Another Nail in the Coffin: Dwindling Trust in Anti-Virus solutions
Security practitioners with a sense of humor will love The Chronicles of George. George is a low-level IT admin with a terrible grasp of grammar, spelling, and IT in general. In his opening salvo, he asks for help with an anti-Norton virus.
While this is yet another example of George's struggle with the English language, many readers here would not mind having an anti-Norton virus, the commodity software that made billions of dollars for Symantec and Peter Norton a very wealthy man. Other namesakes in information security such as McAfee got their start selling anti-virus (AV) software to home users and enterprises alike. While Peter Norton went on to achieve great things, John McAfee took a turn for the weird.
Almost thirty years after Peter Norton sold Norton Anti-virus to Symantec, the importance of, and emphasis on, having anti-virus running on the endpoint dwindles every day as attackers get more clever and stay one step ahead of the AV vendors with increasingly sophisticated evasion techniques. There are many examples of AV failing to protect systems in a high-profile attack, one as recently as last week.
One of the world's largest aluminum (pronounced al-loo-MIN-ee-um in the UK) producers, Norsk Hydro, was the victim of a successful ransomware attack that caused its production line to grind to a halt for several days. Norsk was able to switch key processing lines over to manual control to continue operations, but other critical IT systems were still affected for days and most of their 35,000 employees were unable to work. The world had not seen such an impactful cyber-to-real-world attack since Danish shipping company Maersk was hit with NotPetya and global shipping stopped. As industries turn more towards interconnectivity and automation, these types of attacks will continue and become more impactful. At the time of writing, no ransom demands have been met and Norsk Hydro plans to recover their systems from their latest backups. This attack continues the trend of attackers using ransomware without giving the victims any capability to recover their data, effectively using it as a disk wiper or crypto-erase rather than for extortion.
The strain of ransomware used in this attack is a relatively new one, now dubbed LockerGoga. Upon analysis, LockerGoga appears fairly unsophisticated in its attack mechanism, and running it should throw up more red flags to AV software than a Chinese Military parade. LockerGoga consumes all available CPU cores and threads (typically caught by behavioral or anomaly detection), causes Windows Explorer to crash repeatedly (users should be notifying IT about this), and consumes so many system resources that it becomes difficult if not impossible to run other processes. At the same time, that excessive resource usage lets it encrypt an entire system in just a few minutes, so a user would effectively have to be asleep at their computer or away from it for the attack to go unnoticed.
A cascade of failures in the AV industry allowed this attack to happen: what sophistication LockerGoga lacks in its ransomware payload, it makes up for with evasion. On March 8, before the Norsk Hydro attack, a stunning 0 out of 67 vendors on VirusTotal were able to detect LockerGoga.
While there are some criticisms of using VirusTotal results to measure malware evasion capabilities, it is an awful sign that no AV vendor was able to detect LockerGoga even after a high-profile attack against Altran used this malware. There is nothing new in how the story begins: an employee likely clicked a malicious link or downloaded a malicious file and ran it on the network. What is alarming is that, even at the time of writing and after a second highly publicized attack, only 25 of the 69 AV vendors that participate in VirusTotal's program detect the file as malicious.
Greatly improving its standing with AV software, the malware sample carries a valid digital signature from a code signing certificate issued by Sectigo (formerly Comodo), a certificate authority trusted by Windows by default. After the Altran attack, several people in the security industry called for the revocation of the code signing certificate, but the request fell on deaf ears: the certificate is still valid and is used to sign other strains of malware, not just LockerGoga. Even if Sectigo revoked it, most AV solutions do not check the validity or revocation status of the certificates used to sign software. LockerGoga also uses an unconventional spreading mechanism to evade standard AV controls and detection. Malware like WannaCry and NotPetya spreads laterally using vulnerabilities such as EternalBlue, which makes a lot of noise on the network and leads to eventual detection and blocking. LockerGoga instead spreads through Active Directory using scheduled tasks and services: a copy of the malicious executable is placed on \\SHAREVOL, a folder every Active Directory-connected machine has access to, and a task is added to run that file on every machine at a predetermined time. Many AV vendors only identified LockerGoga as malicious through file reputation or generic blocks rather than as the specific threat.
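The scheduled-task spreading described above leaves a trail in Windows event logs that a log pipeline can catch even when endpoint AV misses the binary. The following Python script is an added example, not code from the original article or from any vendor: it hunts through a constructed export of Windows Security event 4698 ("A scheduled task was created") records for tasks whose action runs from a UNC share, and for the same task name being created on many hosts within a short window. The key=value export format, the timestamps, the host, user and task names, and the FILESRV01 server name are assumptions made for this demonstration; only the SHAREVOL share name comes from the article.

```python
"""Hunt scheduled-task creation events for share-launched, mass-deployed tasks.

Added example, not from the original article. Assumes a SIEM export of
Windows Security event 4698 flattened to one key=value line per event;
the field names and sample lines are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one local backup task, one single-host task that
# runs a script from a share, and the same task name created on four hosts
# within seconds, all pointing at an executable on a UNC share.
SAMPLE_LOG = r"""
ts=2019-03-18T21:02:11Z event=4698 host=WS-0412 user=CORP\jdoe task=\Backups\NightlyCopy cmd=C:\Tools\robocopy-wrapper.exe
ts=2019-03-18T21:02:40Z event=4698 host=WS-0219 user=CORP\svc-print task=\Corp\PrinterMap cmd=\\FILESRV01\Scripts\map.vbs
ts=2019-03-18T21:03:01Z event=4698 host=WS-0417 user=CORP\svc-deploy task=\Maintenance\Update cmd=\\FILESRV01\SHAREVOL\update.exe
ts=2019-03-18T21:03:04Z event=4698 host=WS-0418 user=CORP\svc-deploy task=\Maintenance\Update cmd=\\FILESRV01\SHAREVOL\update.exe
ts=2019-03-18T21:03:09Z event=4698 host=WS-0423 user=CORP\svc-deploy task=\Maintenance\Update cmd=\\FILESRV01\SHAREVOL\update.exe
ts=2019-03-18T21:03:15Z event=4698 host=WS-0431 user=CORP\svc-deploy task=\Maintenance\Update cmd=\\FILESRV01\SHAREVOL\update.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # values contain no whitespace in this export


def parse_events(text):
    """Parse key=value lines into dicts, keeping only 4698 (task created) events."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("event") != "4698":
            continue
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def is_unc_path(cmd):
    """True when the task action starts with \\\\server\\share rather than a local drive."""
    return cmd.startswith("\\\\")


def find_share_launched_tasks(events):
    """Rule 1 (low severity on its own): task action lives on a network share."""
    return [(e["host"], e["task"], e["cmd"]) for e in events if is_unc_path(e["cmd"])]


def find_mass_deployments(events, host_threshold=3, window=timedelta(minutes=5)):
    """Rule 2 (high severity): one task name created on >= host_threshold distinct
    hosts inside `window`. Returns [(task, sorted hosts tuple), ...]."""
    by_task = defaultdict(list)
    for e in events:
        by_task[e["task"]].append(e)
    findings = []
    for task, evs in by_task.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= host_threshold:
                findings.append((task, tuple(sorted(hosts))))
                break  # one finding per task is enough to raise the alert
    return findings


def analyze(text, **kwargs):
    """Run both rules over an export and return their hits keyed by rule name."""
    events = parse_events(text)
    return {
        "share_launched": find_share_launched_tasks(events),
        "mass_deployment": find_mass_deployments(events, **kwargs),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Rule 1 alone is noisy in environments that legitimately run logon scripts from shares, which is why the script reports it separately; rule 2 (many hosts, same task, short window) is the signal to page on, and the threshold and window should be tuned to how the organization's own deployment tooling behaves.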
AV, hash and signature-based detection detect less than 5% of the threats blocked by the world's largest security cloud. For previously unknown threats and threats not blocked by traditional AV engines, a sandbox is a highly effective detection and prevention tool. A sandbox allows organizations to run (detonate) unknown files in a controlled environment isolated from the production network. The file is then observed in that environment to determine whether it performs suspicious behaviors such as logging keystrokes, waiting for the system to reboot several times before executing a payload, or phoning home to a command and control server. If the observed file performs enough suspicious behavior, it is classified as malicious and the sandbox blocks users from downloading it. Most sandbox solutions deployed in TAP mode, where a copy of the file is sent to the sandbox for analysis, are not sufficient to block modern threats: users are still allowed to download the file until the sandbox renders a verdict on whether it is malicious or benign.
The use of a cloud sandbox in combination with an inline cloud security proxy gives several benefits over traditional on-premise sandboxing solutions. Cloud sandbox solutions can be deployed inline, which allows the proxy to hold a file for analysis (quarantine) before the user is allowed to download it. If the file is determined to be malicious, the sandbox and proxy block the user from downloading it, effectively preventing a patient-zero infection. Combining the cloud sandbox with SSL inspection at scale significantly enhances its detection capabilities. The world's largest security cloud sees about 83% of the traffic passing through it encrypted with SSL or TLS, and has seen an approximately 400% rise in the number of threats using encrypted channels. Cloud-hosted services also give users the same level of protection once they leave the office, without needing a VPN to backhaul traffic to a security stack in a datacenter.
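To make the TAP-versus-inline distinction concrete, the following Python model is an added example, not code from the original article or from any vendor's product. It scores a detonation's observed behaviors against a weighted threshold to produce a verdict, caches the verdict by file hash, and then shows what each deployment mode hands to the user: TAP mode delivers the file immediately and can only block later downloads of the same hash, while inline mode holds the file until the verdict arrives. The behavior names, weights, threshold and verdict latency are constructed assumptions, and the observed behaviors are passed in by the caller as a stand-in for a real detonation.

```python
"""Behavioral sandbox verdict and inline-versus-TAP delivery decision.

Added example, not from the original article or any vendor's product.
The behavior names, weights, threshold and timing values are assumptions
chosen for this demonstration.
"""
import hashlib
from dataclasses import dataclass

# Weighted behavioral indicators a detonation might observe (constructed).
BEHAVIOR_WEIGHTS = {
    "logs_keystrokes": 4,
    "delays_until_reboot": 2,
    "c2_beacon": 4,
    "mass_file_rename_encrypt": 5,
    "saturates_all_cpu_cores": 2,
    "crashes_explorer_repeatedly": 2,
    "creates_scheduled_task_on_share": 3,
    "writes_to_temp": 0,
}
MALICIOUS_THRESHOLD = 6  # assumed cut-off


def sandbox_verdict(observed_behaviors):
    """Turn observed behaviors into ('malicious' | 'benign', score).

    Behaviors missing from the table still score one point each, so a sample
    cannot look benign merely by doing things the table does not name.
    """
    score = sum(BEHAVIOR_WEIGHTS.get(b, 1) for b in observed_behaviors)
    return ("malicious" if score >= MALICIOUS_THRESHOLD else "benign"), score


@dataclass
class Outcome:
    mode: str
    verdict: str
    score: int
    delivered: bool       # did the user receive the file?
    held_seconds: float   # how long the download was quarantined
    patient_zero: bool    # a malicious file reached a user before the verdict


class SandboxGateway:
    """Proxy front-end for a sandbox in 'tap' (copy-and-forward) or 'inline' (hold) mode."""

    def __init__(self, mode, verdict_latency_s=90.0):
        if mode not in ("tap", "inline"):
            raise ValueError("mode must be 'tap' or 'inline'")
        self.mode = mode
        self.verdict_latency_s = verdict_latency_s  # assumed detonation time
        self.verdict_cache = {}  # sha256 hex digest -> (verdict, score)

    def request_download(self, content, observed_behaviors):
        """Decide what the user gets for `content`.

        `observed_behaviors` stands in for the result of detonating the file;
        it is supplied by the caller so the model runs offline.
        """
        digest = hashlib.sha256(content).hexdigest()

        # A file already classified needs no detonation: both modes can block
        # (or pass) it immediately by hash.
        if digest in self.verdict_cache:
            verdict, score = self.verdict_cache[digest]
            return Outcome(self.mode, verdict, score,
                           delivered=(verdict == "benign"),
                           held_seconds=0.0, patient_zero=False)

        verdict, score = sandbox_verdict(observed_behaviors)
        self.verdict_cache[digest] = (verdict, score)

        if self.mode == "tap":
            # Only a copy went to the sandbox; the original download was never
            # held, so a malicious first sample reaches a user: patient zero.
            return Outcome(self.mode, verdict, score, delivered=True,
                           held_seconds=0.0,
                           patient_zero=(verdict == "malicious"))

        # Inline: the proxy quarantines the file for the full verdict latency
        # and releases it only if the sandbox says benign.
        return Outcome(self.mode, verdict, score,
                       delivered=(verdict == "benign"),
                       held_seconds=self.verdict_latency_s,
                       patient_zero=False)


if __name__ == "__main__":
    # Constructed sample whose behaviors resemble the ransomware profile
    # described in the article.
    sample = b"constructed unknown executable A"
    behaviors = ["mass_file_rename_encrypt", "saturates_all_cpu_cores",
                 "crashes_explorer_repeatedly"]
    for mode in ("tap", "inline"):
        gw = SandboxGateway(mode)
        print(mode, "first download: ", gw.request_download(sample, behaviors))
        print(mode, "second download:", gw.request_download(sample, behaviors))
```

Running it shows the trade-off the article describes: in TAP mode the first download of the malicious sample is delivered (patient zero) and only the second is blocked by the cached hash verdict, while in inline mode the first download is held for the verdict latency and never delivered. The cost of inline mode is that benign unknown files are delayed by the same latency, which is the operational argument for a cloud sandbox that can absorb that wait at scale rather than an appliance that cannot.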
While AV used to be an essential component of a defense in depth strategy, its importance is dwindling to the point where it is little more than a checkbox for an auditor, because it mostly relies on static analysis. With the computing power and tools available today, attackers can continually evade and circumvent the security controls implemented by many AV solutions. A cloud sandbox with SSL inspection offers the best opportunity to detect and block previously unknown threats that traditional AV solutions miss.