Officials and security researchers have named antivirus (AV) vendors as the new weak link in enterprise and government networks. They claim that sensitive files of the U.S. National Security Agency, the Republic of Korea Armed Forces and U.S. companies were targeted and exfiltrated thanks to the software that should be protecting the endpoint.
Antivirus solutions have been around since the mid-1980s. We gave them file system permissions to scan every file. Then we allowed them access to OS processes to scan active code. Then we allowed vendors to take our data to the cloud for “enhanced” security.
Now, as with many other services, our trust is used against us. The same AV tools that were supposed to help us fight malware are used as a backdoor to steal sensitive information and stage cyber attacks. This feels like a long con perpetrated by the antivirus industry.
Which vendors can you trust?
The irony is that for years we’ve been paying vendors to protect our endpoints. All the while, they serve as the perfect indexer for our sensitive data. By giving antivirus vendors privileged access to our systems, we have given them full access to our data.
In the light of recent events, which vendors can you trust? What technology should you deploy and how should you configure it? Managing your risk with common sense is the only prudent and secure IT solution, and understanding that risk is key.
The U.S. National Security Agency reportedly had an incident where an employee of the Tailored Access Operations (TAO) group brought classified work materials home, and running on that person’s home computer was the Kaspersky antivirus solution. It is alleged that Kaspersky’s scanning process was able to identify the sensitive NSA data through name, file characteristics, metadata, or content.
Then, through some undisclosed channel, that information was accessed by Russian agents. The result was that the TAO personnel's home machine was exploited by Russian intelligence.
There is debate as to whether Kaspersky is complicit in providing data or backdoors to the Russian government or is itself unwittingly compromised. The company has even gone so far as to open up its source code for review as part of its Global Transparency Initiative.
Does that really matter? Whether complicit or not, the permissions granted to the Kaspersky software led to the exploit. Regardless of which vendor you choose, this level of privilege should be a major consideration when choosing your vendors.
Permissions granted, trust broken
Security software is typically the most privileged software in your network environment. If you work in a sensitive industry or in government, the DNA of the company may be an important factor and an indicator of its motives.
It's prudent to consider factors such as: what any outbound data includes, how that data is pushed out, and whether the sharing of metadata is optional or mandated.
The classified networks of the Republic of Korea Armed Forces were compromised due to Hauri, their antivirus vendor, as well as human error. North Korean hackers piggybacked malware onto legitimate Hauri software deployed in the ROK Armed Forces.
A "connector jack" linking the classified network to the open web was left in place long after a scheduled maintenance event, providing North Korea with the opportunity to exfiltrate data via the compromised patch. This resulted in battlespace preparation and military plans being compromised, including a plan to eliminate top North Korean leadership. 80% of the information exfiltrated from the ROK Armed Forces is yet to be identified.
This is another real-life, high-stakes reiteration of the need to understand your environment from a holistic perspective. You need to understand, vet, and continually evaluate software with deep system access, as well as the potential for human error that provides an avenue for exploitation.
Software requires deep system access? Extreme caution advised.
Case in point: recent findings by security firm Direct Defense regarding Carbon Black's Protect product. Protect allows for files to be uploaded to VirusTotal for the service to catalog and curate malware examples.
On its surface, this is a great feature, where the wisdom of the crowd can help provide better security for all. What wasn’t well understood, however, was the potential for putting customers at risk - by their own hands, as the company was quick to point out (once it was too late).
If a proprietary or attributed file were added to VirusTotal’s corpus, sensitive company information could leak. Other VirusTotal users could extract all submitted files, gaining concentrated access to potentially valuable or compromising information.
Software with deep system access needs to be fully understood, especially when it can be configured to push sensitive data, whether metadata or complete files, elsewhere. Humans will always be in the loop, creating the environment for a simple software configuration to betray you.
So you must look at your software vendors and the configuration of their products with the mindset that some human, somewhere, is going to screw something up. With this perspective, you might choose a different default configuration for your privileged components.
As President Reagan said, trust but verify. Use network monitoring tools to inspect your outbound traffic with a vendor’s product installed. Understand what it’s sending in its “phone home” connections. You can use your firewall or specific, detailed analysis tools like Wireshark or Little Snitch.
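One way to put "trust but verify" into practice, as an added example that is not part of the original article: a Python audit of per-process outbound connection records (the kind a host firewall such as Little Snitch or a Wireshark capture gives you) that flags destinations the vendor does not document and destinations receiving unusually large volumes, including slow drips spread across many connections. The process name "avagent", the hostnames, the IP address and the threshold are constructed placeholders, not real vendor endpoints.

```python
from collections import defaultdict

# Constructed sample records: (process, destination host, port, bytes sent).
# Hostnames, the IP address and the process name "avagent" are placeholders.
SAMPLE_FLOWS = [
    ("avagent", "updates.example-av.test", 443, 12_000),
    ("avagent", "telemetry.example-av.test", 443, 600_000),
    ("avagent", "telemetry.example-av.test", 443, 650_000),
    ("avagent", "uploads.third-party-scanner.test", 443, 35_000_000),
    ("avagent", "203.0.113.7", 8443, 2_500_000),
    ("chrome", "www.example.org", 443, 90_000),
]

# Endpoints the vendor documents for updates and telemetry (placeholder values).
DOCUMENTED_ENDPOINTS = {"updates.example-av.test", "telemetry.example-av.test"}

UPLOAD_THRESHOLD = 1_000_000  # bytes per destination; tune to your own baseline


def summarize_agent_traffic(flows, agent):
    """Aggregate bytes sent and connection count per (host, port) for `agent`."""
    totals = defaultdict(lambda: {"bytes": 0, "connections": 0})
    for proc, host, port, sent in flows:
        if proc == agent:
            totals[(host, port)]["bytes"] += sent
            totals[(host, port)]["connections"] += 1
    return dict(totals)


def audit_agent_traffic(flows, agent, documented, threshold=UPLOAD_THRESHOLD):
    """Return {(host, port): [reasons]} for destinations that deserve review.

    A destination is reported when the vendor does not document it, or when the
    aggregate volume sent to it exceeds `threshold` (catching many small beacons
    that a per-connection check would miss).
    """
    findings = {}
    for (host, port), stats in summarize_agent_traffic(flows, agent).items():
        reasons = []
        if host not in documented:
            reasons.append("undocumented destination")
        if stats["bytes"] > threshold:
            reasons.append(
                f"{stats['bytes']:,d} bytes out over {stats['connections']} connection(s)"
            )
        if reasons:
            findings[(host, port)] = reasons
    return findings


if __name__ == "__main__":
    for (host, port), reasons in audit_agent_traffic(
        SAMPLE_FLOWS, "avagent", DOCUMENTED_ENDPOINTS
    ).items():
        print(f"{host}:{port}: " + "; ".join(reasons))
```

Run against real exports, the documented-endpoint set should come from the vendor's own connectivity documentation, and anything outside it is a question for the vendor before it is an allow rule.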
Another approach would be to minimize your attack surface area by keeping malicious content off your network, thus reducing the need for privileged security tools on your network. Isolating the browser in the cloud is one strategy.
Browser isolation: reduce or eliminate the burden on AV tools
This not only improves the composition of your network, but it also reduces your reliance on vendors that require deep system access.
If you follow this approach, you may find that the balance shifts back in your favor: away from cybersecurity vendors forcing you to abide by their requirements, and toward you and your ability to provide access to the web without jeopardizing your data or your organization.