What do you depend on for detection?

Protect, detect, respond, recover.  Under an assumption of breach, we accept that protections will fail and rely on deployed detection technologies to alert network operators to malicious activity.  Today's primary detection technologies, network intrusion detection systems and host-based antivirus, are effective against nuisance threats that profit from access at scale, but they are easily circumvented by targeted attackers who profit from precise access to a few chosen victims.  In recent weeks several new posts around the web have supported this hypothesis.

Static analysis ineffective

The cats over at Carbon Black recently ran a 30-day study: 43 antivirus products vs. 75 pieces of malware from malc0de.com.  The punch line can be summarized in one graphic:

(Graphic: 43 antivirus products vs. 75 pieces of malware.)

Even 30 days after the malware was recovered "from the wild," the best-performing product detected only 75% of the samples.  The typical enterprise products from Symantec and McAfee detected only 46% and 63%, respectively.

CB test: antivirus detection of 30-day-old malware (75 samples)

  Product                      Detected
  Dr Web (best performance)    75%
  McAfee                       63%
  Symantec                     46%

Dynamic analysis ineffective

The SANS Computer Forensics team recently ran through a targeted-attacker simulation to develop datasets for their Advanced Forensics and IR course.  Using Metasploit and slightly obfuscated public malware, they compromised a host running McAfee's enterprise product via a malicious Java applet.  After gaining access, they simulated typical targeted-attacker actions: installing public remote access tools, moving laterally to other hosts and exfiltrating documents.  Throughout the compromise, implant installation, lateral movement and exfiltration, the McAfee product was silent.

SANS simulation: detection of a simulated targeted attack

  Phase                                                              Detected by McAfee?
  Java applet attack                                                 No
  Upload and execution of stub meterpreter via Java applet           No
  Upload of C:\windows\system\32\dllhost\svchost.exe (meterpreter)   No
  Registry modifications for svchost arguments and execution at boot No
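The last two rows of the table are the kind of persistence that host-based detection should be able to see without a signature: a binary named after a Windows system process dropped outside the real system directory, and an autorun registry value that launches it at boot.  The check below is an added example written for this post, not code from SANS, McAfee or Carbon Black; the list of impersonated process names, the legitimate directories, the autorun keys and the "user-writable" path markers are assumptions for a default Windows install, and the sample file and registry records are constructed (the svchost.exe path is the one from the SANS scenario, its command-line arguments are made up).

```python
"""Added example: flag persistence indicators like those in the SANS
simulation (masquerading system binaries and suspicious autorun entries).
Not code from the original post or from SANS/McAfee/Carbon Black."""

import ntpath
import re
from dataclasses import dataclass

# Process names attackers commonly reuse for implants (assumption; extend it).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe"}

# Where those binaries legitimately live on a default install (assumption).
# Compared case-insensitively because NTFS paths are case-insensitive.
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Registry keys whose values are executed at logon/boot (assumption: the
# common Run/RunOnce keys only).
AUTORUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
)

# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    kind: str
    detail: str


def _norm(path):
    """Lower-case and strip surrounding quotes so comparisons are stable."""
    return path.strip().strip('"').lower()


def suspicious_path(path):
    """True if the file name is a system binary name but the directory is not
    one of the legitimate system directories."""
    p = _norm(path)
    if ntpath.basename(p) not in SYSTEM_BINARY_NAMES:
        return False
    return ntpath.dirname(p) not in LEGIT_DIRS


def check_files(paths):
    """Run the masquerading check over a list of file paths."""
    return [Finding("masquerading_binary", p) for p in paths if suspicious_path(p)]


def extract_exe(command):
    """Pull the executable out of an autorun command line: either the quoted
    leading token or, failing that, the first whitespace-delimited token
    (unquoted paths containing spaces are not handled)."""
    cmd = command.strip()
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1).lower()
    return cmd.split()[0].lower() if cmd else ""


def check_autoruns(entries):
    """entries: iterable of (registry_key, value_name, command_line)."""
    findings = []
    for key, value_name, command in entries:
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = extract_exe(command)
        where = f"{key}\\{value_name} -> {command}"
        if suspicious_path(exe):
            findings.append(Finding("autorun_masquerading_binary", where))
        elif any(marker in exe for marker in USER_WRITABLE):
            findings.append(Finding("autorun_user_writable_path", where))
    return findings


# Constructed sample records (not real host data).
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",           # legitimate
    r"C:\windows\system\32\dllhost\svchost.exe",  # path from the SANS scenario
    r"C:\Users\alice\AppData\Local\Temp\lsass.exe",
]
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\windows\system\32\dllhost\svchost.exe -k netsvcs"),  # arguments constructed
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Roaming\updater.exe" /silent'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),  # benign
]

if __name__ == "__main__":
    for f in check_files(SAMPLE_FILES) + check_autoruns(SAMPLE_AUTORUNS):
        print(f.kind, f.detail)
```

On the constructed sample this flags the two masquerading binaries and the two suspicious autorun values while leaving the legitimate entries alone.  The caveat is that it only catches the naming trick the simulation used; an implant dropped under an unremarkable name in an allowed directory, or persisted through a service or scheduled task rather than a Run key, sails past it, which is exactly why a baseline of "what normally runs from where" on your own hosts matters more than any single heuristic.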

Published analysis

Finally, Mandiant published its 2012 M-Trends report, a summary of Mandiant's 2011 intrusion response investigations.  Two key findings in this context:

In 94% of their cases the victim organization did not detect the intruders itself but was notified by a third party (usually law enforcement).  Attackers had been in place an average of 416 days before detection.

The 2012 Verizon Data Breach Report tells a similar story.  For larger organizations, the time between initial compromise and discovery was measured in months in 39% of incidents.

The security industry's marketing consistently reassures customers that our intrusion detection technologies will rapidly detect attacks.  It promises that the new cloud solutions provide "real-time malware detection with global collective threat intelligence."  Unfortunately, the (few) datasets we have for measuring the effectiveness of these technologies paint a markedly different picture from the marketing copy.  "Real-time detection" is not measured in months.

We must change our mindset.  We place too much emphasis on protection and underinvest in detection, response and recovery.  The "best practice" detection technologies we deploy are necessary but insufficient.  Alternatives are in short supply, but until we recognize the inevitability of compromise, assume breach and begin to grapple with the implications, we will not recognize the shortfalls, we will not pressure industry for solutions, and we will continue to be vulnerable and blind on our own networks.  It cannot continue.
