Insights to Control Framework Mapping: Malware Presence
Ingrid
April 1, 2025: Published.

Refer to the following Malware Presence insights and assessments and how they're mapped to CIS v7 and CIS v8 controls for Control Insights.

Multiple Desktop Malware Families
The detection of multiple desktop malware families indicates weak control over malicious desktop software.
Condition: More than 1 distinct event type from [Desktop Compromised System] was observed.
Assessment: Negative
Observations: Botnet Infections
CIS v8 Controls
  Controls:
  - 10 Malware Defenses
  Safeguards:
  - 9.2 Use DNS Filtering Services
  - 9.3 Maintain and Enforce Network-Based URL Filters
  - 10.1 Deploy and Maintain Anti-Malware Software
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.3 Disable Autorun and Autoplay for Removable Media
  - 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  - 10.5 Enable Anti-Exploitation Features
  - 10.6 Centrally Manage Anti-Malware Software
CIS v7 Controls
  Controls:
  - 8 Malware Defenses
  Safeguards:
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  - 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  - 8.4 Configure Anti-Malware Scanning of Removable Devices
  - 8.5 Configure Devices to Not Auto-Run Content
  - 8.6 Centralize Anti-Malware Logging
  - 8.7 Enable DNS Query Logging
  - 8.8 Enable Command-Line Audit Logging

Multiple Mobile Malware Families
The detection of multiple mobile malware families indicates weak control over malicious mobile software.
Condition: More than 1 distinct event type from [Mobile Compromised System] was observed.
Assessment: Negative
Observations: Botnet Infections
CIS v8 Controls
  Controls:
  - 1 Inventory and Control of Enterprise Assets
  - 10 Malware Defenses
  Safeguards:
  - 1.2 Address Unauthorized Assets
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.6 Centrally Manage Anti-Malware Software
CIS v7 Controls
  Controls:
  - 1 Inventory and Control of Hardware Assets
  - 8 Malware Defenses
  Safeguards:
  - 1.5 Maintain Asset Inventory Information
  - 1.6 Address Unauthorized Assets
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated

No Malware Infections
The lack of malware infections indicates effective malware protection or endpoint configurations.
Condition: The ratio of events of type [Compromised System] to events of type [Web Browser] is below 0.1%.
Assessment: Positive
Observations: Botnet Infections, Spam Propagation, Desktop Software, Mobile Software
CIS v8 Controls
  Controls:
  - 10 Malware Defenses
  Safeguards:
  - 9.2 Use DNS Filtering Services
  - 9.3 Maintain and Enforce Network-Based URL Filters
  - 10.1 Deploy and Maintain Anti-Malware Software
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.3 Disable Autorun and Autoplay for Removable Media
  - 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  - 10.5 Enable Anti-Exploitation Features
  - 10.6 Centrally Manage Anti-Malware Software
CIS v7 Controls
  Controls:
  - 8 Malware Defenses
  Safeguards:
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  - 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  - 8.4 Configure Anti-Malware Scanning of Removable Devices
  - 8.5 Configure Devices to Not Auto-Run Content
  - 8.6 Centralize Anti-Malware Logging
  - 8.7 Enable DNS Query Logging
  - 8.8 Enable Command-Line Audit Logging

Domain Generation Algorithm Malware
The presence of Domain Generation Algorithm (DGA) based malware indicates ineffective network filtering or monitoring of network security audit logs.
Condition: At least one event of the following event types was detected: [Domain Generation Algorithm (DGA) Based Malware].
Assessment: Negative
Observations: Botnet Infections
CIS v8 Controls
  Controls:
  - 8 Audit Log Management
  - 10 Malware Defenses
  - 13 Network Monitoring and Defense
  Safeguards:
  - 8.1 Establish and Maintain an Audit Log Management Process
  - 8.2 Collect Audit Logs
  - 8.6 Collect DNS Query Audit Logs
  - 8.7 Collect URL Request Audit Logs
  - 8.10 Retain Audit Logs
  - 8.11 Conduct Audit Log Reviews
  - 9.2 Use DNS Filtering Services
  - 9.3 Maintain and Enforce Network-Based URL Filters
  - 13.1 Centralize Security Event Alerting
  - 13.2 Deploy a Host-Based Intrusion Detection Solution
  - 13.3 Deploy a Network Intrusion Detection Solution
  - 13.4 Perform Traffic Filtering Between Network Segments
  - 13.5 Manage Access Control for Remote Assets
  - 13.6 Collect Network Traffic Flow Logs
  - 13.7 Deploy a Host-Based Intrusion Prevention Solution
  - 13.8 Deploy a Network Intrusion Prevention Solution
  - 13.10 Perform Application Layer Filtering
CIS v7 Controls
  Controls:
  - 6 Maintenance, Monitoring and Analysis of Audit Logs
  - 8 Malware Defenses
  - 12 Boundary Defense
  Safeguards:
  - 6.5 Central Log Management
  - 6.6 Deploy SIEM or Log Analytic Tools
  - 6.7 Regularly Review Logs
  - 6.8 Regularly Tune SIEM
  - 8.7 Enable DNS Query Logging
  - 12.1 Maintain an Inventory of Network Boundaries
  - 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
  - 12.3 Deny Communications With Known Malicious IP Addresses
  - 12.4 Deny Communication Over Unauthorized Ports
  - 12.5 Configure Monitoring Systems to Record Network Packets
  - 12.6 Deploy Network-Based IDS Sensors
  - 12.7 Deploy Network-Based Intrusion Prevention Systems
  - 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  - 12.9 Deploy Application Layer Filtering Proxy Server
  - 12.10 Decrypt Network Traffic at Proxy

Old or Abandoned Malware
The presence of malware infections from old, abandoned malware families indicates ineffective malware prevention, intrusion detection, boundary defense, or incident response.
Condition: At least one event of the following event types was detected: [Abandoned Malware].
Assessment: Negative
Observations: Botnet Infections
CIS v8 Controls
  Controls:
  - 10 Malware Defenses
  - 13 Network Monitoring and Defense
  - 17 Incident Response Management
  Safeguards:
  - 9.2 Use DNS Filtering Services
  - 9.3 Maintain and Enforce Network-Based URL Filters
  - 10.1 Deploy and Maintain Anti-Malware Software
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.3 Disable Autorun and Autoplay for Removable Media
  - 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  - 10.5 Enable Anti-Exploitation Features
  - 10.6 Centrally Manage Anti-Malware Software
  - 13.2 Deploy a Host-Based Intrusion Detection Solution
  - 13.3 Deploy a Network Intrusion Detection Solution
  - 13.4 Perform Traffic Filtering Between Network Segments
  - 13.5 Manage Access Control for Remote Assets
  - 13.6 Collect Network Traffic Flow Logs
  - 13.7 Deploy a Host-Based Intrusion Prevention Solution
  - 13.8 Deploy a Network Intrusion Prevention Solution
  - 17.1 Designate Personnel to Manage Incident Handling
  - 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  - 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  - 17.4 Establish and Maintain an Incident Response Process
  - 17.6 Define Mechanisms for Communicating During Incident Response
CIS v7 Controls
  Controls:
  - 8 Malware Defenses
  - 12 Boundary Defense
  - 19 Incident Response and Management
  Safeguards:
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  - 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  - 8.4 Configure Anti-Malware Scanning of Removable Devices
  - 8.5 Configure Devices to Not Auto-Run Content
  - 8.6 Centralize Anti-Malware Logging
  - 8.7 Enable DNS Query Logging
  - 8.8 Enable Command-Line Audit Logging
  - 12.1 Maintain an Inventory of Network Boundaries
  - 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
  - 12.3 Deny Communications With Known Malicious IP Addresses
  - 12.4 Deny Communication Over Unauthorized Ports
  - 12.5 Configure Monitoring Systems to Record Network Packets
  - 12.6 Deploy Network-Based IDS Sensors
  - 12.7 Deploy Network-Based Intrusion Prevention Systems
  - 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  - 12.9 Deploy Application Layer Filtering Proxy Server
  - 19.1 Document Incident Response Procedures
  - 19.2 Assign Job Titles and Duties for Incident Response
  - 19.3 Designate Management Personnel to Support Incident Handling
  - 19.4 Devise Organization-wide Standards for Reporting Incidents
  - 19.5 Maintain Contact Information For Reporting Security Incidents
  - 19.8 Create Incident Scoring and Prioritization Schema

Malware Infections
The presence of malware infections indicates ineffective malware protection or endpoint configurations.
Condition: The ratio of events of type [Compromised System] to events of type [Web Browser] is above 0.5%.
Assessment: Negative
Observations: Botnet Infections, Spam Propagation, Desktop Software, Mobile Software
CIS v8 Controls
  Controls:
  - 9 Email and Web Browser Protections
  - 10 Malware Defenses
  Safeguards:
  - 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  - 9.2 Use DNS Filtering Services
  - 9.3 Maintain and Enforce Network-Based URL Filters
  - 9.6 Block Unnecessary File Types
  - 9.7 Deploy and Maintain Email Server Anti-Malware Protections
  - 10.1 Deploy and Maintain Anti-Malware Software
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.3 Disable Autorun and Autoplay for Removable Media
  - 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  - 10.5 Enable Anti-Exploitation Features
  - 10.6 Centrally Manage Anti-Malware Software
CIS v7 Controls
  Controls:
  - 7 Email and Web Browser Protections
  - 8 Malware Defenses
  Safeguards:
  - 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  - 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
  - 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
  - 7.4 Maintain and Enforce Network-Based URL Filters
  - 7.5 Subscribe to URL-Categorization Service
  - 7.6 Log All URL Requests
  - 7.7 Use of DNS Filtering Services
  - 7.8 Implement DMARC and Enable Receiver-Side Verification
  - 7.9 Block Unnecessary File Types
  - 7.10 Sandbox All Email Attachments
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  - 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  - 8.4 Configure Anti-Malware Scanning of Removable Devices
  - 8.5 Configure Devices to Not Auto-Run Content
  - 8.6 Centralize Anti-Malware Logging
  - 8.7 Enable DNS Query Logging
  - 8.8 Enable Command-Line Audit Logging

Malware on Exposed IoT Device
The presence of malware on an exposed Internet-of-Things (IoT) device indicates ineffective control of hardware assets on the network.
Condition: At least one event from each of the following event types was detected: [Internet-of-Things (IoT) System Compromised with Worm, Internet-of-Things (IoT) Service Port].
Assessment: Negative
Observations: Botnet Infections, Open Ports
CIS v8 Controls
  Controls:
  - 1 Inventory and Control of Enterprise Assets
  Safeguards:
  - 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
  - 1.2 Address Unauthorized Assets
  - 1.3 Utilize an Active Discovery Tool
  - 1.5 Use a Passive Asset Discovery Tool
CIS v7 Controls
  Controls:
  - 1 Inventory and Control of Hardware Assets
  Safeguards:
  - 1.1 Utilize an Active Discovery Tool
  - 1.2 Use a Passive Asset Discovery Tool
  - 1.4 Maintain Detailed Asset Inventory
  - 1.5 Maintain Asset Inventory Information
  - 1.6 Address Unauthorized Assets

Persistent or Recurring Infections
The presence of persistent or recurring malware infections indicates ineffective malware protections or incident response.
Condition: At least one event of the following event types was present for at least 1 month: [Compromised System].
Assessment: Negative
Observations: Botnet Infections, Spam Propagation
CIS v8 Controls
  Controls:
  - 10 Malware Defenses
  - 17 Incident Response Management
  Safeguards:
  - 10.1 Deploy and Maintain Anti-Malware Software
  - 10.2 Configure Automatic Anti-Malware Signature Updates
  - 10.3 Disable Autorun and Autoplay for Removable Media
  - 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
  - 10.5 Enable Anti-Exploitation Features
  - 10.6 Centrally Manage Anti-Malware Software
  - 17.1 Designate Personnel to Manage Incident Handling
  - 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  - 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  - 17.4 Establish and Maintain an Incident Response Process
  - 17.6 Define Mechanisms for Communicating During Incident Response
CIS v7 Controls
  Controls:
  - 8 Malware Defenses
  - 19 Incident Response and Management
  Safeguards:
  - 8.1 Utilize Centrally Managed Anti-malware Software
  - 8.2 Ensure Anti-Malware Software and Signatures Are Updated
  - 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  - 8.4 Configure Anti-Malware Scanning of Removable Devices
  - 8.5 Configure Devices to Not Auto-Run Content
  - 8.6 Centralize Anti-Malware Logging
  - 19.1 Document Incident Response Procedures
  - 19.2 Assign Job Titles and Duties for Incident Response
  - 19.3 Designate Management Personnel to Support Incident Handling
  - 19.4 Devise Organization-wide Standards for Reporting Incidents
  - 19.5 Maintain Contact Information For Reporting Security Incidents
  - 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
  - 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
  - 19.8 Create Incident Scoring and Prioritization Schema
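As an added example (not part of the Bitsight article or its product), the trigger conditions of the eight insights above expressed as a checker that a defender can run over their own event telemetry to see which insights would fire. The record layout, the constructed sample events, and the reading of "1 month" as 30 days are assumptions; the bracketed event type names are the ones used on this page.

```python
from datetime import date, timedelta

def ev(group, name, first, last):
    """Build one constructed event record; first/last are (y, m, d) tuples."""
    return {"group": group, "name": name, "first": date(*first), "last": date(*last)}

# Constructed sample data (not Bitsight output): two desktop families, six Compromised
# System events against 1000 Web Browser events (0.6%), one DGA event, and only one of
# the two IoT event types, so the IoT insight must NOT fire.
SAMPLE_EVENTS = (
    [ev("Desktop Compromised System", n, (2025, 1, 5), (2025, 1, 9)) for n in ("FamilyA", "FamilyB")]
    + [ev("Compromised System", "FamilyA", (2025, 1, 5), (2025, 2, 20))]      # 46 days: persistent
    + [ev("Compromised System", "FamilyC", (2025, 2, 1), (2025, 2, 3))] * 5
    + [ev("Web Browser", "user-agent", (2025, 2, 1), (2025, 2, 1))] * 1000
    + [ev("Domain Generation Algorithm (DGA) Based Malware", "FamilyD", (2025, 2, 2), (2025, 2, 2))]
    + [ev("Internet-of-Things (IoT) Service Port", "telnet", (2025, 2, 2), (2025, 2, 2))]
)

def by_group(events, group):
    return [e for e in events if e["group"] == group]

def infection_ratio(events):
    """Compromised System events per Web Browser event; None when there is no browser baseline."""
    browser = len(by_group(events, "Web Browser"))
    return None if browser == 0 else len(by_group(events, "Compromised System")) / browser

def evaluate_malware_insights(events, month=timedelta(days=30)):
    """Return {insight name: fired} using the conditions listed on this page.
    The ratio thresholds are 0.1% (positive) and 0.5% (negative); values in between fire neither."""
    ratio = infection_ratio(events)
    families = lambda group: len({e["name"] for e in by_group(events, group)})
    return {
        "Multiple Desktop Malware Families": families("Desktop Compromised System") > 1,
        "Multiple Mobile Malware Families": families("Mobile Compromised System") > 1,
        "No Malware Infections": ratio is not None and ratio < 0.001,
        "Malware Infections": ratio is not None and ratio > 0.005,
        "Domain Generation Algorithm Malware": bool(by_group(events, "Domain Generation Algorithm (DGA) Based Malware")),
        "Old or Abandoned Malware": bool(by_group(events, "Abandoned Malware")),
        "Malware on Exposed IoT Device": all(by_group(events, g) for g in (
            "Internet-of-Things (IoT) System Compromised with Worm", "Internet-of-Things (IoT) Service Port")),
        "Persistent or Recurring Infections": any(
            e["last"] - e["first"] >= month for e in by_group(events, "Compromised System")),
    }

if __name__ == "__main__":
    for insight, fired in evaluate_malware_insights(SAMPLE_EVENTS).items():
        print(f"{'FIRED' if fired else '  -  '}  {insight}")
```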