There are a lot of insidious players on the loose, burrowing their way into corporate networks. Some bang on the front door and demand a ransom for the data they kidnap. Others, however, use advanced evasion techniques (AETs) to bypass traditional common network security solutions. They can transport any attack or exploit through network security devices and firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and even routers doing deep packet inspection.
There are four key items to remember while implementing a testing tool for AETs:
- Evasions exist in every protocol
- Evasions can be combined together to create new evasions
- The order of combined evasions is important
- The number of different evasion combinations is massive
The scope for different AETs is vast. The situation is similar to that of the anti-virus industry 15 years ago, where everyone knew that a massive virus problem existed, but no one in the industry could tell how big the problem was. Today, the anti-virus industry has all but stopped counting the number of viruses and virus variations because the number is too large. Similarly, the number of unique AET possibilities now is so massive that it is difficult to comprehend.
From a security perspective, the challenge is to find those combinations that are deadly and create a defense for them. The need for automated advanced evasion testing tools is mandatory for this work.
You can identify AETs according to certain underlying principles. AETs:
- Are deliverable in a high liberal way, much like viruses
- Target traditional security devices
- Use rarely used protocol properties
- Use unusual combinations of evasions
- Craft network traffic that disregards strict protocol specifications
- Exploit the technical and inspection limitations of security devices: memory capacity, performance optimization, design flaws, and so on.
AETs are a means to disguise cyber attacks in order to avoid detection and blocking by network security systems. AETs enable cybercriminals to deliver malicious content to a vulnerable system without detection, which world normally stop the threat. Traditional network security is ineffective against AETs in the same way that traditional radar is ineffective against a stealth fighter attack.
AETs are real and they are serious. So how does one protect against AETs? When it comes to AETs, no network security device on the market today can guarantee 100 percent protection. AETs are not signature-based so a device update does not fix the problem.
Test your network and know the holes in your network. Forcepoint provides a portable version of an advanced evasion testing tool called Evader. It provides objective, real-life data on the anti-evasion capabilities of your current and planned network security devices. It also produces a risk assessment in the form of a test report with the accompanying test data.
Here are some additional tips on how to identify and overcome AETs:
- Use traffic inspection methods, such as traffic normalization
- Deploy a centralized approach, such as monitoring all network devices and update or reconfigure network devices as needed to minimize the threat
- Re-evaluate your existing patch management policy as AETs cannot attack a patched system
- Check your existing IPS to determine how quickly they react to attacks and newly discovered threats
By Klaus Majewski, Forcepoint