The following bulletin from the DHS National Cybersecurity and Communications Integration Center was obtained from the website of the Jewish Community Relations Council of New York.
National Cybersecurity and Communications Integration Center
- 6 pages
- November 1, 2013
As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.
This publication provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and Incident Response practices.
While specific indicators and modules related to destructive malware may evolve over time, it is critical that an organization assess their capability to actively prepare for and respond to such an event.
Potential Distribution Vectors
As actual methods for initial compromise may vary2, this publication is focused on the threat of enterprise-scale distributed propagation methods for malware, the potential impact to critical resources within an organization, and countermeasures for mitigation.
Destructive malware has the capability to target a large scope of systems, and can potentially execute across multiple systems throughout a network. As a result, it is important that an organization assess their environment for atypical channels from which malware could potentially be delivered and/or propagate throughout the environment.
Enterprise Applications – particularly those which have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
o Patch Management Systems
o Asset Management Systems
o Remote Assistance software (typically utilized by the corporate Help Desk)
o Systems assigned to system and network administrative personnel
o Centralized Backup Servers
o Centralized File Shares
While not applicable to malware specifically, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:
Centralized storage devices
o Potential Risk – direct access to partitions and data warehouses
o Potential Risk – capability to inject false routes within the routing table, delete specific routes from the routing table, or remove/modify configuration attributes – which could isolate or degrade availability of critical network resources