Most security experts would agree that the best approach to Cybersecurity is a layered approach; Protect your assets against a variety of attack vectors, in a variety of tactics and in different fronts; secure the endpoint, the network, the cloud, guard your data, in-motion, in-rest, in-transit.
One of the key distinctions in a layered security approach is between pre-infection and post-infection security. Think about it as security measures we take to stop an intruder from breaking into your house (and turning on the alarm if an intrusion is detected), and measures we take to stop the intruder from leaving with our valuables once already inside the house.
The use of anti-virus, firewalls and IDS/IPS are very common when it comes to pre-infection. Obviously, if we can prevent the intruder to enter the house in the first place, that's a clear victory. However, as intruders become more sophisticated, our ability to block them at the door (or the window, or the chimney) goes down.
We recently tested this assumption: we created a random sample of 500 domains used by various types of malware, trojans, and worms after they infect a device; for all domains, we have seen recent malicious activity from multiple devices. We then used 17 of the top anti-virus and anti-malware solutions in the market to see what percentage of these post-infection level activity they detect and block. We made sure that the first activity we saw occurred at least 3 days before we tested the anti-malware solutions.
Below are some of our findings. Figure 1: overall post-infection detection
Looking at the overall results, most anti-malware solutions were able to detect about 1% of the total malicious domains. The highest scored solution was able to detect 22%. Again, all these software solutions were originally designed to defend against pre-infection, when post-infection detection was more of an afterthought. It is very likely that all these products would score very high on a pre-detection test.
Figure 2: percentage of domains detected by at least 1 AV, by Threat
Looking into the specific threat types, we measured how many domains are blocked by at least one of the 17 AV solutions. While there are some threats that are more likely to be detected (if you ran simultaneously 17 different AVs on your laptop), a large portion of the threats has a very low post-infection coverage. For 14 out of the 26 distinct threats we tested, more than 50% of the malicious domains were not detected by any AV. Most notably, Necurs, one of the largest botnets in the world, had only 11.7% of its domains detected by any AV.
One other interesting observation is that specific AVs show expertise in detecting specific threats; going back to Necurs, a single solution (AV 3) detected 10% of the malicious domains, while all the rest of the AVs together detected additional 2%.
The good news (and this blog is all about good news!) is that post-infection protection can significantly close the holes that are not covered by AV, IDS or a firewall. DNS based security covers the attempts of the intruder to move the assets from our already-compromised house into the wild. It detects and blocks the malware communication, and does it about x10 better than solutions designed to handle pre-infection. And so, when we use layered security to protect our home we first lock the doors (and windows), put an alarm, and then ensure that even if an intruder is in - it will not be able to get out with our stuff.
* Nominum, now part of Akamai, Data Science will soon publish a whitepaper with complete methodology, dataset, and results of the test.