Why antivirus software is becoming the rootkit you pay for

Cybersecurity products have been proven time and again to be a highly effective means of compromising a network. By their very nature they make excellent remote access tools (RATs), usually running with the highest privileges on the host. Antivirus products in particular make a fantastic double agent because they:

  • Run on every machine in your environment
  • Usually have root-level access
  • Are updated daily, if not more frequently
  • Can run scans and search for information without notifying the user
  • And, in most cases, can retrieve files for further inspection and analysis

Each of these attributes is a product feature. When everything is functioning as it should, they make antivirus programs more robust and the protection they provide more timely. However, as the recent spate of intrusions shows, nation-states in particular view this functionality as the perfect way to compromise hosts and steal information.

In September, news spread that a group linked to China had compromised the CCleaner utility in an advanced persistent threat (APT)-style supply-chain attack. The group was using the tool's own distribution channel as a delivery mechanism and was hunting for very specific networks on which to lay down a second-stage implant and go interactive.

Then, in a single week in October, separate media reports claimed that nation-state attackers had exploited antivirus software from two vendors. Kaspersky was allegedly hacked by the Russian intelligence services, which were looking for information on U.S. intelligence programs, according to an Oct. 10 New York Times article. Israeli intelligence officers made this discovery after they had themselves hacked into Kaspersky's network. If the allegation is true, this would be the third known time Kaspersky was hacked by a nation-state. The other incident was publicly disclosed by Kaspersky in June 2015, when the company said it had discovered the Duqu 2.0 intrusion in its own networks; Kaspersky's earlier research had exposed the Equation Group, which it linked to the U.S.

Then, on Oct. 11, a Wall Street Journal article claimed that North Korea had compromised the South Korean software company Hauri and used its distribution channel to the South Korean military to gain access to classified networks. It appears that the only major nation-state cyber actor that has not been tied to this type of operation is Iran, and that may simply be because it has not yet tried to leverage the access.

These intrusions have already led to further calls to balkanize the cybersecurity industry. The rip-and-replace of Kaspersky across the U.S. is just the latest instance of politics warping the marketplace. Regionalizing these products incentivizes exactly this kind of behavior, and the more the market gives in to national security demands, the more vulnerable everyone is left.

Currently, every country or region has an AV champion. Russia has Kaspersky. The U.S. has Symantec, with McAfee a close second, while Eastern Europe predominantly uses ESET. China has Qihoo 360, and Japan has Trend Micro. Each country or region backs a champion out of fear of the others. While this may limit an adversary's ability to coerce a company into compliance, it sets up a single dominant target. Want access to the majority of computers in China? Compromise Qihoo. Need access to the U.S. private sector? Go after Symantec. Want access to government computers? Then your target is McAfee. The localized dominance of these companies not only makes them more enticing targets, it also ensures an inferior and less robust offering.

Software, regardless of its intended function, becomes more robust and better tested the more widely it is used. The more people using and scrutinizing the code and its functionality, the more likely holes are to be found and patched. By limiting market share on political grounds, governments are actually ensuring that the products they rely on are less secure than they would otherwise be.

So how, as companies and citizens, do we mitigate this risk? If governments are gaming the system to create better targets and then unleashing their cyber capabilities against them, what chance do we have? Given the compliance standards, at least in the U.S., ripping antivirus out of my network isn't even possible, nor, for that matter, recommended. So what do we do? The first step is understanding the risk you face. A compromised AV product can deliver a second-stage implant without anyone or anything noticing, but what it cannot do is provide covert lateral movement: once the implant starts reaching other hosts, it generates authentication, network and process activity that is independent of the AV product and visible to controls outside it. This is where defense in depth and an understanding of the attack lifecycle let you catch the bad behavior before it has a chance to traverse the network.

Additionally, although it adds overhead, it is possible, especially with AV, to run multiple providers in your network, split along segmentation boundaries. This buys resiliency: should one provider be the victim of an intrusion, only part of your network is compromised, provided the segments are genuinely isolated from one another; a second provider buys nothing if a foothold in one segment can reach the other freely.

Finally, there is a level of risk acceptance. This style of attack isn't likely to go away, and users of AV are going to continue to be victimized. Knowing this, implementing layered defenses and deception techniques to slow down and catch the intrusion as it spreads beyond the AV software is where this particular battle will be won or lost. Accepting that the initial intrusion vector will exist, and planning around how to limit its damage, is the only effective way to mitigate this growing breed of threats.
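The two points above, that a silently delivered implant still has to move laterally and that deception can catch it when it does, are easier to see in code. The following is an editor's example, not code from the article or from Cybereason. It learns a baseline of which hosts each source normally authenticates to (including the AV management server's routine sweep of every endpoint, which is exactly the "feature" the article describes), then flags any source that fans out to several previously unseen destinations inside a short window, and flags any touch of a decoy host that nothing legitimate should ever reach. The event fields, host names, accounts, timestamps and thresholds are all constructed for illustration.

```python
"""
Catching lateral movement that a silently delivered implant cannot hide.

Editor's example, not code from the article or from Cybereason. The event
fields, host names, accounts and thresholds are constructed for illustration.
Rows mimic Windows logon audit records: timestamp, account, source host,
destination host, logon type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that mean one host authenticated to another:
# 3 = network (SMB, RPC, WMI), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {3, 10}

# Deception: decoy hosts that no user, job or product should ever touch.
# A single authentication to one is an alert on its own.
DECOY_HOSTS = {"FS-ARCHIVE-07"}

# A source reaching this many previously unseen destinations inside WINDOW
# is flagged as fan-out, whatever account it used.
NEW_DEST_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed baseline period: what "normal" looks like, including the AV
# management server's routine sweep of the endpoints it manages.
BASELINE_EVENTS = [
    ("2017-10-11T08:00:00", "CORP\\alice", "WS-0142", "FS-01", 3),
    ("2017-10-11T08:02:00", "CORP\\alice", "WS-0142", "MAIL-01", 3),
    ("2017-10-11T09:00:00", "CORP\\avsvc", "AV-MGMT-01", "WS-0142", 3),
    ("2017-10-11T09:00:05", "CORP\\avsvc", "AV-MGMT-01", "WS-0143", 3),
    ("2017-10-11T09:00:10", "CORP\\avsvc", "AV-MGMT-01", "WS-0144", 3),
    ("2017-10-11T09:00:15", "CORP\\avsvc", "AV-MGMT-01", "FS-01", 3),
]

# Constructed detection period. The AV server repeats its baselined sweep;
# later a workstation that received a malicious update starts reaching hosts
# it has never talked to, and finally both it and the AV server touch the decoy.
DAY_EVENTS = [
    ("2017-10-12T07:55:00", "CORP\\alice", "WS-0142", "WS-0142", 2),   # local logon, ignored
    ("2017-10-12T08:01:00", "CORP\\alice", "WS-0142", "FS-01", 3),     # routine
    ("2017-10-12T09:00:00", "CORP\\avsvc", "AV-MGMT-01", "WS-0142", 3),
    ("2017-10-12T09:00:05", "CORP\\avsvc", "AV-MGMT-01", "WS-0143", 3),
    ("2017-10-12T09:00:10", "CORP\\avsvc", "AV-MGMT-01", "WS-0144", 3),
    ("2017-10-12T09:00:15", "CORP\\avsvc", "AV-MGMT-01", "FS-01", 3),
    ("2017-10-12T11:20:00", "CORP\\alice", "WS-0142", "WS-0143", 3),   # new destinations...
    ("2017-10-12T11:21:30", "CORP\\alice", "WS-0142", "WS-0144", 3),
    ("2017-10-12T11:24:10", "CORP\\alice", "WS-0142", "DC-01", 3),     # ...third inside 10 min
    ("2017-10-12T11:30:00", "CORP\\alice", "WS-0142", "FS-ARCHIVE-07", 3),
    ("2017-10-12T13:05:00", "CORP\\avsvc", "AV-MGMT-01", "FS-ARCHIVE-07", 3),
]


def parse(rows):
    """Turn raw rows into (datetime, account, src, dst, logon_type) tuples."""
    return [(datetime.fromisoformat(ts), acct, src, dst, lt)
            for ts, acct, src, dst, lt in rows]


def build_baseline(events):
    """Map each source host to the destinations it normally authenticates to."""
    seen = defaultdict(set)
    for _, _, src, dst, lt in events:
        if lt in LATERAL_LOGON_TYPES and src != dst:
            seen[src].add(dst)
    return seen


def detect(events, baseline, decoys=DECOY_HOSTS,
           threshold=NEW_DEST_THRESHOLD, window=WINDOW):
    """Return alerts for decoy touches and for bursts of unseen destinations."""
    alerts = []
    recent = defaultdict(list)          # src -> [(time, dst)] of unseen destinations
    for ts, acct, src, dst, lt in sorted(events):
        if lt not in LATERAL_LOGON_TYPES or src == dst:
            continue
        if dst in decoys:               # deception fires even for trusted sources
            alerts.append({"type": "decoy_access", "time": ts, "src": src,
                           "account": acct, "targets": [dst]})
        if dst in baseline.get(src, set()):
            continue                    # baselined behaviour, e.g. the AV sweep
        # Keep only unseen destinations reached within the sliding window.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
        recent[src].append((ts, dst))
        new_dsts = sorted({d for _, d in recent[src]})
        if len(new_dsts) >= threshold:
            alerts.append({"type": "lateral_fanout", "time": ts, "src": src,
                           "account": acct, "targets": new_dsts})
            recent[src] = []            # one alert per burst
    return alerts


def run_example():
    """Run the detector over the constructed day against the constructed baseline."""
    return detect(parse(DAY_EVENTS), build_baseline(parse(BASELINE_EVENTS)))


if __name__ == "__main__":
    for a in run_example():
        print(a["time"].isoformat(), a["type"], a["src"], a["account"], a["targets"])
```

The baseline is the important part: the AV management server's sweep across every endpoint is precisely the behaviour the article describes as a feature, and without learning it first the fan-out rule would drown in alerts. The decoy check runs before the baseline check, so even a trusted source such as the AV server is caught the moment it touches something nothing legitimate should. On the constructed data this yields one fan-out alert for the workstation and two decoy alerts, and none for the AV server's routine sweep.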

Ross Rustici
About the Author

Ross Rustici is Cybereason's Senior Director of Intelligence Services.