The Tech Herald

Stonesoft offers new details on Advanced Evasion Techniques

by Steve Ragan - Oct 19 2010, 15:40

Yesterday, we reported on Stonesoft’s discovery of a new type of attack that will bypass traditional network security protections. Dubbed Advanced Evasion Techniques (AET), Stonesoft says the threat is real and deserves serious attention. The company offered us additional details on AET, so we felt it would make a proper update for those following the developments.

To recap, the distinction between an AET and a conventional evasion centers on how malicious payloads are delivered, not on the payloads themselves. The evasion techniques that are widely known today are not the same as the methodology used in AET-based attacks. This is an important detail when discussing the issue.

So if AETs are not the typical methods of evasion known today, what are they? In short, they are a method of evasion that applies several known evasion techniques at the same time, on the same traffic, to defeat network-based protections.

For example, IPS/IDS systems will detect and prevent an attack that leverages a vulnerability in Microsoft Windows to deliver malware. However, these defenses are sometimes bypassed completely using evasion techniques. When this happens, the system is compromised and the malware is successfully delivered.

Once an evasion technique becomes known, it can be blocked. AETs, on the other hand, take a hybrid approach, applying several evasion techniques at the same time during the attack. When this happens, based on Stonesoft’s research and confirmed by ICSA Labs, the attack succeeds. The issue is that even if each individual evasion technique is known to the IPS/IDS, the attack can still be missed when several techniques are applied at once.
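The following is an added, constructed example in Python, not Stonesoft’s code, test tooling or methodology and not part of the original article, that illustrates the point above. It layers two well-known, individually trivial evasions on one HTTP request: percent-encoding of the URL path and splitting the stream into small TCP segments. Four toy matchers (the `ips_*` names, the signature and the request are all hypothetical) show that a detector which handles either evasion on its own still misses the combination, while the server, which reassembles and then decodes, receives the exploit every time. Real products normalize far more than this toy, but the composition problem it demonstrates is the one described above.

```python
"""
Constructed illustration of combined evasions vs. single-evasion defenses.

Two well-known, individually trivial evasions are layered on one HTTP
request: percent-encoding of the URL path and splitting the stream into
small TCP segments.  Four toy "IPS" matchers show that handling either
evasion on its own is not enough; the detector has to model what the
endpoint does (reassemble, then decode) before it matches.

Hypothetical names and data throughout; this is not Stonesoft's or any
vendor's code.
"""
from urllib.parse import unquote_to_bytes

# Constructed signature: the byte string the IPS is configured to alert on.
SIGNATURE = b"/cgi-bin/exploit.cgi"

# Constructed request carrying the "attack".  The path is the only part
# the signature cares about.
REQUEST = b"GET /cgi-bin/exploit.cgi?cmd=id HTTP/1.0\r\nHost: victim\r\n\r\n"


def encode_path(request: bytes) -> bytes:
    """Evasion A: percent-encode every byte of the URL path.

    The web server decodes the path before routing, so the attack still
    lands; a matcher that never decodes simply does not see the signature.
    """
    method, target, rest = request.split(b" ", 2)
    path, sep, query = target.partition(b"?")
    encoded = b"".join(b"%%%02X" % byte for byte in path)
    return b" ".join([method, encoded + sep + query, rest])


def segment(data: bytes, size: int) -> list:
    """Evasion B: deliver the stream in segments shorter than the signature,
    so no single packet ever contains it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# --- four toy detectors, from naive to endpoint-faithful ------------------

def ips_per_packet(segments) -> bool:
    """Raw byte match on each packet in isolation (handles neither evasion)."""
    return any(SIGNATURE in seg for seg in segments)


def ips_reassembling(segments) -> bool:
    """Reassembles the TCP stream (defeats B) but never decodes (misses A)."""
    return SIGNATURE in b"".join(segments)


def ips_decoding(segments) -> bool:
    """Percent-decodes each packet (defeats A) but inspects packets one at a
    time (misses B).  Decoding per packet also mangles escapes such as
    "%2" + "F" that straddle a segment boundary."""
    return any(SIGNATURE in unquote_to_bytes(seg) for seg in segments)


def ips_endpoint_model(segments) -> bool:
    """Reassemble first, then decode: the same order the server applies."""
    return SIGNATURE in unquote_to_bytes(b"".join(segments))


def server_sees_exploit(segments) -> bool:
    """What the target executes on: the reassembled, decoded request path."""
    stream = b"".join(segments)
    target = stream.split(b" ", 2)[1]
    return SIGNATURE in unquote_to_bytes(target)


DETECTORS = {
    "per_packet": ips_per_packet,
    "reassembling": ips_reassembling,
    "decoding": ips_decoding,
    "endpoint_model": ips_endpoint_model,
}


def scenarios(segment_size: int = 8) -> dict:
    """The same attack delivered plainly, with one evasion, and with both."""
    return {
        "plain": [REQUEST],
        "segmented": segment(REQUEST, segment_size),
        "encoded": [encode_path(REQUEST)],
        "encoded+segmented": segment(encode_path(REQUEST), segment_size),
    }


def run_matrix(segment_size: int = 8) -> dict:
    """Return {scenario: {detector: alerted, ..., 'server_hit': bool}}."""
    results = {}
    for name, segs in scenarios(segment_size).items():
        row = {dname: det(segs) for dname, det in DETECTORS.items()}
        row["server_hit"] = server_sees_exploit(segs)
        results[name] = row
    return results


if __name__ == "__main__":
    matrix = run_matrix()
    cols = list(DETECTORS) + ["server_hit"]
    print(f"{'scenario':<20}" + "".join(f"{c:>16}" for c in cols))
    for scenario, row in matrix.items():
        print(f"{scenario:<20}" + "".join(f"{str(row[c]):>16}" for c in cols))
```

Running the script prints one row per delivery method. The reassembling matcher catches the segmented request and the decoding matcher catches the encoded one, but only the detector that reproduces the endpoint’s reassemble-then-decode order alerts when both evasions are stacked, and the server receives the exploit in every row. Add IP fragmentation, overlapping TCP segments or a second encoding layer and the number of orderings a detector must model grows combinatorially, which is the explosion the article goes on to describe.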

If one reads the press release and coverage on AETs, the section ‘AETs in the Wild’ makes one think that criminals are already using them. This isn’t so, says Stonesoft.

“The attacks themselves were not actually discovered in the wild,” Stonesoft’s Director of US Product Development, Matt McKinley, told The Tech Herald.

“While improving the evasion prevention capabilities of the IPS, the researchers created automated testing methodologies that demonstrated that it was possible to combine these evasions in ways that make them undetectable.”

Stonesoft was looking for improvements based on its own interests; it was doing pure security research in order to detect a wider range of attacks. The research was also prompted in part by recent third-party IPS testing. Stonesoft was one of the vendors that failed an NSS Labs test of IPS products. It wasn’t alone: TippingPoint and Juniper also failed. Stonesoft missed three of the five tests given. A sixth test was listed as TBD (To Be Determined) by NSS Labs.

Among the IPS vendors that passed the NSS Labs testing, Cisco, IBM, Sourcefire, and McAfee came out on top. The NSS Labs results also prompted Rick Moy, NSS Labs’ President, to remark that evasion techniques are not new.

“Evasions are absolutely critical for security products to catch, because if you miss just one, you can let an entire class of attacks through your product. But they're not new, nor are the combinations thereof, these so-called AETs. E.g. one can combine Unicode with JavaScript or segmentation etc,” Moy told us.

Mark Boltz, senior solutions architect at Stonesoft, responded to that point and added more insight into the discovery itself.

“In terms of evasions not being new and in terms of the combinations not being new, to that point we’d only like to say that it’s true, certainly, that evasions are not new. We went back to existing evasion research in part, as a result of the last NSS Labs test of our IPS with the other vendors, to look into evasions more, and that’s one of the things that kind of started this process rolling,” he said.

Stonesoft also found shortcomings in existing commercial testing tools: there were published evasion techniques that those tools did not implement. So the company set out to assemble a wider set of techniques and see which ones still worked. This testing took them back to previous research on evasion, such as the talks and papers published from 2001 to 2008.

What they found was that, while evasions are nothing new, even simple, well-known evasions several years old still work against some IPS/IDS products on the market today. Stonesoft then extended these evasions into a whole new set of techniques that challenge the assumptions about TCP/IP and the RFCs, and about what IPS/IDS systems should do.

“We found that a lot of these new techniques actually work even more effectively. When you take that set of well-known evasions, plus all of the additional techniques that we’ve come up with and the combinatory factor, you now get something on the order of 2 to the 180th power of possible combinations that you can use and experiment with to completely evade the detection of just about every system today, including those that did well on the NSS Labs test.”

Previously, we asked how Stonesoft could detect these AET threats, given that it failed the basic evasion tests run by NSS Labs. As mentioned, that first failure led to the discovery of the AETs, and, to be fair, Stonesoft has spent months improving its technology since. The company has submitted its product for a second round of testing and is awaiting the results.

In the meantime, not much is known about the vendors whose products failed Stonesoft’s internal AET detection tests. What is known is that they are part of Gartner’s IPS Magic Quadrant.

Stonesoft would not tell us who was tested and failed; however, we have learned that the possible group includes McAfee, Sourcefire, TippingPoint, Checkpoint, Nitro, and Juniper, as well as Stonesoft’s technology itself. In addition, Cisco and IBM are listed as challengers to the IPS quadrant. [Gartner Report]

As we stressed before, IT administrators and managers should not fear the emergence of AETs or panic over their existence. What they should do is be aware of them, and look at their security processes.

Network-based IPS/IDS systems are just one layer of network defense. If an evasion technique or a more advanced AET slips past, the payload should be flagged by other layers of protection. For example, if patch management policy is enforced, a patched system isn’t open to an AET-delivered attack that leverages the vulnerability the patch closed.

We spoke to Jack Walsh, the intrusion detection and prevention program manager at ICSA Labs. He said it is unlikely that any IPS, firewall, or similar network protection device on the market can defend against all, or even most, of the possible evasion combinations that Stonesoft discovered.

“That's because there were a number of evasion techniques discovered, and also because the evasion techniques can be combined. The number of evasion combinations could lead to all sorts of potentially successful evasions,” Walsh explained.

“But because evasions - no matter how complex and no matter how many are combined successfully - only cause real damage when coupled with an attack aimed at some vulnerability, then by themselves they are not going to cause problems. So, if systems being targeted are not vulnerable to attack (because they have been patched or whatever), then those systems would be immune from any such attack - no matter how clever or stealthy.”

Boltz agreed, noting that if an organization has endpoint protections, such as a host-based IPS or IDS, in addition to the network-based security solutions, which has long been touted as a best practice, “they are in a much better position” to defend against AET attacks.

The AETs target a problem in the fundamental architecture and thinking behind network-based IPSs, Boltz explained. The receiving system, the endpoint, is the one that ultimately puts all of the packets together in the right order, and it is the endpoint that has to cope with everything an evasion technique can do to that stream. An IPS that does not reconstruct the stream the way the endpoint will is inspecting something other than what the target actually sees.

“Hopefully,” Boltz said, “a host-based system, whether it’s an anti-virus module or a host-based IPS, would catch [the malicious payload], and we haven’t tested that extensively to be able to say one way or the other whether that’s true one-hundred percent of the time.”

This is where vendor relationships come into play. You need to talk to your vendor, especially if it is one of the vendors highlighted by Gartner, and ask what it is doing to detect evasion techniques in general, and combined evasions in particular. It is important to talk to someone in research or engineering; speaking to support or sales will not help matters.

Boltz added to our assessment, noting that the top-tier vendors, whether TippingPoint, IBM ISS with the X-Force team, or Sourcefire and its researchers, all have research teams.

“So talk to those guys, and ask the engineers, ‘Have you heard about this from CERT?’, ‘Are you working on the problem?’, ‘What are you doing about it?’ etc., questioning what’s going on and what you can do about it.”

IT administrators and executives should ask themselves questions about unexplained events on the network, such as servers crashing for no apparent reason. If something like this happened, what was the impact? A successful AET attack will leave nothing in the IPS/IDS logs, so other sources of evidence, such as host logs and the crashed system itself, will be critical. This information can in turn be shared with the vendor to help it better understand the problem.

Other things to consider: are all the layers needed to secure your network actually in place? Is everything in place with regard to risk analysis, and should the risk analysis policy be updated?

Stonesoft’s announcement will surely benefit the company in marketing terms. The larger point, however, was to have the IPS/IDS community examine its own processes and question the norm. Simply put, think like a criminal and proactively develop better defenses. AET came out of basic security research; nobody set out to discover it, it simply turned up. Now that it is known to exist, vendors and customers need to start talking; it’s the only way to address the problem.

At the end of the day, layered protections and threat awareness are the key to preventing things from getting out of hand. Keeping in constant contact with security vendors is another critical asset, one that is often left untapped by enterprise and SMB managers.

More information about AET will be released in the future. For now, the detailed findings are being handled by CERT Finland, which will work with the affected vendors and release information when it feels it is safe to do so.

We’ll keep tabs on this attack vector and report new information as we get it.

The original AET story is here.
