Greg Leah Symantec Hosted Services (formerly MessageLabs)
Mass email attacks have become a daily occurrence, and many AV companies have struggled to cope with them. Against these threats, signature-based engines have proven ineffective when compared with heuristic engines. With attack runs lasting just minutes, and with the significant time required to build and deploy a signature, any company that does not already have advanced heuristic detection in place before a zero-day email threat is launched will inevitably have customers affected.
Furthermore, targeted email attacks are slipping past signature-based scanners completely under the radar. Many of these so-called 'spear-phishing' attacks use unique malicious documents that are sent to only a handful of potential victims, so no two samples share a signature and no sample is likely to reach a vendor before it reaches its target. Such intrusions were thrown into the media spotlight recently following the highly publicised 'Aurora' attacks, which resulted in the penetration of Google, Adobe and some 32 other companies, including defence contractors and financial institutions.
This paper will use recent mass email attacks, as well as small, covert targeted attacks, to illustrate some of the current challenges faced by the AV industry. In particular, it will expose some major shortcomings of traditional signature-based AV: the inability to protect against zero-day email attacks launched from botnets, and the inability to shield customers from stealthy targeted attacks. Conversely, it will highlight some of the benefits, in these same areas, of moving towards a cloud-based heuristic solution. The argument will be backed up by real-world data gathered from live email attacks against corporations, SMBs and public-sector institutions.
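The following is an added illustration of the core argument above, not code or data from the paper: a hash signature written from one captured sample matches nothing else once each recipient receives a slightly different copy of the same malicious document, whereas a content heuristic that scores what the document does catches every copy. The "documents", the recipient list, the signature set and the heuristic rules are all constructed here for the example; the marker strings are stand-ins chosen for readability, not a real file format.

```python
"""Toy comparison of hash-signature and heuristic detection over
per-recipient unique attachments. Added example, not from the paper;
samples, signatures and rules are all constructed for illustration."""
import hashlib
import re

# Constructed malicious template: a placeholder is filled in per recipient,
# so every delivered copy has a different hash (as spear-phishing runs do).
MALICIOUS_TEMPLATE = (
    b"%DOC%\nTo: {RECIPIENT}\n"
    b"/OpenAction /JavaScript\n"
    b"unescape('%u9090%u9090')\n"
)
# Constructed benign document with none of the suspicious features.
BENIGN = b"%DOC%\nTo: staff@example.test\nQuarterly figures attached.\n"


def build_variants(template: bytes, recipients):
    """Return one copy of the template per recipient, keyed by address."""
    return {r: template.replace(b"{RECIPIENT}", r.encode()) for r in recipients}


def signature_scan(sample: bytes, signatures: set) -> bool:
    """Signature engine: flags a sample only if its SHA-256 is already known."""
    return hashlib.sha256(sample).hexdigest() in signatures


# Heuristic rules (hypothetical weights): auto-run on open, embedded script,
# and unescape-style shellcode encoding. A document is flagged when the
# summed weight of matching rules reaches the threshold.
HEURISTIC_RULES = [
    (re.compile(rb"/OpenAction"), 2),
    (re.compile(rb"/JavaScript"), 2),
    (re.compile(rb"%u[0-9a-fA-F]{4}"), 3),
]


def heuristic_scan(sample: bytes, threshold: int = 4) -> bool:
    """Heuristic engine: scores behaviour-indicating content, not identity."""
    score = sum(weight for rx, weight in HEURISTIC_RULES if rx.search(sample))
    return score >= threshold


def compare(recipients):
    """Run both engines over the per-recipient copies and a benign file.

    The signature set contains only the hash of the first copy, modelling a
    vendor that captured exactly one sample from the run.
    """
    variants = build_variants(MALICIOUS_TEMPLATE, recipients)
    first_seen = next(iter(variants.values()))
    signatures = {hashlib.sha256(first_seen).hexdigest()}
    return {
        "variants": len(variants),
        "signature_hits": sum(signature_scan(v, signatures) for v in variants.values()),
        "heuristic_hits": sum(heuristic_scan(v) for v in variants.values()),
        "benign_signature": signature_scan(BENIGN, signatures),
        "benign_heuristic": heuristic_scan(BENIGN),
    }


if __name__ == "__main__":
    print(compare(["alice@example.test", "bob@example.test", "carol@example.test"]))
```

With three recipients the signature engine flags only the one copy it was written from, the heuristic engine flags all three, and neither flags the benign document. The weights and threshold are arbitrary; the point is that the heuristic verdict depends on content that every copy shares, while the signature verdict depends on bytes that differ per copy.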