Knowledge as a Defense Against Malware

Team Anti-Virus, an independent group of anti-virus researchers, published Ten Rules of Common Sense Computing and Virus Defense ten years ago to help educate network security personnel, end users, and the general public about anti-virus issues. The rules are still very relevant today. Three of the rules focus on knowledge:

• #4: Leverage experts, not generalists
• #7: Listen to others when told you may be infected
• #8: Don't believe all alerts

These knowledge-centric rules are some of the cheapest to implement, but the costliest to overlook.

The need for specialists

Without experience and knowledge, the response team will not know which alerts to respond to

There is an old saying: “That which is cheap becomes expensive.” Staffing malware defense and response positions is often done with recent graduates or people with no direct experience in the counter-malware field. Simply knowing how to deploy and configure software does not mean that the individual will know how to most effectively employ desktop security software, nor does firewall knowledge translate to counter-malware architecture. Counter-malware is as much a specialized career field as is encryption, VPN or firewalls. These skill sets will often overlap, but the mindset does not. A good counter-malware architect will be experienced in hardware, software and network protocols, and will have insight into the human mind. Many times, these specialists will be called upon not only to reverse engineer some suspect code or troubleshoot symptoms, but to figure out the opponent’s intentions and goals.

Following the right leads

Counter-malware experts also know what questions to ask, where to seek additional information, and where to look for answers or indicators. While many corporations have moved to a centralized management and reporting model, there are still times when the counter-malware specialists may be contacted by third parties with information about a potential compromise. This is when questions must be asked and responded to correctly. Ignoring the reports can increase liability, while chasing the wild goose can cost time and assets. While we no longer see the rash of emails and reports claiming that “Someone said there is an undetectable virus that will crash your hard drive,” the reports we get from our own systems and third parties can be equally misleading, can produce false positives, or could be outright wrong. Without experience and knowledge, the response team will not know which alerts to respond to, or even worse, they may respond to the wrong ones while legitimate alerts are neglected due to a lack of resources.

The knowledgeable individual will also apply his expertise to the evaluation of unconventional responses and alerts. By leveraging knowledge of what malware can or cannot do, historical author intent, and host network targets, a risk assessment can be performed and simple defenses can be custom designed. While organizations often like to throw money at a problem, sometimes the answer is to use existing resources in an unconventional manner to achieve a similar goal. An historical example of this was adding “canary” email accounts into the global address book. These accounts (before texting became popular) would trigger the response team’s pagers. Occasionally there would be a false positive (from someone accidentally selecting one of the accounts as an email recipient), but this technique most often found directory traversing email worms. Canary email accounts cost an organization nothing but provided invaluable visibility into their network.

Knowing what’s normal

Using your knowledge, are there any gaps that you can close by unconventional means? Do you or your company experts know what “normal” looks like on your network? By leveraging this knowledge, identifying, preventing and responding to attacks is much easier. For example, Tenable’s SecurityCenter Continuous View™ can monitor all your assets continually, retain logs of all activity and events, and track anomalies. When you have such a baseline on network health, assessing activity outside of “normal” gets a whole lot easier and provides a knowledgeable operator with plenty of supportive information.

By leveraging experienced field specialists, this knowledge translates to corporate cost savings, early identification of gaps in coverage, and increased defense. When you hire a lower salaried generalist to interpret the data, you lose the knowledge and experience that reduces the costs and scope of responses.

I hope that we all realize that generalists are necessary and important to the security landscape, but assigning key specialized duties to them will wind up costing more than prevention would cost. And while not a substitute for a specialist’s wisdom, tools like Tenable’s SecurityCenter Continuous View provide the visibility that knowledgeable people need to identify the gaps.