Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

MITRE Security Tests Reveal Built-in Advantage of First-Gen Antivirus Vendors (esecurityplanet.com) 17

Slashdot reader storagedude writes: The MITRE cybersecurity product evaluations use adversarial attack techniques instead of basic malware samples, and as a result are the best tests of enterprise security products — particularly in light of dramatic recent attacks on SolarWinds and Colonial Pipeline.

What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:

"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.

"In cybersecurity, experience still counts for something."

This discussion has been archived. No new comments can be posted.

MITRE Security Tests Reveal Built-in Advantage of First-Gen Antivirus Vendors

Comments Filter:
  • by theshowmecanuck ( 703852 ) on Sunday May 16, 2021 @11:50AM (#61390530) Journal

    "In cybersecurity, experience still counts for something."

    The rest of the industry however suffers severely from ageism. Not surprising when the silver bullet means everything. Even when studies show older IT workers are actually the most flexible and cope with change better [cio.com], because they've learned about how to get around issues and don't expect that everything will just work; and other things like you can't release something unless it passes all the dogma tests (ignoring that if it isn't out the door, the company is losing money on it, rather than making it). I think it should be obvious that this is part and parcel with the surprise this article seems to express. Experience always counts.

    • Corporations like it when the *company* has age and experience, not the *worker*. Minor oversight.
    • It does seem that in tech, there's a bias, if you will, towards the new and flashy, the hottest, the latest, the startup claiming AI and unicorn status and an intelligence background, and all that, so when an established company that's best known for its consumer heritage beats the heck out of those newcomers, yeah, that's surprising, and maybe it shouldn't be. And part of that blame goes to the users who hype a newer product based on its awesome GUI rather than what's under the hood. An older product is go
  • Arms Race (Score:4, Interesting)

    by ytene ( 4376651 ) on Sunday May 16, 2021 @12:24PM (#61390604)
    We've long known that the world of White Hat vs. Black Hat has become a sort of cyber arms race.

    I wonder if we're approaching or maybe have even reached the point where malware authors [not nation state, but traditional cyber criminal gangs] are reverse-engineering these common products to look for feature gaps that they can exploit?

    For example, [happy to be corrected] my understanding is that modern AV systems use at least three basic methods of malware detection:

    1. Pattern Matching - where the product has a database of malware signatures and scans files against this "known bad" list looking for matches...
    2. Heuristics - where the product performs the equivalent of "fuzzy matches" against code; less reliable, but it's looking for something that approximates to "known bad"...
    3. Behavioural - the most sophisticated but potentially risky - where the product "watches" executing code in real time and alerts/blocks code that begins to act in suspicious ways...

    We've known for a long time that malware authors have developed work-arounds for the better known AV and anti-malware products. As these software packages get more advanced, the attackers are going to use more and more sophisticated techniques to work around them...

    Years [and years] ago, I came across a piece of software that was protected by a solution so invasive that I couldn't get the software to load or run. Armed with a few basic tools [mainly I was using a real-time debugger] I decided to step through the code to see if I could figure out what it was doing. One step involved loading a 256-byte sector from disk as a data block, then perform a series of byte-level transformations on the data. Because I was running the code in the debugger, I was able to "see" the data from the sector as it was manipulated. During one such byte-wise operation [in the middle of several] the seemingly random characters in this sector were transformed by a simple XOR transformation to the text, "Does your mother know you do this?".

    I remember it well, mainly for the fact that it made me laugh out loud at the time.

    But it's a good example of a counterpoint to the observation made by the OP... That otherwise innocuous message could equally easily have been a short block of malware, dressed up to look like data, loaded in to RAM like data, then converted back to executable code with a trivial loop of code.

    My hunch is that as our OS platforms evolve, the sort of protections we see given to the OS and drivers [i.e. digitally signed code] is going to become the norm, that we're going to see much more emphasis placed on chain-of-trust solutions, of OS code-loading routines for which the default is to check signatures and maybe even to allow us to tailor system level access on the degree to which we can trust code. We're already at the point where micro-virtualization is pretty much an OS feature now, where everything runs in a detonation chamber and/or has to be affirmatively trusted. Or at least, we should be.

    Expect more attacks against the actual software vendors, especially targeting code-signing solutions.
    • A security vendor hired by my workplace loves to pass out scary security training materials that begin with something like "To make a secure computing environment, the first option is get rid of the users." which may be a poor attempt at humor but which also obliquely refers to firing everyone. "The next option is to train them." which they proceed to largely fail to do. No mention whatsoever of candy drops yet I alone have found four thumb drives in our parking lot in a year. Dude. Come on. What good is

  • where experience is not an advantage.

    And I'm not talking about the mythical 20-something or 30-something CEO. I'm talking about the 40 or 50 year old engineers and designers and managers whose names you likely will never hear who make the trains run on time.

    • Ideally you want something that goes back about 10-20 years. Any older and it's a massive clusterfuck of patches on patches on hacks for hardware and OSes that haven't existed for decades. Any newer and it's a dogpile of every programming fad and trend that's turned up recently, barely functioning under the weight of its own hipness.
  • Be nice if the "old-guard" put some of that expertise into a UniFi Dream Machine Pro. That's where it's really needed covering every machine connected. Plus the modern internet very hostile and needs high grade security.

  • I was sharing an office with the computer virus research group in the academia back in 1996. All of them went to work for those first gen vendors.

    They already had code which did behavioural analysis and picked malware by single-stepping through it and picking "typical virus" patterns then. 25 years ago. As this was long before the days when IPR became a thing, they took their work with them to the anti-virus vendors. In fact, they were hired for it (and with it).

    If this was available then, there is no reason for it not to be deployed now.

    • They already had code which did behavioural analysis and picked malware by single-stepping through it and picking "typical virus" patterns then.

      Was TBAV (Thunder Byte Antivirus) the first one commercially deployed with such capabilities? I'm not sure I remember exactly which was the one

      Any way, viruses pretty quickly moved onto finding way to have different behaviour when ran inside such simulator and then on the real OS (beginning with things as simple as checking the time, and then moving onto more complex as the cat-and-mouse game between antivirus developpers and virus writers went on).

"Imitation is the sincerest form of television." -- The New Mighty Mouse

Working...