Stuxnet, Duqu and Flame VS. AntiVirus

Viewing 5 reply threads
  • Author
    Posts
    • #7613
      Darktaurus
      Participant

      Great article about malware and AV.  Illustrates why we need a change in AV to detect ever changing threats.  It was kind of cool to see they owned up to it. 

      http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    • #47540
      sil
      Participant
    • #47541
      Darktaurus
      Participant

      My boss would agree with you 100%.  He says that they are all “snake oil salesmen” and they created most of the problems to get money.  The thing I am noticing is that they are not catching them but still saying they can protect against it.  But isn’t it a necessary evil at this point even without the FUD/gov’t FUD?

    • #47542
      sil
      Participant

      They don’t need to make their own malware and flood the market to sell the products. The approach is wrong. In order to understand this, you would need to go to http://maec.mitre.org and understand a lot of what’s going on. In a nutshell this is the issue:

      Malware Signature
      1 + 1 = 2

      Attacker
      one + 1 = 2

      New Malware Signature
      one + 1 = 2

      Same attack + attacker
      one plus one equals 2

      New Malware Signature
      one plus one equals 2

      Same attack + attacker
      b25lIHBsdXMgb25l

      No matter how they want to attack the heuristics, it’s a guessing game based on what they KNOW. They can never see/know/understand an attacker, so there is a lot of assumption based on known knowns. So attackers will ALWAYS have an upper hand. The key isn’t to rely on malware/AV companies; the key is understanding your network, applications and patterns. E.g., any baseline traffic would yield anomalies in sites visited, bandwidth consumed and so forth. You start seeing things leave your network destined for, say, China at 3am… It’s something you should be quick to look at. Same applies for ANY connection LEAVING your network when, say, there is no one on a particular machine. HIPS also help here, but running, say, Tripwire or Samhain in an enterprise can be a headache.
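
The two halves of the post above, as an added example that is not part of the original thread: the first function shows an exact-match signature hitting only the first of the post's own four rewritings of "1 + 1 = 2", and the second half builds a per-host baseline from one day of constructed connection-log lines and then flags the deviations the post describes (traffic leaving at 3am, from a machine with nobody logged in, to a country that host has never talked to, or far above its usual volume). The log format, the hosts, the addresses and the 07:00-19:59 business-hours window are all assumptions made for the example.

```python
"""Constructed example: brittle exact-match signatures vs. baseline-based anomaly detection."""
import base64
from collections import defaultdict
from datetime import datetime

# --- Part 1: an exact-match signature misses trivially rewritten variants ---
SIGNATURE = "1 + 1 = 2"
SAMPLES = [
    "1 + 1 = 2",                                      # the original, matched by the signature
    "one + 1 = 2",                                    # same meaning, different bytes
    "one plus one equals 2",                          # rewritten again
    base64.b64encode(b"one plus one").decode(),       # "b25lIHBsdXMgb25l", the encoded form quoted in the post
]

def signature_hits(samples, signature=SIGNATURE):
    """Return only the samples containing the literal signature string."""
    return [s for s in samples if signature in s]

# --- Part 2: baseline the network, then look at what deviates from it ---
# Constructed log lines (assumed format): timestamp,src_host,dst_ip,dst_country,bytes_out,logged_in_user
LOG_LINES = """\
2012-06-04T09:12:00,ws-17,93.184.216.34,US,4200,alice
2012-06-04T10:40:00,ws-17,93.184.216.34,US,3900,alice
2012-06-04T11:05:00,ws-22,203.0.113.10,US,2100,bob
2012-06-04T14:30:00,ws-17,198.51.100.7,DE,5100,alice
2012-06-05T03:02:00,ws-17,203.0.113.99,CN,98000000,-
2012-06-05T03:15:00,ws-22,203.0.113.99,CN,2200,-
2012-06-05T09:30:00,ws-22,203.0.113.10,US,2300,bob
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59; an assumption for the example

def parse_log(text):
    """Parse the constructed CSV lines into dicts; '-' means nobody was logged in."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, country, nbytes, user = line.split(",")
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "country": country,
            "bytes": int(nbytes),
            "user": None if user == "-" else user,
        })
    return rows

def build_baseline(rows):
    """Per-host profile from a training window: destination countries seen and largest transfer."""
    baseline = defaultdict(lambda: {"countries": set(), "max_bytes": 0})
    for r in rows:
        prof = baseline[r["src"]]
        prof["countries"].add(r["country"])
        prof["max_bytes"] = max(prof["max_bytes"], r["bytes"])
    return dict(baseline)

def find_anomalies(rows, baseline, hours=BUSINESS_HOURS, volume_factor=10):
    """Return (row, [reasons]) for every connection that deviates from its host's baseline."""
    findings = []
    for r in rows:
        reasons = []
        prof = baseline.get(r["src"], {"countries": set(), "max_bytes": 0})
        if r["ts"].hour not in hours:
            reasons.append("outside business hours")
        if r["user"] is None:
            reasons.append("no user logged in on source host")
        if r["country"] not in prof["countries"]:
            reasons.append(f"destination country {r['country']} never seen for {r['src']}")
        if prof["max_bytes"] and r["bytes"] > volume_factor * prof["max_bytes"]:
            reasons.append(f"bytes out {r['bytes']} exceeds {volume_factor}x baseline max {prof['max_bytes']}")
        if reasons:
            findings.append((r, reasons))
    return findings

def run_example():
    """Train on the first day, evaluate the second day; returns the flagged rows."""
    rows = parse_log(LOG_LINES)
    training = [r for r in rows if r["ts"].date().isoformat() == "2012-06-04"]
    evaluation = [r for r in rows if r["ts"].date().isoformat() == "2012-06-05"]
    return find_anomalies(evaluation, build_baseline(training))

if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLES))
    for row, reasons in run_example():
        print(row["ts"], row["src"], "->", row["dst"], "|", "; ".join(reasons))
```

On the constructed data the signature catches exactly one of the four samples, while the baseline flags both 3am connections (the ws-17 one on four counts, including a transfer far above anything seen the day before) and leaves bob's ordinary morning traffic alone. In practice the training window would be days or weeks of traffic rather than a single day, and the thresholds would be tuned per host group.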

    • #47543
      dynamik
      Participant

      Have either of you read: http://www.amazon.com/The-Myths-Security-Computer-Industry/dp/0596523025/ref=sr_1_1?ie=UTF8&qid=1338590679&sr=8-1

      It’s an easy read that’s written for the layman and is expectedly a bit biased in McAfee’s favor. However, there were some parts that were extremely candid about both AV in general and McAfee’s own offerings.

    • #47544
      Triban
      Participant

      It’s all about whitelisting, I say.  The less educated folks in IT think it is an impossible feat to use app controls to whitelist your standard baseline system.  I was in a conference call this week where someone stated it’s “easier to blacklist”.  I was like what???  Sure, for the one-offs you actually know about, but what about the 100 other backdoor apps installed on your network that you DON’T know about??

      If anything enforce whitelists on your servers, I mean if you don’t know what is running on at least those then you have lost this battle. 

      I believe the basic firewall rule set is an excellent example and POC – your rules that allow traffic in to specific services, with the DENY ALL rule at the end.  Even outgoing: allow only these services out from these specific networks, block everything else.  Good, your egress point to the network is covered.  Now do the same for everything else!  Sure, it may take a while to complete the list of allowed apps on your network, but in the long run it will pay off. Keep everything patched and your C-levels can sleep better at night.
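
The default-deny pattern the post describes, as an added example that is not part of the original thread: an ordered rule list that allows inbound traffic only to specific services, allows outbound traffic only for specific services from specific networks, and ends in DENY ALL, followed by the same first-match, fail-closed idea applied to process execution with a hash allowlist. The networks, ports, file paths and the byte strings hashed into the allowlist are all constructed for the example; nothing here is a real vendor ruleset.

```python
"""Constructed example: first-match rule evaluation with an explicit DENY ALL, for network flows and for executables."""
import hashlib
import ipaddress

class Rule:
    def __init__(self, action, direction, src_net, dst_net, dport, comment=""):
        self.action = action                       # "allow" or "deny"
        self.direction = direction                 # "in", "out" or "any"
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.dport = dport                         # integer port, or None for any port
        self.comment = comment

    def matches(self, direction, src, dst, dport):
        return (self.direction in ("any", direction)
                and ipaddress.ip_address(src) in self.src_net
                and ipaddress.ip_address(dst) in self.dst_net
                and (self.dport is None or self.dport == dport))

# Hypothetical networks: 192.0.2.10 is the public web server, 10.0.1.0/24 workstations, 10.0.2.0/24 servers
RULES = [
    Rule("allow", "in",  "0.0.0.0/0",   "192.0.2.10/32",  443,  "public HTTPS to the web server"),
    Rule("allow", "in",  "0.0.0.0/0",   "192.0.2.10/32",  80,   "public HTTP to the web server"),
    Rule("allow", "out", "10.0.1.0/24", "0.0.0.0/0",      443,  "workstations may browse HTTPS"),
    Rule("allow", "out", "10.0.1.0/24", "0.0.0.0/0",      80,   "workstations may browse HTTP"),
    Rule("allow", "out", "10.0.2.0/24", "203.0.113.5/32", 25,   "server VLAN may reach the mail relay only"),
    Rule("deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",      None, "DENY ALL: anything not listed above"),
]

def evaluate(rules, direction, src, dst, dport):
    """First matching rule wins; returns (action, comment). Fails closed if no rule matches."""
    for rule in rules:
        if rule.matches(direction, src, dst, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"   # unreachable while the list ends in DENY ALL

# The same idea for applications: a binary runs only if its hash is on the list.
# The "binaries" below are constructed byte strings, hashed so no real file hashes are needed.
SAMPLE_BINARIES = {
    "C:\\Windows\\System32\\notepad.exe":   b"constructed-notepad-bytes",
    "C:\\Program Files\\Vendor\\agent.exe": b"constructed-agent-bytes",
}
ALLOWED_HASHES = {hashlib.sha256(b).hexdigest() for b in SAMPLE_BINARIES.values()}

def exec_allowed(file_bytes, allowed=ALLOWED_HASHES):
    """Default deny for execution: unknown content is blocked regardless of its path or name."""
    return hashlib.sha256(file_bytes).hexdigest() in allowed

if __name__ == "__main__":
    flows = [
        ("in",  "198.51.100.20", "192.0.2.10",    443),
        ("in",  "198.51.100.20", "192.0.2.10",    22),
        ("out", "10.0.1.15",     "93.184.216.34", 443),
        ("out", "10.0.1.15",     "93.184.216.34", 6667),
        ("out", "10.0.2.8",      "203.0.113.5",   25),
        ("out", "10.0.2.8",      "198.51.100.9",  25),
    ]
    for f in flows:
        print(f, "->", evaluate(RULES, *f))
    print("known binary:", exec_allowed(b"constructed-notepad-bytes"))
    print("unknown binary:", exec_allowed(b"something-dropped-into-temp"))
```

The point of the ordering is that nothing needs a rule to be blocked: the 100 unknown backdoor apps from the post are denied by the last line without anyone having to enumerate them, and the only maintenance is the allowlist of things that are supposed to run or talk out.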
