Generally, most people believe that if they have some anti-virus scanning tool on their device, it is completely safe against any malware getting into the device. Enterprises believe that the antivirus scanning tool alone is good enough to keep malware out of the corporate network. The following cases show how far we are from the truth and how sophisticated malware has become at escaping these signature-matching tools and still going ahead to infect the device and the corporate network.
In January this year (January 2013) the New York Times revealed that it had been the victim of a China-based cyber-attack campaign that had been going on undetected for the previous four months. The attackers first broke into one account using spear phishing and, using that access, got into the accounts of 53 Times employees. As soon as they broke in, they installed malware, the malicious software, that enabled them to gain access to the Times network and to more employees and accounts. In almost the same fashion, Bloomberg News was targeted last year and some employee accounts were compromised.
In both attacks, the attackers had installed malware on the network to spy on data; in the Times case they installed 45 such pieces of malware and, very interestingly, only one of them was detected by Symantec, the leading anti-virus provider. Don't misinterpret the data: the Symantec product is completely fine, and any other antivirus would not have recognized them either.
Malware is getting very advanced in its use of technology. Anti-virus relies on known signatures: it scans the device for byte patterns that match malware seen before, but cybercriminals now have too many different methods at their disposal to modify an executable. One such technique is compression, which was mainly intended to help application developers reduce the size of their program files to ease distribution. Now the same technique is used by malware creators to obfuscate the contents of the executable, so that they can modify their code and bypass signature-based antivirus software. There are many such advanced techniques by which malware can easily masquerade and get into the corporate environment via these devices even though anti-virus software is installed on them.
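As an added illustration (not part of the original post), the following Python script shows why a compressed (packed) executable body slips past a byte-pattern signature while its entropy gives a defender a different handle. The sample body, the marker string standing in for an AV signature and the 6.0 bits/byte threshold are all constructed assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter

# Assumption: this marker stands in for the byte pattern an AV signature keys on.
SIGNATURE = b"EVIL_MARKER_STRING_v1"


def build_sample() -> bytes:
    """Constructed 4 KiB 'executable' body: hex digits (only 16 distinct byte
    values, so low entropy) with the marker embedded in the middle."""
    body = b"".join(hashlib.sha256(b"seed%d" % i).hexdigest().encode() for i in range(64))
    return body[:2048] + SIGNATURE + body[2048:]


def signature_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature check: does a known byte pattern occur in the file?"""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pack(data: bytes) -> bytes:
    """Stand-in for a packer: the body is compressed, so every byte changes.
    Assumption: a real packer also prepends an unpacking stub; omitted here."""
    return zlib.compress(data, 9)


def looks_packed(data: bytes, threshold: float = 6.0) -> bool:
    """Heuristic a scanner can use besides signatures: high entropy means the
    content is packed or encrypted. The 6.0 threshold is an illustrative assumption."""
    return shannon_entropy(data) > threshold


def analyze(data: bytes) -> dict:
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "signature_hit": signature_match(data),
        "entropy": round(shannon_entropy(data), 2),
        "packed_heuristic": looks_packed(data),
    }


if __name__ == "__main__":
    original = build_sample()
    packed = pack(original)
    for label, blob in (("original", original), ("packed", packed)):
        print(label, analyze(blob))
```

The packed copy carries the same payload yet has a different hash and no longer contains the signature bytes, which is exactly what a signature-only scanner misses; the entropy heuristic flags it anyway.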
Another instance: BYOD devices managed by an MDM are not safe from malware either. Secure MDM containers can be bypassed easily to install malware. This can be done by publishing a seemingly innocent app in the Android market; once this app is installed, it refers to the malicious code, which is then downloaded and creates a hidden binary that works as the malware or Trojan, whose presence the MDM has no way to detect. It is a little tougher to inject malware in the iOS scenario, but not impossible either: the attacker has to install a signed app on the targeted iOS device using an enterprise developer certificate, then use a jailbreak exploit to gain root access, inject the malicious code into the container, and finally remove all traces of the jailbreak.
This does not mean that MDM is not useful, but it again proves my point that multiple layers of security are required. No wonder Symantec is stressing the importance of additional layers of security, again showing the importance of "behavior-based" blocking and informing all of us that "antivirus software alone is just not enough". Symantec was right in saying that antivirus alone cannot protect an enterprise network from malware, no matter how sophisticated or advanced the signature-matching algorithm is, and that one should look for tools that inspect network traffic to detect anomalies and catch malware there by its behavior.
To summarize, no enterprise should rely solely on antivirus detection, especially with respect to BYOD devices, as they keep going out of and coming back into the enterprise and can easily pick up such malware. Also, cybercriminals now have too many different methods at their disposal to disguise malware inside any of the apps users install, and to find a way into the enterprise without leaving any clues or footprints for the anti-virus scanning tools to detect. It is time for CISOs to push their organizations to add additional layers of security on top of anti-virus systems. One could be detection of all devices on the network; another is whitelisting of the apps allowed in the enterprise; yet another is tools that watch network behavior for anomalies and unusual activity in order to recognize malware.
PS: Reproduced from i7nw blogs with permission.