Inception Beats Antivirus, But Not PARANOID – And We Have Video Proof

    I recently reported on an NSS Labs evaluation of 20 Advanced Endpoint Protection (AEP) solutions that revealed their inability to block unknown threats. I highlighted some statistics around how their efficacy rates drop to as low as 46%. While the rows and columns of numbers from NSS Labs’ controlled testing environment are alarming, it’s even more powerful to see next-gen AV solutions from leading vendors fail on-stage right before your eyes.

    That was the experience security researcher James Williams delivered to attendees at BSides Manchester in England last week during his colorfully titled presentation “Next-gen AV vs my shitty code.”

    Williams showed how he used the Inception framework to easily bypass a number of AV products (whether traditional or next-gen) and gain access to the victim’s computer. Those products included Symantec Endpoint Protection 14, Sophos Intercept X, ESET NOD32 Antivirus, McAfee Adaptive Threat Protection, Cylance and SentinelOne Autonomous Endpoint Protection.

    I encourage you to watch his presentation, which is once again available on YouTube. I say “again” because it was temporarily unavailable after SentinelOne filed a copyright-infringement complaint to make YouTube remove it. Apparently YouTube reconsidered, and you can check it out here: BSidesMCR 2018: Next Gen AV vs My Shitty Code by James Williams. To SentinelOne’s credit, apparently Williams used an older version of the product. The latest version can block this attack vector.

    Paul Ritchie (@cornerpirate) posted a good summary to his Geeks Rejoice blog after seeing Williams deliver the same presentation at SteelCon 2018:

    “He gets past various anti-virus solutions by using .Net. To summarise the technique it:

    • Needs a ‘stager’ which can download code into memory
    • A means of compiling that source (also in memory)
    • Then a way to execute that code

    The key part from James about the process is: ‘(the) Stager has to touch disk, the payload does not.’ There is nothing malicious about the stager so it essentially gets a free pass from all AV solutions that he tested.”

    That last point – that there is nothing malicious about the stager – is critical to understanding why what I call the “enumeration of badness approach” is no longer effective. Enterprises need to strike a balance between the traditional Negative Security approach and Positive Security.

    Instead of only worrying about the badness, also direct your attention to the good – i.e., all legitimate OS behavior. There are just a handful of operating systems out there, and they change infrequently, especially in the way they operate with the file system and networking.

    Nyotron’s PARANOID is threat agnostic, application agnostic and user-behavior agnostic, meaning it doesn’t need to “know” anything about a particular application or a threat. No matter the application, it uses the operating system and the way the OS should operate is always the same.

    As you’ll see in this short video on our YouTube channel , Inception could not fool PARANOID. You’ll see the attacker attempt to launch Inception, PARANOID immediately detects and prevents the malicious activity, and alerts the user. The user then moves into the PARANOID dashboard to view the details of the abnormal activity attempt.

    For more information on how PARANOID enables you to create a multi-layered defense that strikes a balance between Negative and Positive Security, visit our website and connect with us on LinkedIn and Twitter.

    Ad
    Rene Kolga
    Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.

    No posts to display