Time to change strategies – Malware increasingly written to be invisible to traditional antivirus

September 14th, 2018

Recently I read an interesting article on malware development techniques. SentinelOne, Cisco AMP, and other antivirus products rely on the VirusTotal clearinghouse, a service backed by approximately 67 antivirus vendors. Various antivirus and advanced endpoint products upload suspicious programs to ask, "is this a virus?". You get a score back of x/67, where x is the number of vendors that judge the file to be malicious. The higher the score, the more certain you are that it is malware.

The article stated that the bad guys are consciously uploading their malicious code in advance to VirusTotal and other online analysis tools to get it scored! They use this to validate that they have written code that is undetectable by the major antivirus vendors. A 2015 report said there were approximately 1,500 cases of malware code being uploaded in advance to test its detectability! Once they have a decent score, they release their malware.


Two recent attacks in March on Microsoft and Adobe were short-circuited because the pre-release malware code was found when it was submitted for proof-of-concept testing before the attack.


This clearly illustrates the importance of retrospective functionality, where machine learning is used to re-analyze software that you have already cleared as safe. If the verdict from the previous scan has changed, the Advanced Endpoint Protection product immediately changes its position and blocks the code, kills it, and/or maps where it is in your network.
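To make the retrospective idea concrete, here is an added example (my illustration, not code from the original post or from any vendor's product): a verdict history keyed by the hash of each executed file, which, when a later intelligence update flips a previously cleared hash to malicious, returns every host that already ran it. All hashes, hosts and timestamps below are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample "files"; a real agent would hash what actually executed.
UPDATER = hashlib.sha256(b"constructed sample: vendor updater build 1").hexdigest()
LOADER = hashlib.sha256(b"constructed sample: unknown loader build 7").hexdigest()

# Constructed execution telemetry: (time, host, file hash, verdict at scan time).
# A low multi-engine score on first sight is recorded as "clean".
TELEMETRY = [
    ("2018-09-01T08:00Z", "ws-01", UPDATER, "clean"),
    ("2018-09-01T08:05Z", "ws-02", LOADER, "clean"),  # e.g. 0/67 when first seen
    ("2018-09-03T11:40Z", "ws-07", LOADER, "clean"),
    ("2018-09-04T09:10Z", "ws-02", UPDATER, "clean"),
]

class VerdictStore:
    """Remembers the first verdict for each hash and every host that ran it."""
    def __init__(self):
        self.verdict = {}
        self.seen_on = defaultdict(list)

    def record(self, ts, host, digest, verdict):
        self.verdict.setdefault(digest, verdict)
        self.seen_on[digest].append((ts, host))

    def update_intel(self, digest, new_verdict):
        """Apply a later verdict; if a file cleared earlier flips to malicious,
        return the hosts that already ran it (the retrospective alert)."""
        old = self.verdict.get(digest)
        self.verdict[digest] = new_verdict
        if old == "clean" and new_verdict == "malicious":
            return sorted({host for _, host in self.seen_on[digest]})
        return []

def retro_alerts(telemetry, intel_updates):
    """Replay telemetry, apply intel updates, return {hash: hosts to revisit}."""
    store = VerdictStore()
    for row in telemetry:
        store.record(*row)
    alerts = {}
    for digest, verdict in intel_updates:
        hosts = store.update_intel(digest, verdict)
        if hosts:
            alerts[digest] = hosts
    return alerts

if __name__ == "__main__":
    # Constructed intel: days later the loader's score jumps; the updater stays clean.
    print(retro_alerts(TELEMETRY, [(LOADER, "malicious"), (UPDATER, "clean")]))
```

The same store can be fed by a live agent; the point is that the hosts to revisit come from the execution history, not from a new scan.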


The fact that the bad guys are using the very tool we use to ask, "is this a thing?" to beat antivirus engines is further proof that traditional antivirus is increasingly flawed. We must have a layered defense that looks for behaviors in addition to traditional methods, and that revisits what we thought we knew then based upon what we know now. That is machine learning. That is why Advanced Endpoint Protection is replacing traditional antivirus at a rapid rate.


This brings up the next question we hear from our clients. They don't have time for one more tool alerting them that something is wrong. They are up to their eyeballs trying to deal with their normal workload. If something bad takes hold, they may not be paying attention 24x7x365, and even if they are, they may not know how to respond in a timely manner.


The cybersecurity industry is evolving toward Security Operations Centers (SOCs). These are teams of skilled cybersecurity experts who watch all the data flowing from all the endpoints, along with the analytical databases used to determine whether an outbreak is happening.


When something bad happens, the SOC team notifies the client of the attack and then actually steps in to remediate it.


Depending on the OS version and the Advanced Endpoint Protection software chosen, this may include actually rolling back the infection so it never happened. Detect and Respond is part of the SOC service, which also includes the Advanced Endpoint Protection client.


CSI offers Paladin CyberSentinel services to watch over your network at a much higher level than up/down and basic hardware failures. One of our offerings is CyberSentinel Endpoint Detect & Respond (EDR). This AEP solution provides not only the endpoint client but also the SOC team watching over your endpoints and directly intervening to shut down and remediate an actual attack.


We have CyberSentinel Endpoint Detect & Respond deployed in our office. I have innocently deployed "software updates" only to be contacted by the SOC team wondering about suspicious behavior that isn't normal. I witnessed the SOC team be alerted to an attack on my workstation, immediately step in and kill the attacker, and roll back my workstation to pre-infection levels without me doing anything or calling anyone! In the Windows environment, this rollback feature is done through a hardened version of Volume Shadow Copies, securely stored to undo whatever damage was just done by the malware infection.


While not the only solution, it is another layer of the overall cybersecurity defense.


More and more clients are replacing or supplementing traditional antivirus with Advanced Endpoint Protection to add this next level of security to their networks.


If you'd like to explore how an advanced endpoint product combined with a team of skilled cybersecurity professionals can better watch over your network endpoints, let's talk about how it would fit into your environment.