Wednesday, February 7, 2018

Changing the Meta: The Evolution of Anti-Virus

Extremely accurate graphical timeline of AV changes...there has been a LOT of innovation here yet everyone's mental picture is still signature based systems!

So when we talk about the changing Meta of cyber war, I believe that many people have somehow ignored the massive disruptions happening in the defensive "Anti-Virus" market.

Looking at AV from the offensive side, there are many things you have to now take into account, including VirusTotal, Cloud Reputation Systems burning your executables, Cloud Reputation Systems burning your C2/dropper web sites, malware heuristics catching you, VM-detonation systems catching you, anti-rootkit systems messing with you, other implants running their own private analysis against you, etc.

In other words, it's a rough world out there for implants ever since about 2010, and only getting rougher.

But the biggest change, the one that altered the Meta forever, in my opinion, was the switch to reputation-based systems from signatures and heuristics. Being able to see and predict this and engineer around it drove attacker innovation for some time. This affected policy as well, because now targets that normally would be of no value became of huge value because of their reputational quality. What are the policy implications of stealing certificates from random Hong-Kong based software providers to hack random other people?

In fact, there were many attacker responses, all of which were predictable, to this meta-shift:

  • Attacking of cloud AV providers (for example, the Israeli team on Kaspersky's network)
  • Coopting of cloud-AV providers (which is what DHS claims it is worried about re: Kaspersky)
  • Full-scripting language implants (aka, powershell implants, chinese webshells)
  • Implants which run only as DLL's inside other programs (and hence, don't need reputation against earlier systems which did not check DLLs)
  • Watering hole attacks (for both exploitation and C2)
  • Large scale automated web attacks (for gathering C2 Listening Posts)
  • Probably more that I'll think of as soon as I post this. :)

The next meta-change is going to be about automated response (aka, Apoptosis - see MS Video here), as the Super-Next-Gen systems are about to demonstrate. So my question is: Have we predicted the obvious attacker responses?

No comments:

Post a Comment