Aa’ed Alqarta

Page 2: Malware Defense-in-Depth 2.0

The Problem

- Security defenses can’t keep up with the latest threats
- Malware is penetrating the network and infecting computers
- Antivirus software is not a silver bullet for all threats
- We are losing the war against malware

Page 3: Malware Defense-in-Depth 2.0
Page 4: Malware Defense-in-Depth 2.0

What is Malware?

According to NIST, “Malware (NIST, 2005) refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.”

NIST: National Institute of Standards and Technology

Page 5: Malware Defense-in-Depth 2.0

Types of Malware

- Viruses
- Worms
- Backdoors
- Spyware
- Bots (“Botnets”)
- Rootkits
- Ransomware

Page 6: Malware Defense-in-Depth 2.0

Top Malware Targets

Page 7: Malware Defense-in-Depth 2.0

Attack Anatomy

- Attackers discover vulnerabilities and write exploits for them (e.g. JS)
- They infect web sites to attack visitors
- A visitor browses the site and is immediately infected
- A virus is installed in the background and infects the client software
- Infected computers then attack internal clean machines (workstations/servers)

Page 8: Malware Defense-in-Depth 2.0

Web URL Filtering

- Enable AV scanning for malicious files/URLs
- Block access to malicious categories (Porn/Hacking/Downloads/Video/P2P/Torrent/Blogs/Infected Hosts/IM)
- Block downloads of executables (exe/dll/com)
- Inspect SSL traffic for malicious content

Page 9: Malware Defense-in-Depth 2.0

Application Control (Whitelisting)

- Allow business-approved applications only
  ◦ Office, Accounting, Finance, etc.
- Protect critical system files from modification
- Block any unapproved applications (including malware)
- The ability to block zero-day malware when AV does not detect it
- Monitoring of all application usage in the network

Page 10: Malware Defense-in-Depth 2.0

Device Control

- Block the usage of removable drives (Flash / iPod / H.D / Camera)
- If you must allow flash drives in the network:
  ◦ Use “Secure” flash disks (Encryption, AV, Password)
  ◦ Disable “Autorun” and block exe/Autorun.inf

Page 11: Malware Defense-in-Depth 2.0

Network Access Control

- Only allow compliant computers in the network
  ◦ AV is running and updated
  ◦ FW is running
  ◦ Latest Service Pack
  ◦ Domain user
- Quarantine infected computers in a separate “Remediation Environment”
  ◦ WSUS, AV server, Proxy

Page 12: Malware Defense-in-Depth 2.0

FW Best Practices

- No “Any Any” rules
- Outbound SMTP for Exchange servers only
- HTTP/HTTPS/FTP are a good start for end users
- Block infected computers
- Enable outbound denied logging
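A small policy check for three of the practices on this slide (no any-any allow, outbound SMTP only from Exchange servers, logged outbound deny), written as an added example and not taken from the original deck. The `Rule` structure, the group name `exchange-servers` and the sample ruleset are constructed assumptions; a real firewall export would need to be mapped onto this shape first.

```python
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass
class Rule:
    """One firewall rule in a simplified, vendor-neutral form (constructed for this example)."""
    name: str
    action: str      # "allow" or "deny"
    src: str         # "any", a network label, or a group name such as "exchange-servers"
    dst: str
    proto: str       # "any", "tcp" or "udp"
    dport: str       # "any" or a port number as a string
    direction: str   # "inbound" or "outbound"
    log: bool = False


def audit_ruleset(rules: List[Rule], exchange_group: str = "exchange-servers") -> List[str]:
    """Return one finding per violation of the slide's practices; empty list means compliant."""
    findings = []
    for r in rules:
        # Practice 1: no "Any Any" rules (allow with any source, destination and service)
        if r.action == "allow" and (r.src, r.dst, r.proto, r.dport) == (ANY, ANY, ANY, ANY):
            findings.append(f"{r.name}: any-any allow rule")
        # Practice 2: outbound SMTP (tcp/25) only from the Exchange server group
        if (r.action == "allow" and r.direction == "outbound"
                and r.proto == "tcp" and r.dport == "25" and r.src != exchange_group):
            findings.append(f"{r.name}: outbound SMTP allowed from {r.src!r}, expected {exchange_group!r}")
    # Practice 3: the last outbound rule should be a deny, and that deny should be logged
    outbound = [r for r in rules if r.direction == "outbound"]
    if not outbound or outbound[-1].action != "deny":
        findings.append("no final outbound deny rule")
    elif not outbound[-1].log:
        findings.append(f"{outbound[-1].name}: outbound deny rule is not logged")
    return findings


# Constructed sample ruleset: two compliant rules and one violation of each practice
SAMPLE_RULES = [
    Rule("exchange-smtp", "allow", "exchange-servers", ANY, "tcp", "25", "outbound"),
    Rule("users-web", "allow", "user-lan", ANY, "tcp", "80", "outbound"),
    Rule("users-smtp", "allow", "user-lan", ANY, "tcp", "25", "outbound"),  # workstations sending mail directly
    Rule("legacy", "allow", ANY, ANY, ANY, ANY, "inbound"),                  # the classic "any any" rule
    Rule("drop-rest", "deny", ANY, ANY, ANY, ANY, "outbound", log=False),    # denied traffic never logged
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES):
        print(finding)
```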

Page 13: Malware Defense-in-Depth 2.0

Case Study: Conficker/Downadup

- Windows Server service vulnerability (MS08-067)
- W32.Downadup A, B, C, E
- Propagates through network file shares and flash disks
- Disables user accounts in AD
- Blocks access to security sites and MS updates
- Stops security tools and software (“self-protection”)

Page 14: Malware Defense-in-Depth 2.0
Page 15: Malware Defense-in-Depth 2.0

Summary

- Use a good antivirus with a high detection rate
- Patch the OS + 3rd party applications
- Use Application Whitelisting + Device Control
- Block access to the malicious, media, downloads and blogs categories
- Network segmentation
- Web content filtering policy

Page 16: Malware Defense-in-Depth 2.0

Thank You

E-mail me: [email protected]
http://extremesecurity.blogspot.com