“The Windows Authentication mode is less vulnerable to brute force attacks, as the attacker is likely to run into a login lockout after a finite number of attack attempts.”
.
STATE 1: MACHINE IS FULLY PATCHED, ANTIVIRUS IS INSTALLED AND UP TO DATE
The only vulnerabilities that exist here are either “human” (end users tricked into installing malware) or zero-day attacks/exploits that would go undetected by the antivirus.
Clearly, user awareness training is the only effective defense against “trickery” or social engineering based attacks. Only if warnings are dismissed can the exploit successfully deliver its payload.
This is the case with Visual Basic Macro exploits found in phishing emails. Robust antivirus featuring definitions of malware signatures, heuristic detection of exploit activity, and behavior-based analysis of exploit activity may protect the endpoint, but this is frequently not the case.
STATE 2 : MACHINE IS NOT PATCHED, ANTIVIRUS IS INSTALLED AND UP TO DATE
The vulnerabilities here are related to exploits that have been developed for the lack of a specific patch. Although antivirus may be up to date, it’s questionable whether the exploit will actually be detected. In this scenario, the machine could be easily infected by an exploit designed to bypass antivirus. Research from Recorded Future indicates that Adobe Flash, Java, and Internet Explorer are the most frequent targets of exploit kits. Not having the exploitable software installed in the first place is the only effective defense.
STATE 3: MACHINE IS NOT PATCHED, ANTIVIRUS IS INSTALLED, BUT NOT UP TO DATE
The vulnerabilities here are greatly enhanced over the first two states, as the machine is open to a wide range of exploits, not just the latest versions of exploits kits. Similar to state 2, a machine in this state can be easily infected, however it is also likely to be infected over and over again. IT providers and MSPs find themselves in this scenario in all too frequently. The emphasis has to be placed on patching due to the exploit package’s ability to execute and deliver a Trojan, which in turn delivers a payload against an unpatched machine. Antivirus definitions do include the actual malware signatures, but more sophisticated behavioral and heuristic engine updates provide antivirus software with “indications to look for” (such as network traffic to a certain set of IPs) or “suspicious events” such as invoking JavaScript from a document in email. These are all telltale signs of an endpoint about to receive a Trojan.
STATE 4 : MACHINE I S PATCHED, ANTIVIRUS IS INSTALLED, BUT NOT UP TO DATE
This state is similar to state 1, but cybercriminals have better success as the majority of the cyberdefense is provided by patch installations. The attack surface is the same as State 1, however the machine is more susceptible to a “human” vulnerability, as an entire range of Trojans (installed via phishing email) can infect the machine. This is probably the second most common scenario shortly after patches have been delivered to endpoints. With the patches in place, the IT provider or MSP has reduced the likelihood of exploitation considerably, however the danger remains from Trojans delivered in the form of email. The combination of phishing emails and social engineering attacks can be conducted using families of older Trojans if the target’s antivirus is not up to date.
In states 3 and 4 where the antivirus is out of date, the best course of action is to update to the latest definitions and run a complete scan on the endpoints. There is a good chance malware may have been installed while the machine’s antivirus defenses were “down.” Many users will not admit they may have accidentally clicked on something they shouldn’t have,
so a Trojan may be lurking on the endpoint waiting to download a payload, held at bay by your other network defenses.
For special purpose systems, such as payroll, accounting, and point of sale, removal of the frequently exploited software, weekly patching, and updating of exploit-friendly software like the aforementioned Adobe Flash is essential. If the software cannot be removed, then robust antivirus with frequent malware signature updates, behavioral, and heuristic based
analysis offers the best route to protecting these systems.
Assuming there is user awareness training in place, the above scenarios should entail the priority of work for MSPs and IT service providers. This work should be focused on testing and deploying patches quickly and efficiently into the network—obsessing on the definitions or capabilities of antivirus of choice is certainly not a priority activity.
After robust data backups, patching and updating should be the priority to keep systems out of the hands of cybercriminals.