With the important caveats that the story appears to still be evolving and many details are not publicly known at this point, recent bombshell reports have laid out serious allegations regarding Kaspersky’s antivirus (AV) solution. Kaspersky has long been held under suspicion by some mainly due to (at least up until recently) speculation about Kaspersky’s potential ties (both the company and it’s eponymous cofounder/CEO) to Russian intelligence. In a nutshell, the recent revelations allege that Russian intelligence gained access to classified NSA files on an employee’s home computer in the US via Kaspersky Antivirus (KAV), and that capability presumably extended/extends well beyond that specific example. In recent months, the US government has been advising federal agencies and commercial partners to no longer use Kaspersky products, ostensibly due to concerns that it is a national security threat. The recent revelations appear to be filling in the gaps explaining that draconian decision.
It is not clear at this point to what extent if any Kaspersky is complicit in how Russian intelligence got its hands on the classified NSA files at issue. Many theories have been suggested, ranging from Kaspersky working directly with Russian intelligence, to rogue employees / malicious insiders, to an undetected breach of Kaspersky's network by Russian intelligence.
Unsurprisingly, the Kaspersky controversy has ignited passionate discussion and debate in the infosec and national security communities. For many of our customers and colleagues, the core issue becomes making a risk-based decision about whether Kaspersky AV or other Kaspersky security products should be an acceptable option for managed AV in the enterprise or even in a personal computer context. Many organizations already have Kaspersky AV deployed across their enterprise, or are currently considering it as a potential contender for a managed AV solution, and likewise many infosec practitioners use and/or recommend KAV at home.
Screenshot of tweet from: https://twitter.com/hacks4pancakes/status/917412410008461313
The recent controversy aside, Kaspersky markets a generally well-regarded, well-reviewed antivirus product and related security software solutions. It has a reputation of being above-average in its threat detection and removal abilities, and I have witnessed that firsthand. For example, in the past I have used a Kaspersky anti-malware tool in an incident response engagement to help fully scope and quickly eradicate a fast-moving worm from a client network when other AV scanners could not.
Additionally, the threat research team at Kaspersky Labs is top-notch and regularly publishes threat reports detailing malicious campaigns and malware belonging to cyber crime and cyber espionage actors -- including multiple Russia-linked threat actors. The Kaspersky researchers are known to be among the first to identify and publicly reveal novel attacker tools and techniques, and their associated threat actors, while trying to avoid the messy issue of attribution to specific nation-states. My threat hunting colleagues and I have frequently used Kaspersky’s actionable reports and their indicators to help protect the networks of federal and commercial customers.
If Kaspersky made notably ineffective, really buggy software and/or had a reputation for frequently publishing inaccurate or misleading threat intelligence reports, whether to deploy Kaspersky products would certainly be an easy decision. The reality of contextualizing and informing that risk-based decision, at least pending further revelations, is much more murky however. In the heated debate (much of which has of course played out on Twitter, blogs, and other social media), I’ve found myself agreeing with certain points or lines of reasoning that have been raised by others, and am using this opportunity to elaborate as informed by my own real-world experiences and understanding of the broader security landscape today.
1. If you have sensitive files on your computer(s), do not enable automatic cloud uploads.
This seems obvious, but is actually more nuanced than appears at first glance. It also extends beyond antivirus to include any “next-gen” Endpoint Detection and Response (EDR) product, other security products, and even non-security products like cloud storage clients. Many AV/EDR and other security products can automatically upload unknown files to threat intelligence clouds, whether their own or a 3rd party’s like the omnipresent VirusTotal. Typically, there are settings to enable or disable this feature, though opting out and disabling tends to be discouraged in order to promote the full functionality of the vendor’s threat detection capabilities.
A few months ago, there was a short-lived controversy about a well-known EDR provider allegedly submitting terabytes of sensitive customer files to the VirusTotal cloud without their permission. It turns out (as I predicted since I have firsthand experience with deploying this EDR), that those customers had simply and perhaps mistakenly chosen the opt-in setting. This is a great example of significant yet wholly avoidable sensitive data leakage that can perhaps be traced to a breakdown in securely implementing security software settings and understanding their implications, and then regularly auditing such settings with potentially far-ranging consequences.
Accordingly, add verifying such automatic cloud submission settings to your enterprise security checklists. Do you know what software in your company, whether for security or not, has an automatic cloud upload feature? If so, what control do you have over that setting? Can users override default admin settings? Are cloud storage clients like Dropbox authorized on your network, and if so do you know what files your users are syncing to the cloud? Do you know how the vendor controls technical and physical access to its cloud? If your company’s “crown jewels” were accidentally or intentionally uploaded to someone’s cloud, would you know?
2. Even if you disable your AV’s automatic cloud uploads, verify the results.
Even if you disable the relevant settings in your AV/EDR or other software, do you have processes in place to verify that they behave as expected? Whether due to the vendor really wanting to suck your data into its cloud or due to bad UX design, sometimes the relevant cloud submission settings are buried, exist in multiple places (e.g. in a GUI dialog and in a config file) that can override each other, are layered across multiple granular settings, or in a worst case scenario, are simply buggy and unreliable.
Reportedly, the US government conducted controlled experiments to verify Kaspersky AV’s behavior when it detects classified files, and the outcome of those experiments informed its views on the threat allegedly posed by Kaspersky. Whether or not that part of the story is fully accurate, it is imperative that your security team do its own controlled experiments. This may require tailored network security monitoring -- analysis of packet captures, firewall logs, IDS/IPS signatures, and maybe some reverse-engineering, especially if the traffic is encrypted (which raises a separate issue by the way that I’ll perhaps address in a follow up post). Search the vendor’s and 3rd party’s clouds for your sensitive files, whether by filename, hash, or some other indicator. (Even aside from the issue of AV/EDR vendors leaking data to the cloud, it is a good idea to invest in a VirusTotal intelligence subscription to manually or automatically search VT for sensitive company files that shouldn’t be there.) Trust, but verify your security product’s settings when so much is at stake.
3. Even if you disable (and verify) your AV’s automatic cloud uploads, there is the issue of AV backdoors, “silent signatures”, and mass data collection.
I think this is often taken for granted, but most AV/EDR products essentially install kernel level rootkits to do their thing. This is partly why when something goes wrong with an AV/EDR product, you are immediately greeted with a BSOD on Windows. AV products also essentially create a backdoor for the vendor to access your endpoints -- typically for benign reasons such as pushing out product and signature updates, centralized management (whether on-prem or cloud-based), and troubleshooting and providing remote support. This backdoor capability, especially including the update channel, can and will be abused by threat actors to silently push malware into your network and gain unauthorized access -- although publicly confirmed cases of this are relatively rare. And I’m not even going to get into the many exploitable vulnerabilities in popular AV software that Tavis Ormandy and other researchers constantly find and report, often through fuzzing, or the fact that some AV products poorly implement a man-in-the-middle (MitM) attack to inspect your encrypted web traffic.
Mainly for threat intelligence telemetry at scale, QA testing detection signatures before deployment in production to prevent false positives or other issues, and additional, mostly benign reasons, AV vendors are widely known to use so-called “silent signatures”. Eugene Kaspersky has written about this technique in the past. While they often like to market next-gen threat intel clouds and machine learning capabilities, traditional AV products are still mostly based on signatures and pattern matching. And if you thought your AV always without exception alerted you and/or generate a user-accessible log event when it thinks it detects something that matches a signature or pattern correlating to evil, you are probably wrong.
In the absence of publicly known details regarding how exactly Kaspersky AV (or rather Russian intelligence breaching or abusing Kaspersky) identified those classified files on a customer computer, a silent signature is one possibility. Kaspersky could be deploying some form of a signature to search for classified markings or other indicators of classified files across its customer endpoints, or perhaps targeted to specific customers, and then taking action once hits are identified. I want to emphasize that this is purely speculative, but certainly within the realm of technical capability. Another important point here is that silent signatures, whether used for foreign intelligence gathering or not, is not simply a Kaspersky issue -- any major AV vendor is likely capable of doing this as well.
More broadly, nearly every popular AV/EDR/security software company is amassing a sizeable database of endpoint threat data and related analytics -- the Kaspersky debate is helping, but I don’t think this is widely understood. The collected data provides them with remarkable insight into their customer networks and computers, and helps them improve their products and threat detection and response capabilities. That said, even if you read the privacy policy, it’s not always clear what precise data is being collected and correlated by these vendors, and what they are doing with it. Ultimately, it boils down to trust. Do you trust your AV or EDR vendor?
4. Even if your AV vendor is trustworthy, their customer databases are a huge target for foreign intelligence and cyber criminals.
According to the latest updates to the Kaspersky story, Israeli intelligence allegedly hacked into Kaspersky’s network, discovered evidence that Kaspersky AV was being used for intelligence gathering against the US, and alerted the US. This is remarkable on several levels. One facet is that Kaspersky appears to be very good at detecting threats in their own network, as they have revealed sophisticated intrusions targeting Kaspersky in the past, but apparently missed both Israeli and Russian intelligence seriously compromising their network and customer data.
Another important takeaway here is that I can virtually guarantee Kaspersky is not the only AV vendor targeted by Israeli intelligence, and that intelligence agencies at other countries (likely including the US) are also targeting at least foreign AV vendors. If the reporting is accurate, the Israeli operation against Kaspersky, whatever the initial objective, proves the value of doing so. And aside from hacking into a security company’s networks, there is also the possibility, depending on the laws and courts of the relevant countries, of secretly forcing a security company to provide data or other technical assistance to an intelligence or law enforcement agency in the name of national security. Another real possibility are malicious insiders; e.g., could a rogue AV employee deploy and/or review the output of “silent signatures” involving sensitive customer data? Adding to the murkiness is the fact that many former intelligence employees have gone on to work for AV vendors and other commercial security companies, and some such employees may or may not still have ties of some nature to their former intelligence colleagues -- incidentally, this has long been a means of attacking the credibility of Eugene Kaspersky, who formerly worked for the KGB.
Another recent news story that was largely lost in the shadow of the Kaspersky controversy is that North Korea allegedly breached South Korea’s classified military network partly thanks to compromising the South Korean military’s AV vendor updates -- definitely more targeted yet somewhat akin to the MeDoc and CCleaner update compromises that resulted in numerous infections worldwide. (Going back to the issue of trust, does your AV/EDR vendor encrypt and sign product updates and signatures?)
Let’s say for the sake of argument that Kaspersky as a company voluntarily colluded with, or was legally compelled to assist, or was breached by state-sponsored hackers. The same possibilities exist for any other security software or tech company.
Cyber criminals should also have a keen interest in AV vendors and their customer data, which may include data showing 0day exploits used by other threat actors, but not publicized yet, sensitive customer data useful for targeting and various stages of the attack kill chain, and hints at how to effectively evade the vendor’s detection capabilities.
5. So should I use Kaspersky or not?
The unfolding allegations against Kaspersky are certainly deeply concerning, but ultimately the short-term answer here is “it depends.” Accompanied by your own additional research and risk management processes, I hope the topics and questions raised in this post help to inform that decision. One of my goals here is to demonstrate that the important issues raised by the recent Kaspersky controversy extend well beyond Kaspersky to the AV/EDR industry as a whole, and perhaps beyond that as well. Jake Williams has shared some helpful thoughts in a recent blog post: “Should Antivirus software be part of your threat model?”
I would also like to emphasize, as have others, that the primary threat for most organizations is not foreign intelligence stealing sensitive or classified files off your computers by compromising your AV deployment. (And if your employees are storing classified files on your unclassified network or their home computers, you have separate issues on hand.) In the typical real-world threat model, our customers are facing daily common threats such as ransomware, malvertising, banking trojans, and the like -- threats that Kaspersky products actually tend to be relatively effective against compared to others. When deployed in a defense-in-depth context, AV and EDR still provide value in general -- just be sure to understand their caveats and issues affecting trust. Security software by nature imperfectly addresses some security needs while potentially creating others.
This blog post reflects the views of the author, Ben Hughes of Polito, Inc., and is not an official position of his employer. If you have follow up questions about Kaspersky or AV/EDR in general, feel free to reach out to us.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
E-mail: info@politoinc.com
Phone: 571-969-7039
Website: politoinc.com
Additional Reading:
https://www.cyberscoop.com/kaspersky-fbi-cia-fsb-demarche-2015/
https://www.renditioninfosec.com/2017/10/should-antivirus-software-be-part-of-your-threat-model/
https://www.nytimes.com/2017/09/13/us/politics/kaspersky-lab-antivirus-federal-government.html
https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
Comments