This week there have been articles popping up all over the Internet with quotes from a Symantec executive stating that antivirus software is DEAD. The articles state that antivirus solutions are only catching about 45% of cyber attacks. Both the Wall Steret Journal and Brian Krebs (Krebs on Security) posted great articles on the topic and the current state of antivirus solutions.
Given the inability of antivirus to provide sufficient protection against attacks, we must take extra steps to ensure that our networks and systems are safe from cyber intruders. This is where defense in depth comes in. We need multiple methods to detect and prevent a cyber attack.
One of the hot topics currently floating around is Indicators of Compromise. The idea behind this is looking for those tell-tail signs that something is wrong, so you can react and remediate any existing issues. I thought it coincidental that the SANS monthly security awareness newsletter, OUCH!, discussed some indicators of compromise.
The indicators they covered included:
- Alerts from your antivirus application, especially if it couldn't remove or quarantine the infection
- Unexpected change in your web browsers homepage
- Web browser takes you to a page you didn't intend to visit
- Unexplained user accounts are created on your system
- Unexplained programs are installed and running on your computer
- Abnormal behavior in the performance of your computer (crashes and/or runs slow)
- Random requests for authorization when you aren't installing or updating applications
- Alerts from your firewall for applications requesting access to the Internet
Many of these indicators are pretty obvious and should raise flags right away. But the point of the articles about antivirus being dead is that things are going undetected. Attackers are becoming more sophisticated and advanced in their techniques. The goal is to avoid all detection and go completely unnoticed. These are the attacks we need to worry about and figure out how to identify.
The key to detecting those attacks designed to go undetected is to know your network, know your traffic, and know your users. If you can establish a base line of whats expected on your network then you can begin to identify things out of the norm and investigate. When dealing with expert attackers you can't hope to find obvious signs of their presence. You must look for subtle variations in your network and systems.
You must look for the evidence that they can't hide, mainly anomalies in user behavior. An attackers activities will look drastically different than your normal users. You can use this fact to identify potentially compromised systems. When you see things that don't add up, you investigate. This strategy works great when you monitor network traffic statistics. Tops things to look for include:
- Number of outbound connections
- Average length of connection
- Total amount of data transferred
- Percent of encrypted data
By monitoring these simple statistics for each host within your network you can identify who are the top offenders for each one and then see which hosts each list has in common. The more lists a particular host is found on, the more likely that something is wrong and the host has been compromised.
Reaction time is crucial for containing a security incident. The more insight you have into the workings of your network the faster you can identify a problem and address it. The more layers you employ for defense, the more indicators of compromise you will have. Even though the effectiveness of antivirus is falling, it can still be useful. We just need to recognize its limitation and augment our security efforts with other techniques that can cover the blind spots of antivirus solutions.