Cybercriminals are targeting organizations successfully in spite of traditional security measures as noted recently by the NY Times and a front page article in the Wall Street Journal on cyber espionage. This issue is driven by the cybercriminal gangs’ ability to compromise vulnerable systems using sophisticated reconnaissance and penetration tactics. So, how do we solve this problem and what testing organizations can help us understand what solutions are effective?
To answer this question we must first understand the cybercriminal’s mindset and approach to breaching a large organization’s IT infrastructure. The first step taken by any cybercriminal is to simply understand their target’s network design, systems, applications and security posture. This is the reconnaissance step. It’s generally not too difficult given the extensive Internet connections any enterprise must have in place to do business. Nearly all enterprises of any size are now under constant surveillance by potential attackers.
The second step is to monitor the target organization’s patching and security behavior. Then the hacker waits for windows of vulnerability. A recent high profile attack against the Federal Reserve demonstrated that new vulnerabilities can now be attacked within an hour or two of appearing.
The most common example of this scenario is the race between industry and cybercriminal’s on Microsoft’s Patch Tuesday. That monthly “Black” Tuesday, the starting gun shoots and the race begins. If the published vulnerability is noted as critical with characteristics of “remote exploitation and code execution”, the race is a rabid one with many cybercriminals poised at the starting line with dancing hands on keyboards looking for exploit kits capable of leveraging both known and unknown vulnerabilities.
In many cases the exploit kits available pre-date the release of the software containing the vulnerabilities they exploit. Having acquired one, the cybercriminal simply inserts the IP address or domain of his target and steals the information he wants. He then very likely also injects a back door Trojan so he can enter the system more easily next time. He will then use that system as an espionage launch pad to conduct reconnaissance on other networks and domains.
Antivirus software (AV) is a necessary, but insufficient defense mechanism in this ever so common scenario and here is why.
The first stage of these attacks commonly involves exploiting a known vulnerability. AV focuses way down on attack phase three where it focuses on protecting against a common payload. As an industry we must shield the vulnerability. This is done best through host and network based technologies that use vulnerability shielding techniques. Unlike inferior pattern matching signatures, we need to embrace this broader approach of vulnerability shielding. These techniques have commonly used for a decade in network devices while host based advanced protection has been more slowly adopted.
As noted by the recent NY Times article, now is the time. As an industry we must raise the bar! None of us (vendors or practitioners) can persist in believing that if we build and deploy a traditional AV certified by historical AV testing techniques, that we’ll be safe.
We must understand the way a hacker works and his basic attack steps and start the race before the starting gun goes off. That means blocking attacks as early as possible or in the model above at the vulnerability stage. The question THEN becomes, how do you KNOW if the product is performing as promised. The issue here is that the third party testing labs have historically focused their testing methodologies on the Payload phase where traditional AV products do their work. While this approach was appropriate to assess the endpoint products of five years ago, it does not provide an accurate picture of how today’s products address today’s threats.
I have personally asked the testing organizations to enhance their methodologies and adopt this more sophisticated and real world approach to measuring detection effectiveness The answer I’ve historically received is that it’s simply too expensive. I’m pleased to report that one lab, NSS Labs has now adopted testing methodologies that are consistent with the way cybercriminals now work to penetrate your networks and devices.
NSS Labs is currently unique in utilizing this new approach. They simply understand better how a cybercriminal thinks and have crafted their methodology around that mindset. First, NSS Labs creates a list of the most prevalent software that organizations use including Windows, Adobe Flash, JRE, Firefox, Google’s Chrome, Internet Explorer and MS Office. They then enumerate the associated known vulnerabilities and use weaponized exploits to attack those vulnerabilities! Voila! Just like a cybercriminal attacking your network or endpoint devices.
Due to McAfee’s strength in the enterprise segment of the market and working with governments and banks to understand the cybercriminal mindset, McAfee has developed technologies to block attacks at stage zero or vulnerability stage. We are pleased that NSS Labs tests has adopted this new and very relevant approach. They recently released two reports describing the first round of results to emerge from the new NSS Lab tests. With this background, there is little surprise that we have earned the dominant position in their latest reports.
The McAfee endpoint triad of VirusScan Enterprise, Host Intrusion Prevention, and Site Advisor Enterprise achieved the #1 ranking in both the Exploit Prevention and Exploit Evasion tests. While we are gratified by this outcome, we know our work is not over. The cybercriminal gangs and state actors that desire to breach the IT infrastructure of public and private sector enterprises will use increasingly more sophisticated techniques. McAfee will continue to develop and deploy products to address this rapidly evolving threat landscape. We look forward to working with NSS Labs and other progressive labs and analysts to provide you with the information you need to optimize your security posture.