Attackers are constantly trying to download malware onto your endpoints for several purposes. Malware or malicious software is made up of several types that enable an attacker to achieve an objective. This may be to allow remote access to your network, lock down your systems and demand a ransom be paid, watch your keystrokes to capture credentials for your VPN, bank/financial institution, or several others. Top this off with a variety of endpoint protection suites with very different strategies for reducing the risk of malware and the impact on your organization.
Malware prevention solutions have evolved over time to meet the unique challenges faced by consumers, corporations and large enterprises. To start, there is a traditional antivirus solution, this is older technology but is relatively effective. Next, the Endpoint Protection Platform is the next-generation antivirus product with a heuristics engine and several other complementary features to protect the endpoint. Application Whitelisting takes the opposite approach, and allows approved software and blocks everything else. Finally, we’ll explore Endpoint Detection and Response (EDR) and their fit within the enterprise.
What different technologies are available to reduce the risk of malware?
Over time, malware has evolved and so have the prevention solutions in the market place. Each of these has been outlined below together with their unique strengths and weaknesses.
- Antivirus: Traditional Antivirus is a signature-based engine that can detect known malware and is fairly effective at preventing infection. Signature-based Antivirus technologies have been known to have blind-spots and are trivial to bypass. We have seen security researchers like Stephen Sims bypass signature-based protection by inserting a single byte into the middle of a payload.
- Endpoint Protection Platform (EPP): EPP is an endpoint solution that’s purpose is to cover multiple threats including lost or stolen devices, data loss, intrusion detection and conventional antivirus offering based on signature-based coverage. Signature-based protections recognize known malware, but may not detect zero-day or new malware that doesn’t have a signature. Later EPP solutions implement a heuristics-based engine to attempt to address this gap and look for specific actions that may be malicious.
- Application Whitelisting: Antivirus has a list of known malware and leverages signature-based rules to detect potentially malicious code. Application Whitelisting is the opposite. It has a list of approved applications and blocks everything else. This solution is not bulletproof as there may be vulnerabilities in approved applications or unexpected functions that may enable the system to be compromised, but this makes it more difficult. Application Whitelisting works best in environments with task-based processes, like web servers or specific point-of-sale (POS) devices.
- Endpoint Detection and Response (EDR): Endpoint Detection and Response is essentially a security system in an app. EDR solutions often review all information available to them within the operating system and application logs, network traffic, system activity, memory, etc. EDR systems are the most effective and the most difficult to bypass if implemented correctly. They have far more situational-awareness than conventional antivirus (AV), Endpoint Protection Platforms (EPP) and Application Whitelisting.
- Sandboxing (e.g., FireEye): Sandboxing is often a network-based control that monitors e-mail and web-based traffic to identify potentially suspicious documents. When an end-user downloads content, the sandboxing environment will run the attachments with various configurations to identify if any zero-day exploits are being used and then records everything that happens next to help clean up the initial system. Sandboxing is a great solution, but often the most expensive. Patient zero may still be compromised and may have enough time to compromise sensitive information before the solution implements rules to block the activity that was observed.
How can you select the right Malware Prevention Solution?
Selecting the right prevention solution is no easy task. There are several technologies available and navigating your requirements can prove quite difficult. For most consumers, traditional antivirus is sufficient, but Packetlabs recommends exploring solutions with heuristics-based engines to provide coverage of new malware variants that do not have signatures yet. Av-test.org evaluates vendors on a recurring basis to measure the performance of each solution based on known malware. Effective solutions have a high detection rate, and ineffective solutions do not.
Once you move from consumer to corporate, the requirements become quite different. Organizations having more than one hundred employees should review EDR and EPP solutions based on their own internal security requirements. Requirements will translate to features of the offering and it is also worth mentioning that not all products offer the same level of protection even if their marketing says they do. This is why it is important to verify the effectiveness of the solution implemented.
How do you know your endpoint defences are effective?
As you move your way out of the consumer space and into the corporate/enterprise offerings, it is crucial to test your defenses and understand their limitations. It is common for the Packetlabs team to bypass antivirus solutions during the course of our Objective-based Penetration Testing offerings. We’ve bypassed most antivirus solutions and have a lot of experience identifying weaknesses. Regardless of which system your organization makes use of, it is only effective if it is installed. It sounds simple, but it is a regular occurrence for us to find systems that do not have antivirus protection installed.
Even the most sophisticated EDR solutions are ineffective if they’re not installed on all assets. Attackers follow the path of least resistance. If there is a ‘test’ server on your network, a new laptop without EDR, or a domain controller without any protection, we’re going to find it. It is important to test the solution you implement. During each of our engagements, we try to bypass the controls in place, and find a way around the controls that are in place. It is much more cost-effective for us to find these than an attacker.
Malware Prevention solutions contain five main types including conventional Antivirus, Endpoint Protection Platforms (EPP), Application Whitelisting, Endpoint Detection and Response (EDR) and Sandboxing. There is no one-size-fits-all solution, as it largely depends on the size of your scope, the unique requirements you have, and the threats you’re up against but there are some great solutions like AV-test.org to help evaluate the performance against competing offerings. The best way to evaluate the effectiveness of your endpoint defences is to schedule an assessment and include realistic scenarios to verify your security, phishing for security explores what happens after the click, and whether or not a skilled attacker can bypass your endpoint defences. Contact Packetlabs today to learn more about how we can help!