Traditional antivirus software is struggling to keep up with the threats posed by modern malware. Cybercriminals stay ahead of traditional AV software by using innovative tactics and continually creating new types of malware. This has been a problem for many years; back in 2014, the head of antivirus vendor Norton stated that “antivirus is dead”.
Fortunately, security vendors, like the cybercriminals they watch, are also highly innovative. To keep up with evolving malware, antivirus software is increasingly being replaced by Endpoint Detection and Response (EDR) solutions.
The malware problem
Malware takes many forms and gives cybercriminals the means to steal data and credentials, infect networks with ransomware, cause Distributed Denial of Service (DDoS) damage, and so on. The losses attributed to malware are extraordinary. Ransomware, for example, is believed to have cost US businesses around $9.3 billion in 2020, with an average of 16 days of downtime per infection.
One thing that is certain about malware is that the cybercriminal minds behind its development ensure that it evolves to evade detection. A recent example is the updates to the TrickBot malware. This strain targets individuals and businesses, either to steal credentials for online bank accounts or to obtain personal information for use in identity theft. TrickBot is also sometimes used as a ‘loader’ to distribute ransomware. Several organizations worked to remove TrickBot's entry points, with the result that its makers reinvented it. Researchers at Bitdefender found that TrickBot had been redesigned to use new evasion tactics, including exploiting vulnerabilities in MikroTik routers.
AV-TEST tracks the number of malware infections and variant strains over the years. In 2020, over 1 billion malware infections were recorded. The CrowdStrike 2021 Global Threat Report says that, in terms of malware, 2020 was “perhaps the most active year in memory.”
One reason for this increased activity has been the Covid-19 pandemic and the work-from-home phenomenon it caused. In Q3 of last year, ransomware attacks were up 40%, with ransom demands as high as $20 million entering the landscape for the first time. The complex security requirements of remote workers, the use of personal devices for corporate app access, and poor security hygiene have given fraudsters new routes to get malware onto devices. These include tricks such as ‘malvertising’, where ads served on a legitimate website are infected; a 2019 report found that 1 in 100 ads was infected with malware.
This mosaic of tricks to evade detection has led to traditional antivirus software failing to prevent malware infection.
Reasons why traditional antivirus fails
Traditional antivirus solutions (AV software) are up against an onslaught of malware that changes tactics and evolves mechanisms that make it hard to detect. The main issues are:
Malware that morphs
Polymorphic malware continually changes itself to avoid detection. Typically, the program alters attributes of the malicious file, such as its hash, from one copy to the next. Because many antivirus programs rely on exactly such attributes to match the signature of known malware, each altered copy slips past detection.
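To make the hash-signature weakness concrete, here is an added Python example (not from the original article, SentinelOne or any AV product) that models a trivially "morphing" file. A constructed stand-in byte string, not real malware, is copied with per-copy padding and with a one-byte XOR wrapper, and each copy is checked against a SHA-256 blocklist and against a simple byte-pattern rule. It goes slightly beyond the paragraph by also showing that a content pattern survives padding but not re-encoding, which is the gap behavioral endpoint telemetry is meant to close. All names and sample bytes are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a "known-bad" file. It is inert text, not malware;
# the marker string plays the role of the routine every copy must keep.
KNOWN_BAD = b"MZ\x90\x00" + b"SAMPLE-INVARIANT-ROUTINE" + b"\x00" * 16
INVARIANT_PATTERN = b"SAMPLE-INVARIANT-ROUTINE"

# A hash-based signature list: what a traditional AV blocklist amounts to.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def mutate_padding(sample: bytes, generation: int) -> bytes:
    """Append per-copy junk bytes: the file hash changes, the routine does not."""
    junk = bytes((generation * 37 + i) % 256 for i in range(8))
    return sample + b"\x00" + junk


def mutate_encode(sample: bytes, key: int) -> bytes:
    """Wrap the body in a one-byte XOR layer keyed per copy (key stored first),
    modelling an encoder that changes every byte while keeping the same payload."""
    return bytes([key]) + bytes(b ^ key for b in sample)


def hash_match(sample: bytes) -> bool:
    """Signature check: exact SHA-256 membership in the blocklist."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST


def pattern_match(sample: bytes) -> bool:
    """Content check in the spirit of a YARA string rule: is the routine present?"""
    return INVARIANT_PATTERN in sample


def evaluate() -> dict:
    """Run both detectors over the original and three mutated copies.

    Expected outcome: only the original hits the hash list; the padded copies
    still hit the pattern rule; the XOR-wrapped copy evades both static checks.
    """
    samples = {
        "original": KNOWN_BAD,
        "padded_1": mutate_padding(KNOWN_BAD, 1),
        "padded_2": mutate_padding(KNOWN_BAD, 2),
        "encoded_0x5a": mutate_encode(KNOWN_BAD, 0x5A),
    }
    return {
        name: {"hash": hash_match(s), "pattern": pattern_match(s)}
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:13s} hash={verdict['hash']!s:5s} pattern={verdict['pattern']}")
```

The takeaway for a defender is that every static content check has a mutation that defeats it, which is why the EDR approach described later in the article keys on what a process does on the endpoint rather than on what its file looks like.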
Encrypted communications
Malware communication and data exchanges can be encrypted to evade detection; traditional antivirus software cannot inspect the encrypted traffic. For example, malicious actors can create an encrypted tunnel between the user’s device and the command-and-control (C2) web server so that all communication between the infected device and the fraudster is hidden from inspection.
Fileless malware
Fileless malware operates in memory and does not write a file to the hard drive. According to the Ponemon Institute, fileless attacks are 10 times more likely to succeed than traditional malware. Traditional antivirus software depends on detecting known file signatures; when no file exists, as with fileless malware, there is no signature to detect. Fileless attacks often make use of Microsoft Windows PowerShell, a tool administrators use for task automation and configuration management. In the first three months of 2020, McAfee recorded a 689% increase in PowerShell malware.
Malware in a document
Malicious documents can be used to exploit vulnerabilities in device applications to execute malware. Attackers apply a variety of obfuscation techniques to cloak the malware hidden in the document, so traditional antivirus software can miss it.
Evolving malware and EDR
Cybercriminals may have evolved malware to evade detection, but the security industry has responded with an innovative solution for detecting and responding to new malware types and tactics. Endpoint Detection and Response (EDR) works on all endpoints across an extended network, including smart devices and laptops. EDR is an integrated endpoint security solution that collects data through real-time, continuous monitoring of each endpoint. This data is then fed to rules-based automated analysis and response capabilities to spot anomalies and potential threats. EDR's automation lets the solution detect and analyze suspicious activity on endpoints, so security teams can respond quickly to potential threats.
Typical EDR functions include:
- Monitoring and collecting event data from endpoints
- Analyzing this data to identify threats
- Automatically responding to identified threats, resulting in removal or containment
- Forensics and analysis tools, usually included in an EDR solution, that allow security teams to analyze threats and put mitigations in place
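As an added Python example of the monitor, analyze, respond and forensics functions just listed (not code from the article, SentinelOne or any EDR product), the following runs two hypothetical rules over constructed process-creation telemetry. The rules cover the fileless PowerShell and malicious-document cases described earlier: a document-handling application spawning a script host, and a hidden, encoded PowerShell launch. The event field names, rule names, severity levels and response actions are all assumptions for illustration, as is the sample telemetry.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Monitor/collect step: constructed process-creation events in the shape an
# EDR agent would forward. Hypothetical schema; a real product's will differ.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-07", "pid": 4120, "ppid": 3300, "image": "winword.exe",
     "parent_image": "explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": 2, "host": "ws-07", "pid": 4188, "ppid": 4120, "image": "powershell.exe",
     "parent_image": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUE="},
    {"ts": 3, "host": "ws-12", "pid": 2210, "ppid": 900, "image": "powershell.exe",
     "parent_image": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"ts": 4, "host": "ws-07", "pid": 4199, "ppid": 4188, "image": "rundll32.exe",
     "parent_image": "powershell.exe", "cmdline": "rundll32.exe"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand and -WindowStyle,
# so the rules match the common short forms as well as the full switch names.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def rule_office_spawns_script_host(ev):
    """Document-borne malware: a document application launching a script host."""
    if ev["parent_image"].lower() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS:
        return ("office_spawns_script_host", "high")
    return None


def rule_hidden_encoded_powershell(ev):
    """Fileless pattern: PowerShell started hidden with an encoded command."""
    if ev["image"].lower() in {"powershell.exe", "pwsh.exe"}:
        cmd = ev["cmdline"]
        if ENCODED_RE.search(cmd) and HIDDEN_RE.search(cmd):
            return ("hidden_encoded_powershell", "high")
    return None


RULES = [rule_office_spawns_script_host, rule_hidden_encoded_powershell]


def analyze(events):
    """Analyze step: run every rule over every event and collect detections."""
    detections = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                detections.append({"host": ev["host"], "pid": ev["pid"], "ts": ev["ts"],
                                   "rule": hit[0], "severity": hit[1]})
    return detections


def process_tree(events, host, root_pid):
    """Forensics step: the root process and all its descendants on one host,
    in time order, following ppid links until no new pid is reached."""
    host_events = [e for e in events if e["host"] == host]
    pids, changed = {root_pid}, True
    while changed:
        changed = False
        for e in host_events:
            if e["ppid"] in pids and e["pid"] not in pids:
                pids.add(e["pid"])
                changed = True
    return sorted((e for e in host_events if e["pid"] in pids), key=lambda e: e["ts"])


def respond(events, detections):
    """Respond step: for each host with a high-severity detection, record the
    containment actions (isolate host, kill offending pids) and attach the
    process tree rooted at the detected process's parent for the analyst."""
    index = {(e["host"], e["pid"]): e for e in events}
    actions = {}
    for d in sorted(detections, key=lambda d: d["ts"]):
        if d["severity"] != "high":
            continue
        act = actions.setdefault(d["host"], {"isolate_host": True, "kill_pids": set(),
                                             "rules": set(), "tree": None})
        act["kill_pids"].add(d["pid"])
        act["rules"].add(d["rule"])
        if act["tree"] is None:
            root = index[(d["host"], d["pid"])]["ppid"]
            act["tree"] = [e["pid"] for e in process_tree(events, d["host"], root)]
    return actions


def run_pipeline(events):
    """Collect -> analyze -> respond, returning both detections and actions."""
    detections = analyze(events)
    return detections, respond(events, detections)


if __name__ == "__main__":
    dets, acts = run_pipeline(SAMPLE_EVENTS)
    for d in dets:
        print("detection:", d)
    for host, act in acts.items():
        print("response for", host + ":", act)
```

Note what the benign event on ws-12 shows: a scheduled PowerShell script launched from the desktop shell trips neither rule, so the response is scoped to the one host where the document-to-script-host chain was observed, and the attached process tree (document application, script host, its child) is the record a security team would use to decide on further mitigation.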
EDR is proving popular, and its success is affirmed by Gartner, which expects that by 2023 over 50% of enterprises will be using advanced anti-virus capabilities that include endpoint detection and response (EDR) solutions.
Wendego I.T. Solutions has been offering EDR products since 2018. We have adopted a state-of-the-art EDR product based on SentinelOne’s Singularity platform. SentinelOne delivers autonomous endpoint protection through a single agent that prevents, detects and responds to attacks across all major vectors. Since implementing SentinelOne on our customers’ servers and endpoints, we have seen a tremendous improvement in detection and, most importantly, response to cybersecurity attacks. For additional information, please contact us at 858.346.1567 x101 or email us at [email protected]