Crashing the AntiVirus Party

Another week, another headline involving a significant data breach.  This week’s leading headline is another fine example of the power of malware as a tool to burrow in to individual and corporate systems to harvest  information.  The case outlined here show a broad-based stealth attack that went on for 18 months and impacted hundreds of companies by capturing data, transaction records, passwords and more!  This continues to build on the trend of cybercrime:  Gone are the days of smash-and-grab one-time break-ins.  Today’s cybercrooks like to break in quietly and find a nice, comfortable way to “stick around” in the infrastructure looking for opportunities to gather data or perhaps subvert control of the system for other uses (such as spam generation or denial of service).  Obviously, this can be a massive problem.  And it is proving lucrative.

While the intentions and modus operandi of cybercriminals are evolving, the problem of malware is not new.  The industry has been fighting viruses and the like for nearly as long as there have been computers.  In recent years, the problem has grown to epidemic proportions as access to technology and worldwide connectivity (thank you Internet) has grown.  Sure the growing abundance of malware is feeding the problem.  Recent estimates by companies such as Symantec are now estimating that there is more malicious software developed than “good” software. This is driven partly by profit, as I noted, cybercrime can be lucrative thanks to a robust underground market. It is also significantly driven by the ease of finding unwitting victims to both the simple scams (“Hi there Mr. Minister from some remote country offering me a share of millions of dollars”) to the elegant and sophisticated social engineering using hacked or spoofed email accounts or undetectable “drive-by downloads” .  There is no question that people are a huge part of the problem, but only part of the problem.

The other part of the problem is the way we try to implement the solution today.  Most companies count on antivirus as their primary tool to stop the malware threat. It works on a principle of blacklisting. Once a virus (or many other types of malware) is found by the many researchers of the antivirus community, it is analyzed and a “signature” for that virus is developed.  The virus signatures are added to a database that is the underpinnings of the antivirus software packages.  When you are “updating your antivirus software” you are usually getting updates to the signature database so that your local engine can recognize the latest. The AV software monitors code on your system and will quarantine or block any of these signatures that try to execute on the system—hence the term blacklist. This has been relatively effective for a long time, but the barbarians at the gate are gaining an edge.  There are two big factors working against the future success of this approach

The first is the delay between the release of the malware and the detection, analysis, signature development and distribution/update of the signature.  This delay can be quite long, depending on how often one updates their antivirus.

Second, and perhaps more challenging is that malware developers know this process, and have made themselves a much more formidable foe through the use of some new techniques.  The first one is encryption: malware can have portions of its code encrypted making it impossible or difficult for the antivirus community to analyze. Another challenge is that some new malware has the ability to “self-morph” or randomly alter its code structure so that even once it is analyzed it can change such that it will no longer match the signature developed for it.

As you would expect, this creates a major challenge for a model predicated on stopping “known bad” code.  All too often, we can’t know that the code is bad until it is too late.  This model is akin to the terror watch list used in the air transportation system.  Here they are looking out for proven or suspected persons that are a threat to the system.  This generally works and is probably the only sustainable method for working in such a public facility.  But when the threat can be most grave and the circumstances are altered, then different types of security evaluations are done. Consider the case of presidential or congressional events. Some recent high profile snafus aside, here the government uses a different method of control.  For such events, they take the opposite approach. Instead of only stopping “known bad” elements from access, the approach is to only allow “known good” persons to access the event, through the use of background checks, interviews and invitations.

This different model can generally be referred to as whitelisting. This concept is gaining some measure of favor in IT today as they struggle to keep up with the growing threats highlighted above. Whitelisting has its challenges too: after all, few companies could accurately list every piece of software or firmware that is allowable or in use in their enterprise.  The question is: how can one use this and still get value?  That is where Intel® Trusted Execution Technology (Intel® TXT) can help.

Intel® TXT provides the ability to create and enforce the evaluation of the launch environment of a platform.  It provides limited scope (launch time evaluation, not full run time and evaluates the environment only up to the launch of an enabled OS or Hypervisor) so that IT does not have to maintain a catalogue of all possible software. While this scope might sound limiting at first blush, the reality is that it provides valuable additional protection in two basic aspects. First, the protection focus here is indeed on the very foundational components of the system software stack—where damage could be greatest. Additionally, remember that runtime malware like AV only catches a certain percent of malware—even on the most up-to-date systems. Intel® TXT can help limit its damage by providing an opportunity to catch it upon re-launch of the environment. This is particularly helpful given the long-term nature of modern attackers.

With malware that is trying to gain root-level access and control of a system (such as a rootkit), a function like Intel® TXT is added value in that it is evaluating the launch environment and is able to detect when such software tries to launch before the OS or hypervisor.  Since this malware code will be in the flow, it will no longer match the “known good” configuration and it can be blocked form executing. Control of the system can be preserved. In our presidential event example, Intel® TXT would be the equivalent of Secret Service checking the approved invitee list and would prohibit uninvited and unscreened guests from crashing the event.

AntiVirus does work, and it is advisable to use it and to keep it current. But it is not enough.  It is becoming less effective over time, so it should be complemented by other techniques and tools to address the gaps in protection that are inevitable as technologies and use models evolve.  In the end: new use models allow new threats which require new defenses.  TXT helps meet that need for new defensive capabilities, providing a whitelisting-based model of platform evaluation and control at launch time that is a complementary layer to the blacklisting-oriented models already deployed.