Malware Capability Assessment
Traditional security (firewalls, anti-virus, intrusion detection, etc.) is based on the concept of identifying and stopping the known bad. Intrusion detection (IDS/IPS) and anti-virus (AV) rely primarily on detecting the known bad from a blacklist (signatures) of previously identified malware. So much new malware is created every day, and so much malware is never identified, that the known-bad list never matches the actual set of bad software, websites, and domains.

Most experts agree that signature based security products are about 30% effective (Cyveillance study). The 2011 Verizon Data Breach Survey stated that approximately 1% of breaches were detected by AV or IDS. Amazingly, organizations spend around 97% of their IT security budget on these types of protective controls.

The data is conclusive that attempting to prevent attacks by stopping the known bad isn’t successful. The grey area between known bad and known good is too large. Because this grey area includes mostly good executables and URLs, organizations tend to shy away from the more secure approach: only allowing the known good (whitelisting) does have an impact on users, who are denied access to legitimate sites.
A complete Critical Start Malware Capability Assessment includes the following services:

| Assessment Services | Components | Tasks |
|---|---|---|
| Phishing Campaign | Social Engineering and Spear Phishing | Perform phishing attempts against selected internal employee groups (up to 50 users) over a period of 4 attempts to have the employee visit a website, enter confidential data, or open attachments. |
| Risk Assessment | Network | Conduct a high-level analysis of the network segmentation design. |
| | Windows Security | Provide an assessment of the Windows security architecture with regard to malware infections. |
| | Patching and Vulnerability | Provide an assessment of the patching and vulnerability program with regard to preventing malware infections. Review endpoint procedures that ensure only legitimate (whitelisted) applications are executed. |
| | Web Content and DNS Controls | Review current controls used to limit access to medium- and high-risk Internet content. |
| | Impact of Mobile Devices and BYOD | Conduct a high-level analysis of the security and visibility of mobile devices as an infection and data exfiltration point. |
| | Investigation, Blocking, and Response | Assess the capability to detect/block and investigate evidence of command and control traffic. The detection capability should leverage local and global threat intelligence. |
| Indicators of Compromise Detection | Existing malware detection | Identify infected hosts and files (executables, PDFs, Office documents) through the use of network-based malware analysis tools (static malware analysis, dynamic malware analysis, and command and control traffic assessment utilizing global threat intelligence). |
| Internet Forensic Analysis | Advanced Threat Detection | Identify threat activity by analyzing indicators of deception in your Internet traffic. This activity isolates traffic that appears to conform to approved protocol flows but contains unusual content. The analysis reveals traffic on non-standard ports, such as encrypted traffic where unencrypted traffic should be observed (or vice versa). |
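The "indicators of deception" check described in the last row (encrypted content where cleartext is expected, cleartext where TLS is expected, TLS on a non-standard port) can be approximated from the first payload bytes of each flow. The following is an added illustration, not Critical Start's tooling; the port expectations, entropy thresholds and sample flows are constructed assumptions for the example.

```python
import math
from collections import Counter
from typing import List, Optional, Tuple

# Ports on which we expect cleartext vs. TLS (assumption for this example).
EXPECTED_PLAINTEXT = {80, 25}
EXPECTED_ENCRYPTED = {443}
# Constructed sample flows (dst_port, first payload bytes); not real captures.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = bytes.fromhex("160301002a010000260303")  # TLS record header + ClientHello start
RANDOMISH = bytes(range(0, 256, 2))                   # 128 distinct bytes, entropy 7.0 bits
FLOWS = [
    (80, HTTP_REQ),     # normal web request
    (443, TLS_HELLO),   # normal TLS
    (80, RANDOMISH),    # encrypted-looking where HTTP should be
    (443, HTTP_REQ),    # cleartext where TLS should be
    (8081, TLS_HELLO),  # TLS on a non-standard port
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; HTTP/English text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_http(data: bytes) -> bool:
    return data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/"))

def looks_like_tls(data: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), version major byte 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def classify(port: int, payload: bytes) -> Optional[str]:
    """Return an indicator label when protocol, port and content disagree."""
    ent = shannon_entropy(payload)
    if port in EXPECTED_PLAINTEXT and not looks_like_http(payload) and ent > 5.5:
        return "encrypted-on-plaintext-port"
    if port in EXPECTED_ENCRYPTED and not looks_like_tls(payload) and ent < 5.0:
        return "plaintext-on-encrypted-port"
    if looks_like_tls(payload) and port not in EXPECTED_ENCRYPTED:
        return "tls-on-nonstandard-port"
    return None

def find_indicators(flows: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    return [(p, r) for p, d in flows if (r := classify(p, d)) is not None]

if __name__ == "__main__":
    for port, reason in find_indicators(FLOWS):
        print(f"port {port}: {reason}")
```

Entropy alone misfires on compressed or image content, so in practice the high-entropy rule is combined with protocol parsing and the threat intelligence the table mentions before anything is blocked.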
