Should you panic? An Advanced Evasion Techniques overview

Finnish data security vendor Stonesoft issued an alert on Monday, warning that a new class of attack technique can simply waltz past network security defenses. But is this something new and frightening, or just another round of security's cat-and-mouse game?

The principles of Advanced Evasion Techniques (AET) were worked out in Stonesoft's research labs in Helsinki. Stonesoft does not call them simply evasion techniques; it positions AETs as a new generation of evasion. To keep things basic, the difference between an AET and an ordinary evasion lies in how malicious payloads are delivered, not in the payloads themselves.

According to Stonesoft, AETs are, “virtually limitless in quantity and unrecognizable by conventional detection methods. They can work on all levels of the TCP/IP stack and work across many protocols or protocol combinations.”

Traditional network protection (IDS, IPS, firewalls and the like) is the most common form of defense seen in an organization. These systems detect attacks by recognizing the way a payload is delivered, typically by matching the traffic against signatures of known exploits.

For example, they will detect and prevent an attack that leverages a vulnerability in Microsoft Windows to deliver malware. For the most part, these defense systems are quick on the uptake and offer solid protection.

However, they are sometimes bypassed completely by evasion techniques: the attack traffic is encoded, fragmented or otherwise reshaped so that the signature never appears on the wire in the form the defense expects. When this happens, the same Windows vulnerability that was flagged previously is exploited and the payload delivered without the defense system noticing a thing.

Once an evasion technique is known, it can be blocked, which pushes the criminals back to square one. AETs, on the other hand, take a hybrid approach, stacking several evasion techniques on top of one another to attempt the same attack, and according to Stonesoft these combinations usually succeed.

For readers who are interested in the topic but do not want to learn how IDS and IPS systems work, Stonesoft offered a non-technical explanation.

They use a basic example of monitoring for keywords on a telephone system. If you mention the keyword in English, then the monitoring on the phone system will flag you. If you mention the keyword in another language, and the monitoring system knows this language, you can be flagged as well.

If you use a language the monitoring system does not know (an evasion technique), you might be able to hold the conversation undetected. That is, until the system is updated with a new language pack that includes the language you are speaking.

To avoid being flagged by new language packs, you would need to hold the conversation in several languages all at once. As long as you and the person you are communicating with understand the languages, you have performed a successful AET against the monitoring system.

The only downside we see in Stonesoft's basic explanation is that the example phone system was monitoring for the keyword 'terrorist plot'. To be clear, there is no evidence that AETs have been used for terrorist activities.

For those wondering about AETs in connection to APT (Advanced Persistent Threats), they are not the same. In short, AETs could be used to deliver the payloads needed to perform an APT-type of attack. Again, AETs are about how a payload is delivered, not the payload itself.

So should you panic? No. You should remain aware, and keep things in check. Stonesoft says that many of the vendors whose network detection products appear in Gartner's IPS Magic Quadrant fail to detect AET attacks. However, the keyword here is many. They never said all.

“Evasions are absolutely critical for security products to catch, because if you miss just one, you can let an entire class of attacks through your product. But they're not new. Nor are the combinations thereof, these so-called AETs; e.g. one can combine Unicode with JavaScript or segmentation, etc.,” explained NSS Labs' Rick Moy.

“What they seem to be saying is the quantity is new because they’ve now figured out you can combine them. Many vendors have been struggling with the basics as it is.”
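The mechanism described above (a signature-based defense bypassed by a single evasion, then by a stack of them) and the specific combination Moy mentions, encoding plus segmentation, can be shown with a toy inspector. The following is an added example written for this article; it is not Stonesoft's, NSS Labs' or any vendor's code. The HTTP request, the signature string `/cgi-bin/evil?cmd=` and the segment size are all constructed for illustration and stand in for whatever exploit pattern a real IPS would carry. It shows that per-segment matching misses segmentation, that reassembly alone misses percent-encoding, that decoding alone misses segmentation, and that only a detector that reassembles the stream in order and then normalizes it before matching catches the combined evasion.

```python
"""Toy IPS: why stacked evasions beat a detector that only undoes one layer.

Added example, not from the original article. The signature, request and
segment size below are constructed for illustration (hypothetical).
"""
from urllib.parse import unquote

# Constructed stand-in for an exploit signature a real IPS would match on.
SIGNATURE = b"/cgi-bin/evil?cmd="


def percent_encode(data: bytes) -> bytes:
    """Encode every byte as %XX. Web servers decode this; a byte-matcher
    that does not will never see the literal signature."""
    return "".join(f"%{b:02X}" for b in data).encode("ascii")


def segment(stream: bytes, size: int) -> list[tuple[int, bytes]]:
    """Split a byte stream into (sequence offset, data) chunks, emulating
    small TCP segments so the signature straddles segment boundaries."""
    return [(i, stream[i:i + size]) for i in range(0, len(stream), size)]


def build_request(evasions: set[str]) -> list[tuple[int, bytes]]:
    """Build a constructed attack request with the chosen evasions applied.

    Supported evasions: "encode" (percent-encode the path), "segment"
    (4-byte TCP segments) and "reorder" (deliver segments out of order).
    """
    path = b"/cgi-bin/evil?cmd=id"
    if "encode" in evasions:
        path = percent_encode(path)
    request = b"GET " + path + b" HTTP/1.0\r\n\r\n"
    segments = [(0, request)]
    if "segment" in evasions:
        segments = segment(request, 4)
    if "reorder" in evasions:
        segments = list(reversed(segments))
    return segments


def normalize(data: bytes) -> bytes:
    """Undo the encoding layers a server would undo before the payload is
    interpreted: bounded repeated percent-decoding (to strip double
    encoding) and case folding. latin-1 keeps a 1:1 byte mapping."""
    text = data.decode("latin-1")
    for _ in range(3):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text.lower().encode("latin-1")


def detect(segments: list[tuple[int, bytes]], reassemble: bool, decode: bool) -> bool:
    """Return True if the signature is found.

    reassemble=False inspects each segment on its own; True orders the
    segments by sequence offset and joins them into one stream first.
    decode=False matches raw bytes; True normalizes before matching.
    """
    if reassemble:
        views = [b"".join(data for _, data in sorted(segments))]
    else:
        views = [data for _, data in segments]
    if decode:
        views = [normalize(v) for v in views]
    return any(SIGNATURE in v for v in views)


if __name__ == "__main__":
    cases = [
        ("plain attack", set()),
        ("segmentation only", {"segment", "reorder"}),
        ("percent-encoding only", {"encode"}),
        ("encoding + segmentation (stacked)", {"encode", "segment", "reorder"}),
    ]
    for name, evasions in cases:
        segs = build_request(evasions)
        print(f"{name:36} per-segment raw: {detect(segs, False, False)!s:5} "
              f"reassembled only: {detect(segs, True, False)!s:5} "
              f"decoded only: {detect(segs, False, True)!s:5} "
              f"reassembled+decoded: {detect(segs, True, True)}")
```

The point for a buyer is in the last row: a product that handles reassembly but not decoding, or decoding but not reassembly, fails the stacked case even though it passes each single evasion. Real products must do this at every layer the article's Stonesoft quote mentions (IP fragmentation, TCP segment overlap and ordering, application-layer encodings), not just the two shown here, and they must do it the same way the target host does, which is where most real-world evasion gaps come from.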

It is interesting to note that when NSS Labs tested IPS products, Stonesoft was one of the vendors that failed the evasion portion of the test. Why is this interesting? In its advisory on AETs, Stonesoft said that the best defense against them was an offering comparable to its own StoneGate network security solution.

Stonesoft wasn’t alone in the NSS Labs test that measured the effectiveness of evasion detection. TippingPoint and Juniper also failed. When it comes to the vendors who passed, Cisco, IBM, Sourcefire, and McAfee were the ones who came out on top. Cisco and McAfee detected the full range of evasion techniques tested.

So if Stonesoft failed a basic evasion test, how is it detecting several evasion techniques at once? In the NSS Labs test, Stonesoft missed three of the five evasion tests given. A sixth test was listed as TBD by NSS Labs. The report itself is available from NSS Labs.

Another thing to remember about AETs is that they may be used to deliver payloads that are easily flagged by other layers of protection. If the payload is a Trojan, for example, endpoint anti-malware still covers that vector even when the network layer is evaded.

Yet, if the AET is used to gain shell access to a vulnerable server, then you will have problems. Even then, other controls help, such as patch management and risk management. Patch management removes the vulnerability the shell exploit depends on, and risk management means that even if the server is compromised, the impact on the overall business need not be as dramatic as the AET coverage so far suggests.

While there is a chance that AETs can be part of a massive security incident, the odds of this happening are unknown, and it isn’t wise to simply head for the hills screaming. This is where vendor relationships are critical. If you are worried about this new type of vector, talk to your vendor about what they are doing to address AET-based attacks.

The information you are looking for is not just how your vendor detects and blocks individual evasion methods, but how it deals with several of them used at the same time (whether traffic is reassembled and normalized before it is inspected), and what secondary protections are offered when the network layer is bypassed.

We’re following up with several experts and sources to get more information on AET. Once we have more to go on, we’ll follow-up on this report.
