Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - Is Anti-Virus Dead? InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Is Anti-Virus Dead?

Published: 2008-07-31
Last Updated: 2008-07-31 16:23:20 UTC
by John Bambenek (Version: 1)
1 comment(s)

Each SANSFIRE, the Handlers who can make it to DC get together for a panel discussion on the state of information security. Besides discussion of the hot DNS issue, between most of us there is a large consensus into some of the biggest problems that we face.  Two come to mind, the fact that "users will click anything" and that "anti-virus is no longer sufficient".  These are actually both related in my mind.

Users will click anything

Some studies show that the success rate of a well-formatted phishing attempt can garner about a 10% click-through rate.  However, with targeting techniques, such as using what would be expected to be legitimate content in a phishing attempt this can go upwards of 80%.  An example, if you got a random PDF file from someone named "fbtgsertgrwetgfe" with the Subject "Angelina Jolie NEKKID!" you would most likely not click on the e-mail.  Even better, your anti-spam solution might even filter that message.  However, if you got a PDF file from your CEO with the subject "Important Changes to Health Care Plans", you would likely take a gander.  The better targeted a phishing attack, the more likely even savvy people get infected.  It isn't even necessarily targeting via email that can be widely successful.  How many of you add every facebook application that gets forwarded to you without even bothering to do any examination of the content?

However, the fundamental problem behind this isn't so much that users will click anything, but that whatever the user says goes.  Or, to put it another way, we tend to operate desktops under the principle of most privilege.  How many of you allow your users administrator rights in the workplace?  At home, everyone has local administrator.  This allows the "bad guys" free reign.  If you look at the development of the various phishing kits, they aren't really high tech.  For them, its lather, rinse, repeat all day long.  The real development of malware tends to be on the command & control side, the phishing kits, web sites and to a lesser extend, the droppers, don't seem to be evolving all that quickly.  They simply don't have to evolve fast, what they do keeps on working.

Is Anti-Virus Dead?

"I can't get infected by malware. I have anti-virus!" The absurdity of that statement needs no explanation at this point. This has led to people considering anti-virus a dead technology because it is always one-step behind attackers. This isn't necessarily untrue, but anti-virus by its very nature is reactive... it will only block against known threats.  Additionally, anti-virus signatures are essentially public. Any number of resources exist to scan your malware to see if it detects.  In short, you know ahead of time if you have the first ~24 hours of free reign.  If you target your attack, you can have far longer because you have a higher potential of floating under the radar and getting your bad bytes captures by the AV guys and/or security researchers like us.  AV, like all reactive technologies, suffers from the "First Win problem".  It isn't so much that they are "one-step behind"; it is that fundamentally it can never be ahead of the attackers.

Does that mean AV solutions should just be chucked?  Of course not.  AV is a "90% solution", it still does protect against known threats.  Is it sufficient?  No, but it also never has been sufficient.  Blacklisting technologies are far more effective when combined with whitelisting technologies.  For instance, the combination of AV protection with a good perimeter firewall brings you a little farther down the road of security.  While there is a debate on whitelisting vs. blacklisting technologies for binaries, a good step would be to start digitally signing binaries and go to a "bayesian" method of determining risk.  Not perfect, but better.  Heuristics would also be another good step (although heuristics is still basically a blacklisting technology and reactive).

What now?

So how do we protect ourselves from malware?  That's the million dollar question but here are some suggestions.  Please send in your feedback and we'll do a follow on post.

-- We need to shift our paradigm in what we protect.  We ought not to primarily be concerned with protecting "machines".  Machines are a means to an end, not an end in and of themselves.  We protect "information" not hardware.  For instance, we simply cannot protect consumer PCs.  They are inherently insecure and insecurable and it's fundamentally unsound and unfair to expect consumers to be able to harden their own machines.  We need to accommodate our electronic commerce to this fact.  For instance, we assume that the "cloud" of the Internet between point A and point B is insecure.  That is why we have things like VPNs; we simply bypass the problem with encryption.  The same should be true of consumer PCs; we need to find ways to do commerce on an insecure system so that information cannot be stolen... or at least enough information by which we can totally jack someone's identity.  The same is true on the corporate side... we don't protect hardware for the sake of protecting hardware.  We are securing intellectual property and in that sense, we need to "redraw" our perimeter around the logical information flows of confidential data.

-- As I mentioned before, digital signatures for binaries and "bayesian" style scoring for binaries/scripts.

-- Stop operating under a Principle of Most Privilege for the desktops.  In a corporate environment this is far easier.  A little more difficult in an academic environment (I've been party to debates in academia on why we can't do information security because it impedes academic freedom... luckily much of this has subsided, but still a problem).  It is a very difficult problem at home, but there are still some things that we can do and some things that operating systems shouldn't allow.

-- We've conditioned our users to operate their computers in a "button mash" method.  The infinite series of "Are you sure?" messages no longer mean anything, whether it's installing programs or getting AV warnings or pop-up windows.  The UI needs to stop the information spam to unsophisticated users because the overload causes people to shutdown their thought processes in looking at it and simply mash "Next... Next... Next...".

What else would you add?

John Bambenek
bambenek /at/ gmail /dot/ com



1 comment(s)
Diary Archives