The Tech Herald

Should you panic? An Advanced Evasion Techniques overview

by Steve Ragan - Oct 18 2010, 11:57

Finnish data security vendor Stonesoft issued an alert on Monday, warning the masses about a new class of attack technique that, it says, will simply waltz past network security defenses. But is this something new and frightening, or just another round in security's cat-and-mouse game?

The principles of Advanced Evasion Techniques (AET) were discovered in Stonesoft's research labs in Helsinki. According to the company, they cannot simply be called evasion techniques, as AETs represent a new generation of evasion itself. To keep things basic, the difference between an AET and an ordinary evasion lies in how malicious payloads are delivered past the defenses, not in the payload.

According to Stonesoft, AETs are, “virtually limitless in quantity and unrecognizable by conventional detection methods. They can work on all levels of the TCP/IP stack and work across many protocols or protocol combinations.”

Traditional network protection (IPS and IDS, reactive firewalls and the like) is the most common form of network defense seen in an organization. These systems detect attacks by recognising the vector used to deliver a payload: the exploit traffic itself, matched against known signatures.

For example, they will detect and block an attack that leverages a vulnerability in Microsoft Windows to deliver malware. For the most part, these defense systems are quick on the uptake and offer solid protection.

However, they are sometimes bypassed completely using evasion techniques: the exploit traffic is disguised (encoded, fragmented or otherwise reshaped) so that it no longer matches the signature, yet still reaches the target intact. When this happens, the same Windows vulnerability that was flagged previously is exploited and the payload delivered without the defense system noticing a thing.

Once an evasion technique is known, it can be blocked, which pushes the criminals back to square one. AETs, on the other hand, take a hybrid approach, combining several evasion techniques in a single attempt at the same attack, and, according to Stonesoft, these combinations usually succeed.
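To make the difference concrete, here is a small added example (not code from the article, Stonesoft or NSS Labs) that runs four toy signature detectors against the same malicious HTTP request. Percent-encoding stands in for the encoding layer and splitting the request across two TCP segments stands in for the segmentation layer; the signature string, the requests, the cut points and the detectors are all constructed for illustration. Each single evasion has a detector that handles it, but the detector that handles both in the wrong order (decoding each segment before reassembling) still misses the two combined, because the split lands inside a percent-escape.

```python
"""Toy IDS signatures versus single and combined evasions.

Added example for illustration; not code from the article, Stonesoft or
NSS Labs.  Assumptions: one constructed signature, one constructed HTTP
request, percent-encoding as the 'encoding' evasion and a two-way split
of the request as the 'segmentation' evasion.
"""
from typing import Callable, Dict, List
from urllib.parse import unquote

# Constructed signature: the token a naive HTTP rule would look for.
SIGNATURE = "/etc/passwd"

# Constructed requests: the same attack, plain and percent-encoded.
PLAIN = b"GET /view?file=/etc/passwd HTTP/1.0\r\n"
ENCODED = b"GET /view?file=%2fetc%2fpasswd HTTP/1.0\r\n"


def split_segments(data: bytes, cut: int) -> List[bytes]:
    """Model TCP segmentation: deliver the request as two segments cut at `cut`."""
    return [data[:cut], data[cut:]]


def _decode(seg: bytes) -> str:
    """Percent-decode one chunk; incomplete escapes such as '%2' are left as-is."""
    return unquote(seg.decode("latin-1"))


def raw_per_segment(segments: List[bytes]) -> bool:
    """No decoding, no reassembly: matches the raw bytes of each segment alone
    (the monitor that only understands English)."""
    return any(SIGNATURE.encode() in seg for seg in segments)


def decode_per_segment(segments: List[bytes]) -> bool:
    """Knows the encoding (a new 'language pack') but still inspects each
    segment in isolation, so a token split across segments is missed."""
    return any(SIGNATURE in _decode(seg) for seg in segments)


def decode_then_reassemble(segments: List[bytes]) -> bool:
    """Handles both evasions, but in the wrong order: an escape straddling
    the segment boundary is decoded as two halves and never matches."""
    return SIGNATURE in "".join(_decode(seg) for seg in segments)


def reassemble_then_decode(segments: List[bytes]) -> bool:
    """Reassemble the stream first, then normalise: the order that survives
    the two evasions combined."""
    return SIGNATURE in _decode(b"".join(segments))


DETECTORS: Dict[str, Callable[[List[bytes]], bool]] = {
    "raw bytes per segment": raw_per_segment,
    "decode each segment": decode_per_segment,
    "decode, then reassemble": decode_then_reassemble,
    "reassemble, then decode": reassemble_then_decode,
}


def build_samples() -> Dict[str, List[bytes]]:
    """Constructed traffic: no evasion, one evasion each, and both combined."""
    return {
        "plain, one segment": [PLAIN],
        "percent-encoded, one segment": [ENCODED],
        # segmentation only: cut after '/etc/pa' so no segment holds the whole token
        "plain, split mid-token": split_segments(PLAIN, PLAIN.index(b"/etc/pa") + 7),
        # both evasions: cut after '%2' so the escape for '/' straddles the boundary
        "encoded, split inside an escape": split_segments(
            ENCODED, ENCODED.index(b"%2fpasswd") + 2
        ),
    }


def run_matrix() -> Dict[str, Dict[str, bool]]:
    """Run every detector over every sample; True means the attack was caught."""
    return {
        sample: {name: detect(segs) for name, detect in DETECTORS.items()}
        for sample, segs in build_samples().items()
    }


if __name__ == "__main__":
    for sample, results in run_matrix().items():
        print(sample)
        for name, caught in results.items():
            print(f"  {'CAUGHT' if caught else 'missed'}  {name}")
```

Running it prints a caught/missed matrix. The last row is the one that matters: three of the four detectors miss the combined case, including the one that handles each technique on its own. The fix is not another signature but normalising in the right order, reassembling before decoding, which is exactly the property worth asking a vendor about.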

For those who are interested in the topic but do not want to learn how IDS and IPS systems work, Stonesoft offered a non-technical explanation.

It uses a basic example of monitoring a telephone system for keywords. If you mention the keyword in English, the monitoring on the phone system will flag you. If you mention the keyword in another language that the monitoring system also knows, you can be flagged as well.

If you use a language the system does not know, which is the evasion technique, then you might be able to hold the conversation undetected. That is, until the monitoring system is updated with a new language pack that includes the language you are speaking.

To avoid being flagged by new language packs, you would need to hold the conversation in several languages at once. As long as you and the person you are communicating with understand all of the languages, you have performed a successful AET against the monitoring system.

The only downside we see to Stonesoft's basic explanation is that the example phone system was monitoring for the keyword 'terrorist plot'. To be clear, there is no evidence that AETs have been used for terrorist activity.

For those wondering how AETs relate to APTs (Advanced Persistent Threats), they are not the same thing. In short, AETs could be used to deliver the payloads needed to carry out an APT-style attack. Again, AETs are about how a payload is delivered, not the payload itself.

So should you panic? No. You should remain aware and keep things in check. Stonesoft says that many of the vendors in Gartner's IPS Magic Quadrant are failing to detect AET attacks. However, the key word here is many. They never said all.

“Evasions are absolutely critical for security products to catch, because if you miss just one, you can let an entire class of attacks through your product. But they're not new. Nor are the combinations thereof, these so-called AETs, E.g. one can combine Unicode with JavaScript or segmentation etc.,” explained NSS Labs’ Rick Moy.

“What they seem to be saying is the quantity is new because they’ve now figured out you can combine them. Many vendors have been struggling with the basics as it is.”

It is interesting to note that when NSS Labs tested IPS products, Stonesoft was one of the vendors that failed the evasion portion of the test. Why is this interesting? In its advisory on AETs, Stonesoft said that the best defense against them was an offering comparable to its own StoneGate network security solution.

Stonesoft wasn't alone in failing the NSS Labs test that measured the effectiveness of evasion detection; TippingPoint and Juniper also failed. Among the vendors that passed, Cisco, IBM, Sourcefire and McAfee came out on top, with Cisco and McAfee detecting the full range of evasion techniques tested.

So if Stonesoft failed a basic evasion test, how is it detecting several evasion techniques at once? In the NSS Labs test, Stonesoft missed three of the five tests given. A sixth test was listed as TBD by NSS Labs. The report itself is here.

Another thing to remember about AETs is that they could be used to deliver payloads that are easily flagged by other layers of protection. If the payload is a Trojan, for example, anti-malware on the host still covers that vector: the network evasion only disguises the delivery, not the file that arrives.

Yet if the AET is used to get shell access to a vulnerable server, you will have problems. Even then, other controls help, such as patch management and risk management. A patched server has no vulnerability for the exploit to reach, however well the delivery was disguised, and risk management means that even if the server is compromised, the impact on the overall business may not be as severe as the AET coverage so far suggests.

While there is a chance that AETs could be part of a massive security incident, the odds of this happening are unknown, and it isn't wise to simply head for the hills screaming. This is where vendor relationships are critical. If you are worried about this new type of vector, talk to your vendor about what they are doing to address AET-based attacks.

The information you are looking for is not how your vendor detects and blocks individual evasion methods, but how it deals with several of them used at the same time, and what secondary protections are offered.

We're following up with several experts and sources to get more information on AETs. Once we have more to go on, we'll follow up on this report.
