Threat Detection and Disclosure
We should have a discussion about dwell time or lag time between finding a threat and reporting a threat as it’s going to become more important in the threat landscape.
What is dwell time or lag time? On an endpoint, it would be the time between a threat making it to the machine and a solution “detecting” the threat. The same happens when it comes to researchers and disclosing new threats appearing on the landscape.
A report was released about AvNeutralizer, which also goes by AuKill. It was released by Carbon Spider (or FIN7, for those only following for the last year or so) with the intent of impairing or disabling endpoint security solutions (CrowdStrike, SentinelOne, McAfee/Trellix, Symantec). A screenshot was posted showing this for sale on a dark web forum back in May, yes, two months ago! The lag time between seeing it for sale and posting information about it is rather impressive, in a terrible way.
So why is there a lag time between researchers “finding” something and disclosing it? To do their diligence and understand everything about said item? Possibly, but that in general does not take a qualified researcher months to accomplish. No, the reason it takes so long is that the team that finds the threat needs time to ensure they detect the threat by the time the research is released. It makes sense, as the last thing you would want is to announce a threat and then get nuked by that very threat.
The lag time between finding and disclosing puts customers at risk: while one AV solution might be preparing defenses against a threat, other vendors might not even be aware the threat exists. The good news is there is a way to prevent this lag time completely and keep your environment safe.
Even within the ecosystem of a single AV provider, I watched new threats being identified in customer environments (submitted by the customer, or found during IR-type situations), and the response to the customer after the submission was “We will provide you a detection for this, and the threat research team will determine if this should go out to everyone as part of daily updates”. So you are protected, but other customers with the same software would not be, as they didn’t have the custom file pushed to them.
You can leverage the power of prevention-based technology with a sub-20ms MTTP (Mean Time To Prevent) to ensure your environment is kept safe and secure. Couple that with #deeplearning, which shuts threats like these down before they can even be built in the first place, and it’s game over. I know, preventing something before it has been created seems like science fiction, but the BLOKWORX threat team spends quite a bit of time both finding unreleased threats and building their own to test against the security stack. The results speak for themselves, and if you need more proof you can read the third-party testing done against the solution, which found it was over 99.78% effective against unknown and custom threats.
Keeping your environment safe is possible; we can help.