In this edition of Hack Naked TV we discuss AV an how we fail to implement it correctly in our environments.
Links for this episode:
A couple of weeks ago Tim Tomes and I worked with Rob Lee to set up a realistic APT exercise for the new and improved forensics track. As part of this lab we had to choose an AV vendor to implement a more realistic sense of a defended network. Rob chose McAfee because the vast majority of people polled used McAfee in their organization. But I want to submit that it would not have mattered much which traditional out-of-the-box blacklist AV product was used.
I want to spend a couple of moments and explain why. You see, Tim and I regularly perform penetration tests for organizations. One of the key activities we undertake as part of any penetration test is bypassing the AV of the target organization. We do this because this is what the bad guys do. There are a whole range of different tools and techniques that can be used to bypass traditional blacklist AV products. Many are built into exploitation frameworks like the Social Engineering Toolkit or into Metasploit. And many are very, very easy to use. It is not elite-hacker-wizard magic. We do not spend hours on it. We do not lose sleep over it. In many situations it can take us less than an hour.
Many of my former students of SANS 504 and 560 have seen the article posted by Rob and have asked me if there is something wrong with McAfee and if they should they replace it. The answer is "no" on both counts. I also know there are vendors who would like to capitalize on Rob's previous article to show how their product is superior in every way and will use it to steal customers from McAfee. I hope there is a place in info-sec hell for any vendor who does this.
McAfee has been awesome through this process. It takes tremendous guts to put their product on the line like they did. They have been supportive through the whole process. The even made a number of recommendations on how to tweak their products to help slow the type of attack we launched. Check it out at Robs blog.
You see, the issue here is not that one AV vendor is better than the rest. It does not work that way. Rather, there is a problem with the way we are implementing our defensive architectures. I think many organizations look at AVs place in their environment incorrectly. Many believe that if AV is installed then their systems will be protected against all forms of malware. This belief and worse, the actions taken based on this flawed belief, is one of the core reasons why so many organizations are getting compromised so easily today.
Let’s use an analogy. Traditional blacklist AV is very much like an immunization. You get shots as a child and boosters as an adult to protect you from things like Small Pox, Polio, Measles, Tetanus and a whole host of other evil pathogens that would seriously curb your life span and ruin your day. Because you are immunized against a whole list of evil germs, it does not mean you can undergo risky behavior. You cannot swim in a cesspool. You should not, I repeat NOT eat the bologna sausage in the fridge that is 3 months past its prime. Trust me, I know. Being healthy means being immunized and undergoing other health behaviors like washing your hands and not attending raves with lepers.
Think of your defensive layers in your organization for a moment. How many layers of defense do you have from the outside in? Let’s see, a firewall, IDS/IPS, DMZ and NAT just to name a few. Now, if a user surfs the Internet (think rave with lepers) how may layers of defense do you have? For the vast majority of organizations there is only one layer of defense, AV. And this is one of the things that Rob wanted to demonstrate with this lab. If an attacker has to bypass just one layer of defense, they will.
So when we think of our defensive architectures, we need to make an assumption that every single component can (and will) fail at some point. We need to start looking for mitigating technologies that will step in if something like AV fails. There are a whole lot of things we could have done to make the target lab more secure.
Below are just a few:
We could have implemented protocol inspection.
We could have implemented Internet whitelisting.
We could have upgraded all of the systems to Windows 7.
We could have implemented segmentation between systems.
We could have implemented application whitelisting.
We could have implemented the full SANS 20 critical controls.
We could have monitored the users for multiple logons from multiple systems.
We could have enabled SSL inspection.
We could have monitored, alerted and reacted when a new domain administrator account was created.
We could have restricted user access to public email sites.
But we didn't, because the vast majority of organizations today don't.
Links to cool stuff our awesome sponsors are providing:
Check out Log Logic:
Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here
Check out Halo from Cloud Passage:
CloudPassage offers a free Basic version of Halo that includes extensive cloud security features, such as host-based firewalls, vulnerability management, security event alerting, server account management and intrusion detection. Halo works with any cloud provider and makes server security portable across environments. The convenient Halo portal allows you to manage all your security from one screen, whether it's in public, private or hybrid clouds – even traditional data centers.
Check it out here