Anti-virus is dead.
Or that’s what malware authors would have you believe. Personally I prefer the slightly less gloomy statement: “legacy anti-virus is terminally ill”.
The history lesson
In the golden days of IT security you could count the number of new viruses and malware released into the wild per day on your fingers. Engineers working for anti-virus companies were able to capture and analyse each one and update their products quickly enough to protect most users.
The method of detection used by these products is to generate a “signature”: a pattern, typically a file hash or a distinctive sequence of bytes, that lets the product recognise and remove the malware.
As time marched on, the number of new malware samples released into the wild grew exponentially, outstripping the pace at which anti-virus companies could hire engineers to capture, analyse and write signatures by hand. To solve this, all major vendors developed (or purchased) technology to automate the process. Vast networks of “honeypots” attract and capture malware, which is fed into systems that automatically analyse each sample, produce a signature and publish it for the endpoint anti-virus to download.
In theory this process works, but it has three major issues:
- Time. Capturing a sample, analysing it and distributing the signature takes time: anywhere from 1 to 48 hours.
- AV updates. An anti-virus product cannot protect against the latest malware until it has downloaded a new set of definitions from its update server(s). In today’s mobile workforce, travelling staff may have laptops disconnected from the internet for days at a time, during which countless new malware samples are released.
What’s the first thing most staff do when they get back online after travelling without internet? They check their email, which may well contain a new piece of malware that our weary traveller clicks on, all before the anti-virus product has had a chance to download and install the latest signatures.
- “Sacrificial lamb”. The reality of signature-based anti-virus is that someone, or something (a honeypot), generally needs to be infected before the malware can be detected and protections put in place. If you are unlucky enough to be targeted first, your anti-virus product leaves you defenceless.
Today around 400,000 new malicious programs are seen every single day. The above approach is a numbers game, and eventually your business is going to fall through the cracks and get infected.
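To make the signature model and its gap concrete, here is a toy scanner added for this post (it is not code from any anti-virus vendor, and the sample bodies and the `c2.example` host are constructed placeholders, not real malware or indicators). It holds a hash signature and a byte-pattern signature for one captured sample, then scans three files: the original, a variant with one byte changed, and the same logic obfuscated with a trivial XOR “packer”. The packed variant is only caught once it has itself been captured and a new hash published, which is the sacrificial lamb in code.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-ins for malware bodies (harmless bytes, illustration only).
# The "c2.example" host is a placeholder, not a real indicator of compromise.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"                           # fake PE-style header
    + b"beacon http://c2.example/ping\x00"  # the behaviour a signature writer keys on
    + b"\x00" * 16                          # padding
)

# Variant 1: a single trailing byte changed (what a rebuild or repack does).
VARIANT_SAMPLE = KNOWN_SAMPLE[:-1] + b"\x01"


def xor_pack(data: bytes, key: int) -> bytes:
    """Obfuscate a body with a one-byte XOR key; a crude stand-in for a packer."""
    return bytes(b ^ key for b in data)


# Variant 2: same logic, body obfuscated so neither the hash nor the plaintext
# pattern survives. Only the header is left untouched.
PACKED_SAMPLE = KNOWN_SAMPLE[:4] + xor_pack(KNOWN_SAMPLE[4:], 0x5A)

# Signature database as it stands after the first sample was captured and analysed.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Example.A",
}
PATTERN_SIGNATURES = [
    (re.compile(rb"beacon http://c2\.example/"), "Trojan.Example.Beacon"),
]


def scan(data: bytes) -> Optional[str]:
    """Return the matching signature name, or None if nothing in the database fires."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:          # exact-file match
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES:  # looser byte-pattern match
        if pattern.search(data):
            return name
    return None


def learn_hash(sample: bytes, name: str) -> None:
    """Vendor back end: a captured sample yields a new hash signature for download."""
    HASH_SIGNATURES[hashlib.sha256(sample).hexdigest()] = name


def demo() -> Dict[str, object]:
    """Scan all three samples, then 'capture' the packed one and scan it again."""
    before = {
        "known": scan(KNOWN_SAMPLE),      # hash hit
        "variant": scan(VARIANT_SAMPLE),  # hash misses, pattern still hits
        "packed": scan(PACKED_SAMPLE),    # nothing fires: the first victim is unprotected
    }
    learn_hash(PACKED_SAMPLE, "Trojan.Example.B")  # someone got infected and the sample was analysed
    return {"before": before, "after_capture": scan(PACKED_SAMPLE)}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The one-byte variant shows why vendors moved from file hashes to pattern and heuristic signatures; the packed variant shows the limit of both, since a signature can only describe bytes someone has already seen. Everything in between the first infection and the next definitions download is the window the rest of this post is about.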
Let’s take this a step further and look at what happens if a motivated attacker wants to infect your organisation. For most businesses this can be achieved with just the following steps:
Step one. Obtain a malware sample that has not been used in the wild.
This sounds like it should be difficult, but believe me, this is the easy part. I’ll go into more depth on this point in a future post; for now, trust me that any reasonably capable attacker can achieve it. Remember that around four hundred thousand new malware variants are detected each day.
Step two. Get a user to run the malware.
This is generally done with a bit of social engineering, e.g. sending an email containing relevant information that tricks the user into performing an action or running a file. Company websites and news articles provide a wealth of information about staff names, travel plans and events the company is taking part in.
It doesn’t take much imagination to picture a scenario where an attacker learns from a recent news article that CompanyX is taking part in EventY, and sends a sales manager a malicious email along the lines of:
In preparation for the upcoming EventY, John has asked me to send you the event timeline.
I’ve attached it to this email, and I look forward to seeing you and Sam there on the day!
Judy – Sales manager for CompanyX (name taken from company website)
John – Business owner of CompanyX (name taken from company website)
Sam – Salesman for CompanyX (name taken from company website)
It seems simple, but with the email personalised with accurate names and built around a real event, it would take an exceptionally switched-on staff member not to open the attachment. In most cases this form of targeted attack results in successful execution of the malware.
Your data now belongs to the attacker. The attacker may do a “hit and run” by encrypting your files and demanding a ransom for the keys, or they may take a much more insidious road and lie in wait, reading all of your company data (financials, tender documents, proposals etc.) and causing your business untold damage.
Where was your anti-virus during all of this?
It was happily sitting there telling you that everything was up to date and you were protected. Because the malware had never been seen in the wild, there was no signature for it, so the product had no way of detecting the infection.
Now for the good news. There is a solution!
Imagine a product that, instead of relying on static signatures, uses artificial intelligence to examine each and every program run on a computer. Drawing on its prior training, it can recognise what a bad program looks like despite never having seen that particular one before. Such a product would not require daily (or hourly) signature updates and could run unchanged on air-gapped (no internet) networks.
This product exists, and Advantage is deploying it now.
Give us a call and we can show you a live demonstration of this technology. It has to be seen to be believed!