Artificial Neural Network Anti-Virus

Don't go all-in on the secret sauce hype

 
 

Anti-Virus: Why ask why, right?

It's 'free' for 90 days after all...

It's 'free' for 90 days after all...

A lot of potentially interesting things can be right beneath the surface of any "normal" environment.  

When Red Teaming, paying attention to things that everyone assumes will "just work" can pay dividends, so we often find ourselves going against the grain in search of whatever unknown thing may exist where few people bother to really check.

So we get to Anti-Virus in general, which has a deep dark history with malware and the infosec community.  Many people don't know or care about old rumors and stories, and basically everyone just accepts that you "need Anti-Virus".  (Well, at least on your Windows machines.  [Well, at least on the user endpoints])

But as a security geek, AV has eaten more files I wanted for research than it has protected me from

As a pen tester, I've bypassed AV enough times to have little faith in any particular vendor

And as a red teamer, I've found more vulns in up-to-date AV products than threats AV has protected me against   

Enter SkyNet^h^h^h^h^h^hArtificial Intelligence

So AI makes everything better, right?

Not sure, but it has definitely been moving into t3h cyb3rz, and AV is one of the most public faces of automated cyber security

So will AI make AV better?  Well most enterprise level endpoint AV solutions already offer "heuristic" protections (which were oft-heralded as 'the solution' to traditional AV [and which many paying customers immediately disable]), so what do the next generation of AI AV products have going for them?  

Artificial Neural Network technology, apparently...?  

While I am hyped to see some ANN applications in the infosec space, the tech does rely on sufficient modeling and training in order to function as expected/advertised.

And unfortunately, Operating Systems are places where many many many conditions are possible, so modeling and training a system to have few false positives and few false negatives is likely extremely difficult to accomplish.

cylance_google_preview.png
cylance_wiki.png

Case Study: Cylance

Lucky for them, their marketing people rebranded before I screenshot the old site (basically said "we might sell it to you if we want to"), but nowadays you can request a demo:

cylance_demo.png

 

And overall the marketing fluff makes you feel all warm and fuzzy, because the ANN magic will protect you.

Very funny to note they go so far as to say you should replace your traditional endpoint security instead of layering.  That definitely makes sense when you're trying to sell licenses, but one hopes the technology will back up that bold marketing...

breaking_01.png

 

 

 

Oh, that was the toned-down and gentle marketing pitch?

 

 

 

1.21 gigawatts of temporal predictive advantage, to be precise

1.21 gigawatts of temporal predictive advantage, to be precise

 

PETYA is somewhat associated with Advanced Threat Actors, and apparently Cylance has that stuff under control with their "temporal predictive advantage".

payloads.jpg

 

Cylance is confident, but knowing a little bit about ANN tech, it does seem like there are some potential weak spots that one could try to take advantage of...

 

So let's generate a bunch of unobfuscated payloads with MSFVenom in a variety of formats (and then the same payloads with the --smallest option as some *basic* obfuscation, just in case we need it)

 

I like to test with MSF simply because it is open and public (and fun!), which makes it a thoughtful marker when evaluating the likelihood of success from unknown vectors.

Plus, now Cylance has an easy out, we were testing out-of-date code :)

Plus, now Cylance has an easy out, we were testing out-of-date code :)

 

Since we're feeding up a softball for Cylance, there is no remorse for attacking a client version that is out of date.

The whole benefit of AI AV should be that it doesn't really need updates all that often, and they push that line in their PETYA marketing.  

 

Results: Cylance:=zero / Shells:=lots

Without getting into too much detail, I really expected many payloads to be eaten upon file transfer.  But none of them were...

Which made me think they'd get caught on execution, but nothing was caught by AI (although +1 in my book for free big name tools that do some good detecting memory events, again sadly short on details)...

So other than a few id-10-t errors on my end, the shells flew:

Always migrate into the AV product memory space, just for giggles :D

Always migrate into the AV product memory space, just for giggles :D

Conclusions: No Story Here

First off, no one is going to market their stuff as something like "it has a reasonable chance of detecting stuff the other guys won't, but it won't catch everything"...

Also, ANNs are relatively new to the scene, and Cylance has bitten off a pretty big mouthful by trying to revolutionize endpoint and replace traditional controls.  It is no surprise at all that in these early days of endpoint AI, SkyNet is not too tough to fool.

It is also worth noting, that this test should in no way be seen as:

  1. comprehensive, or
  2. an indictment of Cylance as potentially good future tech

 

Just like the bad guys, the good guys are always striving to improve, and I anticipate that over time this product / tech will likely improve substantially.

I have some specific ideas on how ANNs might be better implemented as infosec controls, but since I kinda want to be able to sell ANN based infosec products, maybe I should shut up and get back to work ;)