
Security lessons from the NSA malware defense report

The NSA's Information Assurance Directorate released a report on malware defense. Uncover which guidance and best practices would be fruitful to integrate into your enterprise security plan.

Critical attention has been paid to the NSA's privacy aspects over the last several years, but the agency's defensive best practices haven't gotten the attention they deserve.

New consideration should be given to the agency as its new report -- Defensive Best Practices for Destructive Malware -- contains helpful tips that should be included in an enterprise security strategy. In this tip, I will cover the key points of the NSA malware defense report and will explain which defenses may be beneficial for enterprise use.

Inside the NSA's Defensive Best Practices report

While the NSA has gotten a troublesome reputation due to recent news of surveillance and privacy issues, the agency has been working in other areas to help protect the country.

The NSA's Information Assurance Directorate (IAD), namely, is "responsible for NSA's defensive mission and is widely acknowledged for leading innovative security solutions. Partnering extensively with government, industry and academia allows IAD to ensure appropriate security solutions are in place to protect and defend information systems, as well as our Nation's critical infrastructure." As part of its mission, the IAD released the Defensive Best Practices for Destructive Malware report to provide guidance on protecting against destructive malware.

The report outlines 11 defensive steps enterprises can take to prevent malware from compromising the security of endpoints and networks. Though the steps are primarily designed for Microsoft Windows systems, the basic points can be applied to any operating system.

The 11 best practices include: implementing strong network segmentation, protecting administrative accounts, deploying security monitors, keeping software updated and monitoring logs from security controls. The final section of the report focuses on incident response planning for destructive malware. The basic tenet is the sooner an enterprise can detect an attacker, the sooner it can limit the damage and evict it from its network.

Defenses to include in an enterprise security strategy

Many of the steps included in the NSA IAD's report have been widely known for some time. Willis Ware chaired a study in 1968 that produced the Ware Report, which had some of the same basic ideas as the 2015 IAD report. Over the past almost 50 years we have learned many things, yet many of the basics from 1968 are still the most effective -- and most difficult to execute -- for an enterprise. The SANS Institute also has a list of critical security controls that outline many of the same concepts, along with more details.

The steps outlined in the IAD report can technically be implemented by any enterprise, but they require significant human effort to set up and maintain, which has kept adoption low. Enterprises should perform risk assessments to identify their own highest areas of risk and then create a plan to implement these basic security controls rigorously.

The strong network segmentation recommendation can stop, or at least make much more difficult, an attacker's attempts to hop from one compromised host to another target. Segmentation should not be limited to the data center or to external connections; it can be applied throughout the network, within individual networks and even on individual hosts, for example by not allowing an endpoint on one network to connect to an endpoint on another. Blocking these connections makes it harder for an attacker to find an administrative or sensitive endpoint to target. This follows the basic rule of "deny all connections unless there is a specific business need to provide the access."

The report also recommends protecting the keys to the kingdom by limiting administrative accounts and access. This will ensure administrative accounts can't be compromised to further infiltrate the network. Strategies for this include preventing pass-the-hash compromises, in which credentials captured from one endpoint are reused in an attack elsewhere. Administrative accounts can also be configured to require multifactor authentication or restricted to use on approved endpoints only.

The report goes on to recommend separate security monitors: application whitelisting, monitoring of activity on endpoints, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to stop software exploits, and antimalware tools that monitor and check the reputation of files being executed. Tools like Bit9 or FireEye MIR Endpoint Forensics can also help monitor endpoint activity in depth, including which files are executed and potentially malicious behavior.

The most basic, but difficult, recommendation for a distributed-heterogeneous network environment is to keep all software updated. While a difficult task to complete, it is critical to plug vulnerabilities to stop potential attackers. Enterprises should develop a formal patch management program with dedicated resources to make sure software updates are being applied in a timely manner.

The report recommends using a central console to review, monitor and analyze logs from security controls. It also contains a detailed reference of what to look for in the logs to identify attacks, such as an application crash that could be caused by an exploit, the Windows firewall being disabled or its configuration changed to allow a malicious connection, or the event log being cleared to hide attacker activity.
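As an added illustration of that log-review guidance (example code written for this article, not from the IAD report), the script below classifies exported Windows event records into the three indicator classes the report names and escalates hosts where they cluster. The event IDs are the standard Windows ones; the host names, the sample records and the escalation threshold are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
# Standard Windows event IDs keyed by (log name, event ID), grouped into the report's three indicators.
APP_CRASH = {("Application", 1000)}  # Application Error: faulting application name/module
FIREWALL_TAMPER = {("Security", 4950),  # a Windows Firewall setting has changed
                   ("Security", 4946), ("Security", 4947), ("Security", 4948),  # rule added/modified/deleted
                   ("Security", 5025)}  # the Windows Firewall service has been stopped
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # audit log cleared / System log cleared

@dataclass(frozen=True)
class Event:
    host: str
    log: str
    event_id: int
    message: str

def classify(ev: Event) -> str | None:
    """Map one record to an indicator class from the report, or None if it is benign."""
    key = (ev.log, ev.event_id)
    if key in APP_CRASH:
        return "application-crash"
    if key in FIREWALL_TAMPER:
        return "firewall-tampering"
    if key in LOG_CLEARED:
        return "event-log-cleared"
    return None

def triage(events) -> dict[str, dict[str, int]]:
    """Count indicator hits per host; hosts that produced only benign records are omitted."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev.host][label] += 1
    return {host: dict(counts) for host, counts in hits.items()}

def hosts_to_investigate(summary: dict[str, dict[str, int]]) -> list[str]:
    # A cleared log always warrants a ticket; otherwise require two distinct indicator classes (a lone crash is noise).
    return sorted(h for h, c in summary.items() if "event-log-cleared" in c or len(c) >= 2)

# Constructed sample records (not real telemetry), in the shape a SIEM export might give.
SAMPLE_EVENTS = [
    Event("WS01", "Application", 1000, "Faulting application name: AcroRd32.exe"),
    Event("WS01", "Security", 4950, "A Windows Firewall setting has changed. Value: Off"),
    Event("WS01", "Security", 1102, "The audit log was cleared."),
    Event("WS02", "Application", 1000, "Faulting application name: WINWORD.EXE"),
    Event("SRV01", "System", 7036, "The Print Spooler service entered the running state."),
]
```

Run `triage(SAMPLE_EVENTS)` and pass the result to `hosts_to_investigate` to see only WS01 escalated: its cleared audit log is decisive, while WS02's single crash stays below the threshold.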

The incident response steps the report describes are the bare minimum enterprises should implement. Using secure backups to protect data, having a plan for responding to destructive malware, and ensuring lessons learned are collected from each incident are also critical to preventing incidents and ensuring proper incident response in the future.


While some might discount this report from the IAD because of the controversy surrounding the NSA, it should be judged on its merits.

It is a brief report with helpful pointers to more information on the individual recommendations that every enterprise should review and consider using, if they don't already. The steps outlined in the report can help enterprises defend against destructive malware -- and if they don't know where to start, it certainly serves as a useful starting point.

About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.

This was last published in May 2015