From patchwork defenses against malware to a holistic strategy
It is not a paradox, but I still regularly hear "use a modern antivirus and keep it updated" offered as advice on fighting malware. As if the recent WannaCry and Petya / Nyetya incidents took place in some other world than the one inhabited by those who still believe antivirus is all you need against malware. Even a good antivirus. Even one with heuristic mechanisms. Even if those mechanisms are switched on and do not slow the PC down. Even if they actually work rather than serving as marketing bait. It is time to state a simple conclusion: fighting modern malware requires a holistic strategy and a balanced application of various technologies aimed at detecting and blocking malicious code across its many methods of penetration and infection. And so as not to stop at platitudes, let's try to formulate what such a holistic anti-malware strategy should include.
How the malware industry has developed
But before I start building a protective wall out of separate technological bricks, let's recall what modern malware is. This matters: it keeps us from being taken in by vendors' marketing claims of "100% detection of unknown viruses" and lets us see what they can and cannot do against modern malware, and therefore how to resist it.
Yes, there are old viruses that standard, widely used antivirus products detect well. They probably make up about 80% of all malicious programs. They are the ones you often see in commercials on corporate YouTube channels, and it is their hashes that appear in presentations and marketing materials. Enter such a hash on VirusTotal, confirm that the product catches the sample, and conclude that it is worth paying for. Or is it?
Now let's look at it from the point of view of the creator... the creator of the malicious code. He, or rather the whole team of qualified programmers and architects behind every modern NotPetya-class sample, starts from the following picture:
they know that malware will be searched for using various information security tools.
they know that a sandbox can be used to analyze an unknown malicious code.
they know that 99% of victim companies use widely used protection software.
What conclusions follow from these three obvious theses, which any security officer knows but for some reason does not use to put himself on the side of Evil and think "like a hacker" who will try to bypass every traditional protection system? I would draw the following:
Malicious code should be unique and never repeat itself.
Malicious code should use multiple propagation vectors.
Malicious code should be modular.
Malicious code should evade the methods used to detect and analyze it.
That is why the malware-creation industry is well developed, has good budgets and copies the best practices of software development (yes, there are agile virus developers too). Most importantly, malware developers have a strong incentive for their creations to achieve high infection rates and low detection rates. Here is just one, rather old, example from the beginning of 2016 showing that antivirus products for the most part fail to detect even the simplest malicious programs.
The typical approach to protecting against malware (often still called "viruses", an old-fashioned name that makes the problem sound trivial) is a pair of antivirus plus firewall. But as we saw above, modern malicious code is much more complex. There are several infection channels: e-mail, Web, Wi-Fi, flash drives, software updates, contractors' laptops, personal mobile devices, manuals, etc. The malware can exploit both long-known vulnerabilities and still-unknown holes (0-days). It can be built from fragments of viruses already used, or written from scratch, including with various techniques for circumventing protection at different levels.
What is wrong with antivirus plus a firewall?
You may even have two or three different antiviruses (as recommended, or even required, for example by the regulatory documents of the Bank of Russia), but this does not help much. Even if they use different anti-virus engines (and they may not :-), they are still built on a method that failed many years ago: comparison with attack signatures, that is, finding something already known. Yet according to statistics from many information security vendors, most malware encountered today is previously unknown and unique to the majority of customers. This means that most anti-virus products cannot fight what they do not see and do not know.
A colleague recently sent me a file asking me to check it in our Cisco Threat Grid sandbox. The file looked suspicious to him, but his antivirus did not react to it. A few minutes after the analysis started, Cisco Threat Grid returned its verdict: the ZBot Trojan. But that is a fairly well-known and old piece of malware. Why didn't the antivirus catch it? The key word is "old". It turned out that, to reduce the size of the signature database pushed to every PC, the anti-virus vendor had disabled old signatures. One can understand them: the number of signatures keeps growing and is already measured in hundreds of millions and even billions, and no hard disk could hold all of them. A choice has to be made, and it can lead to disastrous consequences.
You probably remember the WannaCry story yourself, when many anti-virus vendors who boast of "100% detection of unknown viruses" in tests began, in the days following the start of the epidemic (and not all of them on that same Friday night), to send out recommendations on what to do about the infection. Remember? A strange situation: the vulnerability WannaCry exploited had been known for a month, but no malicious code had yet used it, and therefore there were simply no signatures in the anti-virus databases. So most traditional anti-malware tools work post-factum, fighting something already known. In the era of mass epidemics this approach worked; under conditions where most malware is unique, it began to fail.
Well, doesn't a firewall help us cut off connections to C&C servers? In theory, yes. In practice we face two difficulties. First, according to Cisco statistics, about 92% of malicious programs use the DNS protocol, which very few ordinary firewalls can filter (an NGFW with DNS inspection is needed here, for example Cisco Firepower NGFW). Second, to block interaction with C&C nodes you need to know their addresses, which change constantly, so the firewall would have to update its rules just as promptly, which in practice does not happen.
And what if we add secure Web and e-mail gateways?
What should be done to improve a company's protection against malicious programs? Beyond regularly installing patches, making backups and limiting users' local administrator rights, let's recall the possible infection vectors. According to statistics, the lion's share of infections arrive through two main channels: Web and e-mail. Accordingly, protection solutions should be deployed on those channels to filter traffic for malicious content. Cisco offers the E-mail Security Appliance and the Web Security Appliance.
But covering the two main channels by which malicious code enters an organization does not remove the problem of antiviruses that catch only the known. Is there a technology that can analyze files regardless of whether a digital fingerprint (signature) exists? Yes: it is called a sandbox, and it performs static and dynamic analysis of a file to see whether it performs any unauthorized actions: accessing the registry, copying files, contacting C&C servers, encapsulating itself into permitted traffic, and so on. The same Cisco Threat Grid sandbox evaluates over 700 different parameters and behavioral factors of a file to determine whether it is malicious. Protection tools that have built-in anti-virus engines but cannot detect unknown viruses gain that ability through sandbox integration. In the Cisco security architecture, the Threat Grid sandbox is integrated with all the security solutions: Cisco E-mail Security Appliance, Web Security Appliance, Cisco Firepower NGFW / NGIPS, Cisco ASA with FirePOWER Services, Cisco AMP for Endpoints, Cisco Umbrella, etc.
How to protect mobile users?
Suppose we have protected the network perimeter; what do we do about mobile users? We cannot surround them with protective walls of firewalls, IPS, content gateways and sandboxes. MDM solutions do not help much against malicious code, since they serve a different purpose. A mobile antivirus? It has the same problem described above, and not every mobile platform even has anti-malware tools (the iPhone, for example). How then do we fight? Again, put yourself on the attacker's side and look at how he builds his creations. As a rule they do not work autonomously but use a client-server architecture that requires communication with a management server, and most often they use the DNS protocol for this. If we can inspect DNS, we solve most of the problems with malicious code on mobile platforms. In that case we simply replace the DNS server addresses from Google or Yandex with those of a specialized service (for example, Cisco Umbrella) and, in addition to DNS resolution, get protection against interaction with C&C servers. In fact, Cisco Umbrella also lets us cut off phishing resources, DGA domains used for malware distribution, cloned sites, kill-switch domains, etc.
Let's turn to NTA and EDR
Let's return to the WannaCry story. On Friday evening, the CEO of a large industrial company caught WannaCry on his home computer. Without a second thought, on Saturday morning he brought the infected laptop to work, connected it to the corporate network and called in his IT specialists to "sort it out". While they were driving to work, WannaCry was already spreading across the internal network, regardless of the fairly good perimeter protection. And there are also flash drives planted with an unknown virus, hacked Wi-Fi, contractors' laptops, etc. What to do in this situation? The only answer is to monitor the internal infrastructure using NTA and EDR technologies, abbreviations for two classes of protection tools: Network Traffic Analysis and Endpoint Detection and Response.
Network traffic analysis (for example, with Cisco Stealthwatch) lets us identify manifestations of malicious code even when the end devices have no protection at all, not even an outdated antivirus. Moreover, thanks to ETA (Encrypted Traffic Analytics) technology, signs of malicious activity can be detected even in encrypted traffic. In turn, it is time to replace antivirus with EDR-class solutions (for example, Cisco AMP for Endpoints), which are built not on the premise of preventing 100% of threats but on the assumption that a host compromise can still happen, and that it must be possible to discover this fact in time and react to it.
The perimeter firewall has its counterpart in the internal network: a network access control system (for example, Cisco ISE), which segments the internal network and contains malicious code if it gets inside one way or another. Ideally, a network traffic analysis solution that detects the first attempts of malicious code to spread can instruct the network access control system to block the infected computer by shutting down its switch port or moving it to a quarantine subnet by changing the ACL on the router.
Of course, all the technologies described above should not work separately or in isolation but in close cooperation with each other, exchanging alarms, security policies, commands and indicators of compromise. Speaking of indicators (IoCs): they should also be received regularly from external sources (the Cisco Talos division plays that role) so that every means of protection, whether perimeter, cloud, endpoint or internal, is supplied with knowledge of constantly changing threats.
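The two DNS passages above (the firewall's inability to filter DNS and the DNS-layer service for mobile users) say that C&C traffic is caught at the DNS layer, but not what such a check looks like. Here is an added example of that triage logic, not code from the original post and not Cisco Umbrella or Firepower code. It runs four checks a DNS-inspecting control typically applies: a match against a threat feed, DGA-style names (long, high-entropy, vowel-poor registered labels), a burst of NXDOMAIN answers from one client (a DGA sweeping candidate domains), and tunnel-style queries carrying data in oversized names. The log format, the thresholds, the block-list entry and the sample records are all assumptions constructed for the demo.

```python
"""Triage of DNS query logs for signs of malware command-and-control.

Added example for this post; it is not Cisco Umbrella or Firepower code.
The log format, thresholds and sample records are assumptions constructed
for the demo.
"""
import math
from collections import Counter

# Constructed resolver-style log: "client qname rcode" per line.
SAMPLE_LOG = """\
10.0.1.15 www.cisco.com NOERROR
10.0.1.15 mail.example.org NOERROR
10.0.1.22 xj4k9q2wz8p1.net NXDOMAIN
10.0.1.22 q8zr1kv7mwn3.com NXDOMAIN
10.0.1.22 b7t2nxz9qk4p.org NXDOMAIN
10.0.1.22 w3k8qz7x1mr5.info NXDOMAIN
10.0.1.22 zq9wk2x7n4rp.biz NXDOMAIN
10.0.1.22 x1q7zk8w3nr9.net NOERROR
10.0.1.40 updates.vendor.example NOERROR
10.0.1.40 a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.tunnel.example NOERROR
10.0.1.40 4d4e8f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e.tunnel.example NOERROR
"""

# Constructed block list standing in for an external C2 feed (the role the
# post assigns to Talos); the domain is invented.
KNOWN_C2 = {"x1q7zk8w3nr9.net"}

DGA_MIN_LEN = 10            # short labels are too ambiguous to score
DGA_MIN_ENTROPY = 3.2       # bits per character of the second-level label
DGA_MAX_VOWEL_RATIO = 0.25  # pronounceable words have more vowels than this
NXDOMAIN_BURST = 4          # NXDOMAINs per client before we call it a DGA sweep
TUNNEL_MAX_QNAME = 60       # characters in the whole query name
TUNNEL_MAX_LABEL = 30       # characters in a single label


def parse_log(text):
    """Return (client, qname, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, rcode = parts
        records.append((client, qname.lower().rstrip("."), rcode.upper()))
    return records


def shannon_entropy(s):
    """Entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def second_level_label(qname):
    """Naive registered label: the label just left of the TLD."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def looks_dga(qname):
    """Heuristic: long, high-entropy, vowel-poor registered label."""
    label = second_level_label(qname)
    if len(label) < DGA_MIN_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (shannon_entropy(label) >= DGA_MIN_ENTROPY
            and vowel_ratio <= DGA_MAX_VOWEL_RATIO)


def looks_tunnel(qname):
    """Very long names or very long labels suggest data carried in DNS."""
    longest_label = max(len(label) for label in qname.split("."))
    return len(qname) > TUNNEL_MAX_QNAME or longest_label >= TUNNEL_MAX_LABEL


def analyze(text, known_c2=KNOWN_C2):
    """Run all checks over a log and return the findings by category."""
    findings = {"known_c2": set(), "dga_like": set(), "tunnel_like": set()}
    nxdomains = Counter()
    for client, qname, rcode in parse_log(text):
        if qname in known_c2:
            findings["known_c2"].add((client, qname))
        if looks_dga(qname):
            findings["dga_like"].add(qname)
        if looks_tunnel(qname):
            findings["tunnel_like"].add(qname)
        if rcode == "NXDOMAIN":
            nxdomains[client] += 1
    findings["nxdomain_burst"] = {c for c, n in nxdomains.items()
                                  if n >= NXDOMAIN_BURST}
    return findings


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(f"{category}: {sorted(items)}")
```

The feed match is the only check that needs the C&C address in advance; the other three fire on the behaviour of the traffic itself, which is the point the post makes about unique malware. The entropy and vowel thresholds are deliberately coarse and will misfire on some CDN hostnames, so in practice the DGA check is a trigger for correlation (did the same client also produce an NXDOMAIN burst?) rather than a block decision on its own.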
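The three paragraphs above describe the NTA-to-NAC loop (traffic analysis spots the first spread of malicious code, the access control system isolates the host) in words only. Here is an added example of that loop on NetFlow-style records, not code from the original post and not Cisco Stealthwatch or Cisco ISE code. It flags a host that reaches many distinct internal addresses on the SMB ports within a short window, which is how WannaCry moved across the network in the CEO story, and turns the alert into a quarantine decision while sparing an authorized scanner. The flow format, thresholds, allow list and sample flows are assumptions constructed for the demo, and the quarantine action is rendered as an extended-ACL line purely for illustration.

```python
"""Worm-style SMB fan-out detection over flow records, with a quarantine decision.

Added example for this post; it is not Cisco Stealthwatch or Cisco ISE code.
Flow format, thresholds, allow list and sample flows are assumptions
constructed for the demo.
"""
from collections import defaultdict, deque

FANOUT_THRESHOLD = 20       # distinct destinations on SMB ports ...
WINDOW_SECONDS = 60         # ... within this many seconds
WATCHED_PORTS = {445, 139}  # SMB and NetBIOS session service
# Hosts allowed to fan out, e.g. the vulnerability scanner. Without such an
# allow list this detection would quarantine your own scanner on its next run.
ALLOWED_SCANNERS = {"10.0.9.9"}


def make_sample_flows():
    """Constructed flows as (timestamp, src, dst, dport) tuples."""
    flows = []
    # Infected laptop sweeping a /24 on 445, one host per second.
    for i in range(1, 31):
        flows.append((1000 + i, "10.0.1.22", f"10.0.2.{i}", 445))
    # Ordinary client repeatedly talking to a single file server.
    for i in range(10):
        flows.append((1000 + 5 * i, "10.0.1.40", "10.0.5.5", 445))
    # Authorized vulnerability scanner sweeping another subnet.
    for i in range(1, 26):
        flows.append((2000 + i, "10.0.9.9", f"10.0.3.{i}", 445))
    # Slow contact with many hosts, two minutes apart: below the rate we alert on.
    for i in range(1, 26):
        flows.append((3000 + 120 * i, "10.0.1.50", f"10.0.4.{i}", 445))
    return flows


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: first_detection_ts} for sources that reached at least
    `threshold` distinct hosts on watched ports within any `window` seconds."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport not in WATCHED_PORTS or src in alerts:
            continue
        window_flows = recent[src]
        window_flows.append((ts, dst))
        # Drop everything that fell out of the sliding window.
        while window_flows and window_flows[0][0] < ts - window:
            window_flows.popleft()
        if len({d for _, d in window_flows}) >= threshold:
            alerts[src] = ts
    return alerts


def quarantine_decisions(alerts, allowed=ALLOWED_SCANNERS):
    """Turn alerts into quarantine actions, skipping authorized scanners."""
    decisions = []
    for src, ts in sorted(alerts.items()):
        if src in allowed:
            continue
        decisions.append({
            "host": src,
            "detected_at": ts,
            # Illustrative IOS-style extended ACL entry that a NAC system
            # could push to the router; the real integration uses the NAC
            # product's own interface, not a text line.
            "acl": f"deny ip host {src} any",
        })
    return decisions


if __name__ == "__main__":
    found = detect_fanout(make_sample_flows())
    print("fan-out alerts:", found)
    for decision in quarantine_decisions(found):
        print("quarantine:", decision)
```

Two details matter in practice. The detection is rate-based, so the slow host that touches 25 machines over 50 minutes is not flagged; a real NTA deployment adds a longer-window counter for exactly that case. And the allow list is applied at the decision step, not the detection step, so the scanner's sweep is still recorded and visible to an analyst even though it is never quarantined.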
Back to a closed software environment and isolation from the outside world
The strategy above is optimal for protecting against 98% of malicious code. Can we push that figure closer to the cherished hundred? In fact we can, but we must understand that doing so significantly degrades network performance and worsens the user experience. It is achieved by abandoning the blacklist paradigm and moving to the rule "only what is known is allowed": allowed applications, IP addresses, users, etc. As we understand, this approach has serious limitations in real life, but on the other hand it can severely constrain the operation of malicious code. A further layer of protection comes from isolation technologies: virtualization, remote browsers, TPM, OS integrity monitoring, remote attestation, e-mail signing.
In summary
I have described several strategies for protecting against malicious code, from minimalist to maximal. Does this mean we can completely prevent infection of our internal network and mobile users? Alas. Nobody and nothing can guarantee 100% protection. But the task of this note was different: to show that the still-existing view that antivirus alone can save us from modern malware has long since "gone rotten", that the problem can only be solved by an integrated approach, and that you need to start from the use cases we have already written about.
Additional Information:
How to use Cisco Stealthwatch on a Cisco network
Description of the technology for detecting malicious code in encrypted traffic
Description of the approach to detecting cryptominers on the network
Building a security system based on use cases
Description of the strategy for dealing with ransomware
Description of the strategy to combat WannaCry
Description of the use of Cisco ISE on a Cisco network