Ruslan Rakhmetov, Security Vision
In previous articles we described the general procedure for responding to information security incidents according to the recommendations of NIST SP 800-61 (Part 1, Part 2). This article covers the handling of one specific but very common type of cyber incident: malware infection. NIST SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, gives guidance on responding to malware incidents, including a description of basic malware defence tactics and of the response phases (preparation; detection and analysis; containment, remediation (eradication in NIST's terminology) and recovery; post-incident activity). The document was released in 2013, so some of its details are dated, but the overall approach to handling a malware infection can still be applied today.
NIST SP 800-83 gives a brief description of the malware classes that were relevant at the time of its release:
- Viruses, including compiled viruses (e.g. PE files) and interpreted viruses (e.g. a malicious macro, PowerShell or JavaScript code);
- Worms, including network worms and e-mail (mass-mailing) worms;
- Trojan horses;
- Malicious mobile code (Java- or ActiveX-based malware delivered through the browser);
- Blended (mixed-type) malware combining the characteristics of several classes.
As attacker tools, the document lists:
- Backdoors (malware that gives the attacker remote control of an infected device, e.g. a bot);
- Keyloggers (malware that records keystrokes and takes screenshots);
- Rootkits (malware that hides its presence and activity by altering the OS, in some cases by loading before the OS itself);
- Malicious browser plug-ins (malware that gains unauthorised access to the web-site data displayed in the browser of the attacked device);
- E-mail generators (used to spread malware or spam further, both inside the attacked network and outside it);
- Attacker toolkits (sets of hacking utilities and scripts).
The authors of NIST SP 800-83 rightly hold that, given how heterogeneous malware is, preventive measures that avoid the initial infection should come first. Measures to prevent malware infection can be grouped as follows:
1. Development of an internal malware prevention policy:
This document should, on the one hand, be general enough that it does not need frequent editing and, on the other hand, describe the specific steps and activities the company implements to prevent malware infection. The policy should set out, for example, the following requirements:
1.1 Removable drives must be scanned before they are used on company equipment;
1.2 E-mail attachments must be scanned before they are opened;
1.3 Sending and receiving of certain file types (such as .exe, .lnk, .bat, .ps1, .vbs, .js, .hta, etc.) is prohibited, bearing in mind the common attacker ploy of delivering malware inside a password-protected archive, whose contents the e-mail filter cannot inspect, so the policy should address such archives separately (e.g. by quarantining them);
1.4 Employees may not use software that is not required for their job duties (e.g. cloud file-sharing clients, messengers);
1.5 Removable drives may not be used on corporate devices, especially servers, critical workstations, or devices accessible outside the controlled area (e.g. point-of-sale terminals);
1.6 The types of anti-malware tools and the policies/settings that must be installed, updated and functioning on particular device classes (e.g. workstations, servers, critical servers, mobile devices) are defined;
1.7 The use of personal devices by employees for remote access to company resources is restricted or prohibited.
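To show what the checks behind requirements 1.2 and 1.3 look like in practice, here is an added PowerShell example; it is not code from the original article or from NIST SP 800-83. It applies an attachment policy to a file: it rejects blocked extensions (including double extensions such as invoice.pdf.js), looks inside a ZIP archive for blocked extensions, and quarantines password-protected archives, which it recognises from the encryption bit in the ZIP local file header. The blocked-extension list is taken from the policy text above; the sample files it creates in the temp directory (including a stub ZIP header with the encryption flag set) are constructed for the demonstration and are not real attachments.

```powershell
# Added example: attachment policy check (requirements 1.2/1.3 above).
# The blocked-extension list is an assumption taken from the policy text.
$BlockedExtensions = @('.exe', '.lnk', '.bat', '.ps1', '.vbs', '.js', '.hta', '.scr', '.pif')

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZipEncrypted {
    # Reads the first local file header of a ZIP and checks the "encrypted" bit
    # (bit 0 of the general-purpose flag at offset 6). Entry names in an
    # encrypted ZIP stay readable, but the content does not, which is exactly
    # why such archives slip past content filtering.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 8
        $read = $fs.Read($header, 0, 8)
        if ($read -lt 8) { return $false }
        # Local file header signature 0x04034B50, little-endian on disk: 50 4B 03 04
        $isZip = ($header[0] -eq 0x50 -and $header[1] -eq 0x4B -and $header[2] -eq 0x03 -and $header[3] -eq 0x04)
        if (-not $isZip) { return $false }
        return (($header[6] -band 0x01) -eq 0x01)
    } finally { $fs.Dispose() }
}

function Test-AttachmentPolicy {
    # Returns the verdict for one attachment: Allow, Block or Quarantine, with a reason.
    param([string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()   # last extension wins

    if ($BlockedExtensions -contains $ext) {
        return [pscustomobject]@{ File = $name; Verdict = 'Block'; Reason = "blocked extension $ext" }
    }
    if ($ext -eq '.zip') {
        if (Test-ZipEncrypted -Path $Path) {
            # Contents cannot be inspected: quarantine instead of passing it through.
            return [pscustomobject]@{ File = $name; Verdict = 'Quarantine'; Reason = 'password-protected archive' }
        }
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                $inner = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
                if ($BlockedExtensions -contains $inner) {
                    return [pscustomobject]@{ File = $name; Verdict = 'Block'; Reason = "archive contains $($entry.FullName)" }
                }
            }
        } finally { $zip.Dispose() }
    }
    return [pscustomobject]@{ File = $name; Verdict = 'Allow'; Reason = '' }
}

# --- Demonstration on constructed sample files (not real attachments) ---
$work = Join-Path $env:TEMP ('attach-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

'this is not a script' | Set-Content (Join-Path $work 'invoice.pdf.js')   # double extension
'plain text'           | Set-Content (Join-Path $work 'report.txt')
Compress-Archive -Path (Join-Path $work 'invoice.pdf.js') -DestinationPath (Join-Path $work 'docs.zip')

# A minimal ZIP local file header with the encryption flag set (constructed bytes;
# enough for the header check, not a complete archive).
$encHeader = [byte[]](0x50,0x4B,0x03,0x04, 0x14,0x00, 0x01,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00)
[System.IO.File]::WriteAllBytes((Join-Path $work 'secret.zip'), $encHeader)

Get-ChildItem $work -File | ForEach-Object { Test-AttachmentPolicy -Path $_.FullName } | Format-Table -AutoSize
Remove-Item $work -Recurse -Force
```

Running it prints docs.zip as Block (the archive contains invoice.pdf.js), invoice.pdf.js as Block, report.txt as Allow and secret.zip as Quarantine. The header check deliberately runs before the archive is opened: an encrypted archive is never "inspected and passed", it is held for a human decision, which is the caveat requirement 1.3 makes.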
2. Conducting awareness programmes:
Awareness programmes communicate to employees the rules for correct use of the company's computing resources, devices and information, describe the types and signs of malware and the actions to take when malware is detected, and teach users to recognise social engineering attacks. The programme may cover topics such as:
2.1 Not opening attachments or clicking links in unexpected or suspicious e-mail messages; not visiting web sites that may host malware;
2.2 Not clicking links in pop-up windows;
2.3 Not opening suspicious file types (such as .exe, .lnk, .bat, .ps1, .vbs, .js, .hta, etc.);
2.4 Not disabling security features on devices (antivirus, firewall, content filtering, etc.);
2.5 Not using accounts with administrative privileges for everyday work;
2.6 Not downloading or running software from untrusted sources;
2.7 How to recognise phishing messages and the rules for handling them (do not open attached files, do not enter into a dialogue, do not disclose information; report the message to the IT/IS support service);
2.8 How to recognise phishing web sites, and the prohibition on entering personal data, credentials, one-time passwords, PIN codes, etc. on them;
2.9 How to recognise malware distribution even from known senders, and the need to verify the message through an alternative communication channel;
2.10 How to recognise other social engineering techniques (phone calls, messenger messages, SMS, etc.).
3. Vulnerability management:
Since malware often exploits software vulnerabilities, and vendors in many cases cannot release fixes as quickly as vulnerabilities are discovered, companies should consider several ways of handling a vulnerability: installing updates, applying a workaround until an update is released, disabling the vulnerable functionality, isolating the vulnerable service, and virtual patching. Automation tools should also be used to enforce vendor-recommended security settings and secure configurations (this can be implemented, for example, with auto-SGRC technology). In addition, the following practices reduce the likelihood of a malware incident:
3.1 Apply the principle of least privilege so that users do not hold excessive privileges that malware running under their account could exploit;
3.2 Disable or remove redundant services that are not needed for business processes but could be used by malware to develop an attack;
3.3 Disable unprotected shared folders, which malware frequently uses to spread;
3.4 Change or disable default accounts and passwords;
3.5 Disable autorun of executable files and scripts from removable media;
3.6 Change the file associations for file types frequently used by attackers (e.g. make notepad.exe the default handler for .pif, .vbs and .js files, so that double-clicking such a file opens it as text instead of executing it);
3.7 Provide for automated switching of software settings to their most secure values when a vulnerability is being exploited or malware is spreading through the network.
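Items 3.5 and 3.6 are the two hardening steps most often left to a manual registry edit, so here is an added PowerShell example of auditing and applying them on a Windows host; it is not code from the article or from NIST SP 800-83. It reads the current machine-wide handler for each script extension, saves it, repoints the extension to the txtfile ProgId (the class Notepad handles) and disables AutoRun/AutoPlay through the Explorer policy key. The extension list, the backup path and the choice of txtfile are assumptions made for the illustration; run it from an elevated session.

```powershell
# Added example (not from the article or NIST SP 800-83): audit and apply the
# hardening from items 3.5 and 3.6 on a Windows host. Run elevated. The extension
# list, the backup location and the txtfile ProgId are assumptions for this demo.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.pif', '.scr', '.hta')
$SafeProgId       = 'txtfile'     # ProgId behind notepad.exe: the file opens as text

function Get-ScriptAssociation {
    # Reports the current default ProgId for each extension (machine-wide view).
    foreach ($ext in $ScriptExtensions) {
        $key = "HKLM:\SOFTWARE\Classes\$ext"
        $progId = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Hardened  = ($progId -eq $SafeProgId)
        }
    }
}

function Set-ScriptAssociation {
    # Item 3.6: repoint each extension to txtfile so a double-click opens Notepad
    # instead of wscript.exe / mshta.exe. The previous values are saved first so
    # the change can be reverted if a business process legitimately needs them.
    param([string]$BackupPath = (Join-Path $env:ProgramData 'assoc-backup.csv'))
    Get-ScriptAssociation | Export-Csv -Path $BackupPath -NoTypeInformation
    foreach ($ext in $ScriptExtensions) {
        $key = "HKLM:\SOFTWARE\Classes\$ext"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value $SafeProgId
    }
}

function Disable-MediaAutorun {
    # Item 3.5: disable AutoRun/AutoPlay for every drive type (mask 0xFF) and
    # ignore autorun.inf (NoAutorun = 1) through the Explorer policy key.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policy -Name 'NoAutorun'          -Value 1    -Type DWord
}

function Test-MediaAutorunDisabled {
    # Verification for item 3.5: both policy values present and set as expected.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { return $false }
    $p = Get-ItemProperty -Path $policy
    return ($p.NoDriveTypeAutoRun -eq 0xFF -and $p.NoAutorun -eq 1)
}

# Usage: audit first, then apply, then audit again.
Get-ScriptAssociation | Format-Table -AutoSize
Set-ScriptAssociation
Disable-MediaAutorun
Get-ScriptAssociation | Format-Table -AutoSize
"Autorun disabled: $(Test-MediaAutorunDisabled)"
```

Two caveats a practitioner will want: a per-user association (under HKCU\Software\Classes or an Explorer UserChoice entry) takes precedence over the machine-wide value, so verify the result from an ordinary user session and not only from the admin console; and in a domain the same registry values are better delivered through Group Policy so that they are reapplied if malware or a user changes them back. The CSV written by Set-ScriptAssociation is what you restore from if an application genuinely depends on one of these handlers.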
4. Reducing the likelihood of a successful infection:
Despite efforts to fix vulnerabilities, reduce the attack surface and educate users, a malware attack can still succeed because of employee error, a vulnerability at a counterparty, or gaps in the company's IS processes. Consequently, protection tools designed to reduce the likelihood of a successful malware infection are needed. As of the year of the document's publication, such solutions were:
4.1 Anti-malware tools that scan critical host system components, scan objects in real time as they are created and launched, monitor application behaviour on the host, detect malware and hacker utilities, and quarantine or disinfect suspicious objects;
4.2 Intrusion prevention systems (IPS), both host-based and network-based, and network behaviour analysis systems;
4.3 Firewalls (network and host-based);
4.4 Content filtering and traffic inspection systems that detect and block dangerous files and web-page content;
4.5 Application control (allow-listing) systems that prevent users and administrators from launching unapproved or unverified software.
5. In addition to anti-malware tools, the authors of NIST SP 800-83 suggest further protective measures, such as:
5.1 BIOS/UEFI protection to preserve and verify the integrity of firmware, which may be targeted for modification in sophisticated or supply-chain attacks;
5.2 Sandboxing environments in which suspicious objects are isolated and their behaviour investigated, and which can quickly be restored to a known clean state;
5.3 Using different browsers, kept up to date, for different tasks, to reduce the risk of data or account compromise when corporate web applications and Internet resources are used on the same device;
5.4 Using virtualisation, such as guest operating systems and VDI, to separate risky activities involving untrusted content (e.g. web browsing or e-mail) from sensitive work (e.g. Internet banking or administration of operating systems and network devices).
In the next section the authors of NIST SP 800-83 rightly argue that, despite all the measures taken, a malware incident can still occur, and that it is then critical to handle it correctly and promptly. Following the general incident management framework of NIST SP 800-61, the response to a malware incident can be divided into the following steps:
1. Preparation:
1.1 Developing skills and competencies for malware analysis, including reverse engineering, safe handling of malware samples, and deriving indicators of compromise from a given sample;
1.2 Ensuring communication and coordination: assigning a team to respond, alert users, brief company management and handle user queries;
1.3 Procuring specialised tools for malware incident response (including test devices for detonating samples, tools for interactive analysis of running malware, and forensic tools for examining infected devices).
2. Detection and analysis:
2.1 Establish the characteristics of the incident in order to prioritise it: collect information on suspected malware activity from anti-malware tools, IDS and other sources (via SIEM) to determine the threat type (malware category, signature name), the path where the suspicious object was detected, and the type and name of the attacked device. If the signature is known, anti-virus vendor portals can supply details about the malware family (exploited vulnerabilities, protocols and ports used, module names and hashes, distribution methods, and effects on the attacked device).
2.2 Identify all infected devices, using the following methods:
2.2.1 Forensic identification: searching for signs and traces of malicious activity in data from antivirus, IDS and SIEM, DNS query logs, endpoint audit logs, network sniffers and connection logs from network devices;
2.2.2 Active identification: automated searching for indicators of compromise on endpoints, writing custom IDS rules for the specific sample, and using sniffers and traffic analysers to spot the characteristic network behaviour of the malware;
2.2.3 Manual identification: issuing detection tools (e.g. antivirus on removable media) to responsible staff and running manual scans on all potentially affected devices.
2.3 Prioritise the response based on the expected damage and the characteristics of the malware (propagation methods, malware type, the actions it performs, and which devices and networks may be attacked next).
2.4 Analyse the malware, either actively (by detonating it in a controlled environment) or forensically (by examining the state of a device after it was exposed to the malware).
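Step 2.2.2 (automated search for indicators of compromise on endpoints) is the part of detection that responders script most often, so here is an added PowerShell example of a host sweep; it is not code from the article or from NIST SP 800-83. It matches three kinds of indicators against three data sources: file hashes against files in a directory, domains against DNS client cache entries, and IP addresses against established TCP connections. The indicator values are constructed placeholders (RFC 5737 test addresses and .example domains), and the DNS cache and connection data are constructed sample objects so the block runs offline; the live collectors to substitute on a real host are given in comments.

```powershell
# Added example (not from the article or NIST SP 800-83): automated sweep of a
# Windows host for indicators of compromise (step 2.2.2). The IOC values are
# constructed placeholders; on a real host they come from the analysis in 2.1/2.4
# or from the anti-virus vendor's report.
$Ioc = @{
    Sha256  = [System.Collections.Generic.List[string]]::new()   # filled in below
    Domains = @('update-check.example', 'cdn-static.example')
    IPs     = @('203.0.113.7', '198.51.100.23')
}

function Find-FileIoc {
    # Hashes every file under the given directories and reports matches.
    # On a live host use the user-writable locations droppers favour:
    #   $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData
    param([string[]]$Paths, [string[]]$Hashes)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($Hashes -contains $h)) {
                [pscustomobject]@{ Type = 'File'; Indicator = $h; Where = $_.FullName }
            }
        }
    }
}

function Find-DnsIoc {
    # $Records: objects with an Entry property (the queried name).
    # Live source: Get-DnsClientCache
    param($Records, [string[]]$Domains)
    foreach ($r in $Records) {
        foreach ($d in $Domains) {
            # Match the domain itself and any subdomain of it.
            if ($r.Entry -eq $d -or $r.Entry.EndsWith(".$d")) {
                [pscustomobject]@{ Type = 'DNS'; Indicator = $d; Where = $r.Entry }
            }
        }
    }
}

function Find-ConnectionIoc {
    # $Connections: objects with RemoteAddress, RemotePort and OwningProcess.
    # Live source: Get-NetTCPConnection -State Established
    param($Connections, [string[]]$IPs)
    foreach ($c in $Connections) {
        if ($IPs -contains $c.RemoteAddress) {
            [pscustomobject]@{ Type = 'Connection'; Indicator = $c.RemoteAddress
                               Where = "PID $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)" }
        }
    }
}

# --- Constructed sample data so the sweep runs offline ---
$demo = Join-Path $env:TEMP ('ioc-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$dropper = Join-Path $demo 'update.exe'           # plain text standing in for a dropper
'not really a PE file' | Set-Content $dropper
$Ioc.Sha256.Add((Get-FileHash -Path $dropper -Algorithm SHA256).Hash)
'harmless' | Set-Content (Join-Path $demo 'notes.txt')

$sampleDns = @(
    [pscustomobject]@{ Entry = 'www.example.com';          Data = '192.0.2.10' },
    [pscustomobject]@{ Entry = 'api.update-check.example'; Data = '203.0.113.7' }
)
$sampleConn = @(
    [pscustomobject]@{ RemoteAddress = '203.0.113.7'; RemotePort = 443; OwningProcess = 4212 },
    [pscustomobject]@{ RemoteAddress = '10.0.0.5';    RemotePort = 445; OwningProcess = 4 }
)

$hits = @(
    Find-FileIoc       -Paths @($demo)            -Hashes  $Ioc.Sha256
    Find-DnsIoc        -Records $sampleDns        -Domains $Ioc.Domains
    Find-ConnectionIoc -Connections $sampleConn   -IPs     $Ioc.IPs
)
$hits | Format-Table -AutoSize
Remove-Item $demo -Recurse -Force
```

The sweep reports three hits: the constructed update.exe by hash, api.update-check.example as a subdomain of an indicator, and PID 4212 talking to 203.0.113.7. On a real host the same functions are fed from Get-DnsClientCache and Get-NetTCPConnection, and the process ID in a connection hit is the first thing to pivot on for the analysis in 2.4; the list of hosts with hits is what the prioritisation in 2.3 needs.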
3. Containment:
Containment should stop the malware spreading through the network and prevent further damage to devices that are already infected. If the malware does not spread over the company network, isolating the affected hosts from the network is sufficient. If there is a threat of network propagation, other devices must be protected from infection as quickly as possible, which limits the damage and shortens the time needed to restore the infrastructure. It should also be borne in mind that some malware detects containment measures, such as loss of access to the attackers' C&C server after network isolation, and then performs destructive actions on the infected host to hide traces and indicators of the attack. Consideration should also be given to who has the authority to implement containment measures during a malware incident, under what conditions particular measures may be applied, and for how long such restrictions may remain in place. Containment measures fall into the following broad categories (measures from different categories can be combined):
3.1 Containment through end-user involvement may be useful where there is no centralised management of devices and protection tools (e.g. remote sites, work on personal devices), but it requires detailed instructions and utilities to be prepared and increases the load on IT/IS support staff assisting users;
3.2 Containment through automated means: anti-malware tools (after submitting a sample of undetected malware to the vendor's lab and updating the signature database), content filtering systems (effective only against static malware and distribution methods whose attributes do not change), network IPS (after writing and enabling a custom signature for the current malware), and blocking of executables (by file name, hash or publisher signature, or by blocking all untrusted applications outright);
3.3 Containment by disabling services may disrupt business processes, but against dangerous malware it can be an effective measure: consider completely disabling a service (e.g. e-mail or webmail when an Exchange vulnerability is being exploited), disabling part of its functionality, or blocking ports for certain types of traffic. For example, when containing WannaCry it was reasonable to block inbound SMB (TCP 445) at the network perimeter and restrict SMB traffic inside the network;
3.4 Containment by limiting network connectivity can be implemented by blocking the attackers' external domains and IP addresses or the IP address of the attacked host on the LAN; by network isolation of the host (in software, or physically by disconnecting the Ethernet cable or terminating the Wi-Fi connection); or at the network hardware level (placing the attacked host in a quarantine VLAN, deauthenticating the host via 802.1X, blocking the wireless connection on the Wi-Fi controller, prohibiting connections between segments on certain ports and protocols, and checking host health before and during admission to the corporate network).
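Software isolation of a host (item 3.4) and the later lifting of that restriction in the recovery step are two halves of one procedure, so here is an added PowerShell example covering both with Windows Defender Firewall; it is not code from the article or from NIST SP 800-83. It saves the current firewall state, sets the default action to Block in both directions, disables every existing rule (an explicit Allow rule would otherwise still punch through the default) and then re-opens only the channel to the EDR/IR management server so the host can still be examined. The management server address, the rule group name and the backup location are assumptions; run it from an elevated session.

```powershell
# Added example (not from the article or NIST SP 800-83): software isolation of a
# host with Windows Defender Firewall (item 3.4) and its reversal in recovery.
# Run elevated. The management server address and backup path are assumptions.
$IsolationTag = 'IR-Isolation'

function Enable-HostIsolation {
    param(
        [Parameter(Mandatory)][string]$ManagementServer,
        [string]$BackupPath = (Join-Path $env:ProgramData "$IsolationTag-backup.xml")
    )
    # 1. Record what is about to change so Disable-HostIsolation can undo it.
    $state = @{
        Profiles     = Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction, Enabled
        EnabledRules = (Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' }).Name
    }
    $state | Export-Clixml -Path $BackupPath

    # 2. Block everything by default and switch off every existing rule, since an
    #    Allow rule that stays enabled would still override the default action.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
    Disable-NetFirewallRule -All

    # 3. Re-open only the management channel, in both directions.
    New-NetFirewallRule -DisplayName "$IsolationTag-Out" -Group $IsolationTag -Direction Outbound `
        -Action Allow -RemoteAddress $ManagementServer -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$IsolationTag-In"  -Group $IsolationTag -Direction Inbound `
        -Action Allow -RemoteAddress $ManagementServer -Profile Any | Out-Null
}

function Disable-HostIsolation {
    # Recovery step: remove the isolation rules and restore the saved state.
    param([string]$BackupPath = (Join-Path $env:ProgramData "$IsolationTag-backup.xml"))
    $state = Import-Clixml -Path $BackupPath
    Get-NetFirewallRule -Group $IsolationTag -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($p in $state.Profiles) {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
            -DefaultInboundAction $p.DefaultInboundAction -DefaultOutboundAction $p.DefaultOutboundAction
    }
    if ($state.EnabledRules) { Enable-NetFirewallRule -Name $state.EnabledRules }
}

function Test-HostIsolated {
    # True only if every profile blocks outbound by default and the isolation rules exist.
    $open = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    $rule = Get-NetFirewallRule -Group $IsolationTag -ErrorAction SilentlyContinue
    return ((-not $open) -and [bool]$rule)
}

# Usage (the management server address is a placeholder):
# Enable-HostIsolation -ManagementServer '10.0.0.5'
# Test-HostIsolated
# Disable-HostIsolation
```

Three points of practice go with this. First, because some malware reacts to losing its C&C channel, as noted above, capture volatile evidence (memory, process list, network connections) before calling Enable-HostIsolation. Second, with everything blocked the host can no longer renew a DHCP lease, so either assign a static address for the duration or add a second allow rule for the DHCP server if the lease is short. Third, an isolation enforced on the host can be undone by malware running with administrative rights, so where 802.1X or a NAC is available the quarantine-VLAN option from item 3.4 is the more robust choice, with the host firewall as the fallback for devices the network cannot reach.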
4. Remediation:
Remediation is closely tied to containment and should both remove the current threat and prevent re-infection: run an anti-malware scan on all devices and remove the malware and all its components, install updates and reconfigure the antivirus, OS and applications (first on the attacked hosts, then on all devices in the network). Where there is no confidence that these actions are sufficient, the OS should be reinstalled on all affected devices from a 'golden image' with the necessary patches applied, and data restored from backups that are known to be free of malware. The following incident characteristics indicate that an OS reinstallation is needed:
- Attackers gained administrative access to the device;
- Unauthorised administrative access to the device was available to an unknown number of people (e.g. via a backdoor);
- System files were replaced with modified versions;
- The device behaves abnormally after clean-up actions have been performed;
- There is doubt about the type or extent of the infection and about the unauthorised access that may have occurred.
5. Recovery:
Recovery includes restoring applications and data on the infected hosts and lifting the temporary containment restrictions. Consider how much time and how many resources the company can spend on recovery in a large-scale incident and choose a strategy accordingly: clean-up by removing the malware and closing the vulnerabilities, restoration from backups, or a complete rebuild with OS reinstallation and restoration of data from archive copies. Restrictions such as blocked network access or disabled services should be lifted only after the completeness of remediation on all affected devices has been assessed, since not every threat may have been identified and some hosts may still be infected. On the one hand, lifting restrictions prematurely may trigger a new wave of infections; on the other hand, business process downtime can be far more damaging than a repeat incident on a limited part of the infrastructure.
6. Post-incident actions:
After the incident has been handled, key members of the response team and managers should meet to review the actions taken and compile a list of lessons learned. The discussion may produce recommendations such as:
6.1 Amend and update company IS policies to close the organisational and procedural weaknesses in cybersecurity processes (e.g. banning personal removable drives, limiting privileges, redesigning business processes);
6.2 Modify employee awareness programmes to increase vigilance and ensure correct actions when an incident occurs;
6.3 Reconfigure operating systems and software to comply with the updated IS policies;
6.4 Reconfigure anti-malware tools: increase the frequency of signature updates, improve detection accuracy and reduce false positives, extend monitoring coverage (network segments, device types, types of monitored objects), change the default action on malware detection, and speed up delivery of updates to all devices;
6.5 Procure and deploy new types of security tools that protect against current threats and reduce the risk of malware incidents.