Simon Hunt
Chief Technology Officer, Endpoint and Innovation
VP and CTO, Endpoint Security. Simon Hunt has more than 20 years' experience in software development, design and ...
The recent press activity around the New York Times cyberattack, and the response from their vendor, are causing quite a stir in the malware protection community – so much so, in fact, that some journalists have gone as far as claiming that
“antivirus protection alone barely represents a speed bump to determined hackers”.
Surprisingly, I actually wholeheartedly agree.
“Antivirus”, as Andy calls it, or blacklisting, as it’s commonly known in malware protection circles, is a pretty simple technique – and, unfortunately, a fundamentally flawed one. I’ll break it down to show you why.
1. Someone gets an infected email, or visits a compromised web site.
2. The malware is new, and thus not identified by their blacklisting technology, so it installs and they get infected.
3. Somehow, some time later, this comes to the attention of their blacklisting software vendor.
4. The infection gets broken down and analyzed – a unique “fingerprint” or “signature” is created.
5. This signature gets distributed out to all the other customers of the blacklisting vendor, and also to the blacklisting community.
6. Now everyone else is protected from this particular threat.
Do you see the problems? Firstly, of course, it requires a sacrificial sheep – yes, no blacklisting software will detect things it does not know about, so all you have to do to be a successful hacker is create something new.
Secondly, even when your malware gets detected, there’s a significant delay before the world catches on – much like a new strain of Flu, it can affect thousands of people before anyone realizes, and then it can take days for an appropriate remedy to be put in place. Blacklisting is the same – there’s a lead time between companies like McAfee getting a sample, and us distributing the detection and cure back to our customers. It can take days after the first infection using this old method.
Thirdly, and the most damning problem, is that your blacklisting software is always on the defense; it’s always reacting to things that happened in the past. Modern programming techniques mean that creating dynamic, or “polymorphic”, code is trivial, so everyone who gets infected might be infected by a different version of the malware – can you imagine what trouble that causes a blacklisting system? Not only does everyone get what seems to be a new piece of malware, but even when you’ve analyzed it, there’s little point telling the rest of the world about it, as each malware sample will probably only be seen once.
Maybe that explains why there’s a differing opinion on how much malware exists – anything between 70 million and 150 million examples depending on who you ask.
Blacklisting is valuable as it catches the common, repeat offender malware. The stuff that’s been circulating around for months, if not years, the old examples which keep getting recycled into the field – but as a mechanism to protect you from novel, bleeding edge threats? Not a chance.
So with that said I expect you’re waiting for me to say that there’s no point renewing your subscriptions and you might as well give in now? Thankfully not – nothing could be further from the truth.
Going back to the vendor’s press release, there’s a key paragraph I want to point out:
“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
There you have all my advice summed up. Blacklisting, or signature-based detection, is not enough – and luckily, it’s only one of the many techniques leading edge anti-malware products use to protect you.
One of the alternatives, which many vendors use (though I am proud to say McAfee leads the market with it), is cloud-based reputation detection. We call it “File Reputation”, though you may have heard it called Artemis, which was our code name for the project. Rather than basing decisions on whether the file you downloaded in an email, or got from the web, is “known to be bad” by virtue of it being on a blacklist, we look at attributes of the file: where it came from, whether it’s signed, and so on, in fact around 80 different things, to work out how “suspicious” we think it is. Based on that, our products reach out to the McAfee cloud and start asking questions. Very quickly, in fact pretty much instantly as far as you could tell, we can determine the likelihood of anything being malicious or not, whether we’ve seen it before or not.
Better still, that “reputation” can be bolstered by looking at who else is asking questions about the same file. Malware distribution often follows predictable patterns: distribution from known bad domains, geographic peculiarities, etc. All this information can be combined to make a judgment on whether your latest financial results spreadsheet, which “appears” to be in an email from your boss, is genuine or not.
This reputation data, or “Global Threat Intelligence” as we call it, is absolutely critical and baked into pretty much every product we offer. Without GTI, you’re really not protected from novel threats. Not by half.
My colleague Rees Johnson posted a video about McAfee’s GTI reputation engine a while ago. He gave a great example of one of our larger customers, who reported 12,000 potential virus samples to McAfee in 2011 – 7200 of which were not detected by the McAfee blacklisting engine.
We already had our cloud reputation engine in place, but that customer had not turned it on – much like it seems the NY Times were not using cloud based reputation technology from their vendor (supposition on my part of course).
As an academic exercise we turned our reputation system on, set it to the least aggressive level, and re-ran the samples.
The reputation engine, even at this most basic level, immediately detected 50% more malware. Turned up to its highest level, it caught them all – 100% of the samples our customer had were correctly identified.
On average the reputation engines offer protection around 127 hours in advance of the blacklists, or, looking at it the other way around, 5+ days of opportunity for you to get infected without it.
If our customer had had McAfee File Reputation enabled, not one of those 12,000 samples would have got through to infect their machines – they would have been 100% protected. Generally, enabling the McAfee cloud-based reputation services improves the effectiveness of our products by an additional 10-30% when it comes to novel threats – even if every advanced feature of the product is enabled, there’s ALWAYS more protection.
You can imagine our customer was pretty surprised to have such power on hand, and was pretty fast to click the few buttons to enable it on all their 100,000+ machines.
“What about false positives?” Well, I must confess there’s always the possibility – we average 0.0001%, or 1 in 100,000 pieces of software misidentified. Can you live with a 1:100,000 chance of your malware protection product blocking something new? I know I can.
Let’s re-run the scenario I started with.
1. Someone gets an infected email, or visits a compromised web site.
2. The malware is new, and thus not identified by their blacklisting technology, so it gets checked out by the cloud reputation system.
3. It’s bad, so it gets blocked.
Game over, everyone happy, everyone safe.
And after all, “Safe Never Sleeps” is our motto.
I want to leave it here, as I want to compare apples with apples, but blacklisting and cloud reputation are not the end of the story. They are both valuable techniques to protect against threats, but still not (in my mind) the most sophisticated, nor the ones we will be using for years to come.
Alongside the simplistic blacklisting, current products have technologies which are more behavior based. At McAfee we call it “Host Intrusion Prevention”, or HIPS for short. It couples a dynamic firewall, again with global reputation knowledge, with vulnerability shielding, making sure malware can’t take advantage of known software flaws, and behavioral protection for commonly used attack strategies. Turning on HIPS stops malware from making changes to your systems, so again, it’s absolutely essential in preventing the novel new attacks that blacklisting is unaware of. Unfortunately, like reputation, lots of people buy this feature but never turn it on, so they really miss out on the advanced protection it offers.
Finally, I am tremendously excited by advances in whitelisting techniques – the idea that, instead of trying to know about all the bad stuff and trying to make judgment calls on unknown things, we turn that on its head and instead strive to know about the good stuff, and consider everything else bad or suspicious. You can imagine how disruptive that will be to cyber criminals, who survive only because they can create new malware faster than we can identify it – all of a sudden anything new is closely watched, blocked, constrained.
Polymorphic malware would no longer be effective, “Advanced Persistent Threats” disappear, and we can ignore 30 years of cumulative malware because it’s all ineffective overnight. McAfee calls this “Application Control”, and I fully believe it’s where, as an industry, we should be moving.
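To make the contrast between the three approaches discussed above (hash blacklisting, cloud reputation, and whitelisting) concrete, here is an added illustrative example; it is my own code for this post, not McAfee's products or the real GTI scoring rules. It runs a hash blacklist, a small attribute-based suspicion score standing in for the ~80 signals mentioned earlier, and a publisher allowlist over constructed samples, including a one-byte "polymorphic" variant of a known dropper; the signals, weights, thresholds, domains and sample contents are all assumptions.

```python
import hashlib
from dataclasses import dataclass
@dataclass
class Sample:                 # constructed stand-in for a file plus the context reputation looks at
    name: str
    content: bytes
    signed_by: "str | None"   # publisher of a valid code signature, None if unsigned
    source_domain: str        # where the file was fetched from
    prevalence: int           # how many other endpoints have asked the cloud about this file

# Blacklist: SHA-256 fingerprints of samples a vendor has already analysed (constructed payload).
ORIGINAL = b"MZ...dropper v1 payload (constructed)"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_BAD_DOMAINS = {"downloads.bad-host.test"}   # constructed feed of known bad sources
TRUSTED_PUBLISHERS = {"Example Corp"}             # constructed application-control allowlist

def blacklist_blocks(s: Sample) -> bool:
    """Step 2 of the first scenario: only an exact, previously fingerprinted file is caught."""
    return hashlib.sha256(s.content).hexdigest() in KNOWN_BAD_HASHES

def reputation_score(s: Sample) -> int:
    """Attribute-based suspicion score; the signals and weights are assumptions, not GTI's real rules."""
    score = 0
    if s.signed_by is None:                     # unsigned code
        score += 40
    if s.source_domain in KNOWN_BAD_DOMAINS:    # distributed from a known bad domain
        score += 40
    if s.prevalence < 5:                        # almost nobody else has seen it: the "seen once" pattern
        score += 30
    return score

def reputation_blocks(s: Sample, level: str = "low") -> bool:
    """Block when the score crosses the threshold; 'low' stands in for the least aggressive setting."""
    threshold = {"low": 80, "high": 40}[level]
    return reputation_score(s) >= threshold

def allowlist_blocks(s: Sample) -> bool:
    """Application control: anything not signed by a trusted publisher is blocked, new or old."""
    return s.signed_by not in TRUSTED_PUBLISHERS

def evaluate(samples):
    """Per sample name: (blacklist, reputation low, reputation high, allowlist); True means blocked."""
    return {s.name: (blacklist_blocks(s), reputation_blocks(s, "low"),
                     reputation_blocks(s, "high"), allowlist_blocks(s)) for s in samples}
SAMPLES = [
    Sample("dropper_v1", ORIGINAL, None, "downloads.bad-host.test", 1),
    Sample("dropper_v1_poly", ORIGINAL + b"\x00", None, "downloads.bad-host.test", 1),  # one byte: new hash
    Sample("new_tool.exe", b"MZ...unsigned utility (constructed)", None, "cdn.example.test", 3),
    Sample("payroll.xlsx", b"PK...spreadsheet (constructed)", "Example Corp", "intranet.example.test", 2000),
]
```

Running `evaluate(SAMPLES)` shows the blacklist catching only the exact original, the reputation score catching the variant too (and, at the aggressive level, an unsigned low-prevalence tool the low level lets through), and the allowlist blocking everything not signed by a trusted publisher.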
But in the meantime – at least turn on the advanced features of the products you bought and get the best protection you can?
Simon.
Tags: NY Times