INFORMATION TECHNOLOGY LABORATORY

ITL Bulletin
December 2005

ADVISING USERS ON INFORMATION TECHNOLOGY

PREVENTING AND HANDLING MALWARE INCIDENTS: HOW TO PROTECT INFORMATION TECHNOLOGY SYSTEMS FROM MALICIOUS CODE AND SOFTWARE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since August 2004:
• Electronic Authentication: Guidance for Selecting Secure Techniques, August 2004
• Information Security Within the System Development Life Cycle, September 2004
• Securing Voice Over Internet Protocol (IP) Networks, October 2004
• Understanding the New NIST Standards and Guidelines Required by FISMA, November 2004
• Integrating IT Security into the Capital Planning and Investment Control Process, January 2005
• Personal Identity Verification (PIV) of Federal Employees and Contractors: Federal Information Processing Standard (FIPS) 201 Approved by the Secretary of Commerce, March 2005
• Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, April 2005
• Recommended Security Controls for Federal Information Systems: Guidance for Selecting Cost-effective Controls Using a Risk-based Process, May 2005
• NIST's Security Configuration Checklists Program for IT Products, June 2005
• Implementation of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2005
• Biometric Technologies: Helping to Protect Information and Automated Transactions in Information Technology Systems, September 2005
• National Vulnerability Database: Helping Information Technology System Users and Developers Find Current Information About Cyber Security Vulnerabilities, October 2005
• Securing Microsoft Windows XP Systems: NIST Recommendations for Using a Security Configuration Checklist, November 2005

Who We Are
The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is http://www.itl.nist.gov.

ITL Bulletins Via E-Mail
We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to listproc@nist.gov with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov with the message HELP. To have the bulletin sent to an e-mail address other than the FROM address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov.

National Institute of Standards and Technology • Technology Administration • U.S. Department of Commerce

WIZ, Inc. EXHIBIT - 1024, WIZ, Inc. v. Orca Security LTD.

NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-83, Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology. The guide assists organizations and users in planning and implementing security programs to prevent potential malware incidents and to limit damage from unforeseen incidents that might occur.

Written by Peter Mell of NIST and Karen Kent and Joseph Nusbaum of Booz Allen Hamilton, NIST SP 800-83 discusses the different types of malware and recommends prevention and incident handling techniques. The appendices provide additional resources on malware prevention and handling methods, and include detailed techniques and scenarios. A glossary of the many specialized terms used in the guide, a list of acronyms, and an extensive reference list of print and online resources are also provided. The publication is available in electronic format from NIST's website: http://csrc.nist.gov/publications/nistpubs/index.html.

Malware: What it is

The term malware is used to describe malicious code and malicious software that are covertly inserted into an information technology (IT) system to compromise the confidentiality, integrity, or availability of the data, applications, or operating system, or to annoy or disrupt the system's owner. Malware incidents are a significant external threat to the security of many IT systems, often causing widespread damage and disruption, and forcing users and organizations to carry out extensive, costly efforts to restore system security.

Malware includes five categories of inserted programs: viruses, worms, Trojan horses, malicious mobile code, and blended attacks. Viruses and worms are usually designed to carry out their functions without the user's knowledge. Blended attacks use a combination of techniques to insert malicious programs. Malware also includes other attacker tools such as backdoors, rootkits, and keystroke loggers, and tracking cookies, which are used as spyware. Spyware, when inserted into a user's system, threatens personal privacy and enables the attacker to monitor personal activities and to carry out financial fraud.

Malware includes the following major categories of malicious code and programs:

• Viruses are self-replicating codes that insert copies of the virus into host programs or data files. Viruses often result from user interactions, such as opening a file or running a program, and include:
  o Compiled viruses that are executed by an operating system. These include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.
  o Interpreted viruses that are executed by an application. These include macro viruses that take advantage of the capabilities of the macro programming language to infect application documents and document templates; and scripting viruses that infect scripts and are understood by scripting languages processed by services on the operating system.

• Worms are self-replicating, self-contained programs that usually perform without user intervention. Worms create fully functional copies of themselves, and they do not require a host program to infect a system. Attackers often insert worms because they can potentially infect many more systems in a short period of time than a virus can. Worms include:
  o Network service worms that take advantage of vulnerabilities in network services to propagate and infect other systems.
  o Mass mailing worms that are similar to e-mail-borne viruses but are self-contained, rather than infecting an existing file.

• Trojan horses are self-contained, non-replicating programs that appear to be benign, but that actually have a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to systems. They often deliver other attacker tools to systems.

• Malicious mobile code is software with malicious intent that is transmitted from a remote system to a local system. The inserted programs are executed on the local system, usually without the user's explicit instruction. Programs delivered in this way can be used by many different operating systems and applications, such as web browsers and e-mail clients. Although the mobile code may be benign, attackers use it to transmit viruses, worms, and Trojan horses to the user's workstation. Malicious mobile code does not infect files or attempt to propagate itself, but exploits vulnerabilities by taking advantage of the default privileges granted to mobile code. Languages used for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

• Blended attacks use multiple methods of infection or transmission. A blended attack could combine the propagation methods of viruses and worms.

• Tracking cookies are persistent cookies that are accessed by many websites, allowing a third party to create a profile of a user's behavior. Tracking cookies are often used in conjunction with web bugs, which are tiny graphics on websites and which are referenced within the HTML content of a web page or e-mail. The purpose of the graphic is to collect information about the user viewing the content.

• Attacker tools might be delivered to a system as part of a malware infection or other system compromises. These tools allow attackers to have unauthorized access to or use of infected systems and their data, or to launch additional attacks. Popular types of attacker tools include:
  o Backdoors are malicious programs that listen for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a system, such as acquiring passwords or executing arbitrary commands. Backdoors include zombies (also known as bots), which are installed on a system to cause it to attack other systems, and remote administration tools, which are installed on a system to enable a remote attacker to gain access to the system's functions and data.
  o Keystroke loggers monitor and record keyboard use. Some require the attacker to retrieve the data from the system, while other loggers actively transfer the data to another system through e-mail, file transfer, or other means.
  o Rootkits are collections of files that are installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit can make many changes to a system to hide the rootkit's existence, making it very difficult for the user to determine that the rootkit is present and

types of utilities and scripts that can be used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts.

• Common non-malware threats associated with malware include phishing, which uses computer-based means to trick users into revealing financial information and other sensitive data. Phishing attacks frequently place malware or attacker tools on systems. Virus hoaxes, which are false warnings of new malware attacks, are another common threat.

Recommendations for Preventing Malware Incidents

Organizations should protect their information and information systems from malware through their ongoing IT security planning, management, and implementation activities. NIST recommends that organizations take the following actions to prevent malware incidents and to respond effectively and efficiently to any attacks that might occur.

Develop and implement an approach to malware incident prevention, based on the attack methods that are most likely to be used, both currently and in the near future. Choose prevention techniques that are appropriate to the computing environment and system, and provide for policy statements, awareness programs for users and IT staff, and vulnerability and threat mitigation efforts.

Ensure that policies support the prevention of malware incidents and provide for user and IT staff awareness, vulnerability mitigation, and security tool deployment and configuration. Malware prevention should be stated clearly in policies, which should be as general as possible to allow for flexibility in implementation and to reduce the need for frequent updates. At the same time, policy statements should be specific enough to make their intent and scope clear and to achieve consistent and effective results. Policies should include provisions that are applicable to remote workers, both those using systems controlled by the organization and those using systems outside of the organization's control such as contractor computers, home computers, computers of business partners, and mobile devices.

Incorporate malware incident prevention and handling into awareness programs and provide guidance and training to users. Users should be alerted to the ways that malware spreads, the risks that malware poses, the inability of technical controls to prevent all incidents, and the role of users in preventing incidents. Users should be aware of policies and procedures for incident handling, including how to detect malware on a computer, how to report suspected infections, and what can be done to assist the incident handlers.

Establish capabilities to mitigate vulnerabilities and to help prevent malware incidents through documented policy, technical processes, and procedures. Appropriate techniques or combinations of techniques should be used for patch management, application of security configuration guides and checklists, and host protection to address vulnerabilities effectively.

Establish threat mitigation capabilities to assist in containing malware incidents by detecting and stopping malware before it can affect systems. NIST strongly recommends that organizations install antivirus software on all systems when such software is available. Other technical controls that can be used are intrusion prevention systems, firewalls, routers, and certain application configuration settings.

Establish a robust incident response process capability that addresses malware incident handling through preparation, detection and analysis, containment/eradication/recovery, and post-incident activities.

• Preparation. Develop malware-specific incident handling policies and procedures. Regularly conduct malware-oriented training and exercises;
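An added example, not code from the bulletin or from NIST SP 800-83, of a check that supports the detection and analysis phase: it applies the bulletin's description of web bugs (tiny graphics referenced from the HTML of an e-mail to report on the user viewing it) to flag such images before a mail client fetches them. The hostnames, the sample message and the heuristics used (a remotely fetched image that is tiny, hidden, or carries a per-recipient query string) are assumptions of this example.

```python
"""Flag web-bug style images in HTML e-mail before the content is rendered.

Added example; not code from the ITL Bulletin or NIST SP 800-83. The
heuristics are assumptions: a remotely fetched <img> that is tiny, hidden
by CSS, or carries a query string (often a per-recipient token) is treated
as a probable web bug.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class Finding:
    src: str
    host: str
    reasons: list


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '0'.

    Returns None when the attribute is absent or not numeric."""
    if value is None:
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    digits = "".join(ch for ch in text if ch.isdigit())
    return int(digits) if digits else None


class WebBugScanner(HTMLParser):
    """Collects <img> tags that look like web bugs while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        src = attr.get("src", "")
        parts = urlsplit(src)
        # Only images fetched from a remote host can report back to a third
        # party; inline (cid:) and data: images cannot, so they are ignored.
        if parts.scheme not in ("http", "https"):
            return
        reasons = []
        width, height = _dimension(attr.get("width")), _dimension(attr.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("tiny image (%dx%d)" % (width, height))
        style = attr.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if parts.query:
            reasons.append("per-recipient query string")
        if reasons:
            self.findings.append(Finding(src, parts.hostname or "", reasons))


def scan_html(html):
    """Return the list of suspected web bugs found in an HTML body."""
    scanner = WebBugScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample message for the example (not a real mailing).
SAMPLE = """
<html><body>
<p>Quarterly newsletter</p>
<img src="cid:logo@example.test" width="120" height="40">
<img src="https://tracker.example.test/open.gif?uid=8842&msg=17" width="1" height="1">
<img src="https://cdn.example.test/banner.png" width="600" height="100">
<img src="http://stats.example.test/p.png" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding.host, "-", "; ".join(finding.reasons))
```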