Antivirus isn’t dead, but you need monitoring too

Antivirus is a heck of a thing. On the one hand, security professionals love to hate on antivirus because it misses a lot of malware and increases the attack surface on a machine. We know that antivirus regularly misses Advanced Persistent Threat (APT) malware.

Our stance at Rendition Infosec is that, for the vast majority of networks, antivirus provides a benefit by quarantining commodity malware, allowing infosec professionals to concentrate on the more advanced threats in the environment. We understand the increased attack surface that results from using antivirus, but we are masters of risk assessment. We assess that in the vast majority of cases, any risk of increased attack surface is more than offset by the protection it provides from commodity threats.


State of antivirus software

That said, it’s important that CIOs and CISOs understand that while antivirus is an important component of defense in depth, it is NOT a panacea.  In 2017, it takes an amazing amount of hubris to place trust in a single solution (or even a solution stack from a single vendor).

As part of a SANS Webcast with Intezer, I repeated an experiment originally popularized by Eric Conrad. Eric did a test he called “mimidogz” where he tested AV detection for:

  1. Mimikatz as a pre-compiled binary download
  2. Mimikatz compiled from source with no changes
  3. Mimikatz with the string “mimikatz” stripped out and replaced with the word “mimidogz”

I decided that I didn’t want to use mimidogz as my replacement string. Eric’s experiment drew a lot of ire from AV companies and in a subsequent test, I think at least one vendor who will remain nameless began alerting on that name.  I instead changed option #3 to “meisjake” to fool this vendor.  It’s worth noting that the number of vendors detecting each file has increased since the original test (as we should expect).

In the first test, VirusTotal shows us that 47/66 AV engines detect the file.  Here’s a link to the VirusTotal report for the original binary.

In the second test, VirusTotal shows us that 22/66 AV engines detect the file.  Here’s a link to the VirusTotal report for the recompiled binary.

In the third test, VirusTotal shows us that 20/66 AV engines detect the file.  Here’s a link to the VirusTotal report for the binary compiled with “meisjake” replacing the word mimikatz.

AV vendors will protest that they are being unfairly targeted and that other detection methods would catch the binary at runtime. Okay, I can live with that. But this does show how fragile signature-based detection is, and that’s the point.

As an aside, Rendition has a custom version of mimikatz that involved changing more code than just the mimikatz string. It works against most major AV vendors without being caught (signature and at runtime).  No, we won’t be sharing hashes or code for that…


Closing thoughts

If AV isn’t the solution, what is? Network and host monitoring is the answer. I cannot overstate how important it is to monitor your network. Forward host based logs to a SIEM and put a network tap in place. Correlate host logs with network logs. Attackers are getting stealthier every day.  Antivirus may have been a sane option for defense some years ago. It is not today.  Unfortunately, too many organizations are stuck in the realm of yesterday thinking AV will save them.
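To make the two points above concrete (a renamed binary slips past string signatures, but host monitoring correlated with network data still sees what it does), here is an added example that is not part of the original post or Rendition’s tooling. It flags any process that opens a handle to lsass.exe with access masks typical of credential dumping, modelled on Sysmon Event ID 10 (ProcessAccess) fields, and then pairs each alert with outbound flows from the same host within a short window. The event records, flow records, host names, the allowlist and the chosen access-mask set are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed host events shaped like Sysmon Event ID 10 (ProcessAccess). Note the
# renamed binary: a string signature for "mimikatz" never fires on it.
HOST_EVENTS = [
    {"host": "ws01", "time": "2017-06-01T10:00:05", "event_id": 10,
     "SourceImage": r"C:\Users\bob\Downloads\meisjake.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "ws01", "time": "2017-06-01T10:01:00", "event_id": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"host": "ws02", "time": "2017-06-01T10:03:00", "event_id": 10,
     "SourceImage": r"C:\Program Files\Backup\agent.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1010"},
]

# Constructed flow records as a network tap or sensor might emit them.
NET_FLOWS = [
    {"host": "ws01", "time": "2017-06-01T10:00:40", "dst": "203.0.113.7", "dport": 443, "bytes_out": 2_400_000},
    {"host": "ws01", "time": "2017-06-01T09:30:00", "dst": "192.0.2.10", "dport": 445, "bytes_out": 1200},
]

# Assumed subset of GrantedAccess masks commonly associated with LSASS credential
# dumping, and an assumed allowlist of OS processes that legitimately touch LSASS.
SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a"}
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def lsass_access_alerts(events):
    """Return events where a non-allowlisted process opened LSASS with a suspicious mask.
    The rule never looks at the source process name, so renaming the tool does not help."""
    alerts = []
    for e in events:
        if e["event_id"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        if e["GrantedAccess"].lower() in SUSPICIOUS_ACCESS:
            alerts.append(e)
    return alerts


def correlate(alerts, flows, window=timedelta(minutes=5)):
    """Pair each host alert with flows from the same host in the `window` after it,
    so an analyst sees the LSASS access and any follow-on outbound traffic together."""
    out = []
    for a in alerts:
        t0 = datetime.fromisoformat(a["time"])
        related = [f for f in flows if f["host"] == a["host"]
                   and t0 <= datetime.fromisoformat(f["time"]) <= t0 + window]
        out.append({"host": a["host"], "process": a["SourceImage"], "flows": related})
    return out
```

Run over the constructed data, only the renamed binary on ws01 is flagged, and it is paired with the 2.4 MB outbound flow that followed it; the csrss.exe access and the winlogon.exe access on ws02 are ignored.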

Of course, if you need help monitoring your network or want a full adversary simulation to test your existing monitoring, please contact us and Rendition will be ready to help.