Stuxnet, Duqu and Flame VS. AntiVirus


Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Fri Jun 01, 2012 12:51 pm

Stuxnet, Duqu and Flame VS. AntiVirus

Great article about malware and AV. Illustrates why we need a change in AV to detect ever-changing threats. It was kind of cool to see they owned up to it.


http://www.wired.com/threatlevel/2012/0 ... rity-fail/
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 01, 2012 1:04 pm

Re: Stuxnet, Duqu and Flame VS. AntiVirus


Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Fri Jun 01, 2012 1:52 pm

Re: Stuxnet, Duqu and Flame VS. AntiVirus

My boss would agree with you 100%. He says that they are all "snake-oil salesmen" and they created most of the problems to get money. The thing I am noticing is that they are not catching them but still saying they can protect against it. But isn't it a necessary evil at this point, even without the FUD/gov't FUD?
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 01, 2012 2:01 pm

Re: Stuxnet, Duqu and Flame VS. AntiVirus

They don't need to make their own malware and flood the market to sell the products. The approach is wrong. In order to understand this, you would need to go to http://maec.mitre.org and understand a lot of what's going on. In a nutshell, this is the issue:

Malware Signature
1 + 1 = 2

Attacker
one + 1 = 2

New Malware Signature
one + 1 = 2

Same attack + attacker
one plus one equals 2

New Malware Signature
one plus one equals 2

Same attack + attacker
b25lIHBsdXMgb25l

No matter how they want to attack the heuristics, it's a guessing game based on what they KNOW. They can never see/know/understand an attacker, so there is a lot of assumption based on known knowns. So attackers will ALWAYS have an upper hand. The key isn't to rely on malware/AV companies; the key is understanding your network, applications and patterns. E.g., any baseline traffic would yield anomalies in sites visited, bandwidth consumed and so forth. You start seeing things leave your network destined for, say, China at 3am... It's something you should be quick to look at. The same applies for ANY connection LEAVING your network when, say, there is no one on a particular machine. HIPS also help here, but running, say, Tripwire or Samhain in an enterprise can be a headache.
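The signature arms race sketched in the post above, replayed in code. This is an added example, not the poster's code and not real malware: the four payload variants are constructed to follow the post's sequence (the final one is the post's base64 string, which decodes to "one plus one"), and the token table in normalized_form is a hypothetical stand-in for "understanding what the sample does".

```python
import base64
import binascii

# Constructed payload variants following the sequence in the post above
# (not real malware, not the poster's code). The last one is the base64
# from the post; it decodes to b"one plus one".
VARIANTS = [
    b"1 + 1 = 2",
    b"one + 1 = 2",
    b"one plus one equals 2",
    base64.b64encode(b"one plus one"),  # b"b25lIHBsdXMgb25l"
]


def signature_scan(sample, signatures):
    """Naive byte-pattern AV: flagged only if a known signature is a substring."""
    return any(sig in sample for sig in signatures)


def simulate_arms_race(variants):
    """Replay the thread's sequence: the vendor learns a signature only after
    a variant has been seen. Returns (detection-at-release per variant, final DB)."""
    signatures = []
    results = []
    for v in variants:
        detected = signature_scan(v, signatures)
        results.append((v, detected))
        if not detected:
            signatures.append(v)  # the "New Malware Signature" step: always one step late
    return results, signatures


def normalized_form(sample):
    """Crude semantic normalisation: peel base64 layers, lower-case, map words to
    symbols. This is the 'understand what it does' side of the post, but it is
    still a guess about transformations we already KNOW (the token table below
    is an assumption for this example)."""
    data = sample
    for _ in range(3):  # peel at most three encoding layers
        try:
            decoded = base64.b64decode(data, validate=True)
        except binascii.Error:
            break
        if not decoded or not all(32 <= c < 127 for c in decoded):
            break
        data = decoded
    text = data.decode("ascii", errors="replace").lower()
    words_to_symbols = {"one": "1", "two": "2", "plus": "+", "equals": "="}
    return " ".join(words_to_symbols.get(t, t) for t in text.split())


def behavior_rule(sample):
    """Rule on meaning rather than bytes: does the sample compute 1 + 1?"""
    return "1 + 1" in normalized_form(sample)


if __name__ == "__main__":
    results, db = simulate_arms_race(VARIANTS)
    for v, detected in results:
        print(f"{v!r:32} signature-AV at release: {'HIT' if detected else 'MISS'}"
              f" | behaviour rule: {'HIT' if behavior_rule(v) else 'MISS'}")
    print("final signature DB size:", len(db))
```

Every variant is a miss at release and a hit only once it has been added to the database, which is the "known knowns" problem the post describes; the behaviour rule catches all four, but only because its normaliser already knows about base64 and word-to-symbol substitution. A fifth transformation the normaliser has not seen would put the attacker ahead again.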
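The egress baselining the post recommends (unexpected destination country, traffic at 3am, bytes out far above normal, a connection from a machine nobody is logged on to), as an added example that is not part of the original post. The flow records, the field names, the cc= country tag (standing in for the GeoIP lookup a real deployment would do) and the logon-hours table are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records for one workstation (not real traffic).
# Field names are an assumption; cc= stands in for a GeoIP lookup on dst.
BASELINE_FLOWS = """\
2012-05-28T09:15:02 host=ws-12 dst=93.184.216.34 dport=443 bytes=184320 cc=US
2012-05-28T10:02:11 host=ws-12 dst=93.184.216.34 dport=80 bytes=92160 cc=US
2012-05-28T14:40:55 host=ws-12 dst=198.51.100.9 dport=443 bytes=204800 cc=US
2012-05-29T09:20:31 host=ws-12 dst=203.0.113.17 dport=443 bytes=153600 cc=DE
2012-05-29T11:05:10 host=ws-12 dst=93.184.216.34 dport=443 bytes=174080 cc=US
2012-05-30T09:01:44 host=ws-12 dst=198.51.100.9 dport=443 bytes=163840 cc=US
2012-05-30T15:22:07 host=ws-12 dst=93.184.216.34 dport=443 bytes=194560 cc=US
2012-05-31T10:30:19 host=ws-12 dst=203.0.113.17 dport=443 bytes=143360 cc=DE
"""

# Constructed flows from the day being investigated; the second one is the
# "3am to China from an idle box" case in the post.
NEW_FLOWS = """\
2012-06-01T10:12:03 host=ws-12 dst=93.184.216.34 dport=443 bytes=180224 cc=US
2012-06-01T03:07:41 host=ws-12 dst=203.0.113.250 dport=443 bytes=52428800 cc=CN
2012-06-01T11:45:12 host=ws-12 dst=198.51.100.9 dport=443 bytes=158720 cc=US
"""

# Constructed logon state: hours [start, end) with an interactive user on the box.
# Real data would come from logon/logoff events.
SESSIONS = {"ws-12": (8, 18)}


def parse_flow(line):
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in fields:
        key, value = item.split("=", 1)
        rec[key] = int(value) if key in ("bytes", "dport") else value
    return rec


def build_baseline(lines):
    """Per-host profile from known-good flows: countries seen, hours seen, and a
    bytes-out threshold of mean + 3 standard deviations."""
    seen = defaultdict(lambda: {"bytes": [], "countries": set(), "hours": set()})
    for line in lines.splitlines():
        f = parse_flow(line)
        s = seen[f["host"]]
        s["bytes"].append(f["bytes"])
        s["countries"].add(f["cc"])
        s["hours"].add(f["ts"].hour)
    return {
        host: {
            "byte_threshold": mean(s["bytes"]) + 3 * pstdev(s["bytes"]),
            "countries": s["countries"],
            "hours": s["hours"],
        }
        for host, s in seen.items()
    }


def user_logged_on(host, ts, sessions):
    start, end = sessions.get(host, (None, None))
    return start is not None and start <= ts.hour < end


def score_flow(f, baseline, sessions):
    """Return the reasons a flow deviates from its host's baseline (empty = normal)."""
    b = baseline.get(f["host"])
    if b is None:
        return ["host has no baseline"]
    reasons = []
    if f["cc"] not in b["countries"]:
        reasons.append(f"new destination country {f['cc']}")
    if f["ts"].hour not in b["hours"]:
        reasons.append(f"hour {f['ts'].hour:02d}:00 never seen in baseline")
    if f["bytes"] > b["byte_threshold"]:
        reasons.append(f"{f['bytes']} bytes out exceeds threshold {b['byte_threshold']:.0f}")
    if not user_logged_on(f["host"], f["ts"], sessions):
        reasons.append("no interactive user logged on")
    return reasons


def find_anomalies(lines, baseline, sessions):
    anomalies = []
    for line in lines.splitlines():
        f = parse_flow(line)
        reasons = score_flow(f, baseline, sessions)
        if reasons:
            anomalies.append((f["ts"].isoformat(), f["host"], f["dst"], reasons))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for ts, host, dst, reasons in find_anomalies(NEW_FLOWS, base, SESSIONS):
        print(f"{ts} {host} -> {dst}: " + "; ".join(reasons))
```

Only the 03:07 flow is flagged, and it is flagged on all four axes at once; the two daytime flows to previously seen destinations fall inside the baseline. The point is that none of these checks needs a signature for whatever is doing the sending, only knowledge of what this host normally does. Eight baseline flows is far too few for a real threshold; a production baseline would cover weeks and treat weekends separately.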

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Jun 01, 2012 5:55 pm

Re: Stuxnet, Duqu and Flame VS. AntiVirus

Have either of you read: http://www.amazon.com/The-Myths-Securit ... 679&sr=8-1

It's an easy read that's written for the layman and is expectedly a bit biased in McAfee's favor. However, there were some parts that were extremely candid about both AV in general and McAfee's own offerings.
The day you stop learning is the day you start becoming obsolete.

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sat Jun 02, 2012 10:33 am

Re: Stuxnet, Duqu and Flame VS. AntiVirus

It's all about whitelisting, I say. The less educated folks in IT think it is an impossible feat to use app controls to whitelist your standard baseline system. I was in a conference call this week where someone stated it's "easier to blacklist". I was like what??? Sure, for the one-offs you actually know about, but what about the 100 other backdoor apps installed on your network that you DON'T know about??

If anything, enforce whitelists on your servers. I mean, if you don't know what is running on at least those, then you have lost this battle.

I believe the basic firewall rule set is an excellent example and POC: your rules that allow traffic in to specific services, with the DENY ALL rule at the end. Even outgoing, allow only these services out from these specific networks, block everything else. Good, your egress point to the network is covered. Now do the same for everything else! Sure, it may take a while to complete the list of allowed apps on your network, but in the long run it will pay off. Keep everything patched and your C-levels can sleep better at night.
Certs: GCWN
(@)Dewser
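The blacklist-versus-whitelist argument in the post above, as an added example (not the poster's code and not any product's policy engine). A blocklist denies only hashes it already knows; an allowlist built from a gold image denies anything that is not a known path with a known hash, the application-control equivalent of the DENY ALL rule that ends a firewall rule set. The gold image, the "known bad" hash and the execution attempts are all constructed placeholders.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed gold image for a server build: the only things allowed to execute.
# Paths and contents are placeholders, not real binaries.
GOLD_IMAGE = {
    r"C:\Windows\System32\svchost.exe": b"gold svchost bytes",
    r"C:\Windows\System32\cmd.exe": b"gold cmd bytes",
    r"C:\Program Files\LineOfBusiness\service.exe": b"gold service bytes",
}

# Constructed blocklist: the "one-offs you actually know about".
KNOWN_BAD = {sha256_hex(b"known malware sample")}

# Constructed execution attempts seen after the build.
ATTEMPTS = [
    (r"C:\Windows\System32\svchost.exe", b"gold svchost bytes"),                # legitimate
    (r"C:\Users\Public\update.exe", b"known malware sample"),                   # on the blocklist
    (r"C:\Users\Public\svchost32.exe", b"backdoor nobody has a signature for"),  # the unknown backdoor
    (r"C:\Windows\System32\cmd.exe", b"trojaned cmd bytes"),                    # trusted path, tampered binary
]


def build_allowlist(image):
    """path -> expected hash, taken from the known-good build."""
    return {path: sha256_hex(content) for path, content in image.items()}


def blocklist_decision(content, known_bad):
    """Blacklist model: deny only what is already known to be bad, allow everything else."""
    return "deny" if sha256_hex(content) in known_bad else "allow"


def allowlist_decision(path, content, allowlist):
    """Whitelist model: allow only a known path carrying the known hash; deny everything
    else, the same way DENY ALL closes a firewall rule set. Hashing (not just the path)
    is what catches a tampered binary sitting at a trusted location."""
    expected = allowlist.get(path)
    if expected is None or sha256_hex(content) != expected:
        return "deny"
    return "allow"


def evaluate(attempts, allowlist, known_bad):
    """Return {path: (blocklist verdict, allowlist verdict)} for each attempt."""
    return {
        path: (blocklist_decision(content, known_bad),
               allowlist_decision(path, content, allowlist))
        for path, content in attempts
    }


if __name__ == "__main__":
    verdicts = evaluate(ATTEMPTS, build_allowlist(GOLD_IMAGE), KNOWN_BAD)
    for path, (black, white) in verdicts.items():
        print(f"{path:48} blocklist={black:5} allowlist={white}")
```

The two models agree on the legitimate binary and on the sample that is already on the blocklist. They disagree on exactly the cases the post is about: the backdoor nobody has written a signature for, and the trusted path whose contents have changed, both sail through the blocklist and are stopped by the allowlist. The cost, also as the post says, is maintaining the allowlist, which on a server with a defined build is a tractable list.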
