Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CCC 5: Search for Malware and Intruders

by Cody Dumont
June 26, 2015

The fifth of the Tenable Critical Cyber Controls is "Search for Malware and Intruders." Attackers acquire new technologies every day; staying one step ahead of them requires proactively managing systems with real-time, continuous scanning for viruses, malware, attackers, and inside threats. This Assurance Report Card (ARC) will provide alerts on potential malware infections, intrusions, and data leakage.

The Search for Malware and Intruders Assurance Report Card (ARC) provides the CISO and the operations team with a high-level view of potential malware and intrusion threats on the network. Policy statements are included to help the CISO understand at a glance if systems on the network are infected with malware, have remotely exploitable vulnerabilities, or have intrusion events or data leakage events.  

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be easily located in the Feed by selecting category Executive. The ARC requirements are:

  • Tenable.sc 5.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

This ARC uses all aspects of continuous network monitoring, including scanning, sniffing, and log correlation. Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry recognized algorithms and models. Tenable.sc Continuous View integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to threat detection and risk analysis.

ARC Policy Statements:

No systems have been detected with active traces of malware: This policy statement displays Compliant in green if no known bad processes were detected in Windows, Linux and OS X systems. This detection uses threat intelligence to analyzes millions of malware samples a month and generates actionable content to empower security teams to proactively defend against attacks and malware outbreaks.

Less than 10% of systems with malware are capable of remote attacker access: This policy statement displays Compliant in green if less than 10% of systems have vulnerabilities that can be exploited remotely. Remotely exploitable vulnerabilities are identified through the CVSS metrics associated with the vulnerabilities.

There are no systems with data leakage events communicating outside the network: This policy statement displays Compliant in green if no systems that connect externally (e.g., browse the Internet) have had data leakage events detected on them. Any potential data leakage from externally connected systems should be investigated.

Systems with data leakage events have been found to have exploitable vulnerabilities: This policy statement displays Compliant in green if no systems that have potentially exploitable vulnerabilities also have had data leakage events detected on them. Data leakage detected from a vulnerable system is a strong indicator that the system has been compromised; the system should be investigated immediately.

No systems have been detected communicating with known botnets: This policy will show compliant in green when there are no systems detected having botnet activity.  Botnet activity is tracked using active and passive plugins. The active plugins look at the netstat tables and DNS entries and compare them to a known list of botnet hosts.  The passive detection can detect botnet server and client activity on several different protocols, such as IRC and HTTP.

No web server has been detected as part of a botnet or hosting botnet content: This policy reviews all systems with a web interface and detects if the servers are hosting malicious hyperlinks to known botnets.  Often, a web server will be compromised and the adversaries will put links for users to follow that lead to botnets or other malicious code. This policy will show compliant in green when no systems are discovered with this activity.

Less than 15% of all vulnerabilities actively being exploited by malware:  This policy shows the executive how many systems currently have vulnerabilities that are known to be exploited by malware.  If this is a high number, then the organization should review its patching priorities.  This policy will show compliant in green when less than 15% of systems are vulnerable.

 

 

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training