Protect, detect, respond, recover. Under assumption of breach, we assume protections will fail and we must rely on deployed detection technologies to notify network operators of malicious activity. Today’s primary detection technologies, network intrusion detection systems and host-based antivirus, are effective against the nuisance threats that find value at scale of access, but they are easily circumvented by targeted attackers who find value in precision of their access. In recent weeks there have been several new posts around the web supporting this hypothesis.
Static analysis ineffective
Even 30 days after recovering the malware “from the wild,” the best-performing products detected only 75% of malware. The typical enterprise products from Symantec and McAfee detected only 46% and 63%, respectively.
CB Test: Antivirus detection success of 30-day-old malware

| Product | Detection rate |
|---|---|
| Dr Web (best performance) | 75% |
| McAfee | 63% |
| Symantec | 46% |
Dynamic analysis ineffective
The SANS Computer Forensics team recently ran through a targeted attacker simulation scenario to develop datasets for their Advanced Forensics and IR course. Using Metasploit and slightly obfuscated public malware, they compromised a host running McAfee’s enterprise product using a malicious Java Applet. After gaining access, they simulated typical targeted attacker actions: installing publicly available remote access tool malware, moving laterally to other hosts and exfiltrating documents. Throughout the compromise, implant installation, lateral movement and exfiltration, the McAfee product was quiet.
SANS simulation: Detection of simulated targeted attack

| Phase | Detected by McAfee? |
|---|---|
| Java Applet attack | No |
| Upload and execution of stub meterpreter via Java applet | No |
| Upload of C:\windows\system\32\dllhost\svchost.exe (meterpreter) | No |
| Registry modifications for svchost arguments and execution at boot | No |
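The last two rows of the table are exactly the kind of activity a host-based check can flag even when antivirus stays quiet: a binary named after a Windows system executable but dropped outside the directory it legitimately lives in, and then wired into an autorun key. The following is an added example, not SANS or McAfee code, that runs such a masquerading check over constructed autorun entries modelled on the scenario; the system-binary and legitimate-directory lists are short illustrative assumptions.

```python
import ntpath

# Assumed, deliberately short inventory for the example; a real deployment would load a
# fuller list of Windows system binaries and the directories they are installed in.
SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "lsass.exe", "csrss.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalise(path):
    """Strip surrounding quotes, collapse odd separators and lowercase a Windows path."""
    return ntpath.normpath(path.strip('"')).lower()


def is_masquerading(image_path):
    """True when the file name matches a system binary but its directory is not a legitimate one."""
    p = normalise(image_path)
    return ntpath.basename(p) in SYSTEM_BINARIES and ntpath.dirname(p) not in LEGIT_DIRS


def find_suspicious_autoruns(entries):
    """entries: iterable of (registry_key, value_name, command). Returns entries worth review."""
    hits = []
    for key, value, command in entries:
        # The command may carry arguments; isolate the image path (quoted or first token).
        image = command.split('"')[1] if command.startswith('"') else command.split(" ")[0]
        if is_masquerading(image):
            hits.append((key, value, normalise(image)))
    return hits


# Constructed sample autorun entries: one persistence entry pointing at an svchost.exe
# outside System32 (the path from the SANS table) plus two benign entries.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\windows\system\32\dllhost\svchost.exe -k netsvcs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for key, value, image in find_suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"REVIEW: {key}\\{value} -> {image}")
```

On a live host the entries would come from an autorun enumeration rather than the constructed list, but the check itself is the same.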
In 94% of their cases, the victim organization did not detect the intruders itself but was notified by a third party (usually law enforcement). Attackers had been in place an average of 416 days before detection.
The 2012 Verizon Data Breach Report tells a similar story. For larger organizations, in 39% of the incidents the time between initial compromise and discovery was measured in months:
The security industry’s marketing consistently reassures customers that our intrusion detection technologies will rapidly detect attacks. They promise that the new cloud solutions provide “real-time malware detection with global collective threat intelligence.” Unfortunately, the (few) datasets we have to measure the effectiveness of these technologies paint a markedly different picture than the marketing copy. “Real-time detection” is not measured in months.
We must change our mindset. We place too much emphasis on protection and underinvest in detection, response and recovery. The “best practice” detection technologies we deploy are necessary but insufficient. Alternatives are in short supply, but until we recognize the inevitability of compromise, assume breach and begin to grapple with the implications, we will not recognize the shortfalls, we will not pressure industry for solutions, and we will continue to be vulnerable and blind on our own networks. It cannot continue.