Installing and updating an antivirus program is understandably drilled into us. Younger Internet users will not remember a time without antivirus programs and the constant background threat of malware and phishing attacks, forcing us to be wise with our digital security. Just as there are many ways to infect your system, so there are numerous antivirus programs who deign to keep your system secure, safe, and sheltered.
Antivirus programs offer largely the same bundle to their users: system scans, real-time protection, quarantining and deletion, process scanning, and so on. Modern antivirus software packages also utilize heuristic analysis of files and system processes, whereby the antivirus can recognize a pattern of behavior common to suspected malicious material, and put a stop to it.
Antivirus can do all of these things. In some cases, it’ll stop the attackers at the door. In others, it’ll assist with the clear-up operation. But what doesn’t your antivirus take care of? Which aspects of your antivirus could leave you or your business exposed, even when you’ve installed and updated?
The significant increase in personal devices such as smartphones, tablets, and laptops has created a vulnerability in network security somewhat outside the traditional control of antivirus software.
Many businesses operate Bring Your Own Device (BYOD) schemes in the workplace, allowing their employees to bring personal devices into the business environment. Any employee device harboring a virus could spread their own infection throughout the local network. Similarly, a guest connecting to your home network in similar circumstances could see your own devices infected.
Businesses can mitigate BYOD vulnerabilities by tightening their network security, upgrading to a dedicated Firewall service, patching security holes and updating vulnerabilities. It may also be prudent to enforce a company-wide antivirus and malware scan for new and existing devices, using a company-approved application.
However, it is in some ways more difficult for home users to stop compromised devices entering their personal network. Short of espousing the importance of network and system security to everyone that enters our homes, we can only hope the people around us are sensible, and alert to potential threats. Unfortunately, this isn’t always the case.
Along with the potential BYOD vulnerability, an insider threat might act from within your walls, exploiting their internal access to your network. If someone on the inside of your organization decides they want to deliver a nasty surprise to you and other colleagues, they very well might succeed. There are different types of insider threat:
- Malicious insiders are somewhat rare, but usually have potential to cause the most damage. Administrators can be especially risky.
- Exploited insiders are usually tricked or coerced into providing data or passwords to a malicious third-party.
- Careless Insiders are those who click without thinking, perhaps opening a cleverly (or not!) designed phishing email, spoofed as a company email address.
Insider threats are particularly difficult to mitigate against as there is no single pattern of behavior to potentially expose an upcoming attack. An attacker may be driven by multiple reasons:
- IP Theft: Stealing intellectual property from an organization or individual.
- Espionage: Uncovering classified or sensitive organizational information, trade secrets, intellectual properties or personal data to gain an advantage or use as a basis for coercion.
- Fraud: Appropriating, modifying, or distributing organizational or personal data for personal gain.
- Sabotage: Using internal access to levy specific system damage.
In a world where data reigns supreme, individuals in and out of the workplace now have greater access to critical information and critical systems, as well as a host of outlets to leak information to. This places trust at the forefront of the security battle, relegating antivirus software to a backup, endpoint role.
“The U.S. economy has changed over the past 20 years. Intellectual capital, rather than physical assets, now represent the bulk of a U.S. corporation’s value. This shift has made corporate assets far more susceptible to espionage.”
Understanding the threat landscape is just one aspect of the battle against insider threats, and is by no means the last!
Advanced Persistent Threats usually pass undetected, waiting for the right moment to strike. The malware or virus could be introduced to a system weeks or months before becoming operational, laying dormant, awaiting instruction from a remote controller. APTs are usually the signature of an advanced team of professional hackers, potentially working as part of a larger organization or with a nation-state backer.
A malicious entity deploying an APT will typically attempt to pilfer intellectual property, classified or sensitive information, trade secrets, financial data, or anything else that could be used to damage or blackmail the victim(s).
A typical example of an APT is a Remote Access Trojan (RAT). The malware package lays dormant, but when activated, offers a remote controller operational privileges to gather as much information as possible before detection. However, it is the detection that becomes difficult. The RAT usually contains advanced network protocols to establish communications with the remote controller. Once a communication channel is established, the information being passed doesn’t contain any actual malware or malicious code, leaving antivirus software and some firewall services completely in the dark.
Here are a few basic APT detection methods:
- An increase in late-night elevated log-ons. If your workforce is active during the day, but you close the office at night, a sudden surge in late-night administrator access could be the sign of an ongoing operation.
- Network wide backdoor Trojans, of similar variety. The APT hackers may have installed a wide range of Trojans throughout the local network, granting access to your system if their primary attack vector is discovered. You shut down and clean one system, but they already have access to the one next to it.
- Large or unexpected data transmissions, coming from unexpected sources, being transferred to an unexpected or undiscoverable end address.
- The discovery of unexpected data collections, of data that shouldn’t be concentrated in a single location. It may also be have been archived with an unused or obscure archive format.
- A higher-than-usual number of reported spear-phishing attempts. If someone has mistakenly clicked, it could be worth checking the other signs.
Core to picking up an attempted or ongoing ATP attack is understanding what your data flow looks like prior to any suspected issues, so it is worthwhile taking a moment to understand some of the finer-points of your network.
Attackers are savvy. Before unleashing a new malware variant any would-be attacker will thoroughly test their application against common and advanced antivirus software to make sure it won’t fall at the first hurdle. As with most forms of development (and indeed, life), why go to the trouble of developing the malware, taking precautions to protect their identities, curating an extensive range of attack vectors, only to be immediately shot down?
— McAfee Labs (@McAfee_Labs) March 25, 2016
PandaLabs, creators of Panda Security, detected and neutralized more than “84 million new malware samples throughout 2015” – nine million more than 2014. The figure means there were more than “230,000 new malware samples produced daily” over the course of the year. Earlier last year Symantec announced similar findings, though their daily figure was significantly higher, coming in at around 480,000 per day, while AV-TEST estimate total malware instances have risen from under 400 million, to over 500 million in the period April 2015 to March 2016.
Spike in online extortion, misuse of smart devices and mobile malware growth are just some of the predictions for 2016 #Trendtechday16
— Trend Micro UK (@TrendMicroUK) March 10, 2016
While the numbers vary, the growth and underlying significance is very real. Malware developers are constantly updating and releasing malicious code, tweaking their packages to exploit vulnerabilities as they are discovered, and long before they are patched.
Do You Need Antivirus?
In a word, yes. Although many security researchers contend antivirus is becoming an endpoint, only useful for removal, your system should still have a base level of protection. Depending on your activities, you’ll likely know whether you need something more advanced, but riding the Internet waves without a wetsuit could leave you feeling cold.
It isn’t enough just to “have” the antivirus either. Update it regularly. Security companies are constantly updating their signature databases and, as with the numbers of new malware appearing increasing, you’ll want at least attempt to remain ahead of the curve. So, keep it running, and you’ll at least catch some of the already known attackers knocking at your door.
Do you obsessively update your antivirus? Or do you brave the Internet without protection? Let us know below!