Should you panic? An Advanced Evasion Techniques overview
by Steve Ragan - Oct 18 2010, 15:57
Finnish data security vendor Stonesoft issued an alert on Monday, warning the masses about a new technique of attack that will simply waltz past network security defenses. However, is this something new and frightening, or just a perfect example of security’s cat and mouse game?
The principles of Advanced Evasion Techniques (AET) were discovered in Stonesoft’s research labs in Helsinki. Stonesoft argues they cannot simply be called evasion techniques, as AETs represent a new generation of evasion. To keep things basic, the difference between AETs and ordinary evasion centers on how malicious payloads are delivered.
According to Stonesoft, AETs are, “virtually limitless in quantity and unrecognizable by conventional detection methods. They can work on all levels of the TCP/IP stack and work across many protocols or protocol combinations.”
Traditional network protection (IPS and IDS, reactive firewalls and the like) is the most common form of network defense seen in an organization. These systems detect attacks by recognizing the way a payload is delivered, typically by matching the traffic of a known exploit against a signature.
For example, they will detect and prevent an attack that leverages a vulnerability in Microsoft Windows to deliver malware. For the most part, many of these defense systems are quick on the uptake and offer solid protection.
However, they are sometimes bypassed completely using evasion techniques: the exploit traffic is encoded, fragmented or otherwise transformed so that it no longer matches the signature, even though the target host still reassembles and interprets it. When this happens, the same vulnerability in Microsoft Windows that was flagged previously is exploited and a payload delivered without the defense system noticing a thing.
Once an evasion technique is known, it can be blocked, which pushes the criminals back to square one. AETs, on the other hand, use a hybrid approach, stacking several evasion techniques at different protocol layers in the same attack, and, according to Stonesoft, such combinations usually succeed against current products.
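To make the single-evasion versus stacked-evasion distinction concrete, here is an added simulation written for this overview (it is not Stonesoft's code, not from any IPS product, and not a real exploit). A constructed HTTP request containing the illustrative signature string `cmd.exe` is delivered plainly, then with one evasion (URL-encoding of the signature), then with two (encoding plus TCP-style segmentation), then with three (encoding, segmentation and out-of-order delivery). Four detectors of increasing sophistication inspect each delivery: per-packet matching, per-packet matching with decoding, concatenation in arrival order with decoding, and full normalization (reassembly by sequence number, then decoding). Each added evasion layer defeats the detector that only handles the previous layers; only the detector that normalizes every layer the host normalizes catches all four. The signature, request, segment size and helper names are assumptions of the example.

```python
from urllib.parse import unquote

# Constructed for the example: the byte string a content-matching IDS looks for.
SIGNATURE = b"cmd.exe"
# Constructed sample request (illustrative, not a real exploit).
REQUEST = b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SEGMENT_SIZE = 4  # assumed TCP-style segment size for the simulation


def url_encode(data: bytes) -> bytes:
    """Evasion 1: percent-encode every byte so the literal signature never appears."""
    return "".join(f"%{b:02X}" for b in data).encode("ascii")


def decode(data: bytes) -> bytes:
    """What the target web server does with percent-encoding before acting on the URL."""
    return unquote(data.decode("latin-1"), encoding="latin-1").encode("latin-1")


def segment(data: bytes, size: int):
    """Evasion 2: split the stream into (sequence_number, payload) segments."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]


def reorder(segments):
    """Evasion 3: deliver the segments out of order (here: reversed)."""
    return list(reversed(segments))


# The request with the signature portion percent-encoded.
ENCODED_REQUEST = b"GET /cgi-bin/" + url_encode(SIGNATURE) + b"?/c+dir HTTP/1.0\r\n\r\n"


# --- Four detectors, each handling one more layer than the previous one ---

def detect_per_packet(segments) -> bool:
    """Match the raw signature inside each packet independently."""
    return any(SIGNATURE in payload for _, payload in segments)


def detect_per_packet_decoded(segments) -> bool:
    """Same, but percent-decode each packet first (the 'new language pack')."""
    return any(SIGNATURE in decode(payload) for _, payload in segments)


def detect_arrival_order(segments) -> bool:
    """Concatenate packets in the order they arrived, then decode and match."""
    return SIGNATURE in decode(b"".join(payload for _, payload in segments))


def detect_normalized(segments) -> bool:
    """Reassemble by sequence number exactly as the host would, then decode and match."""
    ordered = sorted(segments, key=lambda s: s[0])
    return SIGNATURE in decode(b"".join(payload for _, payload in ordered))


# --- Four deliveries of the same attack ---

def plain():
    return [(0, REQUEST)]


def evasion_encode():
    return [(0, ENCODED_REQUEST)]


def evasion_encode_segment():
    return segment(ENCODED_REQUEST, SEGMENT_SIZE)


def evasion_encode_segment_reorder():
    return reorder(segment(ENCODED_REQUEST, SEGMENT_SIZE))


def run_matrix() -> dict:
    """Return {delivery_name: {detector_name: caught?}} for every combination."""
    detectors = [detect_per_packet, detect_per_packet_decoded,
                 detect_arrival_order, detect_normalized]
    deliveries = [plain, evasion_encode, evasion_encode_segment,
                  evasion_encode_segment_reorder]
    return {d.__name__: {det.__name__: det(d()) for det in detectors}
            for d in deliveries}


if __name__ == "__main__":
    for delivery, results in run_matrix().items():
        print(f"{delivery:32s}", "  ".join(f"{k}={v}" for k, v in results.items()))
```

The target host decodes and reassembles everything regardless of how the traffic was mangled, so the attack still works in all four deliveries; what changes is only which detector can see it. The stacked case is the point of the article: a product patched to handle encoding, or to handle segmentation, still misses the combination unless it normalizes every layer before matching.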
Stonesoft also offered a non-technical explanation for those who are interested in the topic but do not want to learn how IDS and IPS systems work.
They use a basic example of monitoring for keywords on a telephone system. If you mention the keyword in English, then the monitoring on the phone system will flag you. If you mention the keyword in another language, and the monitoring system knows this language, you can be flagged as well.
If you use a language the system does not know (the evasion technique), then you might be able to hold the conversation undetected. That is, until the monitoring system is updated with a new language pack that includes the language you are speaking.
To avoid being flagged by new language packs, you would need to hold the conversation in several languages all at once. As long as you and the person you are communicating with understand the languages, you have performed a successful AET against the monitoring system.
The only downside to Stonesoft’s basic explanation that we see is that the example phone system was monitoring for the keyword ‘terrorist plot’. To be clear, there is no proof that AETs have been used for terrorist activities.
For those wondering about AETs in connection to APT (Advanced Persistent Threats), they are not the same. In short, AETs could be used to deliver the payloads needed to perform an APT-style attack. Again, AETs are about how a payload is delivered, not the payload itself.
So should you panic? No. You should remain aware, and keep things in check. Stonesoft says that many of the vendors who produce network detections in Gartner’s IPS Magic Quadrant are failing to detect AET attacks. However, the keyword here is many. They never said all.
“What they seem to be saying is the quantity is new because they’ve now figured out you can combine them. Many vendors have been struggling with the basics as it is.”
It is interesting to note that when NSS Labs tested IPS products, Stonesoft was one of the vendors who failed the test. Why is this interesting? In their advisory on AETs, Stonesoft said that the best defense against them was an offering comparable to their StoneGate network security solution.
Stonesoft wasn’t alone in the NSS Labs test that measured the effectiveness of evasion detection. TippingPoint and Juniper also failed. When it comes to the vendors who passed, Cisco, IBM, Sourcefire, and McAfee were the ones who came out on top. Cisco and McAfee detected the full range of evasion techniques tested.
So if Stonesoft failed a basic evasion test, how are they detecting several evasion techniques at once? In the NSS Labs test, Stonesoft missed three of the five tests given. A sixth test was listed as TBD by NSS Labs. The report itself is here.
Another thing to remember about AETs is the fact that they could be used to deliver payloads that are easily flagged by other layers of network protection. If they dropped a Trojan, for example, then anti-malware will cover that vector.
Yet, if the AET is used to gain shell access to a vulnerable server, then you’ll have problems. Still, even in that case, other factors will help, such as patch management and risk management. Patch management removes the vulnerability the evaded exploit depends on, so the payload has nothing to exploit, and risk management means that even if the server is compromised, the impact on the overall business may be far smaller than the AET coverage so far suggests.
While there is a chance that AETs can be part of a massive security incident, the odds of this happening are unknown, and it isn’t wise to simply head for the hills screaming. This is where vendor relationships are critical. If you are worried about this new type of vector, talk to your vendor about what they are doing to address AET-based attacks.
The information you are looking for is not how your vendor will detect and block evasion methods, but how they deal with several of them used at the same time, and what secondary protections are offered.
We’re following up with several experts and sources to get more information on AET. Once we have more to go on, we’ll follow up on this report.