Monday, February 6, 2017

InfoSec Fundamentals, Spoiler: AV is not dead

I've been thinking about this a lot, and I asked about it and got an answer I didn't expect on twitter, here:
This tweet which took mere to this article.

So here is a blog post about it.

First, I think a lot of what InfoSec teams do as "fundamentals" is a lot of time with little value in security the organization. And this is obvious to many people outside of InfoSec and make them not believe the threats, which are real and we know it, but still they don't believe them because they see us spin our wheels. Here is an example:


Dear god we spend a lot of time patching and telling people to patch. A lot of it. And lord knows our scanners mark all kinds of stuff as Critical and High. But you know what, most successful attacks don't take advantage of missing patches. Most take advantage of configuration issues (system and application) and human error. There is a very small number of issues that are actively exploited. Ask a pentester. They know them, they will say things like MS08-067 (yes you still find it all the time, often on physical security boxes, I love that), jboss auth bypass, MySQL auth bypass, maybe they will say Heart Bleed, maybe a few others. Done. Yet you patch 1000's of things. And spend a ton of time doing it. Then after everything is all patched up an attacker or pentester gets in on a jboss server with no authentication, or finds default creds, or phishes one user and snags your local admin and that hash works EVERYWHERE, or you reuse your domain admin password on IPMI and it was easily crackable, or you have unencrypted and reused passwords in a DB exposed in a nice SQLi attack, etc. But by all means, our scanner said this local priv escalation issue on a server is critical, lets patch it.

Prioritize patching issues people can use, and focus on configuration and application issues and be brave enough to re-classify issues even if a scanner said it was critical.

Back to the point:

Anyway, that article did talk about that, which is what I was expecting. Instead it did the AV is dead thing. Which annoys me so I'm writing a blog post.

Here is the deal, AV isn't dead. But many big AV names sell garbage. And InfoSec people don't test it and buy it anyway. InfoSec people don't test most thing. I can tell this because I've testing security software that simply is fake, and they still are selling it. Seriously, our industry has serious issues right now and all things any vendor claims needs to be tested in detail. Tons of them simply fake their product. Some big names rely on market share and have been phoning it in for years now. This brings me back to AV.

Yes, bypass techniques work. But they work far better and easier on some AV products than others. Again as a pentester. Some AV companies (with really big market shares) make pentesters very happy. Some smaller ones drive them nuts. Other smaller ones are 100% fake, so don't just pick a small one. You have to literally test them, for real. Collect viruses. Learn AV bypassing, use the Veil Framework for one but learn others too and role as many evil payloads as you can and bypass your current AV as much as you can in as many different ways as you can. Then test other products. If you do you will quickly come to one or two that kicks your ass and you will know the one you are using is garbage (assuming you are using a bad one like most companies are). If you then are brave enough to switch to one your own testing proves is better than what you have, you will start seeing a ton of generic backdoor alerts popping that you never saw before, as the legit AV program is popping targeted phishing emails that made it past everything else. When this starts happening you will wonder why anyone is saying AV is dead and wondering why they aren't testing the crap out of AV vendors and realizing some are far, far better than others catching real attacks and not going after signature counts.

Does that make your endpoints hack proof? Hell no. It makes them a lot more secure than they were, for a small amount of money and little effort. You need to do more of course. But all things alone have issues. App white listing is great until you get owned by powershell. Frankly, detection has become as important as prevention if not more so in my opinion. So all the effort you put in preventing attacks from working, if you aren't putting that much effort in detecting attacks that get through, you are in trouble imho. Centralized logging for example has become as important as AV or app whitelisting. Network Forensics is as important as firewalls. Etc.

Priorities issues with patches and just because your scanner said it is critical doesn't mean it is
Test everything, many products are poor or ourright fake
Detection is as important as prevention

But that is enough for now, it was just one tweet after all.