The Apparent Inevitability Of Zero-Day Attacks On Businesses Is Farcical

By ISBuzz Team, April 28, 2017, 5 Mins Read

Anyone would think zero-day attacks are unpreventable following a recent claim from one leading cyber-security vendor. FireEye this year claimed to have discovered “29 of the last 53 zero-day attacks”. That leaves 24 exploits that went undetected, yet the figure was still presented as some kind of monumental achievement. Such a statement offers little comfort to the businesses that found themselves victims, so is it time to give up completely and let the cyber criminals take over?

It certainly feels that way, even while threats intensify and Locky ransomware rears its ugly head in new forms with renewed malevolence.

Although businesses are finally waking up to the realisation that the big players in anti-virus technology can no longer protect us, many organisations seem to regard extortion via cyber-attack as an inevitable cost of business. There is no need for this defeatism, given the level of protection now available from more innovative vendors using file-regeneration technology.

Zero-day exploits, lest we forget, are unrecognised attacks that come in a form not previously detected, and more often than not are hidden in email attachments until some unfortunate member of staff unwittingly clicks one open, triggering the download of ransomware or a massive theft of data. It is a type of crime that brings criminals serious rewards. One version of the CryptoWall ransomware is reckoned to have generated $325 million in 2015.

Unfortunately, evidence is growing that conventional anti-virus defences are simply redundant as hackers and cyber-criminals become more sophisticated. Analysis by threat intelligence experts Virus Bulletin, for instance, shows that between 2015 and 2016, detection of previously unknown threats by many of the big names in anti-virus technology decreased from a midpoint of around 80 per cent to between 67 and 70 per cent. Even detection of known threats fell from between 90 and 95 per cent to about 90 per cent.

But what really shoots the wheels off the anti-virus industry is the survey’s revelation that some vendors achieved better testing results with their free products than they did with their premium ones. What do these vendors imagine is the point of paying for a premium service that is less effective than the free one?

The Virus Bulletin analysis is no more reassuring about the security solutions specific to email offered by the likes of Kaspersky or Sophos. What appear to be high scores in eradicating spam still leave organisations wide open to zero-day threats, given the huge volumes of emails transmitted by every business on a daily basis. Hackers only need to get lucky once.

Despite this, remarkable claims are made by cyber security companies. Trend Micro has certification for 99.48 per cent protection against zero-days, “compared with a vendor average of 97.77 per cent”.

Mimecast and Symantec both lay claim to 100 per cent effectiveness, while McAfee, asserting that most zero-day threats come from the web, says it can achieve 99.5 per cent effectiveness by adding in-line file and code emulation technology to its web gateway solution.

Whatever the claims, it only takes one attack to devastate an organisation. All these technologies have, for instance, failed to prevent the recurrence of Locky, which is now in a “double-zip” form and often accompanied by the Kovter Trojan which is left behind to run click-fraud and malvertising even after organisations have paid up.

Surely everyone understands that statements about “100 per cent” effectiveness cannot be substantiated and are not borne out by the analysis? Perhaps, but we don’t have to lapse into fatalism about zero-day attacks.

Innovation and new approaches to security are available that will lock out all malware, whether zero-day or an adaptation of what has been previously detected. The fact is that email attachments are now the main vector for attacks on businesses, for the simple reason that there are billions in circulation every day and they are essential to everyday operations.

Research from respected cloud services and threat intelligence company Webroot has, for example, demonstrated that 97 per cent of malware is now unique to a specific endpoint. This renders signature-based security virtually useless, because such heavily customised malware is extremely difficult to detect.

Instead, file regeneration technology keeps every form of malware at the door. It checks that the common file-types used by criminals to hide their zero-day exploits conform to the manufacturer’s standard, conducting deep inspection of every email attachment down to byte-level. Within fractions of a second a clean, sanitised version of the file is rebuilt, which the organisation can use without any disruption to business operations.

Instead of throwing up their hands in the air or relying on claims of “100 per cent effectiveness” that they know cannot be fulfilled, organisations can use this kind of technology to regain control, setting their own policies and levels of risk in relation to the requirements of departments or employees. It is a question of only allowing the known good to enter an organisation and being fully confident that the main source of zero-day threats has been completely blocked. That is far more effective than relying on old perimeter anti-virus security, or sitting there waiting to pay up and then deal with the appalling consequences after the attack has succeeded.
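To make the file-regeneration idea described above concrete (byte-level conformance to the format specification, rebuilding a clean copy, and the "known good only" policy of the preceding paragraph), here is an added, simplified illustration for the PNG format; it is example code written for this page, not any vendor's product. The allow-list of chunk types, the sample file and the trailing junk are constructed for the demonstration.

```python
import struct
import zlib

# Policy: only structurally essential chunk types survive regeneration.
# Everything else (tEXt, zTXt, iTXt, eXIf, private chunks ...) is dropped
# unread, which is where hidden payloads and parser-abusing data usually sit.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def regenerate_png(data: bytes) -> bytes:
    """Walk the PNG chunk grammar byte by byte and rebuild the file from
    allow-listed chunks only. Any deviation from the spec raises ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, out, first = len(PNG_SIGNATURE), [PNG_SIGNATURE], True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 2**31 - 1:
            raise ValueError("chunk length exceeds PNG limit")
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk {ctype!r}")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if first and (ctype != b"IHDR" or length != 13):
            raise ValueError("file must start with a 13-byte IHDR chunk")
        first = False
        if ctype in ALLOWED_CHUNKS:
            out.append(struct.pack(">I4s", length, ctype) + body + crc)
        if ctype == b"IEND":  # anything appended after IEND is discarded
            return b"".join(out)
        pos += 12 + length
    raise ValueError("missing IEND chunk")


def accepts(data: bytes) -> bool:
    """Policy gate: True only if the file conforms and could be regenerated."""
    try:
        regenerate_png(data)
        return True
    except ValueError:
        return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a spec-conformant chunk (used only to construct the sample)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample: a 1x1 greyscale PNG carrying a tEXt chunk plus junk after IEND.
IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
SAMPLE_PNG = (PNG_SIGNATURE + IHDR + _chunk(b"tEXt", b"Comment\x00constructed metadata")
              + IDAT + _chunk(b"IEND", b"") + b"trailing junk")
```

Running `regenerate_png(SAMPLE_PNG)` yields the signature, IHDR, IDAT and IEND only; a single flipped byte in any chunk fails the CRC check and the file is rejected rather than repaired.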


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
