For the last 30 years the computer security industry has been dominated by antivirus. Companies like Symantec are worth billions of dollars, and their products are deployed across millions of enterprise machines. For the average home user products like your typical antivirus may be enough, though I wouldn’t count on it alone. When it comes to an enterprise environment AV technology is critically flawed, and incapable of handling the threats presented to it.
An antivirus is based on the idea that if you can analyze malware from the past you can detect malware in the future. It’s a simple idea, and it can be effective for massive campaigns that are meant to be spread out across as many users as possible, because attackers only have time to create one payload, and then ‘crypt’ it, and try to avoid detection through automated means.
Basing security on research having to do with ‘in the wild’ malware is something I’ve talked briefly about on Twitter. I’d like to expand on that. When you build a security product around the threat landscape, and when you focus your research on the current threat landscape, it will probably be outdated by the time you publish it. For one thing, malware campaigns change drastically from country to country – trying to average it out or boil it all down is going to be way too broad to be useful. On top of that, malware is constantly changing. We see new threats, drastically new threats even, every year. In the last few years some of the most advanced atypical malware has been discovered, and there are many people who believe this will continue. So for research to talk about ‘the now’ in a field that is so fast paced, to me, is a waste of time.
In the case of what has been dubbed ‘Advanced Persistent Threats’ (APT), an oft overused term, the threats are targeted to the intended victims. Instead of attacking the world you go after a company. The effort involved in a targeted attack is greater, and it may take more time, but the payout can be estimated as ‘10x’ what a mass campaign would be. Beyond pure monetary gain there are also other motivators, such as belief in a cause – hacking as a form of activism is referred to as ‘hacktivism’, and it has become far more prominent over the last few years.
If we take what we know about an AV, that it must rely on detection, and that the detection it uses relies on analyzing past malware, it isn’t difficult to see how a highly targeted attack would bypass it. Simply by virtue of being targeted, and new, an attacker will have a massive advantage against any antivirus. This has been shown many times, but most recently we can see this demonstrated through the New York Times. As some of you may know the New York Times was recently hacked, and they reported on the findings surrounding the incident. One highlight from the piece:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
To put it bluntly, Symantec failed somewhat miserably. But you can’t really blame a product like theirs for being ill equipped at dealing with something so outside of what it’s meant to deal with. And I don’t think any other antivirus would have done all that much better – they’re simply not able to deal with these situations.
This is one of quite a few cases. Zero-Day exploits are being sold to governments, and those governments are in turn hacking each other’s citizens. There has been evidence in the past that exploits shown by Vupen, and purchased by their customers, have been used in the wild. Stuxnet, Duqu, Flame, all advanced pieces of malware delivered through advanced exploits, and they infected numerous users. And it took a very long time for antivirus vendors to catch on to them and create definitions for them.
So this really begs the question – is this ‘era of antivirus’ finally over? The antivirus industry has been dominated by a very specific type of program, is that really going to change?
The answer is complicated, it’s one of those annoying ‘yes and no’ situations. Obviously antivirus is a terrible addition to your security, and in my own opinion it’s far more of a burden than a benefit, but that doesn’t mean it’s going anywhere. There are no decent replacements. If we dump the antivirus we’re left with, god forbid, Firewalls – another massive waste of money that companies like to pour resources into.
Some replacements have cropped up. Nothing impressive… at all. Various products take different approaches, a few even implement sandboxes, but they’re pretty pathetic and feel very ‘thrown together’. Comodo Internet Security is a very ‘different’ product – it’s a HIPS and AV built around their Firewall. While it can in theory be used to protect against APT, there is absolutely no way it will in practice; anyone who has tried using it will be able to attest to that. And most other products suffer from the same issues: OK in theory, horrible in practice.
Beyond all of that, companies aren’t run by security experts. Hell, even IT teams aren’t run by security experts. I happen to go to a school that has a focus on computer security, and even it focuses on the wrong topics (though it’s far better than most). Reflecting this is the culture surrounding security incidents. You generally have two responses:
1) Blame some user somewhere for clicking something
2) Invest in more expensive Firewalls and other useless security software that has failed time and time again (I don’t hate Firewalls, I hate Firewall businesses)
So I wouldn’t expect the response to actually be, you know, productive in some way. So even if there were products to fill the gap that AV would leave it would make no difference, IT is broken.
I hope to personally kill the AV one day, and I’ll be happy when it’s dead. Detection isn’t a bad thing, testing against current threats isn’t a bad thing, but god damn do not make it the core of your product. I’ve seen so many pathetically insecure products touting how great they are just because, oh my god, they can block some generic malware – not too impressive.
Security is, as always, about principles. Some things are universal – entropy, uncertainty, least privilege. You know what makes APT hard? When an attacker doesn’t know what they’re up against, when a remote attack might fail. There is nothing scarier to a hacker than a potentially failed attack – if a system gets accidentally DOS’d, as opposed to hacked, the IT team is going to be on alert. Security research should focus on further implementation of these principles, not on how to stop yesterday’s malware using techniques from the late 80’s.