Vulnerabilities / Threats
6/5/2012 05:16 PM
When Antivirus Fails, All Is Not Lost

Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network

Starting in late 2011, unknown attackers attempted to install malicious code on a computer belonging to a client of security firm Bit9. The attack, which occurred around 6 a.m. each day, failed because the company's whitelisting technology did not recognize the program as an approved application and so blocked its installation.

Only recently was the attack given another name: Flame.

Although Bit9 and its client, which the company would not name but says is based in the Middle East, did not investigate the routine security incidents last year, recent events convinced Bit9 to search through its database of hashes to identify past executables that its technology had blocked. When it found a match, the company -- with permission -- performed forensics using the client's local database of security events. Bit9 found that a dropper had attempted to install at least two different files on the targeted system.

"Somebody had remotely targeted that system and compromised it enough to try to remotely drop executables on the computer, and we flagged them as unauthorized," says Harry Sverdlove, chief technology officer with Bit9. "It attempted to run. We said no, and that was the end of it."

Following Flame, the most recent targeted attack to hit the headlines, antivirus companies are facing a great deal of criticism for missing signs of the attack for more than four years. Even one of the industry's own, Mikko Hypponen of F-Secure, issued a mea culpa in Wired, saying that the company and its competitors could do better.

"All of us had missed detecting this malware for two years, or more," F-Secure's chief research officer wrote. "That's a spectacular failure for our company, and for the antivirus industry in general."

[ Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the Flame infection from one machine to others within the targeted organization. See Flame Burns Microsoft With Digital Certificate Hack. ]

Historically, however, antivirus software's strength has been in detecting viruses, worms, and other mass attacks. More recent improvements, such as threat communities and cloud analysis, continue to shorten the delay between detection and the distribution of specific protections. Yet antivirus and anti-malware programs continue to be ill-suited to detect the low-volume threats like targeted attacks.

It's not just nation-state attacks, such as Stuxnet and Duqu, both of which spread for at least 12 months before detection. Cybercriminals routinely test their own malware against antivirus firms' products to make sure it is not detected. In more than 300 investigations performed by security firm Trustwave in 2011, all involved malware and none were detected by the antivirus software installed on the clients' systems, the company stated in its Global Security Report earlier this year.

"The clients would say, 'We were running antivirus on this system, and we know we updated all of our signatures -- why wasn't this caught?'" says Nick Percoco, senior vice president and head of Trustwave's SpiderLabs. "The vast majority of people don't understand that the bad guys can test target an environment and write a piece of malware to evade detection."

To detect targeted threats, companies must first be more aware of what is going on in their networks, Percoco says. By watching for events -- and not just suspicious activity -- a company can detect the existence of an infection. Known as indicators of compromise, or IOCs, these events can tip a company off that something unwanted is inside the firewall.

"We have found that a chain of three or four positive events -- such as a successful login followed by Web activity and an uptick in disk utilization -- can equal something negative, a compromise," he says.
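The correlation Percoco describes, a chain of individually benign events that together form an indicator of compromise, can be expressed as a small rule over an event stream. The following is an added example, not code from the article or from Trustwave; the log format, the 10-minute window and the disk-utilisation threshold are assumptions, and the log lines are constructed.

```python
"""Correlate a chain of individually benign events (successful login,
then web activity, then a jump in disk utilisation) into one indicator
of compromise. Log format, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp host user event detail
SAMPLE_LOG = """\
2012-06-01T06:01:10 host-a alice login ok
2012-06-01T06:01:45 host-a alice web GET example.invalid/update.php
2012-06-01T06:02:30 host-a alice disk 12
2012-06-01T06:03:00 host-a alice disk 85
2012-06-01T09:15:00 host-b bob login ok
2012-06-01T10:40:00 host-b bob web GET intranet.invalid/
2012-06-01T11:00:00 host-b bob disk 20
2012-06-01T11:05:00 host-b bob disk 22
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window after the login
DISK_JUMP = 50                   # assumed: percentage-point rise in disk use


def parse_events(text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, user, kind, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return events


def find_chains(events):
    """Return (host, user, login_time) for every successful login that is
    followed within WINDOW by web activity and a disk-utilisation rise of
    at least DISK_JUMP points on the same host for the same user."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)

    hits = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["kind"] != "login" or e["detail"] != "ok":
                continue
            window = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= WINDOW]
            saw_web = any(x["kind"] == "web" for x in window)
            disk = [int(x["detail"]) for x in window if x["kind"] == "disk"]
            jump = len(disk) >= 2 and max(disk) - disk[0] >= DISK_JUMP
            if saw_web and jump:
                hits.append((host, user, e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for host, user, when in find_chains(parse_events(SAMPLE_LOG)):
        print(f"possible compromise: {user}@{host} starting {when}")
```

Only host-a trips the rule: bob's web activity on host-b falls outside the window and his disk use barely moves. In practice the thresholds would be tuned per environment, and the rule would be one of several feeding a central console rather than a verdict on its own.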

What works at the network level can also work at the systems level. Because there are so many attack vectors today, it is hard to watch every one; instead, companies can monitor systems and memory for the telltale evidence that something bad is happening, says Pascal Longpre, chief technology officer for anti-malware firm Silicium Security. The company's software analyzes events in the system memory to detect anomalies that may indicate an infection.

"Our approach looks at the behavior of the system," he says. "And then we send that to a central server, where a security expert can make the call."

Finally, companies can take the "deny all" approach to applications, just like the recommended practice for firewall rules. Known as whitelisting, the defensive technology allows only known good programs to run on systems. With millions of malware variants being generated every year, focusing on the 10,000 to 25,000 programs running on a typical system makes more sense, Bit9's Sverdlove says.

"Just trying to keep up with the bad stuff and trying to identify more and more malware is not an effective solution," he says.

Sverdlove stresses that whitelisting has grown up. Once known for the difficulty of maintaining lists of trusted applications, whitelisting now focuses on broadly accepted policies rather than hand-curated lists.
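The two whitelisting ideas in this article, the "deny all" allowlist that blocked the Flame dropper and the later retrospective search of blocked hashes once the sample had a name, fit together in one small model. This is an added example, not Bit9's code or the article's; the policy rules (approved hashes plus trusted publishers), the paths, the binary contents and the timestamps are all constructed.

```python
"""Hash- and policy-based application allowlisting with an audit trail of
blocked executions, plus a retrospective search of that trail for hashes
that later became known-bad. Everything here is constructed sample data."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images on an endpoint
APPROVED_BINARIES = {
    "C:\\Windows\\System32\\notepad.exe": b"constructed-notepad-image",
    "C:\\Program Files\\Office\\winword.exe": b"constructed-word-image",
}
UNKNOWN_DROPPER = b"constructed-unknown-dropper-image"


@dataclass
class Policy:
    approved_hashes: set          # explicit per-file allow list
    trusted_publishers: set       # assumed policy: signed by a trusted vendor


@dataclass
class Allowlist:
    policy: Policy
    blocked: list = field(default_factory=list)   # audit trail of denials

    def decide(self, path, image, publisher=None, ts=None):
        """Deny-by-default: allow only by hash or by trusted publisher.
        Every denial is recorded so it can be revisited later."""
        h = sha256_hex(image)
        if h in self.policy.approved_hashes:
            return ("allow", "hash")
        if publisher is not None and publisher in self.policy.trusted_publishers:
            return ("allow", "publisher")
        self.blocked.append({"ts": ts, "path": path, "sha256": h,
                             "publisher": publisher})
        return ("block", "unknown")

    def retrospective_matches(self, known_bad_hashes):
        """Search past denials for hashes that have since been identified."""
        return [e for e in self.blocked if e["sha256"] in known_bad_hashes]


def demo():
    """Replay the scenario: approved apps run, an unknown dropper is denied
    at 6 a.m., and months later its hash is matched against the trail."""
    policy = Policy(
        approved_hashes={sha256_hex(b) for b in APPROVED_BINARIES.values()},
        trusted_publishers={"Example Software Ltd"},   # constructed name
    )
    wl = Allowlist(policy)
    decisions = [
        wl.decide("C:\\Windows\\System32\\notepad.exe",
                  APPROVED_BINARIES["C:\\Windows\\System32\\notepad.exe"]),
        wl.decide("C:\\Users\\u\\AppData\\Local\\Temp\\svc.tmp",
                  UNKNOWN_DROPPER, ts="2011-11-03T06:00:00"),
        wl.decide("C:\\Program Files\\Example\\updater.exe",
                  b"constructed-signed-updater", publisher="Example Software Ltd"),
    ]
    # Later: a newly published indicator names the dropper's hash
    matches = wl.retrospective_matches({sha256_hex(UNKNOWN_DROPPER)})
    return decisions, matches


if __name__ == "__main__":
    decisions, matches = demo()
    print(decisions)
    for m in matches:
        print(f"blocked at {m['ts']}: {m['path']} sha256={m['sha256'][:12]}...")
```

The point of keeping the denial trail is the second half of the story: blocking an unknown binary stops the execution, but only a searchable record of what was blocked, and its hash, lets the organisation later recognise that it was targeted and go look for the rest of the intrusion.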

In the end, it's not so much that antivirus is not working, but that people are expecting software created to detect commoditized attacks to work against made-to-order targeted attacks. Companies need to use the right defenses for the job, Silicium's Longpre says.

"If you want to protect your office, you put a lock on the door, but there is only so much a lock can do," he says. "Instead, you start adding other defenses, such as video cameras and motion sensors. That's the approach we need to take."

Comments
Cryptodd, User Rank: Apprentice
6/6/2012 | 3:55:18 AM
re: When Antivirus Fails, All Is Not Lost
As you've said, application whitelisting is not a foolproof method for ensuring corporate data is protected. The fact remains that Flame breached the network perimeter and was able to compromise the targeted systems even though Bit9 blocked the Flame .exe drop. Because APTs like this one tend to fly low and slow under the radar, it's unlikely most enterprises will be able to keep them at bay. Companies can't simply lock the door, they need to classify their most valuable data, then apply access controls, data leak monitoring, and encryption.
@Cryptodd @Vormetric