The Led Zeppelin song “When the Levee Breaks” can serve as the cybersecurity industry’s anthem. Yes, the lines, “If it keeps on rainin’, levee’s goin’ to break… Cryin’ won’t help you prayin’ won’t do you no good” warn about imminent flooding. But they also describe the downpour of malware rainin’ down on organizations. And as some of the Nyotron Research Team’s recent discoveries show, the levees have broken. Many of our customers have encountered attacks that avoided their security perimeters. They represent several industries including healthcare, the public sector, energy and education. But all cases share two things in common. First, all organizations use antivirus or AV software solutions from leading vendors. Second, those solutions failed to detect and thwart the attacks.
The reasons for their failures vary. In some cases, the malware was so new that the AV software could not recognize it as a threat. That’s a worrying sign of the times. The attackers are evolving to become more sophisticated. But the security industry remains stuck in the 20th century.
AV and other endpoint security solutions still rely on the Negative Security model. For decades, vendors have been building so-called “blacklists” of known malware files. It’s a constant game of cat-and-mouse. Attackers create and launch new malware, or new variants of known malware. When/if the security industry detects the new threat, it’s added to the blacklist. But more often than not, a new attack isn’t discovered until after it turns unsuspecting companies into “Patient Zero”. This model keeps security professionals on their heels.
AV software and trojan threats
That was almost the case with the appearance of a new variant of the Agent Tesla trojan.
Agent Tesla is active “spyware”. It collects and steals sensitive data, logs keystrokes, and can even access webcams. This new variant was not on any blacklist. That enabled it to slip past even “next-gen AV” solutions. The victim would have no idea the attack was underway.
The bad guys are always eager to try new malware. A few hours after the new variant first appeared in the wild, an attacker used it to target one of our customers. The trojan did evade the endpoint security solution installed on employees’ machines. But Nyotron’s PARANOID detected and blocked it. You can read our analysis of the attacker’s objectives and delivery method here.
This case can serve as a model for how to thwart known and unknown threats. This isn’t a call for uninstalling the Negative Security solutions guarding the perimeter. It’s always a good idea to block known viruses “at the gate”. In fact, many regulatory, governance and compliance regulations still mandate its use. Rather, build a multi-layered defense system that incorporates the Positive Security approach. Instead of only watching out for what’s bad, track the “good” as well.
Consider that there is a finite number of legitimate operating system behaviors. No matter how sophisticated new malware may be, it must deviate from that baseline when attempting to fulfill on its malicious intent. A defense system that can detect and block that action serves as the “last line of defense” in the event AV software fails to detect the threat.
Windows hacking dangers
The Agent Tesla variant is one of many new, unknown threats that appear every day.
For example, last month we issued an alert over our discovery of a new Windows evasion technique. We named it “RIPlace”. Attackers could use it to encrypt files while evading most anti-ransomware methods. We have notified Microsoft, security vendors and law enforcement agencies. You can read our report and download a free testing tool here.
And in October, we detected an attack against one of our critical infrastructure clients in the Middle East. The attackers spent days scanning the organization’s network. They discovered and exploited a vulnerability in a SharePoint server. That lone weak point opened the virtual doors for the attacker to try to gain control of more systems. But while it evaded AV software, its deviation from “known good” behavior sounded the alarm.
The hard truth is that it’s impossible to detect and block all cyber attacks. If you thwart 99 out of 100 attacks from penetrating your network, you still lose. Remember that past performance doesn’t guarantee future results. Focusing on known bad threats is only half the battle.
Endpoint protection solutions remain an important layer in an organization’s defense-in-depth strategy. Pair those “levees” with Positive Security technologies and policies to harden your security posture.
About the Author
Rene Kolga is a VP of Product Strategy at Nyotron.