Detection is dead! Talking about isolation and hacker deception

January 30, 2018 //By Julien Happich
"Detection is dead!" exclaimed Yul Bahat, co-founder of the new cybersecurity consulting firm Securitude Cyber Solutions, in one of the FIC master classes. "Antiviruses are no longer an adequate response," Bahat argued, observing that attacks are no longer frontal but diffuse and evasive, and that the core protection mechanism offered by antiviruses has consistently failed, tricked by unknown signatures, unknown behaviours, time delays and so on. The latest infamous examples are last year's WannaCry and Petya worms.

According to Bahat, comparative studies showing 100% antivirus efficacy are all lies: the tests are done in a lab environment with all the features turned "on". With every feature "on", the false-positive rate is too high, so no one uses them all, he argues.

"I have a problem with the entire idea of detection, looking at code and deciding whether it is good or not. It doesn't matter how good detection is, it is an impossible task. With the evasive techniques they use, hackers have become experts in hide-and-seek. We just lie to ourselves, pretending that if we can't see the attackers then they are not there."

Bahat again took the WannaCry worm as an example of environment-aware attacks, noting that most antiviruses had first cautiously isolated the worm in a sandbox, but because it featured a time delay and stayed put for some days, it had then been released again. As a response to hackers, Bahat proposes innovative defence scenarios based mostly on reinforced network isolation and hacker deception.

"We want to keep malicious stuff as contained and far away as possible; we need to assume that everything is bad. You must shut down all direct access to your assets," Bahat said, proposing what he calls "content disarmament & reconstruction" as one solution. "You take out everything that is important, take it apart and reconstruct it entirely with known safe code."
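One way to implement the "take it apart and reconstruct it" idea for a single file format, as an added example that is neither Bahat's nor the article's own code: an untrusted SVG is parsed, and a brand-new document is built from an allowlist of elements and attributes, so scripts, event handlers and links are never copied into the output. The allowlists and the sample SVG below are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Allowlists (constructed for this example): only what is listed here can ever
# appear in the rebuilt file. <script>, <a>, <foreignObject>, on* handlers and
# href attributes are not listed, so they are simply never reconstructed.
SAFE_ELEMENTS = {"g", "path", "rect", "circle", "ellipse", "line", "polyline",
                 "polygon", "text", "title", "desc"}
SAFE_ATTRS = {"width", "height", "viewBox", "x", "y", "cx", "cy", "r", "rx", "ry",
              "x1", "y1", "x2", "y2", "d", "points", "fill", "stroke",
              "stroke-width", "transform", "font-size", "id"}

def _local(tag):
    # ElementTree writes namespaced names as "{ns}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]

def _safe_attrs(elem):
    return {_local(k): v for k, v in elem.attrib.items() if _local(k) in SAFE_ATTRS}

def _rebuild(src, dst):
    # Walk the untrusted tree and create fresh nodes for allowlisted children.
    # A disallowed element drops its whole subtree: conservative by design.
    for child in src:
        name = _local(child.tag)
        if name not in SAFE_ELEMENTS:
            continue
        node = ET.SubElement(dst, name, _safe_attrs(child))
        if name in ("text", "title", "desc") and child.text:
            node.text = child.text  # plain text only; markup is never copied
        _rebuild(child, node)

def disarm_svg(data: bytes) -> bytes:
    """Parse an untrusted SVG and return a freshly constructed, allowlisted one."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    attrs = {"xmlns": SVG_NS}
    attrs.update(_safe_attrs(root))
    new_root = ET.Element("svg", attrs)
    _rebuild(root, new_root)
    return ET.tostring(new_root)

# Constructed sample: carries a script, event handlers and a javascript: link.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(1)</script>
  <rect x="1" y="1" width="50" height="50" fill="red" onclick="alert(2)"/>
  <text x="5" y="80">hello</text>
  <a xlink:href="javascript:alert(3)"><circle cx="70" cy="70" r="10"/></a>
</svg>"""

if __name__ == "__main__":
    print(disarm_svg(SAMPLE).decode())
```

The rebuilt output keeps only the rectangle and the text; the circle is lost with its disallowed `<a>` parent, which is the price of never passing untrusted structure through.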

For web browsing isolation, Bahat suggests that all the information be processed via a proxy that only sends an interactive HTML5 video stream in real time instead of the real pages. The users don't even notice the difference, but it keeps the endpoints isolated. Once the session is over, all the content, together with the virtual browser, is destroyed.

Deception is Bahat's all-time favourite. "First we confuse the attacker: we fake the environment with simulation, and it all starts with an endpoint. Since evasive malware uses environment awareness to detect what antiviruses are there, whether it has been sandboxed or not, and what analysis tools are there, why not put debuggers, sandboxes and virtual machines on all endpoints? Why not simulate a thousand guard dogs?"
