Assessing the Effectiveness of Antivirus Solutions
Amichai Shulman, CTO, Imperva
© 2013 Imperva, Inc. All rights reserved.


DESCRIPTION

How well do antivirus solutions defend against newly created viruses? The answer may surprise you. This presentation evaluates the ability of antivirus solutions to react to newly created viruses, explores the window of opportunity that exists before antivirus solutions begin to detect new viruses, illustrates how targeted malware of limited distribution can elude detection for months or years, and explains how misguided compliance mandates create over-investment in antivirus solutions within security budgets.


Page 1: Assessing the Effectiveness of Antivirus Solutions (Amichai Shulman, CTO, Imperva, 2013)

Page 2: Agenda

Modern Malware and Compromised Insider Threat
Our Study
Comparing Spend to Threat
Summary and Conclusions

Page 3: Amichai Shulman – CTO Imperva

One of InfoWorld’s “Top 25 CTOs”
Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on info security
+ Technion - Israel Institute of Technology
Former security consultant to banks and financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
  – Credited by Oracle, MS-SQL, IBM and others

Page 4: Modern Malware and Compromised Insiders

Page 5: In Recent Events …

Saudi Aramco
+ Malicious Insider
+ 30,000 computers hacked
+ Full service disruption
Global Payments
+ Compromised Insider
+ 1.5M payment cards compromised

Page 6: Case Study

Page 7: Some APT Statistics

Malware        Type       Total number of infections  Operating since (estimated)  Discovered   Undetected duration [years]
Stuxnet 2009   Sabotage   ?                           June 2009                    ~June 2010   1
Stuxnet 2010   Sabotage   >300K                       March-April 2010             June 2010    0.16
Duqu           Espionage  ~50-60                      April 2011                   Oct 2011     0.5
Wiper          Sabotage   Tens                                                     April 2012
Flame          Espionage  ~5000-6000                  Aug 2008                     May 2012     ~4
Gauss          Espionage  ~2500                       Aug – Sep 2011               June 2012    ~1
Narilam        Sabotage   ?                           2010                         Nov 2012     3
GrooveMonitor  Sabotage   ~10                                                      Dec 2012
Red October    Espionage  ~200                        May 2007                     Jan 2013     5.5

Page 8: Compromised Insider Defined

Compromised Insider: a third party who gains access and acquires intellectual property and/or data in excess via client infection. The clients, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.

Page 9: Malware: Compromised Insiders on the Rise

2012 Verizon Data Breach Report
+ Malware is on the rise: “69% of all data breaches incorporated Malware”… a 20% increase over 2011.
+ Malicious insider incidents declining: “4% of data breaches were conducted by implicated internal employees”… a 13% decrease compared to 2011.

Director of National Intelligence
+ “Almost half of all computers in the United States have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.

Page 10: Putting Things in Perspective

“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders

Page 11: Anatomy of a Modern Malware Attack

Page 12: Where Do They Attack?

Multimillion dollar datacenter: well protected.
End-user devices and the user: not well protected.
Both access the same data.

Page 13: Distribution

Phishing / Spear Phishing
Drive-by-download
Malvertizement
BlackHat SEO

Page 14: Distribution – The Unbearable Ease of Targeting

Page 15: Distribution – The Unbearable Ease of Targeting

Page 16: Industrialized Approach

Specialized frameworks and hacking tools such as BlackHole 2.0 and others allow easy setup for host hijacking and phishing.

How easy is it? For $700, a 3-month license for BlackHole is available online. Support included!

Page 17: Modern Malware – Key Differentiators

Modular Design
+ Almost any function can be replaced at any time
Robust C&C and Collection Infrastructure
+ Relies on web communications
+ Server redundancy, fast flux DNS, bulletproof hosting, etc.
Versatile Payloads
+ Data extrusion, backdoor and remote control, outbound activities (attack, spam), destruction
Sophisticated Infection Infrastructure
+ Drive-by-download & spam
+ Infection kits

Page 18: The Study

Page 19: The Study

“The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.”
- The New York Times 12/31/2012

Sources: New York Times: Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt, http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?pagewanted=all&_r=0

Page 20: Assessing Antivirus Solutions

Imperva found that less than 5% of anti-virus solutions in the study were able to initially detect previously non-cataloged viruses.

For certain vendors, it may take up to four weeks to detect a new virus from the time of the initial scan.

Page 21: Methodology

Collect malware samples from the web
+ ~80 samples were collected
+ Samples are left untouched
Test against multiple AV products over time
+ ~40 products
+ Test at 1 week intervals
Analyze
+ Consider only “consensus” malware
+ Consensus = more than 50% of products at the end of the testing period

Page 22: Methodology - Collection

Anonymous proxy traffic
+ Attackers upload and share malware
+ Took me 3 hours of repeating this exercise before hitting the first ZeroAccess sample not detected by AV
Google searches
+ Look for executable files with specific names
(Softcore) Hacker forums

Page 23: Methodology - Collection

Page 24: Methodology - Collection

Page 25: Methodology - Collection

Program for hacking ICQ
Program for hacking e-mail
Program for hacking Skype
Program for hacking accounts on Russian social networks

Page 26: Methodology - Testing

Using a public API exposed by VirusTotal.com
“VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.”*
Record findings per product

*https://www.virustotal.com/about/

Page 27: Methodology - Testing

Page 28: Methodology - Testing

Page 29: Methodology - Testing

Page 30: Methodology - Testing
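The weekly re-scan and consensus analysis described on pages 21 and 26, and the per-product "weeks until detection" figure charted on page 32, written out as an added Python example; this is illustration code, not Imperva's own tooling. Each weekly result is modelled as a report with a 'scans' mapping of engine name to a 'detected' flag, the shape of a VirusTotal v2 file report, so that swapping in real API responses would be a one-line change. The engine names, the four samples and their week-by-week verdicts are constructed here so the code runs offline; the consensus rule is applied exactly as on page 21 (a sample counts only if more than 50% of the products flag it in the last run), and lag is counted in weekly runs from the first scan.

```python
"""Consensus-based analysis of repeated antivirus scans (added example)."""
from statistics import mean

# Hypothetical engine names; a real run would use the names VirusTotal returns.
ENGINES = ["EngineA", "EngineB", "EngineC", "EngineD"]


def make_report(detecting):
    """Build a minimal report in the shape of a VirusTotal v2 file report:
    a 'scans' mapping of engine -> {'detected': bool} plus the counters."""
    return {
        "scans": {e: {"detected": e in detecting} for e in ENGINES},
        "positives": len(detecting),
        "total": len(ENGINES),
    }


# Constructed data: one report per weekly run (index 0 = first run) for each sample.
WEEKLY_REPORTS = {
    # caught by one engine at once, by all four after four weeks
    "sample_1.exe_": [make_report(s) for s in (
        {"EngineA"}, {"EngineA", "EngineB"}, {"EngineA", "EngineB", "EngineC"},
        {"EngineA", "EngineB", "EngineC"}, set(ENGINES))],
    # missed by everyone for two weeks, 3 of 4 engines at the end
    "sample_2.exe_": [make_report(s) for s in (
        set(), set(), {"EngineB"}, {"EngineB", "EngineC"},
        {"EngineB", "EngineC", "EngineD"})],
    # only one engine ever flags it: below consensus, excluded from the statistics
    "sample_3.exe_": [make_report({"EngineA"}) for _ in range(5)],
    # exactly 50% at the end: not "more than 50%", also excluded
    "sample_4.exe_": [make_report(s) for s in (
        set(), set(), {"EngineA"}, {"EngineA"}, {"EngineA", "EngineB"})],
}


def detecting_engines(report):
    """Engines whose verdict in this report is 'detected'."""
    return {e for e, r in report["scans"].items() if r.get("detected")}


def consensus_samples(weekly_reports, threshold=0.5):
    """Samples flagged by more than `threshold` of the engines in the last run."""
    selected = set()
    for name, runs in weekly_reports.items():
        last = runs[-1]
        if len(detecting_engines(last)) / len(last["scans"]) > threshold:
            selected.add(name)
    return selected


def initial_detection_rate(weekly_reports, samples):
    """Share of (engine, sample) pairs caught in the first run, plus per-engine counts."""
    per_engine = {e: 0 for e in ENGINES}
    for name in samples:
        for e in detecting_engines(weekly_reports[name][0]):
            per_engine[e] += 1
    caught = sum(per_engine.values())
    return caught / (len(ENGINES) * len(samples)), per_engine


def weeks_to_detect(weekly_reports, samples, engine):
    """For each consensus sample the engine missed in the first run, the number of
    weekly runs until it first flagged it (None if never within the test period)."""
    lags = {}
    for name in sorted(samples):
        runs = weekly_reports[name]
        if engine in detecting_engines(runs[0]):
            continue  # caught initially: no lag to measure
        lags[name] = next(
            (week for week, r in enumerate(runs) if engine in detecting_engines(r)),
            None)
    return lags


def mean_weeks(weekly_reports, samples, engine):
    """Mean lag over the samples the engine eventually caught; None if it caught none."""
    caught = [w for w in weeks_to_detect(weekly_reports, samples, engine).values()
              if w is not None]
    return mean(caught) if caught else None


if __name__ == "__main__":
    consensus = consensus_samples(WEEKLY_REPORTS)
    rate, per_engine = initial_detection_rate(WEEKLY_REPORTS, consensus)
    print(f"consensus samples: {sorted(consensus)}")
    print(f"initial detection rate: {rate:.1%} {per_engine}")
    for engine in ENGINES:
        print(engine, weeks_to_detect(WEEKLY_REPORTS, consensus, engine),
              "mean weeks:", mean_weeks(WEEKLY_REPORTS, consensus, engine))
```

Two details matter when reproducing the study's numbers: samples that never reach consensus (sample_3, sample_4) are dropped before any rate is computed, so a vendor is not penalised for ignoring a file the industry never agreed was malicious, and a sample the engine still misses at the end of the period is reported as None rather than silently capped at the last week, which is the case the page-32 chart cannot show.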

Page 31: Detection Rates

Detections (#) and detection rate (%) per VirusTotal scan date, as listed on the slide.

Virus Name                                    24/07/2012      26/06/2012
                                              #    %          #    %
CCFFacebookSetup-v1.45.exe_                   17   41.5       15   35.7
ccn.exe_                                      18   43.9       15   35.7
CHAT.EXE_                                     22   57.9       19   46.3
CoralExplorer_200401.exe_                      3    7.3        3    7.1
Crack-Neobot.exe_                             13   31.7       12   28.6
CRNI.zip_                                     36   87.8       36   85.7
denied.shtml_                                  5   12.2        5   12.2
directory.exe_                                31   75.6       32   76.2
erluofang.exe_                                25   61.0       25   59.5
extracticon.rar_                              18   43.9       21   50.0
Facebook filter v0.01.exe_                    12   29.3       15   35.7
favicon.ico_                                  36   87.8       36   87.8
FBWallFlooder_sean013.zip_                     3    7.3        3    7.1
flashplayer10.exe_                            24   58.5       26   61.9
Fraps v3.2.4 Registered.exe_                  22   53.7       21   51.2
G-Force1.5.exe_                               18   43.9       15   35.7
GoldenEye.exe_                                28   68.3       27   64.3
Google setup.exe_                             20   48.8       20   47.6
helpdesk.exe_                                 11   26.8       10   24.4
INFO.RAR_                                     34   85.0       35   83.3
Internet Download Manager v6.05 Full.rar_     34   82.9       32   76.2
javaupdate.exe_                               31   75.6       32   76.2
killer_cdj.exe_                               14   34.1       12   29.3
machine_sample.exe_                           30   73.2       30   71.4
mirc635ru.exe_                                15   36.6       16   38.1
mms.jar_                                      26   68.4       29   69.0
ocx.rar_                                      23   56.1       24   57.1
OPALA.rar_                                    34   82.9       33   78.6
OpenTab-install.exe_                          20   48.8       19   45.2
ovh-professional-setup.exe_                    9   22.0        8   19.5
pdf_trk_invoice.zip.carefull_                 31   75.6       30   71.4
Police.exe_                                   10   24.4        9   21.4
product.exe_                                  30   73.2       27   64.3
q3j2xh7qtqmq.jpeg_                            31   75.6       31   73.8
qip8095.exe_                                  24   58.5       21   50.0
RECYCLER.RAR_                                 35   85.4       34   81.0
reg.zip_                                      17   41.5       13   31.0
sample_9275.exe_                              28   70.0       29   69.0
sample_ebook_2006.exe_                        12   30.0       13   31.7
scandsk.exe_                                  30   73.2       22   52.4
setup.exe_                                    28   68.3       29   69.0
setup1.exe_                                   30   73.2       29   69.0

Page 32: Number of Weeks Required to Identify Infected File not Identified in First Run

[Chart; y-axis: weeks (0 to 4.5); x-axis: Kaspersky, Trend-Micro, Symantec, Avast, McAfee]

Page 33: Viruses Detection between First and Last Run, by Anti-Virus Vendor

[Chart; y-axis: number of viruses (0 to 70), by anti-virus vendor]

Page 34: Rate of Detection Over Time – Widespread Malware

[Chart; y-axis: detection rate (0 to 0.9); x-axis: 07-Aug to 23-Aug in two-day steps]

Page 35: Sample Drill Down

Google_setup.exe

Page 36: Sample Drill Down (cont.)

Initial analysis by VirusTotal
+ February 9th, 2012
Results by the end of testing period (August 2012)
+ 20/42
Results by November 2012
+ 23/42

Page 37: Security Spend vs. Threats

Page 38: Security Spending by Market Share

2001: 1. Anti-virus  2. Firewall/VPN  3. Content Filtering  4. IDS/IPS
2011: 1. Anti-virus  2. Firewall/VPN  3. Secure Email/Web  4. IPS

Security Solutions          2002      % of Spending   2012      % of Spending
Anti-virus                  $ 1.4B    59%             $ 7.9B    33%
Firewall                    $ 389M    16%             $ 6.7B    28%
Intrusion Detection System  $ 161M    7%              $ 1.5B    6%
Content Filtering           $ 291M    12%             $ 2.4B    10%
SIEM                        $ 70M     3%              $ 1.2B    5%
Other                       $ 99M     4%              $ 4.1B    17%
Total Spending              $ 2.4B    100%            $ 23.8B   100%

Page 39: Security Spending is Disproportional

[Chart comparing Threat vs. Spend, 0% to 100%]
In 2011, 83% of data breached was taken from web apps or databases.
Over 95% of the $27B spent on security went to traditional security products.

Sources: Verizon Data Breach, 2011 and Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016

Page 40: The Antivirus Vendors’ View

Hackers Exploit 'Zero-Day' Bugs For 10 Months On Average Before They're Exposed
http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/

Page 41: Recommendations

Page 42: Typical Attack Timeline

Reconnaissance
Initial intrusion into the network
Establish a Backdoor into the network
Obtain User Credentials
Install Various Utilities
Privilege Escalation / Lateral Movement / Data Exfiltration
Maintain Persistence

Page 43: Protect and Monitor the Cheese

The Problem: most organizations chase the mice and don’t focus enough on protecting the cheese.

Much of the security budget is spent on:
+ Malware detection
+ Virus prevention

Front-line/end-user defenses must be 100% accurate: if only one mouse gets past them, the cheese is gone.

Page 44: Step 1: Know What Users Do With Data

Classify Sensitive Information
+ Identifying the information within the corporate databases and file servers allows understanding of the risk and severity of data access.
Persistent Security Policy
+ A good security policy will allow you to put compensating controls in place without disrupting business needs, while maintaining security.
User Rights
+ Map your users’ rights. Understand who has access to what and why. Are there dormant accounts?
Analyze, Alert and Audit on Activity
+ By keeping track of access and access patterns, it becomes very easy to understand who accessed your data, what was accessed and why.

Page 45: Step #2: Look for Aberrant Behavior

What: Weirdness probably means trouble.

How
+ Profile normal, acceptable usage and access to sensitive items by
  – Volume
  – Access speed
  – Privilege level
+ Put in place monitoring or “cameras in the vault.”

Page 46: Example: Databases

Check the entry method. Legitimate individuals should, typically, access data through a main door.

Monitor the activity of individuals. If employees have been granted miscellaneous access permissions, you should monitor what they are doing. Malware from spear phishing typically causes unusual behavior.

Monitor the activity of privileged users. Database controls should track the activity of privileged users and monitor what these privileged users are accessing.
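The three database checks above (entry method, per-user activity, privileged-user activity), combined with the volume / access-speed / privilege-level profiling of page 45, as an added Python example; this is illustration code, not an Imperva product feature. A baseline is learned from a window of known-good audit records, and each monitored record is compared to it. The audit records, user and table names, the sensitive-table classification, the privilege ranks, the 10x volume factor and the 60-second rate window are all constructed assumptions; the monitored window plays out the page's own scenario, an employee's credentials reused from a desktop SQL client to pull whole tables in a burst.

```python
"""Baseline-and-deviation monitoring of database access (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, user, privilege, entry method, table, rows returned).
# Entry method is "client program@client host"; the web application is the "main door".
BASELINE_LOG = [
    ("2013-02-01T09:00:00", "alice", "app_user", "webapp@app-srv-1", "customers", 12),
    ("2013-02-01T09:05:00", "alice", "app_user", "webapp@app-srv-1", "customers", 9),
    ("2013-02-01T09:30:00", "alice", "app_user", "webapp@app-srv-1", "orders", 20),
    ("2013-02-01T10:00:00", "alice", "app_user", "webapp@app-srv-1", "customers", 15),
    ("2013-02-01T09:10:00", "bob", "dba", "sqlplus@dba-ws-7", "customers", 3),
    ("2013-02-01T11:10:00", "bob", "dba", "sqlplus@dba-ws-7", "sys_config", 40),
]

# Constructed records to monitor: alice's credentials are reused from a desktop
# SQL client (what a spear-phishing implant on her machine would do), then used
# to pull whole tables in a burst; bob is a DBA reading a sensitive table.
MONITORED_LOG = [
    ("2013-02-02T09:02:00", "alice", "app_user", "webapp@app-srv-1", "customers", 11),
    ("2013-02-02T09:04:00", "alice", "app_user", "sqlplus@ws-alice", "customers", 14),
    ("2013-02-02T09:04:10", "alice", "app_user", "sqlplus@ws-alice", "customers", 50000),
    ("2013-02-02T09:04:20", "alice", "app_user", "sqlplus@ws-alice", "orders", 80000),
    ("2013-02-02T09:04:30", "alice", "app_user", "sqlplus@ws-alice", "cards", 30000),
    ("2013-02-02T10:00:00", "bob", "dba", "sqlplus@dba-ws-7", "cards", 2),
]

SENSITIVE_TABLES = {"customers", "orders", "cards"}   # assumed classification (Step 1)
PRIV_RANK = {"app_user": 0, "analyst": 1, "dba": 2}   # assumed privilege ordering
VOLUME_FACTOR = 10                   # alert above 10x the user's baseline maximum
RATE_WINDOW = timedelta(seconds=60)  # access-speed window


def _queries_in_window(times, now):
    """Queries by one user in the window ending at `now`."""
    return sum(1 for t in times if now - RATE_WINDOW < t <= now)


def build_profile(log):
    """Per-user baseline: known entry methods, largest result, privilege, peak query rate."""
    profile = defaultdict(lambda: {"entries": set(), "max_rows": 0, "priv": 0, "max_rate": 0})
    times = defaultdict(list)
    for ts, user, priv, entry, _table, rows in log:
        p = profile[user]
        p["entries"].add(entry)
        p["max_rows"] = max(p["max_rows"], rows)
        p["priv"] = max(p["priv"], PRIV_RANK[priv])
        times[user].append(datetime.fromisoformat(ts))
    for user, ts_list in times.items():
        profile[user]["max_rate"] = max(_queries_in_window(ts_list, t) for t in ts_list)
    return dict(profile)


def detect(profile, log):
    """Return (timestamp, user, reasons) for every record that deviates from the baseline."""
    alerts = []
    seen = defaultdict(list)  # timestamps observed so far in the monitored window
    for ts, user, priv, entry, table, rows in sorted(log):
        now = datetime.fromisoformat(ts)
        seen[user].append(now)
        p = profile.get(user)
        reasons = []
        if p is None:
            reasons.append("unknown user")
        else:
            if entry not in p["entries"]:
                reasons.append(f"new entry method {entry}")
            if rows > VOLUME_FACTOR * p["max_rows"]:
                reasons.append(f"volume {rows} rows (baseline max {p['max_rows']})")
            rate = _queries_in_window(seen[user], now)
            if rate > p["max_rate"]:
                reasons.append(f"rate {rate}/min (baseline max {p['max_rate']})")
            if PRIV_RANK[priv] > p["priv"]:
                reasons.append(f"privilege {priv} above baseline")
            if PRIV_RANK[priv] >= PRIV_RANK["dba"] and table in SENSITIVE_TABLES:
                reasons.append(f"privileged access to {table}")  # always audited
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(build_profile(BASELINE_LOG), MONITORED_LOG):
        print(ts, user, "; ".join(reasons))
```

The first alert fires on the entry method alone, before any data has left: alice's credentials arriving through sqlplus from a workstation instead of the web application is enough, which is the point of checking the door rather than waiting for a signature. The DBA's read of the cards table is reported even though it matches his baseline in every other respect, because privileged-user access to sensitive data is recorded unconditionally rather than scored against "normal".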

Page 47: Conclusion: Rebalance the Portfolio

Page 48: Webinar Materials

Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
+ Post-Webinar Discussions
+ Answers to Attendee Questions
+ Webinar Recording Link

Page 49: www.imperva.com

- CONFIDENTIAL -