Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Insights to Control Framework Mapping: Malware Presence

Ingrid

Refer to the following Malware Presence insights and assessments and how they're mapped to CIS v7 and CIS v8 controls for Control Insights:

Multiple Desktop Malware Families

The detection of multiple desktop malware families indicates weak control over malicious desktop software

Over 1 distinct event types from: [Desktop Compromised System] were observed

Assessment

x Negative

Observations

Botnet Infections

CIS v8 Controls CIS v7 Controls

Controls

10 Malware Defenses

Safeguards

  • 9.2 Use DNS Filtering Services
  • 9.3 Maintain and Enforce Network-Based URL Filters
  • 10.1 Deploy and Maintain Anti-Malware Software
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.3 Disable Autorun and Autoplay for Removable Media
  • 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  • 10.5 Enable Anti-Exploitation Features
  • 10.6 Centrally Manage Anti-Malware Software

Controls

8 Malware Defenses

Safeguards

  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 8.7 Enable DNS Query Logging
  • 8.8 Enable Command-Line Audit Logging

Multiple Mobile Malware Families

The detection of multiple mobile malware families indicates weak control over malicious mobile software

Over 1 distinct event types from: [Mobile Compromised System] were observed

Assessment

insight-ineffective.png Negative

Observations

Botnet Infections

CIS v8 Controls CIS v7 Controls

Controls

  • 1 Inventory and Control of Enterprise Assets
  • 10 Malware Defenses

Safeguards

  • 1.2 Address Unauthorized Assets
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.6 Centrally Manage Anti-Malware Software

Controls

  • 1 Inventory and Control of Hardware Assets
  • 8 Malware Defenses

Safeguards

  • 1.5 Maintain Asset Inventory Information
  • 1.6 Address Unauthorized Assets
  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated

No Malware Infections

The lack of malware infections indicates effective malware protection or endpoint configurations.

The ratio of events of type [Compromised System] by type [Web Browser] is below 0.1%

Assessment

✓ Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

10 Malware Defenses

Safeguards

  • 9.2 Use DNS Filtering Services
  • 9.3 Maintain and Enforce Network-Based URL Filters
  • 10.1 Deploy and Maintain Anti-Malware Software
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.3 Disable Autorun and Autoplay for Removable Media
  • 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  • 10.5 Enable Anti-Exploitation Features
  • 10.6 Centrally Manage Anti-Malware Software

Controls

8 Malware Defenses

Safeguards

  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 8.7 Enable DNS Query Logging
  • 8.8 Enable Command-Line Audit Logging

Domain Generation Algorithm Malware

The presence of Domain Generation Algorithm (DGA) based malware indicates ineffective network filtering or monitoring of network security audit logs

At least one event of the following event types was detected: [Domain Generation Algorithm (DGA) Based Malware]

Assessment

x Negative

Observations

Botnet Infections

CIS v8 Controls CIS v7 Controls

Controls

  • 8 Audit Log Management
  • 10 Malware Defenses
  • 13 Network Monitoring and Defense

Safeguards

  • 8.1 Establish and Maintain an Audit Log Management Process
  • 8.2 Collect Audit Logs
  • 8.6 Collect DNS Query Audit Logs
  • 8.7 Collect URL Request Audit Logs
  • 8.10 Retain Audit Logs
  • 8.11 Conduct Audit Log Reviews
  • 9.2 Use DNS Filtering Services
  • 9.3 Maintain and Enforce Network-Based URL Filters
  • 13.1 Centralize Security Event Alerting
  • 13.2 Deploy a Host-Based Intrusion Detection Solution
  • 13.3 Deploy a Network Intrusion Detection Solution
  • 13.4 Perform Traffic Filtering Between Network Segments
  • 13.5 Manage Access Control for Remote Assets
  • 13.6 Collect Network Traffic Flow Logs
  • 13.7 Deploy a Host-Based Intrusion Prevention Solution
  • 13.8 Deploy a Network Intrusion Prevention Solution
  • 13.10 Perform Application Layer Filtering

Controls

  • 6 Maintenance, Monitoring and Analysis of Audit Logs
  • 8 Malware Defenses
  • 12 Boundary Defense

Safeguards

  • 6.5 Central Log Management
  • 6.6 Deploy SIEM or Log Analytic Tools
  • 6.7 Regularly Review Logs
  • 6.8 Regularly Tune SIEM
  • 8.7 Enable DNS Query Logging
  • 12.1 Maintain an Inventory of Network Boundaries
  • 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
  • 12.3 Deny Communications With Known Malicious IP Addresses
  • 12.4 Deny Communication Over Unauthorized Ports
  • 12.5 Configure Monitoring Systems to Record Network Packets
  • 12.6 Deploy Network-Based IDS Sensors
  • 12.7 Deploy Network-Based Intrusion Prevention Systems
  • 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  • 12.9 Deploy Application Layer Filtering Proxy Server
  • 12.10 Decrypt Network Traffic at Proxy

Old or Abandoned Malware

The presence of malware infections from old, abandoned, malware families indicates ineffective malware prevention, intrusion detection, boundary defense, or incident response

At least one event of the following event types was detected: [Abandoned Malware]

Assessment

insight-ineffective.png Negative

Observations

Botnet Infections

CIS v8 Controls CIS v7 Controls

Controls

  • 10 Malware Defenses
  • 13 Network Monitoring and Defense
  • 17 Incident Response Management

Safeguards

  • 9.2 Use DNS Filtering Services
  • 9.3 Maintain and Enforce Network-Based URL Filters
  • 10.1 Deploy and Maintain Anti-Malware Software
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.3 Disable Autorun and Autoplay for Removable Media
  • 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  • 10.5 Enable Anti-Exploitation Features
  • 10.6 Centrally Manage Anti-Malware Software
  • 13.2 Deploy a Host-Based Intrusion Detection Solution
  • 13.3 Deploy a Network Intrusion Detection Solution
  • 13.4 Perform Traffic Filtering Between Network Segments
  • 13.5 Manage Access Control for Remote Assets
  • 13.6 Collect Network Traffic Flow Logs
  • 13.7 Deploy a Host-Based Intrusion Prevention Solution
  • 13.8 Deploy a Network Intrusion Prevention Solution
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response

Controls

  • 8 Malware Defenses
  • 12 Boundary Defense
  • 19 Incident Response and Management

Safeguards

  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 8.7 Enable DNS Query Logging
  • 8.8 Enable Command-Line Audit Logging
  • 12.1 Maintain an Inventory of Network Boundaries
  • 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
  • 12.3 Deny Communications With Known Malicious IP Addresses
  • 12.4 Deny Communication Over Unauthorized Ports
  • 12.5 Configure Monitoring Systems to Record Network Packets
  • 12.6 Deploy Network-Based IDS Sensors
  • 12.7 Deploy Network-Based Intrusion Prevention Systems
  • 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  • 12.9 Deploy Application Layer Filtering Proxy Server
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 19.8 Create Incident Scoring and Prioritization Schema

Malware Infections

The presence of malware infections indicates ineffective malware protection or endpoint configurations

The ratio of events of type [Compromised System] by type [Web Browser] is above 0.5%

Assessment

x Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 9 Email and Web Browser Protections
  • 10 Malware Defenses

Safeguards

  • 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  • 9.2 Use DNS Filtering Services
  • 9.3 Maintain and Enforce Network-Based URL Filters
  • 9.6 Block Unnecessary File Types
  • 9.7 Deploy and Maintain Email Server Anti-Malware Protections
  • 10.1 Deploy and Maintain Anti-Malware Software
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.3 Disable Autorun and Autoplay for Removable Media
  • 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  • 10.5 Enable Anti-Exploitation Features
  • 10.6 Centrally Manage Anti-Malware Software

Controls

  • 7 Email and Web Browser Protections
  • 8 Malware Defenses

Safeguards

  • 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  • 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
  • 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
  • 7.4 Maintain and Enforce Network-Based URL Filters
  • 7.5 Subscribe to URL-Categorization Service
  • 7.6 Log All URL requester
  • 7.7 Use of DNS Filtering Services
  • 7.8 Implement DMARC and Enable Receiver-Side Verification
  • 7.9 Block Unnecessary File Types
  • 7.10 Sandbox All Email Attachments
  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 8.7 Enable DNS Query Logging
  • 8.8 Enable Command-Line Audit Logging

Malware on Exposed IoT Device

The presence of malware on an exposed Internet-of-Things (IoT) device indicates ineffective control of hardware assets on the network

At least one event from all of the following event types were detected: [Internet-of-Things (IoT) System Compromised with Worm, Internet-of-Things (IoT) Service Port]

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

1 Inventory and Control of Enterprise Assets

Safeguards

  • 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
  • 1.2 Address Unauthorized Assets
  • 1.3 Utilize an Active Discovery Tool
  • 1.5 Use a Passive Asset Discovery Tool

Controls

1 Inventory and Control of Hardware Assets

Safeguards

  • 1.1 Utilize an Active Discovery Tool
  • 1.2 Use a Passive Asset Discovery Tool
  • 1.4 Maintain Detailed Asset Inventory
  • 1.5 Maintain Asset Inventory Information
  • 1.6 Address Unauthorized Assets

Persistent or Recurring Infections

The presence of persistent or recurring malware infections indicates ineffective malware protections or incident response

At least one event of the following event types was present for at least 1 month(s)[Compromised System]

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 10 Malware Defenses
  • 17 Incident Response Management

Safeguards

  • 10.1 Deploy and Maintain Anti-Malware Software
  • 10.2 Configure Automatic Anti-Malware Signature Updates
  • 10.3 Disable Autorun and Autoplay for Removable Media
  • 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  • 10.5 Enable Anti-Exploitation Features
  • 10.6 Centrally Manage Anti-Malware Software
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response

Controls

  • 8 Malware Defenses
  • 19 Incident Response and Management

Safeguards

  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
  • 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
  • 19.8 Create Incident Scoring and Prioritization Schema
  • April 1, 2025: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.