21st century Malware: Is your antivirus keeping you safe?

19th January 2021

With hundreds of new malware strains being released every day, is your antivirus truly prepared for 21st Century threats?

Nowadays, businesses need to keep a lot of plates spinning in order to protect themselves from cybercrime: a good firewall, thorough cyber awareness training, multi-factor authentication, and, particularly importantly, antivirus.

The kinds of malware that cybercriminals employ have changed dramatically over the last few years, with hackers turning from “one and done” attacks to long-term compromise methods in order to maximise profits.

So with the stakes rising and new and elusive malware being deployed every single day, are the trusty antivirus practices of the past really enough to keep us safe in the 21st Century?

But before we go forward, we need to look back. Time for a short history lesson.

A Brief History of Malware

Back in the ‘90s and early 2000s, a new virus was newsworthy. Just look back to the likes of the ILOVEYOU worm, the Melissa virus, and the Blaster worm. They made the headlines simply because malware was such a novelty at the time. We also started to see the real, tangible costs of cybercrime; for example, ILOVEYOU was estimated to have caused over $5.5 billion in damage worldwide, with global costs of around $15 billion for removal.

But as consumer tech and internet connections have grown ever faster and more accessible, the cybercrime industry has grown to suit. Forget new malware making the news – new strains of malware are discovered every single day in their hundreds.

On the whole, malware has two jobs. The first is to deploy a malicious effect (its “payload”) which can include infecting or encrypting files (possibly for ransom); rendering software and services unusable (to generally be a nuisance or as a cover for other activities); or installing backdoor control or monitoring software.

The second job is usually self-replication. Different types of malware will replicate differently, but will generally include mechanisms that try to infect other network users or infiltrate sensitive off-device resources.

Why do cybercriminals try to infect businesses?

It’s simple: money. Sensitive data and login credentials can be used to compromise further systems within an organisation, or can be bought and sold for a pretty penny on the dark web. Ransomware directly holds important files to ransom in exchange for money. Some particularly pernicious examples of malware can remain on a system and slowly leak sensitive data to criminals under the radar – but more on those later.

How antivirus tools work

Signature-based detection: starting simple

When new viruses were still momentous news, “signature-based” antivirus protection was perfectly adequate. Signature-based virus detection means that the antivirus software detects malware by comparing files to an up-to-date database of known threats. As new threats emerge “in the wild”, the AV software company continually adds to that database and pushes updates to their users, allowing their antivirus installations to detect (and potentially remove) new malware as it arises.

When the pace of cybercrime was a little slower, comparing files to threat databases was a fine approach. Signature-based detection has served us well over the years, but nowadays malware is becoming so prolific that AV providers are struggling to keep their databases updated with all of the new and as-yet-unknown malware (called “zero-day” malware) that is being deployed every single day.

There will inevitably be a gap between the time an exploit is released onto the net and when the security community detects it and catalogues it for signature databases. This presents a lucrative window of opportunity for a hacker – and a less than ideal situation for the rest of us.

So what’s an antivirus provider to do? Think smarter, that’s what.

Heuristic analysis: smarter but also harder

There are so many brand-new threats flying around that a simple blacklist of file signatures just isn’t going to cut it anymore – at least not on its own. This is where heuristic analysis tools come in.

Rather than comparing file signatures against known threats, heuristic tools actively probe unfamiliar files to see if they contain any malicious or unexpected instructions that may be telltale signs of malware.

New heuristic analysis methods are being developed all the time, but here are three notable ways in which heuristic antiviruses operate: sandboxing, decompiling, and behaviour monitoring.

  • Sandboxing – The antivirus will open unfamiliar files in a separate, virtual environment to see how they act. If a file behaves in an unexpected or harmful way then it’s branded as a threat and users are barred from accessing it. If it behaves normally, then it is allowed to pass by.
  • Decompiling – The antivirus will “unbox” the file’s code and automatically look for harmful commands or unexpected content. If anything malicious is found, then the file will be marked as malware and the user will not be able to access it.
  • Behaviour Monitoring – The AV will establish what constitutes “normal behaviour” for each device in terms of programs used, running processes, network use, etc. If it detects anything out of the ordinary, then it will automatically investigate, potentially shutting down anything that it deems potentially harmful.

Compared to signature-based detection, these are much more proactive ways of finding new zero-day threats that may not be on the security community’s radar yet. They look at the way files and systems act and what they’re doing, rather than looking for any particular file signatures or known patterns of behaviour.
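To make the contrast between the two approaches concrete, here is a small added example (not code from the original article or from any antivirus vendor): a hash-based signature lookup beside a minimal heuristic content scan, run over constructed sample "files". The sample bytes, the signature database, the heuristic rules and the two-trait threshold are all assumptions made for the demonstration; the point it shows is that a trivially repacked variant of a known sample slips past the signature check while the heuristic rules still flag it.

```python
import hashlib
import re

# Constructed sample "files" (not real malware): a known-bad sample, a
# trivially repacked variant of it, a one-trait installer and a benign file.
KNOWN_BAD = b"MZ demo: vssadmin delete shadows /all; reg add CurrentVersion\\Run"
VARIANT = KNOWN_BAD + b" "          # one extra byte: new hash, same behaviour
ONE_TRAIT = b"MZ demo: installer registers a CurrentVersion\\Run entry"
BENIGN = b"MZ demo: hello world"

# Signature database: SHA-256 of each known-bad file. A real vendor ships
# and updates this list continuously; here it is constructed inline.
SIGNATURES = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Dropper.A",
}

# Heuristic rules: content patterns that are rare in legitimate software but
# common in malware. A tiny stand-in for a real decompile-and-inspect engine.
HEURISTIC_RULES = [
    (re.compile(rb"vssadmin\s+delete\s+shadows", re.I), "deletes shadow copies"),
    (re.compile(rb"CurrentVersion\\Run", re.I), "writes an autorun registry key"),
    (re.compile(rb"-EncodedCommand", re.I), "launches encoded PowerShell"),
]


def signature_scan(data: bytes):
    """Signature-based detection: exact hash lookup. Returns family name or None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def heuristic_scan(data: bytes):
    """Heuristic detection: return the list of suspicious traits found in the file."""
    return [desc for pattern, desc in HEURISTIC_RULES if pattern.search(data)]


def verdict(data: bytes):
    """Combine both checks: signature first, then heuristics (two traits = malware)."""
    family = signature_scan(data)
    if family:
        return ("malicious", f"signature match: {family}")
    traits = heuristic_scan(data)
    if len(traits) >= 2:
        return ("malicious", "heuristic: " + ", ".join(traits))
    if traits:
        return ("suspicious", "heuristic: " + traits[0])
    return ("clean", "no signature or heuristic hits")


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("variant", VARIANT),
                         ("one-trait", ONE_TRAIT), ("benign", BENIGN)]:
        print(name, signature_scan(sample), verdict(sample))
```

Only the exact known file matches the signature; the variant is caught solely by the heuristic rules, which is the zero-day gap the article describes.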

A new problem enters: advanced persistent threats

Alas, it’s still not time to breathe a sigh of relief. Heuristic tools are pretty amazing, and even signature-based tools are good for keeping old threats at bay, but cybercriminals are increasingly using more “long-game” tactics to gain ground.

Let’s think like a cybercriminal for a moment. Rather than hacking into a target device afresh every single time you want to access it, surely it would make more sense to install a long-standing vulnerability that gives you a constant backdoor into that device whilst eluding heuristic antivirus measures. Enter: APTs.

What are Advanced Persistent Threats (APTs)?

APTs are long-acting vulnerabilities that sit in the background on a device and can potentially provide long-term backdoor access to cybercriminals. They can sneakily stay under the radar for an extended period of time and can be used to exfiltrate data, spy on a device’s operations, spread malware, or generally cause disruption.

Persistent threats are carefully developed to evade detection, especially once they’ve taken root, usually by masquerading as legitimate processes or by taking small, inconspicuous steps towards their goal. Antivirus software has to make thousands of calculated decisions every minute, and when an unusual action is deemed insignificant enough, the antivirus will sometimes err on the side of user productivity and simply ignore it. But over time, these small steps add up!

APTs can sometimes even set up shop in a device’s RAM and operate completely filelessly, making detection by antimalware agents even harder.
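The “small steps add up” problem above is the reason detection teams score low-severity events cumulatively per host rather than judging each one alone. The following added example (not code from the article or from any MDR product) does exactly that over a constructed endpoint event log: every event weight is below the alert threshold on its own, so a per-event check never fires, but a seven-day sliding window per host does. Event names, weights, the threshold and the window are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry categories with risk weights. Every weight is below
# ALERT_THRESHOLD, mimicking actions an AV would dismiss as insignificant.
EVENT_WEIGHTS = {
    "new_scheduled_task": 2,
    "new_run_key": 2,
    "outbound_to_rare_domain": 3,
    "encoded_powershell": 3,
    "lsass_handle_open": 4,
}
ALERT_THRESHOLD = 6          # no single event can reach this
WINDOW = timedelta(days=7)   # how long small steps are remembered

# Constructed event log: (ISO timestamp, host, event name).
EVENTS = [
    ("2021-01-11T09:02:00", "ws-12", "new_run_key"),
    ("2021-01-12T14:30:00", "ws-12", "outbound_to_rare_domain"),
    ("2021-01-15T08:15:00", "ws-12", "new_scheduled_task"),
    ("2021-01-03T10:00:00", "ws-40", "outbound_to_rare_domain"),  # outside window
    ("2021-01-13T10:00:00", "ws-40", "new_scheduled_task"),
]


def single_event_fires(name: str, threshold: int = ALERT_THRESHOLD) -> bool:
    """Per-event check, the way a productivity-biased AV would judge it."""
    return EVENT_WEIGHTS[name] >= threshold


def score_hosts(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Highest cumulative score inside any sliding window, per host.

    Returns {host: (peak_score, alerted)}."""
    per_host = defaultdict(list)
    for ts, host, name in events:
        per_host[host].append((datetime.fromisoformat(ts), EVENT_WEIGHTS[name]))
    results = {}
    for host, evs in per_host.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop events too old
                start += 1
            peak = max(peak, sum(w for _, w in evs[start:end + 1]))
        results[host] = (peak, peak >= threshold)
    return results


if __name__ == "__main__":
    print(score_hosts(EVENTS))   # ws-12 alerts, ws-40 does not
```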

New Horizons: Managed Detection & Response (MDR)

So if you can’t rely on signature databases and you can’t rely on behavioural analysis, where can you turn? Cybercriminals have more automation tools and boots on the ground than ever before. But thankfully, so do the good guys. This is where services like managed detection and response (MDR) come in.

MDR is a managed-for-you threat hunting service which actively watches out for persistent and elusive threats which may have already crept past your radar and set up shop on your devices. Antivirus tools and firewalls are essential preventative measures, but MDR tools give you a lifeline once a persistent vulnerability has already taken hold.

However, MDR services are much more than a faceless, automated tool. As the MDR software monitors and uncovers new potential threats, it informs a specialist human threat hunting team who personally investigate each new vulnerability in depth and provide the client with custom instructions for removal.

This one-to-one approach, led by human intelligence, is where we feel MDR services really shine.

Huntress Managed Detection & Response (MDR)

Huntress is Just Cyber Security’s MDR platform of choice simply because we feel it’s the best on the market. Huntress was developed by former NSA security technologists who take a personal and proactive approach to hunting down new malware and indicators of compromise.

You might think it’s expensive to get NSA level security intelligence in your corner, but it’s not. Huntress is available for less than 7p a day, per device! Huntress won’t get in your way, either; its light-touch software agent often takes up less than 1% of a device’s processing power.

So Huntress won’t slow you down and it won’t break the bank, but it will give you the upper hand against cybercrime and data breaches.

You’re in safe hands with our cyber security team