
Malware Mythbusting


"Cutting through the FUD of the Anti-Malware industry to expose some home truths about the real world of independent testing, the state of the threat and the solutions that actually work."
BSides London 2016 Presentation #BSidesLDN2016



  1. Malware Mythbusting: Lies, Damn Lies and Linguistics
     MalwareMyths.com @carlgottlieb
     08/06/2016 - Copyright Cognition Secure Ltd 2016 - PUBLIC
  2. Carl Gottlieb
     • Technical Director, Cognition (InfoSec VAR)
     • Podcast host
     • 15 years as an InfoSec tech consultant
     The Malware Riddle
     • Vendors claim to be great
     • Testers confirm it
     • Most orgs use multiple layers of best-of-breed tech
     • But malware infections are growing in impact
     • What's going on?
  3. Myth #1 – You Don't Need AV
     Myth – You Don't Need AV
     • AV is pointless – too easy to bypass
     • You're an OPSEC god
     • You've got a Mac
     • AV increases the attack surface (you're a smart arse)
     Reality – You Do Need AV
     • The real world: next-gen AV is seriously good
     • We all make mistakes
     • Macs have joined the malware party too
     • The pros outweigh the cons. End of.
  4. Myth #2 – AV is Dead
     Myth – AV is Dead
     1. "AV is dead", "Prevention is dead"
     2. You can't rely on static analysis
     3. 0-days require dynamic analysis
     4. You need Pretence Defence in Depth
     5. You need to buy more stuff
     Reality – AV is alive, but very sick
     1. We all still need AV and we all still buy it
     2. Vendors are doing a bad job
     3. AV is cheap for a reason
  5. Myth #3 – "Next-Gen" AV is Snake Oil
     Myth – "Next-Gen" AV is Snake Oil
     • New tech isn't perfect – so stick with what you know
     • It can't possibly work
     • It's just VirusTotal in an engine
     • Next-gen is BS
     • Detection relies on internet access
     • Complexity = effectiveness
     Reality – "Next-Gen" is AV that works
     • You can do a lot better
     • Next-gen vendors don't use VT
     • Offline detection is a thing
     • The best products are simple
     • Behavioural analysis is risky and flawed
     • You can have cheap or you can have good
  6. Myth #4 – Trust the Experts
     Myth – Trust the Experts
     • We're better because…
     • We scored 100% in test XYZ
     • Never pay the ransom
     • A false positive is worse than a false negative
     • APT APT APT
     Reality – Trust No One
     • Vendors know very little about their competitors
     • Many SEs (vendor sales engineers) can't touch malware
     • Everyone is biased
     • Gang rivalry is fierce
     • 0-day != APT
     • Focus on your own threats and risks
  7. Myth #5 – Trust the Testers
     Myth – Trust the Testers
     • Independent testing is the answer
     • Real-world testing
     • Random samples
     Reality – Trust No One
     • Be sceptical
     • Follow the money
     • "Real world" is anything but
     • Don't trust anyone
     • Test products yourself, for your own org
  8. Testing – Signs of Dodginess
     • Motivation and finance -> bias
     • Personal opinions – e.g. "It looks like they try to avoid getting tested in order to continue to attract users simply by unproven marketing claims." (AV-Comparatives)
     • Perfect scores
     • Irrelevant methodologies and scoring
     • Using VirusTotal as the source of malware samples
  9. 2016 Examples of Bad Testing Methodology
     • Samples
       • Tiny sample sizes
       • Excluding ransomware
       • Excluding custom packed or custom-made malware
       • Non-corporate greyware
     • Configuration – using the wrong version of the AV product
     • Usability – number of false positives as the sole measure
     • Performance testing – dropping 15,000 exe's into a directory
     • Detection
       • Testing Mac malware on Windows
       • Known malicious URLs only (what about USB, email, watering-hole websites, network shares…?)
       • Excluding malicious use of legitimate admin tools, e.g. PsExec
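The "perfect scores" and "tiny sample sizes" points on slides 8 and 9 are really the same point: a detection rate is only as meaningful as the number of samples behind it. The following is an added example, not part of the deck or any tester's methodology, and it goes a step beyond the slides by putting a 95% confidence interval (Wilson score interval, z = 1.96) around a reported score. The sample counts (20, 2000) and scores are constructed scenarios chosen for illustration, not figures from any real test report.

```python
"""Added example: how much a published detection score actually tells you.

Not from the talk. Assumes a tester reports k detections out of n samples and
nothing more, and uses the Wilson score interval at 95% (z = 1.96).
"""
import math

Z95 = 1.96  # standard normal quantile for a 95% two-sided interval


def wilson_interval(detected: int, total: int, z: float = Z95) -> tuple[float, float]:
    """95% Wilson score interval for a detection rate of detected/total.

    Unlike the naive p +/- z*sqrt(p(1-p)/n), this does not collapse to a
    zero-width interval when a product scores 100% (or 0%) on a small set,
    which is exactly the case a "perfect score" headline relies on.
    """
    if total <= 0 or not 0 <= detected <= total:
        raise ValueError("need 0 <= detected <= total and total > 0")
    p = detected / total
    z2 = z * z
    denom = 1 + z2 / total
    centre = (p + z2 / (2 * total)) / denom
    half = z * math.sqrt(p * (1 - p) / total + z2 / (4 * total * total)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def distinguishable(k1: int, n1: int, k2: int, n2: int) -> bool:
    """True if two products' 95% intervals do not overlap, i.e. the test can
    actually rank them. Overlapping intervals mean the ranking is noise."""
    lo1, hi1 = wilson_interval(k1, n1)
    lo2, hi2 = wilson_interval(k2, n2)
    return hi1 < lo2 or hi2 < lo1


def min_samples_for_perfect_score(target_lower: float, limit: int = 100_000) -> int:
    """Smallest sample set on which a 100% score proves a true rate >= target_lower.

    For p = 1 the Wilson lower bound reduces to n / (n + z^2), so this is a
    short search rather than a closed form the reader has to trust.
    """
    for n in range(1, limit + 1):
        if wilson_interval(n, n)[0] >= target_lower:
            return n
    raise ValueError("target not reachable within limit")


if __name__ == "__main__":
    # Constructed scenarios, not results from any real test report.
    for k, n in ((20, 20), (19, 20), (2000, 2000), (1900, 2000)):
        lo, hi = wilson_interval(k, n)
        print(f"{k:>5}/{n:<5} = {k / n:6.1%}  95% CI [{lo:.1%}, {hi:.1%}]")
    print("20/20 vs 19/20 distinguishable:", distinguishable(20, 20, 19, 20))
    print("2000/2000 vs 1900/2000 distinguishable:", distinguishable(2000, 2000, 1900, 2000))
    print("samples needed for a perfect score to prove >= 99%:", min_samples_for_perfect_score(0.99))
```

On 20 samples a 100% score only establishes a true rate somewhere above roughly 84%, and it cannot be separated from a 95% score on the same set; on 2000 samples the same two scores are clearly distinct, and a perfect score needs 381 samples before it even proves a 99% rate. When a report does not state n, the interval cannot be computed at all, which is the "follow the money" point from slide 7 in numerical form.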
  10. Myth #6 – VirusTotal Dropped a Bomb on Next-Gen Vendors
     Myth – VT Dropped a Bomb
     • VT "cut off" the leechers
     • This change broke the "fake" next-gen vendors
     Reality – No One Big Was Affected
     • VT scans with each vendor's command-line engine only, not the full product
     • Pay $$$ for samples
     • Integrate your engine to get results
     • Vendors have all the VT data
     • The changes at VT had no impact on the main next-gen vendors
     • Nothing has changed. No one big was affected.
  11. What You Can Do
     1. Be sceptical
     2. Be optimistic
     3. Pause any anti-malware projects/renewals
     4. Get a good VAR
     5. Get your hands dirty
