Endpoint Security - Malware Categories
I am often asked which type of antivirus product is the best, typically by people who, for one reason or another, are unhappy with their existing solution and are looking for something better. Unfortunately, all antivirus is, for the most part, equally ineffective.
Since I am pretty passionate about endpoint security and have spent a lot of time doing incident response over the years, I’m going to post some of my thoughts regarding endpoint security strategies. However, before doing so it makes sense to spend a bit of time discussing my thoughts on the types of malware in existence, as it serves as the basis for how I approach endpoint security.
I should also add that I think endpoint security is difficult to get “right”, which is why so many people focus primarily on network security, but endpoint security can bring significant success in securing an organization. In order to be successful, though, one will have to move beyond antivirus.
So, here we go: For the most part, I place malware into three categories, each handled a bit differently: Commodity, semi-commodity, and APT (advanced, persistent threat). I’ll briefly address each one below.
Malware in this category is well-known and has good coverage by competent antivirus products. I let antivirus products largely take care of this category but I’ll address which vendors I prefer in a subsequent post.
Malware in this category share similar traits to commodity malware, but may have been modified or based on some zero-day exploit/vulnerability. Antivirus product coverage for this type of malware is usually pretty spotty, with very few vendors detecting it.
I have no empirical data to support this view, but I suspect that the majority of malware falls into this category, which is why most people feel that their chosen antivirus vendor has let them down. A look at the submission statistics at VirusTotal bears this out, I think, and if you’ve ever submitted a piece of malware to them, you see how very often it is only a handful, at best, of antivirus products that detect a specific piece of malware.
Advanced, Persistent Threats (APT)
This malware category is the scariest of all, though is probably the least likely to be experienced. Malware in this category tends to be customized and unique, often used in state-sponsored attacks or by organized crime. This type of malware is sophisticated and traditional antivirus is almost completely ineffective at detecting it. The RSA breach is a good example of an APT attack.
In future posts I’ll dive into more detail on some strategies to detect malware in these categories, beginning with some thoughts on antivirus vendors and their effectiveness against commodity malware.