When I go to the RSA conference, I always “sniff” the air for trends, emerging developments and even just new research data points. Here is one such discovery from RSA 2013.
Despite all the anti-malware test methodology debates and controversy among warring security vendors, I sensed what I now call "the quiet AV assumption." Essentially, people who deal with advanced incident response today quietly assume that the malware will not be detected by whatever anti-virus tools installed. The question of "does AV detect it?" never even comes up anymore. In their world, anti-virus effectiveness is basically 0% and this is not a subject of any debate. This is simply a fact of their daily life.
In fact, not only “top shelf” incident responders, but also network forensics implementers, skilled SIEM analysts and even good security architects now operate under an assumption that the malware will get in and will stay awhile and that traditional anti-malware tools will not affect its propagation and survival. Note that this quiet assumption has nothing to do with the questions like “is AV useful?”, “does AV work?” or “what is the AV effectiveness across the entire pool of systems where it is installed?”
The mere concept of IOCs (such as registry keys, file names and checksums, connections, processes) implies that these need to be analyzed before the artifact is decided to be “bad.” The need to do malware reversing also implies that no AV vendor has a nice write-up on it and tossing a sample up to VirusTotal is merely a token gesture. Thus, IOCs and reversing exist in a different world compared to anti-malware updates and debates about “AV effectiveness.” One can say that they exist in a more cruel, primal world where only your technical skills matter, not your purchasing decisions or your security vendor market profile. This is the world of true hand to hand combat between the attackers who create malware (and other tools of their trade) on one side and you and your detection and reversing skills on the other side.
Think about it for a second, does the kill chain paper says "… and then the attacker installs malware … and AV catches it"? Not funny, Anton 🙂
In fact, the line between Security Haves and Have-nots goes cleanly between those who trust AV and those who have seen it fail repeatedly in their own environments to the point that it is assumed to never work for the advanced threats that the organization cares about. Endpoint cleanup with no analysis is still the default in the other world. Reversing the malware to extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems is the norm in the other…