Is the era of anti-virus over?

The success of advanced malware like Flame and Shamoon has caused some security observers to declare that the era of anti-virus has come to an end.

While this is a bit of an exaggeration, it's important to consider how the strategy of anti-virus and other security solutions fits into the overall threat landscape.

There are a variety of different groups trying to break into computer networks today. Some of them are extremely sophisticated, while others barely understand how to use a command-line interface. Some have monetary and political motives, while others just do it for the “lulz.”

Each group presents a unique threat to the network environment, and there are different ways of responding to each. Tools like anti-virus have their purpose, but they can't address every problem.

The basics

Let's first talk about unsophisticated attackers. The surprising thing is that enterprise networks fall victim to not-so-advanced attacks all the time. The "2012 Verizon Data Breach Investigations Report" indicated that 96 percent of the attacks the company investigated were not highly difficult, and 97 percent were avoidable through simple or intermediate controls. Many of these attacks are launched through the guessing or stealing of access credentials, or with the use of tools that can be readily downloaded from the internet.

We can usually expect commercial security products, such as anti-virus and intrusion prevention systems (IPS), to detect and block simple attacks like these. Coupled with good vulnerability auditing and patching practices, a network should be fairly well protected against this class of attacker. Unfortunately, security teams often do not have the budget or reach that they need to consistently enforce these basic controls.

Additionally, if attackers want to evade commercial security solutions, they can do so by investing time into discovering new vulnerabilities, or buying them on the black market. They also build workshops in which they test new malware and exploits against popular security products until they can successfully evade detection. And the security industry typically is in the dark about these new attack techniques until someone discovers them being used in the wild.

For years people have been relying on a “safety in numbers” strategy for dealing with this sort of new attack technique. In the beginning, these assaults are undetectable, but security vendors have vast threat intelligence and honeypot networks that are designed to collect samples associated with broadly targeted attacks as they spread through the internet.

Once the samples are detected, signatures get released for IPS and anti-virus software. As long as your organization wasn't hit early in the lifecycle of a particular threat, those signatures should protect you.

Sophisticated, targeted attacks

This “safety in numbers” strategy breaks down when adversaries are careful to only use these new techniques in highly targeted attacks. In that case, samples from the attacks are much less likely to be picked up by the security industry.

Serious, state-sponsored attacks that are associated with malware like Flame, as well as the advanced persistent threat, fit this mold. These attacks often involve undisclosed vulnerabilities, malware that evades commercial security products, and a level of targeting that prevents them from showing up on the security industry's radar screen for a very long time.

A recent study by Symantec researchers discovered 18 undisclosed security vulnerabilities that were used to target computer networks in the wild for up to 30 months before they were discovered, with an average window of 312 days.

This kind of evidence is challenging the assumption that we can rely entirely on intelligence about known threats and vulnerabilities to protect ourselves. So what else should we be doing to close this gap?

New strategies

First, we need to recognize that there is no silver bullet. There is no technology that companies can put in place on their networks that will automatically prevent successful compromises by sophisticated, targeted attackers. On the other hand, the situation is not hopeless. It is possible to detect sophisticated attacks by focusing on the various behaviors that attackers engage in on the network at each stage of the attack, from the initial reconnaissance, to exploitation, all the way through to exfiltration of stolen data.

It is going to take human analysts to recognize the subtle and often unpredictable patterns of evidence that sophisticated attacks leave behind. Therefore, the best strategies are going to focus on arming incident responders with the tools they need to monitor their environments and actively hunt for ongoing attack activity.

Although basic controls like anti-virus will always have a place in the security arsenal, they are not up to the task of defending networks against sophisticated, targeted attacks. Companies must be vigilant in maintaining the foundations of their security infrastructure, while also equipping their in-house security professionals to take a more proactive stance against increasingly sophisticated internet threats.
