Cybercrime Kill Chain vs. Defense Effectiveness
SUBVERSION OF LAYERED SECURITY

Authors - Stefan Frei, PhD, Francisco Artes

Overview
Global Internet penetration and e-commerce have grown explosively over the past two decades. It is currently estimated, as of 2012, that more than two billion users have Internet access.[1] With the ongoing deployment of information technology, comprehending the evolution of information security at large has become much more than the mere understanding of the underlying technologies. There is a growing realization that security failures are caused as often by bad incentives and awareness as by bad design or neglected implementation of available security technologies - while cybercriminals continue to surprise defenders with new attack methodologies and innovative evasion techniques to bypass detection.
This brief first examines the attacker's kill chain, the main tracks from the external attacker to the target, which lead to the compromise of the victim's server or desktop machine. Defense in depth, on the other hand, represents the use of multiple security techniques to help mitigate the risk of one component of the defense being compromised or circumvented. In the second part of this paper, we examine the four major classes of protection technologies (firewall, intrusion prevention systems, endpoint protection/antivirus, browser protection) that large organizations typically deploy and rely upon. Empirical data will be layered to present results on the security effectiveness of these protection technologies as measured in NSS Labs' group tests. Each class of technology tested is represented by the leading products from that product group. The products are subjected to an array of the industry's most rigorous testing procedures including load and stability, live malware, known and unpublished exploits, and diverse evasion techniques.
Generally, NSS finds a considerable gap in protection levels within and across different security product groups.


[1] Internet World Stats - http://www.internetworldstats.com/stats.htm

NSS Labs Analyst Brief - Cybercrime Kill Chain vs. Defense Effectiveness
NSS Labs Findings
- Vendor claims on the effectiveness or performance of their products are frequently found to be overly optimistic, or based on unrealistic assumptions that do not apply to real-world deployments.
- The general availability of malware tools leads to an increase in opportunistic attacks.
- Automated vulnerability scanners and attack tools cannot determine whether or not your enterprise should consider itself a high-risk target.
- Antivirus does not prevent a dedicated attacker from compromising a target.
- Three of the six network firewall products tested crashed when subjected to NSS' stability tests.
- IPS evasion detection has improved considerably from 2009 to 2012.
- IPS products failed to detect between 17 and 334 of the 1,486 exploits tested.
- Antivirus products differ by up to 58 percent in effectiveness at stopping exploits, with protection levels varying between 34 percent and 92 percent. Several products failed to detect exploits when switching from HTTP to HTTPS.
NSS Labs Recommendations
- Enterprises should conduct a thorough risk assessment to determine whether they are high-risk targets. However, even low-risk targets should assume they will be subject to opportunistic attacks at some point.
- A risk-based approach to IT security - identifying the systems and assets that are most vulnerable to attack and whose compromise would be most damaging to the enterprise - is crucial to defending against and remediating targeted persistent attacks (TPAs).
- High-risk enterprises should assume that they are already compromised - there is no product or combination of products that provides 100 percent protection.
- Organizations should complement prevention with breach detection and security incident and event monitoring (SIEM) to identify and act on successful security breaches in a timely manner.
- Utilize independent information on security product effectiveness and performance during product purchase, refresh, and upgrade cycles to make the right deployment decisions. In NSS tests, vendors' performance claims were frequently found to be excessively optimistic.

Analysis
Understanding the Enemy
Understanding the capabilities and motivation of the enemy is a crucial step in planning and executing any kind of defense. It is of paramount importance to first look at the changing threat environment, and then examine the "attacker's kill chain."
The Changing Threat Environment
In cybersecurity, the threat landscape has evolved considerably in the last decade. In a first order approximation, this evolution can be mapped on the two dimensions expertise of the attacker vs. motivation of the attacker, as shown in Figure 1.

Figure 1 - Attacker's Expertise vs. Attacker's Motivation
Hobbyist attackers working out of curiosity or for personal fame are depicted in the lower left corner, classified as "vandalism." When profit-making is the goal, independent of the attacker's expertise, the activity can be classified as criminal or theft, depicted on the top in Figure 1. In recent years, and motivated by profits, experts created an array of advanced commercial off-the-shelf (COTS) malware tools to automate their job. This evolution, paired with stiff competition within the cybercrime scene/industry, has resulted in the general availability of sophisticated malware tools at low prices. Such tools are readily available to anyone interested in starting a cybercrime career.
Figure 2 shows a snapshot of a selection of tools commonly offered on the underground market. Depicted are tools to generate Trojans, modify existing malware in order to evade detection, automate the malware development processes, and quality-check the malware. Due to competition in the field, these tools are usually offered with comprehensive service and customer care packages. For example, exploit kits such as Blackhole have essentially made the mass exploitation of websites a low-cost franchise operation with a low buy-in and an immediate lucrative return.
[Figure 1 chart: axes Hackers' Expertise (x) and Motivation (y); labelled groups Script Kiddy and Hobbyist Hacker (curiosity, personal fame), Expert, and tools created by experts now used by less-skilled criminals for personal gain, the fastest growing segment.]
Figure 2 - A Series of Malware Tools as Commonly Offered in the Underground
From the defender's point of view, this evolution of the threat landscape has the following implications:
- The availability of sophisticated malware tools results in a high degree of attack automation. This ranges from systematic identification of vulnerable targets to successive fully automated exploitation.
- The general availability of malware tools leads to an increase in opportunistic attacks, as the attacker no longer needs expertise or special skills.
- Expert know-how is developed and available. Enterprises should consider threat actors to be determined, highly skilled, and experts in the field.
The first two of the above arguments also demonstrate that any enterprise can become a victim of attack at any time, for any reason, and without being specifically targeted. Automated vulnerability scanners and attack tools cannot differentiate whether an enterprise should consider itself a high-risk target or not, as they often are used to target a subnet or range of IP addresses.
The Attacker's Kill Chain
To successfully compromise a target, an external attacker executes a methodology as depicted in Figure 3. The defender, on the other hand, tries first to prevent the attack, or detect the breach if prevention failed.

Figure 3 - Attacker's Basic Methodology - and Defender Options
[Figure 2 chart: a "Malware as a Service (MaaS)" offer (source: www.turkojan.com); malware offered for $249 with a Service Level Agreement and replacement warranty if the creation is detected by any anti-virus within 9 months.]
[Figure 3 chart: the attacker's steps from target selection through exploitation to value extraction against on-premise servers and on-/off-premise desktops, opposite the defender's options of attack detection/prevention and breach detection.]
After identification of the target, the attacker prepares the toolsets and malware to be used. Assuming the targeted organization has several layers of defense in place, the attacker modifies the malware used in order to evade detection. Cybercriminals have formidable knowledge about the weaknesses of diverse security products - gained through information exchange and thorough internal testing. It is a trivial exercise to determine the type of security products deployed in the targeted organization. Passive information gathering, insiders, or ex-employees are common sources. Network scanning, analyzing e-mail probes, and mining public information such as social media and support forums also provide a wealth of information on the security defenses deployed. A determined attacker will only use malware that was successfully tested to bypass the expected defense technologies. After the attack bypasses detection, it exploits the target and starts executing the value extraction according to the attacker's objective (espionage, fraud, etc.).
Anti-Evasion Strategies
In order to render defense technologies, especially signature-based technologies, ineffective, a large number of serial variants, or permutations, of the core malware are created. Using off-the-shelf tools, hundreds of thousands of new malware samples can be created in less than an hour. While being functionally identical to the original malware, all samples look different to detection engines.
Following the creation, all samples will be subjected to a quality assurance process. The malware samples are tested against all major, up-to-date antivirus engines. Only samples that successfully pass this test (i.e. are not detected) are then used for deployment. Specialized services exist that allow cybercriminals to have all their samples continuously tested and be alerted by mail or text message if a sample is subsequently detected by a new signature. By the time of attack, the malware used by a dedicated attacker is known to be undetectable by common antivirus programs.
Further anti-evasion techniques can be applied, such as tunneling/encryption, use of different encodings, IP/RPC fragmentation, TCP segmentation, compression, or URL obfuscation, to just name a few.
Failure to handle a particular type of evasion by a security device means an attacker can use an entire class of exploits for which the device is assumed to have protection, rendering it virtually useless. This is only compounded as the number of evasion techniques increases. It should be noted, however, that failing one evasion in all categories is considered worse than failing all evasions in a single category. For example, it is better to miss all techniques in one evasion category, such as HTTP URL obfuscation, than one technique in each category, which would result in a broader attack surface.
Furthermore, evasions operating at the lower layers of the network stack (IP fragmentation or TCP segmentation) result in a bigger impact on security than those operating at the upper layers (HTTP, FTP) because lower-level evasions impact a broader range of exploits. For example, a single RPC fragmentation evasion can be applied to more than 30 different remote Oracle Database attacks that would have been blocked by their respective signatures.
The test results presented in the next section of this brief document the efficacy of diverse anti-evasion techniques.
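The two claims above (one missed evasion per category is worse than a whole missed category, and lower-layer evasions reach more exploits) can be made concrete with a small coverage model. This is an added example, not code from the brief or from NSS Labs; the exploit catalogue, the evasion categories and the layer assignments are constructed for illustration.

```python
"""Added example: how a device's evasion failures translate into exposed exploits.
The exploit catalogue and evasion catalogue below are constructed, not NSS data."""

# Constructed exploit catalogue: exploit name -> protocol layers its attack
# traffic traverses. An unhandled evasion at any of those layers can hide it.
EXPLOITS = {
    "web-cgi-overflow":  {"ip", "tcp", "http"},
    "web-php-upload":    {"ip", "tcp", "http"},
    "web-dir-traversal": {"ip", "tcp", "http"},
    "ftp-cmd-overflow":  {"ip", "tcp", "ftp"},
    "db-listener-1":     {"ip", "tcp", "rpc"},
    "db-listener-2":     {"ip", "tcp", "rpc"},
    "db-listener-3":     {"ip", "tcp", "rpc"},
    "file-share-rce":    {"ip", "tcp", "smb"},
}

# Constructed evasion catalogue: category (the layer it operates at) -> techniques.
EVASIONS = {
    "ip":   ["ip-fragmentation", "ip-overlapping-fragments"],
    "tcp":  ["tcp-segmentation", "tcp-overlapping-segments"],
    "rpc":  ["rpc-fragmentation", "rpc-multibind"],
    "http": ["url-percent-encoding", "url-self-reference-dirs", "url-double-slash"],
    "ftp":  ["ftp-telnet-opcodes"],
    "smb":  ["smb-fragmentation"],
}


def category_of(technique):
    """Return the evasion category (layer) a technique belongs to."""
    for cat, techs in EVASIONS.items():
        if technique in techs:
            return cat
    raise KeyError(technique)


def exposed_exploits(failed):
    """Exploits that can be delivered past a device which fails the given evasion
    techniques. One unhandled technique at a layer is enough to hide every
    exploit whose traffic crosses that layer (the 'entire class' argument)."""
    broken_layers = {category_of(t) for t in failed}
    return {name for name, layers in EXPLOITS.items() if layers & broken_layers}


def exposure_by_technique():
    """Rank single-technique failures by how many exploits each one exposes.
    A defender uses this ranking to weigh evasion test results: an IP or TCP
    failure outranks any single HTTP URL-obfuscation failure."""
    ranked = {t: len(exposed_exploits({t})) for techs in EVASIONS.values() for t in techs}
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))


def compare_failure_patterns():
    """Return (exposed if all HTTP techniques fail, exposed if one technique
    fails in every category); the second pattern is the broader attack surface."""
    all_in_one_category = exposed_exploits(set(EVASIONS["http"]))
    one_in_each_category = exposed_exploits({techs[0] for techs in EVASIONS.values()})
    return len(all_in_one_category), len(one_in_each_category)


if __name__ == "__main__":
    print("all-HTTP vs one-per-category:", compare_failure_patterns())
    for technique, n in exposure_by_technique():
        print(f"{technique:26s} exposes {n} of {len(EXPLOITS)} exploits")
```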
Attacker vs. Target Initiated
Since the mass adoption of firewalls, network address translation (NAT) at the gateway, and perimeter defense, not all targets can be reached directly by an external attacker. It is, therefore, important to differentiate between attacker-initiated and target-initiated attacks, as depicted in Figure 4.
Attacker Initiated:
The attacker executes the threat remotely against a vulnerable application and/or operating system. These attacks traditionally target servers and the attack is executed completely under the control of the attacker. Typically, servers are single-purpose machines, optimized and hardened according to function, and run a few, but critical, services that are directly exposed to the Internet.
Target Initiated:
The vulnerable target initiates the threat, typically by an end user opening a document containing malware or by clicking on a malicious link. The attacker has little or no control over when the target user or application will execute the threat. These attacks traditionally target a selection of the numerous client applications found on any desktop computer. Prevalent and frequently targeted applications include Adobe Flash & Reader, Firefox, Internet Explorer, Oracle/Sun Java, Office applications, QuickTime, etc. Despite being reachable only through indirect attacks, client desktops are increasingly the main focus of attack for threat actors. This is due to the large number and diversity of installed applications, each potentially vulnerable, paired with unpredictable usage patterns of human operators. Typical end-point systems were found to have more than 50 programs from more than 22 different vendors installed. This complexity results in a significant attack surface, and also serves to highlight the difficulty of keeping typical end-points up-to-date with security patches.
Effectiveness of Layered Defense
To be successful at penetrating a typical enterprise perimeter, an attacker must bypass several layers of defensive mechanisms. Organizations deploy an array of technologies in order to prevent attacks, or to detect the compromised systems as early as possible, as shown in Figure 3. In this section we examine the following four core protection technologies typically deployed in organizations:
- Network firewall
- Intrusion prevention systems
- Endpoint protection/antivirus
- Web browser block protection
The boundary between different defense technologies and products has become increasingly blurred over the years. Further, some of the functionality can be deployed either on the network as an inline device, or as a host-based solution (e.g., network vs. host-based IPS or firewall).
In Figure 4, we illustrate attack paths from the intruder to the target with these principal protection layers. We do not discuss breach detection here. We further differentiate perimeter and host-based protection:
- Firewalls and intrusion prevention systems (IPS) are typically deployed as centrally managed network appliances.
- Endpoint protection/antivirus and the browser's URL block protection are typically deployed on the target host (while still being centrally managed).
The common goal of these technologies is the prevention of attacks - to deny access to malicious traffic on the network level, or detect and prevent execution of malware on the host.

Figure 4 - Intruder's Attack Path Options vs. Layers of Defense Technologies
Implementation of multiple layers of diverse defense technologies can be a complex process with multiple factors affecting the overall security effectiveness of the solution. The key challenge for any kind of protection technology is achieving a high block rate while keeping the number of false positives low, paired with stability, reliability, and acceptable performance. An inline security appliance must not degrade network performance or it will never be installed. A high rate of false positives creates considerable management workload and frustrates users and operators alike - this typically results in log entries and reports being ignored, or the device itself being deactivated.

[Figure 4 chart: a direct attack on an on-premise server and indirect attacks on on-premise and off-premise desktops, each path crossing the perimeter layer (firewall, IPS) and the host-based layer (endpoint protection/antivirus, browser URL block).]
In order to determine the security effectiveness of devices on the market and facilitate accurate comparisons, the following metrics were used:

Test Type / Metric: Exploit Block Performance
Description: Tests are engineered to generate the same types of attack used by modern cyber criminals utilizing multiple commercial, open source and proprietary tools as appropriate. With more than 1,400 exploits, this is the industry's most comprehensive test to date. Prior to testing, all live exploits and payloads have been validated such that
- a reverse shell is returned, allowing the attacker to execute arbitrary commands
- a malicious payload is installed
- a system is rendered unresponsive

Test Type / Metric: Anti-Evasion Performance
Description: Providing exploit protection without factoring in evasion/obfuscation is misleading. For all exploits, additional test cases are generated for each appropriate evasion technique. The complete list of anti-evasion techniques tested can be found in the appendix.

Test Type / Metric: Performance/Leakage
Description: Frequently there is a trade-off between security effectiveness and performance. Testing ensures that new security protections do not adversely impact performance and that vendors don't take security shortcuts to maintain or improve performance. Product performance is tested based upon the average of three traffic types: 21KB HTTP response traffic, a mix of perimeter traffic common in enterprises, and a mix of internal "core" traffic common in enterprises.

Test Type / Metric: Stability & Reliability
Description: Long-term stability is particularly important for an in-line device, where failure can produce network outages. Tests verify the stability of the device under test (DUT) along with its ability to maintain security effectiveness under normal load and while passing malicious traffic. Products that are not able to sustain legitimate traffic (or which crash) while under hostile attack will not pass.

Multiple products, from market leading vendors, represent each class of technology being tested. The products are subjected to an array of the industry's most rigorous testing procedures, including performance, load and stability checks, tests with live malware, known and unpublished exploits, and diverse evasion techniques.
Security Test Results
A. Network Firewall
Firewall technology is one of the largest and most mature security markets. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy based) and dynamic packet filtering firewalls. Throughout their history, however, the goal has been to enforce an access control policy between two networks, and thus a firewall should be viewed as an implementation of policy. A firewall is a mechanism used to protect a trusted network from an untrusted network, while allowing authorized communications to pass from one side to the other, thus facilitating secure business use of the Internet. As firewalls will be deployed at critical points in the network, the stability and reliability of a firewall is imperative. In addition, it must not degrade network performance or it will never be installed.
NSS tested six enterprise network firewall products from Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks, and SonicWall in Q1 2011.[2]
The main findings can be summarized as follows:
- Three of the six products tested crashed when subjected to our stability tests. These kinds of crashes indicate the existence of a vulnerability, which an attacker may be able to exploit in the field given enough time. This lack of resiliency is alarming, especially considering that all three were ICSA Labs and/or Common Criteria certified.
- Performance claims in vendor datasheets are generally grossly overstated. Measuring performance based upon RFC 2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.
- Five of the six products failed the TCP Split Handshake test, allowing an external server to reverse the flow of TCP and thereby tricking the firewall into permitting a connection, providing an opening for a crafty attacker to circumvent firewall controls. Within a month, four vendors released patches that successfully remediated this issue.
From an Attacker's Perspective
Firewalls crashing under stability tests, paired with overstated performance claims by vendors, indicate opportunities for denial of service attacks. Longstanding, tried, and field-proven technology, such as firewalls, can still fail on basic networking attacks, allowing bypass of the security device. Attacks never expire - security devices must maintain protection for the complete range of attacks, including old attacks and attack methods.
B. Intrusion Prevention System (IPS)
Network intrusion prevention systems (IPS) will continue to play a key role in layered defenses. An essential part of layered security, IPS must be fast, accurate, and easy to deploy and maintain. Designed to identify and block attacks against internal computing assets, a good IPS can provide temporary protection and relief from the
[2] Network Firewall Group Test 2011 - https://www.nsslabs.com/reports/network-firewall-group-test-2011
immediate need to patch affected systems. The IPS must catch sophisticated attacks while producing nearly zero false positives. And it must not degrade network performance or it will never be installed.
In 2012, NSS tested 13 enterprise network intrusion prevention (IPS) products from the ten vendors Check Point, Dell SonicWall, FortiGate, HP/TippingPoint, IBM, Juniper, McAfee, Palo Alto, Sourcefire, and Stonesoft.[3]
NSS engineers generated the same types of attacks used by modern cyber criminals, utilizing multiple commercial, open source and proprietary tools as appropriate. With 1,486 live exploits, this is the industry's most comprehensive test to date. With the exception of one product, which had difficulty handling SMB evasions, all of the products tested were able to properly decode, defragment, deobfuscate, and normalize attack traffic. The left pane in Figure 5 shows the exploit block performance of the enterprise network intrusion prevention (IPS) products tested. The performance varies considerably: between 17 and 334 undetected exploits per product were found. The right pane in Figure 5 visualizes the fact that the same exploit is often undetected by more than one product. For example, a cybercriminal with the right selection of 29 exploits can bypass five vendors' intrusion prevention systems.
The main findings can be summarized as follows:
- Block protection varied between 77 percent and 98 percent, with most tested devices operating above 90 percent.
- Security effectiveness varied between 60 percent and 99 percent, with most tested devices operating above 91 percent.
- Evasion detection has improved considerably with all but one vendor passing the test. One vendor had stability issues.
- Tuning of the IPS policy makes a difference. Vendor default/recommended policies are designed with performance, not security, in mind. Prior to tuning, IPS products blocked considerably fewer attacks - some less than 30 percent.[4]
[3] IPS Comparative Analysis 2012 - https://www.nsslabs.com/reports/ips-comparative-analysis-2012
[4] https://www.nsslabs.com/reports/network-ips-group-test-2010
Figure 5 - Number of Undetected Exploits by IPS Product (Left Pane)
Correlation of Undetected Exploits Between Vendors' IPS Products (Right Pane)
From an Attacker's Perspective
None of the devices tested achieved 100 percent block protection. Of the total number of 1,486 exploits tested, one product did not detect 17, for others as many as 334 exploits went undetected. Correlation of undetected exploits with the tested products reveals that only a small set of exploits is required to successfully bypass all IPS products in order to successfully attack prevalent programs or services. The improved evasion detection over previous years demonstrates that independent testing is an effective means to drive vendors to advance their products and remediate weaknesses.
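The correlation shown in the right pane of Figure 5 is simple to compute from a detection matrix, and the same computation tells a defender which exploits would pass every layer of a chosen product combination. This is an added example, not code from NSS Labs; the product names and exploit IDs below are constructed placeholders standing in for the real 1,486-exploit results.

```python
"""Added example: correlation of undetected exploits across products.
The result matrix is constructed; product names and exploit IDs are placeholders."""
from collections import Counter
from itertools import combinations

# Constructed test results: product -> set of exploit IDs it did NOT detect.
UNDETECTED = {
    "ips-A": {"x01", "x02", "x03", "x04", "x05", "x06"},
    "ips-B": {"x02", "x03", "x07"},
    "ips-C": {"x03", "x04", "x07", "x08", "x09"},
    "ips-D": {"x03", "x10"},
    "ips-E": {"x03", "x11"},
}


def undetected_counts(results=UNDETECTED):
    """Left pane of Figure 5: number of undetected exploits per product."""
    return {product: len(misses) for product, misses in results.items()}


def shared_blind_spots(results=UNDETECTED):
    """Right pane of Figure 5: how many distinct exploits are missed by exactly
    k products, as a mapping k -> count. A large count at high k means the
    same exploits slip past most vendors, so a small exploit set bypasses them all."""
    products_missing = Counter()
    for misses in results.values():
        products_missing.update(misses)
    return dict(Counter(products_missing.values()))


def missed_by_all(products, results=UNDETECTED):
    """Exploits that none of the given products detects: the residual exposure
    of a layered deployment built from exactly those products."""
    return set.intersection(*(results[p] for p in products))


def best_pairing(results=UNDETECTED):
    """Rank product pairs by residual exposure, smallest first. This is the
    defender-side use of the correlation: pick layers whose blind spots do not
    overlap rather than the two individually best scorers."""
    scored = [(len(missed_by_all(pair, results)), pair)
              for pair in combinations(sorted(results), 2)]
    return sorted(scored)


if __name__ == "__main__":
    print("undetected per product:", undetected_counts())
    print("exploits missed by exactly k products:", shared_blind_spots())
    print("missed by every product:", missed_by_all(list(UNDETECTED)))
    print("lowest-exposure pairs:", best_pairing()[:3])
```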
C. Endpoint Protection/Antivirus
The mission of endpoint protection is to defend users against exploits and malware when a patch is not available or has not yet been applied. Users who delay patching, or fail to patch more than their operating system alone, are at elevated risk of compromise. When perimeter protection fails or is not available at all (for example when the user works outside the corporate perimeter), end-point protection is the last line of defense.
In 2012, NSS Labs tested 13 popular endpoint security suites from Avast, AVG, Avira, ESET, F-Secure, Kaspersky, McAfee, Microsoft, Norman, Norton, Panda, Total Defense, and Trend Micro.[5]

[5] Consumer AV/EPP Comparative Analysis - Exploit Protection - https://www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection
[Figure 5 chart. Left pane: undetected exploits by product (of 1,486 exploits tested). Right pane: number of unique exploits undetected by N vendors' IPS products for N = 1 to 10, with callouts that 89 exploits are undetected by 3 vendors' IPS products and three exploits are undetected by 7 of 10 vendors' IPS.]
These endpoint security suites are tested against 144 exploit attack scenarios to measure their effectiveness in protecting Windows computers against exploits. All of the vulnerabilities exploited during this test have been publicly available for months (if not years) prior to the test, and have also been observed in use on the Internet. Vulnerabilities used in this test were exploited when a user visited an infected web page hosting the attack code. The attacks occurred in two stages:
- The attacker caused a specially crafted stream of data and code to be delivered to a precise location. This exploited the victim's computer, gaining the attacker the ability to perform arbitrary code execution.
- Malicious code was silently executed on the victim's computer.
The main findings are shown in Figure 6 and can be summarized as follows:
- With a few notable exceptions, endpoint products are not providing adequate protection from exploits.
- Antivirus products differ by up to 58 percent in effectiveness at stopping exploits, with protection levels varying between 34 percent and 92 percent.
- Many products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop antivirus/host intrusion prevention system.
- Most vendors lack adequate protection against exploits.
- Keeping AV software up-to-date does not yield adequate protection against exploits, as evidenced by coverage gaps for vulnerabilities several years old.

Figure 6 - Endpoint Protection Products - Undetected Exploits
[Figure 6 chart: percent of undetected exploits (of 144 exploits) per product, x-axis 0% to 100%; products listed: Total Defense, Panda, Norman, F-Secure, Microsoft, Avira, McAfee, Trend Micro, ESET, AVG, Norton, Avast, Kaspersky.]
From an Attacker's Perspective
Based on market share, between 63 percent and 73 percent of the world is poorly protected. Most vendors lack adequate protection against exploits, and simple evasions like switching from HTTP to HTTPS are often effective in bypassing attack detection. Using recent or old exploits paired with evasion techniques provides an easy road for attackers to compromise a host. As users are known to only slowly apply security patches, the chances of hitting a vulnerable target are significant. For example, a typical end-point with the 50 most prevalent programs installed required more than 75 updates in a 12-month period to stay fully patched.[6]
Antivirus does not prevent a dedicated attacker from compromising a target.
D. Browser Blocking
Browsers offer the largest attack surface in most enterprise networks and are the most common vector for malware installations. Web browsers offer a direct and unique route for infection, bypassing corporate protection layers and bringing malware deep into the corporate environment, often protecting it from detection using HTTPS. Browsers must provide a strong layer of defense from malware, rather than defer to operating system antimalware solutions. This capability becomes even more important given the increasing mobility of devices, which means corporate perimeter and network protection services cannot always be relied upon, as shown in Figure 4.
In an ongoing campaign using a unique live testing harness, NSS Labs has continuously tested the effectiveness of the four leading browsers, Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari, at blocking malware since 2011.[7]

Figure 7 - Overall Malware Block Rate in Test Campaign from December 2011 to May 2012
The main findings can be summarized as follows:
- The use of HTTPS by browsers presents additional problems to organizations since it offers the opportunity to bypass many layers of corporate security protection.
- Internet Explorer maintained a malware block rate of 93 percent while Firefox and Safari's block rate remained just under 6 percent. Over the same time period, Chrome's block rate varied from 13 percent to just over 74 percent.
From an Attacker's Perspective
The tolerance of browsers with low malware block rates may present undue risk to an organization.

[6] The Security Exposure of Software Portfolios - http://secunia.com/?action=fetch&filename=Secunia_RSA_Software_Portfolio_Security_Exposure.pdf
[7] Is Your Browser Putting You At Risk? - https://www.nsslabs.com/reports/your-browser-putting-you-risk-part-1-general-malware-blocking
[Figure 7 chart: percent of malware blocked (average) per browser, x-axis 0% to 100%: Internet Explorer, Chrome, Firefox, Safari.]
1o puL Lhe numbers ln perspecLlve, for every LwenLy encounLers wlLh soclally englneered malware, llrefox and
Safarl users wlll be proLecLed from approxlmaLely one aLLack. 1haL means nlneLeen ouL of LwenLy soclally
englneered malware aLLacks agalnsL llrefox and Safarl users wlll end up LesLlng Lhe user's anLlvlrus and/or
operaLlng sysLem defenses. Chrome users wlll be proLecLed from abouL slx of Lhe LwenLy aLLacks, leavlng Lhelr
anLlvlrus and operaLlng sysLems responslble for proLecLlng agalnsL fourLeen aLLacks, and lL10 users wlll generally
be proLecLed from almosL all LwenLy aLLacks.
Conclusion
Continued security testing of diverse protection products performed over the past decade demonstrates that there
is no single technology capable of providing 100 percent protection against modern attacks. There is an ongoing
arms race between threat actors and the security industry with continued advances in attack technologies and
methodologies. Maintaining pace with cybercriminals is a constant challenge for the industry and, sadly, it is a
common occurrence that security products fail to detect older, known, tried and tested attack types, or even fail
on device stability. Vendor claims on the security effectiveness or performance of their products are frequently
found to be overly optimistic, or based on non-realistic assumptions that do not hold in the field.
Continued independent and real-world testing of security products, and the full and transparent publication of
results and failure points, has proven valuable in driving the industry to rectify shortcomings. This test data also
serves to inform the users of these products about the limitations in real-world deployments, allowing them to
create more accurate risk assessments for their enterprise. It is safe to assume that cybercriminals also thoroughly
test existing security technologies to identify shortcomings and exploit them accordingly.
The complexity of securing and controlling an organization's infrastructure further increases with the ongoing adoption of
mobile devices (BYOD).
The data presented here, derived from extensive live testing, clearly demonstrates that 100 percent attack
prevention is an illusion - more so if you are considered a high value target. Organizations should assume that they
are already compromised, and therefore complement prevention with breach detection to identify and act on
successful security breaches in a timely manner.
Reading List
The Targeted Persistent Attack (TPA): The Misunderstood Security Threat Every Enterprise Faces. NSS Labs
https://www.nsslabs.com/reports/targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise-faces
Top 20 Best Practices to Help Reduce the Threat of the Targeted Persistent Attack. NSS Labs
https://www.nsslabs.com/reports/top-20-best-practices-help-reduce-threat-targeted-persistent-attack
Intrusion Prevention Systems Comparative Analysis. NSS Labs
https://www.nsslabs.com/reports/2012-ips-comparative-analysis
Next Generation Firewall (NGFW) Comparative Analysis. NSS Labs
https://www.nsslabs.com/reports/2012-ngfw-comparative-analysis
Network Firewall Comparative Analysis. NSS Labs
https://www.nsslabs.com/reports/2011-network-firewall-group-test
Consumer AV/EPP Comparative Analysis - Exploit Protection. NSS Labs
https://www.nsslabs.com/reports/2012-consumer-avepp-comparative-analysis-exploit-protection
Browser Security Comparative Analysis: Socially Engineered Malware. NSS Labs
https://www.nsslabs.com/reports/browser-security-comparative-analysis-socially-engineered-malware
Breach Detection: Don't Fall Prey to Targeted Attacks. NSS Labs
https://www.nsslabs.com/reports/breach-detection-dont-fall-prey-targeted-attacks
Appendix
Anti-Evasion Techniques Included in Tests
IP Packet Fragmentation
TCP Stream Segmentation
RPC Fragmentation
SMB & NetBIOS Evasions
FTP Evasion
IP Fragmentation + TCP Segmentation
IP Fragmentation + MSRPC Fragmentation
IP Fragmentation + SMB Evasions
TCP Segmentation + SMB / NETBIOS Evasions
URL Obfuscation
HTTP Encoding
HTTP Compression
HTML Obfuscation
Payload Encoding
Payload Compression & Encoding
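The list above names the evasions the tests apply, but not what an inspection engine has to do to see through them. The following is an added example written for this brief, not NSS Labs' test harness and not code from any tested product. It shows, from the defender's side, why a content rule matched against raw wire bytes misses a request that has been split into out-of-order TCP segments, percent-encoded twice with dot segments in the path (URL Obfuscation), and gzip-compressed (HTTP Compression), and how reassembling, decoding and normalizing the request before matching restores the detection. The signature string, the host name and the request itself are constructed placeholders, not real rule content or real traffic.

```python
import gzip
import urllib.parse

# Constructed placeholder signature standing in for an IPS content rule; it is
# not a real exploit pattern, just a marker the sample request carries.
SIGNATURE = b"/cgi-bin/test-marker"


def reassemble_tcp(segments):
    """Rebuild a byte stream from (sequence_number, payload) pairs that may
    arrive out of order or overlap. Overlapping bytes keep the first-seen
    value; a gap is filled with NUL so the caller can still parse."""
    stream = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            stream.setdefault(seq + offset, byte)
    if not stream:
        return b""
    start, end = min(stream), max(stream)
    return bytes(stream.get(pos, 0) for pos in range(start, end + 1))


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased; values are left as bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def normalize_target(target):
    """Undo URL obfuscation: bounded repeated percent-decoding (so %2574 ->
    %74 -> 't'), query stripping, and dot-segment / empty-segment removal."""
    text = target.decode("latin-1")
    for _ in range(3):  # bounded so a hostile input cannot loop forever
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    path = urllib.parse.urlsplit(text).path
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def decode_body(headers, body):
    """Undo HTTP compression so content rules see the bytes the server sees."""
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        return gzip.decompress(body)
    return body


def inspect(segments):
    """Return (naive_hit, normalized_hit): whether the signature matches the
    raw wire bytes versus the reassembled, decoded and normalized request."""
    raw = reassemble_tcp(segments)
    _method, target, headers, body = parse_http_request(raw)
    naive_hit = SIGNATURE in raw
    normalized = normalize_target(target).encode() + b"\n" + decode_body(headers, body)
    return naive_hit, SIGNATURE in normalized


def build_sample():
    """Constructed sample: one request whose path is percent-encoded twice and
    padded with dot segments, whose body is gzip-compressed, and which is
    delivered as three out-of-order TCP segments with a 4-byte overlap."""
    body = gzip.compress(b"id=1&note=see /cgi-bin/test-marker for details")
    request = (
        b"POST /static/../cgi-bin/./%2574est%2Dmarker?id=1 HTTP/1.1\r\n"
        + b"Host: example.test\r\n"
        + b"Content-Encoding: gzip\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"\r\n" + body
    )
    segments = [(1000, request[:20]), (1060, request[60:]), (1016, request[16:60])]
    return request, segments


if __name__ == "__main__":
    _req, segs = build_sample()
    naive, normalized = inspect(segs)
    print("wire-bytes match:", naive, "normalized match:", normalized)
```

The overlap policy in `reassemble_tcp` (first-seen byte wins) is itself a design choice: real TCP stacks differ in which copy of an overlapping byte they accept, so an engine that reassembles differently from the protected host can be made to see a different stream than the host does. That is why the combined entries in the list above (IP fragmentation plus TCP segmentation, segmentation plus SMB evasions) are tested as separate cases rather than assumed to be covered by handling each technique alone.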
© 2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the express written consent of the authors.
Please note that access to or use of this report is conditioned on the following:
1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not
guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any
damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND
EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT
DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE
POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or
software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no
errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or
specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned
in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of
their respective owners.
Contact Information
NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products
were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
