Enterprotect


8 Types of Cyber Threats That Evade Traditional Antivirus

The first documented computer virus was Creeper, developed in 1971. Created in an academic setting, the virus was built to demonstrate a file’s ability to transfer across a network. It took six months before computer programmers wrote a successful antivirus program called Reaper. This was the first documented lag between threat and defense. Ever since, security professionals and computer programmers have been playing catch up.

As an industry, we detect threats, update our defenses, then repeat as necessary. Many traditional antivirus (AV) programs operate on signatures. As malicious software is discovered, a signature describing the file is generated, added to a database, then the database gets pushed out to the customer base. If the antivirus discovers a file on your machine that matches a signature, that file gets quarantined and/or removed. However, this approach has its limitations.

Limitations of Traditional Antivirus

By December 2018, malware was being discovered at an alarming rate of 350,000 new threats per day. With that number still rising, signature-based AV solutions struggle to keep up with the volume, and every sample that has not yet been given a signature leaves devices exposed. Furthermore, many modern cyber threats are designed specifically to evade traditional antivirus. Here are eight types of cyber threats that can evade traditional antivirus, along with examples of each:

1. Advanced persistent threats (APTs)

APTs are sophisticated and targeted attacks that can bypass traditional antivirus programs. They are often launched by nation-states, cybercriminals, or other advanced actors with the goal of stealing sensitive information or disrupting operations. APTs can remain undetected for months or even years, making them particularly dangerous. An example of an APT is the 2017 NotPetya attack, which caused widespread damage to businesses and infrastructure around the world.

2. Zero-day attacks

Zero-day attacks exploit unknown vulnerabilities in software, and can occur before a patch or update is available to fix the vulnerability. Because traditional antivirus relies on known signatures to detect malware, zero-day attacks can easily slip past these defenses. An example of a zero-day attack is the WannaCry ransomware attack that affected hundreds of thousands of computers worldwide in 2017.

3. Polymorphic malware

Polymorphic malware is designed to change its code or signature with each infection, making it difficult for traditional antivirus to keep up. By constantly changing its appearance, this type of malware can evade detection and continue to infect systems. An example of polymorphic malware is the Emotet Trojan, which has been active since 2014 and continues to evolve and evade traditional antivirus programs.
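The following is an added example, not Enterprotect's code or any real AV engine, that ties the signature model described in the introduction to the polymorphic case above. It builds a toy hash-based signature database, scans a constructed (harmless) sample, then re-encodes that sample with a fresh random key to stand in for a polymorphic variant. The sample bytes, the signature name `Test.Sample.A` and the XOR re-encoding are all constructed for illustration; the point is that the variant's hash no longer matches while its decoded content still does, which is why scanners that only match file hashes fall behind and why unpacking or behaviour analysis is needed.

```python
"""Toy signature scanner versus a self-mutating sample (added example).

All inputs are constructed: the "sample" is plain text standing in for a
known-bad file body, the signature database is a dict of SHA-256 hashes,
and mutate() is a trivial XOR re-encoding that mimics how polymorphic
malware changes its bytes without changing what it does.
"""
import hashlib
import os
from typing import Dict, Optional

# Constructed payload: harmless text standing in for a file body that an
# analyst has already classified and signed.
ORIGINAL_SAMPLE = b"CONSTRUCTED-SAMPLE: this stands in for a known-bad file body"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: hash of the analysed sample -> detection name.
SIGNATURE_DB: Dict[str, str] = {sha256_hex(ORIGINAL_SAMPLE): "Test.Sample.A"}


def signature_scan(data: bytes, db: Dict[str, str]) -> Optional[str]:
    """Return the detection name if the file's hash is in the DB, else None."""
    return db.get(sha256_hex(data))


def mutate(data: bytes, key: Optional[bytes] = None) -> bytes:
    """Simulate a polymorphic re-encoding: XOR the body with a fresh key and
    prepend the key, so every copy has identical logic but different bytes."""
    if key is None:
        key = os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return key + body


def demutate(blob: bytes, key_len: int = 8) -> bytes:
    """Inverse of mutate(): what an unpacker or emulator recovers at run time."""
    key, body = blob[:key_len], blob[key_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def demo() -> dict:
    """Scan the original, a mutated copy, and the mutated copy after decoding."""
    original_hit = signature_scan(ORIGINAL_SAMPLE, SIGNATURE_DB)
    variant = mutate(ORIGINAL_SAMPLE)
    variant_hit = signature_scan(variant, SIGNATURE_DB)       # hash no longer matches
    decoded_hit = signature_scan(demutate(variant), SIGNATURE_DB)  # content still does
    return {"original": original_hit, "variant": variant_hit, "decoded": decoded_hit}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the original as detected, the mutated variant as clean, and the decoded variant as detected again; a scanner that hashes only what is on disk sees the middle result, which is the gap that signature updates chase.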

4. Weaponized documents

Attackers often use weaponized documents to exploit flaws in different document formats, which can compromise a system. These documents typically use embedded scripts that are obfuscated to make them appear harmless to traditional antivirus. Once launched, the attack runs in the background without the user's knowledge. An example of weaponized documents is the TrickBot malware, which spreads through phishing emails that contain malicious Microsoft Word documents.

5. Browser drive-by downloads

Drive-by downloads are files downloaded to the endpoint using vulnerabilities in the browser or a browser add-in. The download could come from a legitimate website with a compromised script or ad service, or it could be a malicious website specifically set up to initiate the download. These attacks start with email or social phishing, email attachments, or well-disguised pop-up links to lure users to a website. An example of a browser drive-by download is the Magniber ransomware, which infects victims through malicious advertisements on legitimate websites.

6. Fileless attacks

Fileless attacks occur without installing an actual payload on a system, making them extremely difficult for traditional antivirus to detect. They’re typically executed in the endpoint’s memory, and use built-in system resources to infect machines. An example of a fileless attack is the PowerShell Empire toolkit, which is used by attackers to run malicious code in the memory of a targeted machine.

7. Obfuscated malware

Obfuscated malware is designed to evade detection by disguising its malicious code. It uses techniques like packing and encryption to conceal itself from traditional antivirus programs, so the bytes a scanner sees on disk do not resemble the malicious logic. Only once it executes on the endpoint does the malware "unpack" and decrypt itself, ready to do its damage. An example of obfuscated malware is the Locky ransomware, which uses a complex encryption technique to hide its malicious code from traditional antivirus programs.

8. Ransomware

Ransomware is a type of malware that encrypts data on a victim's system, then demands a ransom payment in exchange for the decryption key. Traditional antivirus may be able to detect some types of ransomware, but sophisticated variants can easily evade these defenses. An example of ransomware is the Ryuk ransomware, which has been used in numerous attacks against organizations worldwide and can evade traditional antivirus by using obfuscation techniques to hide its presence and behavior.

The Role of Endpoint Detection and Response

To address the limitations of traditional antivirus, Endpoint Detection and Response (EDR) solutions have emerged. EDR solutions use machine learning algorithms and behavior-based analysis to detect threats in real time. They monitor all activity on endpoints, identifying and responding to threats as they occur, rather than relying on a database of known signatures.
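As an added example (not Enterprotect's or SentinelOne's code), here is a minimal behaviour-based detector of the kind the paragraph describes, run over constructed process-creation telemetry. The log format, field names, and the three rules (an Office application spawning a script host, a script host launched with hidden or encoded-command flags, and a process with no backing image on disk) are assumptions chosen to illustrate the weaponized-document and fileless cases from the list above; real EDR products use far richer telemetry and many more rules.

```python
"""Behaviour rules over constructed endpoint telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed telemetry: one process-creation event per line, key="value" pairs.
SAMPLE_EVENTS = """\
ts=2024-01-01T09:00:01Z host=WS01 parent="explorer.exe" image="winword.exe" cmd="winword.exe invoice.docx"
ts=2024-01-01T09:00:05Z host=WS01 parent="winword.exe" image="powershell.exe" cmd="powershell.exe -nop -w hidden -enc AAAA"
ts=2024-01-01T09:01:10Z host=WS02 parent="explorer.exe" image="chrome.exe" cmd="chrome.exe"
ts=2024-01-01T09:02:00Z host=WS03 parent="svchost.exe" image="rundll32.exe" cmd="rundll32.exe" image_on_disk=false
ts=2024-01-01T09:03:00Z host=WS04 parent="cmd.exe" image="powershell.exe" cmd="powershell.exe Get-Process"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmd: str
    image_on_disk: bool = True  # assumed field: False means no file backs the process


def parse_event(line: str) -> Event:
    """Parse one key=value line into an Event; names are lower-cased for matching."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return Event(
        ts=fields["ts"],
        host=fields["host"],
        parent=fields["parent"].lower(),
        image=fields["image"].lower(),
        cmd=fields["cmd"],
        image_on_disk=fields.get("image_on_disk", "true").lower() != "false",
    )


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Flags that hide a window or pass an encoded script; benign admin use is rare.
SUSPICIOUS_FLAGS = re.compile(r"(?i)(^|\s)-(enc|encodedcommand|w\s+hidden|nop)\b")


def evaluate(ev: Event) -> List[str]:
    """Apply the behaviour rules to one event; return the names of rules that fired."""
    hits: List[str] = []
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")        # weaponized-document pattern
    if ev.image in SCRIPT_HOSTS and SUSPICIOUS_FLAGS.search(ev.cmd):
        hits.append("script_host_hidden_or_encoded")
    if not ev.image_on_disk:
        hits.append("process_without_backing_file")     # fileless indicator
    return hits


def scan(log: str) -> List[dict]:
    """Run every event through the rules and collect alerts (no hashes involved)."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            alerts.append({"host": ev.host, "image": ev.image, "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed log, `scan()` raises two alerts: the PowerShell child of Word on WS01 (two rules) and the unbacked rundll32 on WS03, while the interactive `Get-Process` on WS04 stays quiet. None of these decisions depends on the content or hash of any file, which is the property that lets behaviour-based detection catch a sample whose bytes have never been seen before.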

EDR solutions are particularly effective at detecting the types of cyber threats listed above, which can evade traditional AV solutions. By detecting threats in real time, EDR solutions can help prevent infections before they cause damage.

Conclusion

The rise of new and advanced cyber threats highlights the need for organizations to adopt a layered security approach to protect their endpoints. Traditional antivirus solutions can no longer provide the level of protection required to safeguard against modern threats. Organizations need to look beyond signature-based detection and consider Endpoint Detection and Response (EDR) solutions to better protect their endpoints.

To protect against modern threats, organizations should take a layered security approach. By overlapping multiple security controls, you can mitigate the risk of falling victim. Enterprotect 360 is a layered cybersecurity platform that brings together 11 layers of protection including industry-leading Endpoint Detection and Response (EDR) capabilities powered by SentinelOne.

With the right security measures in place, organizations can defend against modern cyber threats and keep their data and systems safe from harm.
