Today everyone has a favorite application for antivirus and everyone you ask will have a story about how their AV “saved them from an attack”. As a lover of analogy, I immediately draw a comparison to cars and collision avoidance technology. Today almost every new car comes with some sort of automatic emergency braking technology. What separates one from the other lies in the details. Similarly with Anti-Virus software, the devil is in the details.
Let’s start with some background. What is an antivirus application? First off, the name is incorrect. We should be calling it Anti-Malware software, because the broader category of bad software is called malware. This includes Viruses, Trojans, Keyloggers, Adware, and several other less common categories. The goal of anti-malware software is to detect, block, and remove malware (if the machine is already infected). Unfortunately, most traditional Anti-Malware software will only detect and alert. This is because today’s threats ingrain themselves deep into the operating system.
Traditional Anti-Malware software would rely on detecting known bad software. This was highly effective at the time, as the internet was in its infancy and the time from initial infection to the time the attacker could exploit the machine was much longer. This is mainly attributable to two key reasons. The first is that most people and businesses had slow internet connections or even a dial-up modem, which meant they were not always connected. Therefore, the platform for an attack was only available while the user was online. The second reason was that users only required their computers on occasion, and in between they would keep them mostly powered off. A PC that was off was inaccessible because, at the time, out-of-band management software didn’t exist.
All of these reasons made it safer for end-users and more difficult for the attacker. However, as the internet became more popular and more accessible, the growing internet speeds increased the number of always-on devices, which decreased the amount of time and effort required to launch a successful attack. That made the traditional Anti-Malware approach obsolete. This was also coupled with the end-users’ endless search for more speed. Because traditional Anti-Malware needed to perform “a scan” of the files on the PC to detect threats, the PC was virtually unusable while it was scanning. This was largely because of the slow hard drives of the time but also because of the scanning mechanism.
The fatal blow to traditional Anti-Malware came when threats began to use a technique called polymorphism. The traditional approach relied on a file signature called a hash, which is unique to every file, akin to a digital fingerprint. These threats would simply append a random digit to the end of their source code to create a different hash. Therefore, if a file was marked as malicious by the Anti-Malware solution, the added code would result in a new hash, which had not yet been detected as malicious. To evade detection and to stay one step ahead of the defenders, this malware would constantly change its hash. Thus the term polymorphic malware. Today, almost all malware includes a polymorphic component.
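The following is an added example, not code from the original article or from any product. It shows why a whole-file hash blocklist misses a file with one digit appended, and goes one step beyond the text by contrasting it with a simple sliding-window content check, a simplified stand-in for content-based matching; the sample bytes, window size and threshold are constructed assumptions.

```python
import hashlib

WINDOW = 16       # bytes per sliding window (small, to suit the short samples)
THRESHOLD = 0.8   # share of known-bad windows that must reappear (assumed value)

# Constructed, inert byte strings standing in for real files.
KNOWN_BAD = b"CONSTRUCTED SAMPLE - inert placeholder bytes standing in for a flagged file"
VARIANT = KNOWN_BAD + b"7"   # same content with one digit appended
BENIGN = b"Quarterly report: revenue grew and nothing else of note happened this time."


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def windows(data):
    """Hashes of every WINDOW-byte slice, so a shift in offset does not matter."""
    return {sha256_hex(data[i:i + WINDOW]) for i in range(len(data) - WINDOW + 1)}


BLOCKLIST = {sha256_hex(KNOWN_BAD)}     # what a hash-only scanner stores
KNOWN_BAD_WINDOWS = windows(KNOWN_BAD)  # what the content check stores


def exact_match(data):
    """Traditional check: is the whole-file hash on the blocklist?"""
    return sha256_hex(data) in BLOCKLIST


def containment(data):
    """Fraction of the known-bad sample's windows that also occur in data."""
    return len(KNOWN_BAD_WINDOWS & windows(data)) / len(KNOWN_BAD_WINDOWS)


def scan(data):
    if exact_match(data):
        return "known-bad (exact hash)"
    if containment(data) >= THRESHOLD:
        return "suspicious (content overlaps a known-bad file)"
    return "no match"


if __name__ == "__main__":
    for label, sample in [("original", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:8} sha256={sha256_hex(sample)[:12]}  {scan(sample)}")
```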
So, if you can’t stop threats based on their signature, what is the solution? The next phase of the battle against malware came in the form of NG-AV (Next-Generation Anti-Virus). Again a misnomer, due to the common misconception that virus is the broader category of classification. NG-AV was a huge advancement: by adding heuristics, or behavioral analysis, and machine learning to the traditional approach, we now had a multi-step approach to fight threats.
The fight became about identifying suspicious behavior rather than focusing on identifying the file that caused it. If a file acted suspiciously, it was quarantined. Along with this approach came several usability improvements, chief among them the way in which whitelisting was performed. Rather than only being able to whitelist a file by name, folder path, or hash, we could now whitelist the developer of the application. This would allow all future updates by the developer to continue working.
Malware authors were quick to adapt to this security measure and focused their attack efforts on developers directly. The goal was to inject malicious code into a whitelisted application so that they could maintain persistence.
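The whitelisting trade-off described in the two paragraphs above, as an added example that is not from the original article or any vendor's product: a small allowlist evaluator with name, path, hash and publisher rules, run over constructed file records. The product, path and publisher names are hypothetical, and signature verification is assumed to have happened elsewhere and is represented by a boolean.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileRecord:
    name: str
    path: str
    content: bytes
    publisher: Optional[str]  # signer named in the code signature, if any
    signature_valid: bool     # outcome of signature verification, assumed done elsewhere

    @property
    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()


def matching_rule(f, rules):
    """Return the first (kind, value) allowlist rule that admits f, else None."""
    for kind, value in rules:
        if kind == "name" and f.name == value:
            return kind, value
        if kind == "path" and f.path.startswith(value):
            return kind, value
        if kind == "hash" and f.sha256 == value:
            return kind, value
        # A publisher rule only counts when the signature actually verified.
        if kind == "publisher" and f.signature_valid and f.publisher == value:
            return kind, value
    return None


# Constructed records; the product, path and publisher names are hypothetical.
PUB = "Example Software Ltd"
PATH = "C:\\Program Files\\Acct\\acct.exe"
V1 = FileRecord("acct.exe", PATH, b"release 1.0", PUB, True)
V2 = FileRecord("acct.exe", PATH, b"release 1.1", PUB, True)        # routine update
ALTERED = FileRecord("acct.exe", PATH, b"release 1.2 + injected code", PUB, True)
UNSIGNED = FileRecord("acct.exe", PATH, b"look-alike", PUB, False)  # claims PUB, not verified

HASH_POLICY = [("hash", V1.sha256)]
PUBLISHER_POLICY = [("publisher", PUB)]

if __name__ == "__main__":
    for label, f in [("v1", V1), ("v2", V2), ("altered", ALTERED), ("unsigned", UNSIGNED)]:
        print(label, "hash policy:", matching_rule(f, HASH_POLICY) is not None,
              "| publisher policy:", matching_rule(f, PUBLISHER_POLICY) is not None)
```

The update passes only under the publisher rule, and so does the altered build: a publisher rule moves the trust decision to the developer's build and signing process, which is why recording the matched rule for each allowed file is useful for later review.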
In order to keep pace with the threat landscape, the Anti-Malware solutions developed a tool called EDR. EDR stands for Endpoint Detection and Response. The key function of this tool was to provide detailed analysis of behavior, allowing security analysts to increase their visibility into endpoints and to allow a technique known as threat hunting, or looking for threats proactively.
This brings us to where we are today. Today, there are many capable Anti-Malware applications on the market. Many of them integrate next-gen capabilities and many of those integrate EDR. When EDR is managed by a security team, that product is referred to as MDR, Managed Detection and Response. The question, just as with a car, becomes what technology is best and who is behind the wheel. The better the technology, the better your chances of keeping safe. The better the team reviewing the alerts and hunting threats, the safer your environment. So your goal should be to combine both.
Don’t wait until the threats find you!!! All of our Data Protection Plans include MDR, so head over to our Data Protection Services page for more info.
Have more questions? Contact us to see how Managed Detection and Response can help keep your employees and your data safe.
© 2020 Iospa Tech LLC. All Rights Reserved. Various trademarks held by their respective owners.