One of the most worrisome and potentially crippling threats to next-generation infrastructures is Advanced Evasion Techniques (AETs), which cyber criminals are using more and more because AETs leave no trace in current management and monitoring systems, logs or reports, leaving the devices blind and creating an illusion of continued security. Since their discovery, many companies have not taken the proper security measures to effectively thwart AETs. Still, the threat posed by AETs is real, and there are steps that must be taken to protect your environment. This slideshow features nine tips, provided by Stonesoft, to help you secure against AETs.
AETs consist of any evasive hacking technique that allows an intruder to bypass security detection during a network-based attack. While AETs themselves are not malicious, they are the vehicle through which any number of malicious attacks can be successfully delivered to vulnerable network targets. They are typically successful in their infiltration due to their ability to ensure that traffic looks normal to security devices, which then allows traffic to pass freely. These stealth cyber attack methods bypass network security, are stackable through simultaneous execution on multiple protocol layers and are capable of changing dynamically, even during the attack’s execution.
Advanced Persistent Threats (APTs), by contrast, generally refer to a group, such as a foreign government or hacktivist party, that applies a number of techniques and attacks over a long period of time.
AETs foil security measures for two main reasons. One is the astronomical number of combinations that AETs can employ. The other is the type of inspection many security devices perform. Devices that perform packet or pseudo-packet-based inspection across a limited number of protocols and network layers, using signature pattern matching, are not capable of stopping AETs. Additionally, published device lab tests have not satisfactorily tested how devices behave when they encounter AETs.
Traffic handling, inspection and detection are the three main weak points in a network. Traffic handling in many IPS devices is optimized for throughput, which does not allow for full normalization. Data traffic should be normalized 100 percent on every protocol layer before payload inspection is executed. This is not the case for many devices, which are instead designed to optimize inline throughput performance. Furthermore, the devices are often optimized in a clean, or simulated, network that is never targeted with a complex attack. Instead of performing full normalization, many devices implement shortcuts and therefore perform only partial normalization and inspection. As a result, exploitation of those shortcuts by evasions becomes a strong possibility. Rather than inspecting only segments or pseudo-packets, proper security devices must inspect a continuous data stream.
The vulnerability to AET infiltration is not simply a theory. Organizations have taken note of the tremendous risk AETs pose and have run their own series of tests through their own products as well as through other security devices. In a Stonesoft test running 124 randomly selected AETs through the leading devices, the devices largely failed to detect AETs, with the results reported through the CERT-FI vulnerability coordination process flow. Furthermore, ISACA reported on the AET testing results of leading firewalls, IDS and IPS systems and deemed some security appliances’ performance “downright useless when faced with these new style crafted threats.” Results from intrusion attempts running 104 AETs reported 34 successful intrusions, compared to 17 blocked attempts.
ISACA is not the only industry organization that has noted the extreme threat of AETs and what the non-profit calls “the future of insecurity.” Gartner explored AETs in a lengthy research report, asking if the techniques merited mention as being advanced or if they should instead be thought of as an evolution. Other industry organizations have expressed both dismay and concern at AETs’ ability to infiltrate even the most seemingly secure networks and devices.
Defeating AETs involves using a data stream-based approach with layered protocol analysis. All data traffic must be recorded and analyzed with the utmost precision. Doing this requires multiple parallel and sequential state machines through which the data stream is fed, with all data traffic analyzed by default.
The lower protocol layers must be examined, with the security device only passing slightly modified or non-modified TCP segments and IP fragments. Those that contain overlapping data or conflicting data are not passed through, resulting in an effective normalization. This process ensures network traffic passing through the IPS is interpreted and the data stream reconstructed for inspection and analysis in the upper layers. Secondly, it is essential the TCP layer is inspected as a reassembled data stream, rather than in segments. Assembling the data transmitted in a TCP connection into a data stream provides detection of attacks in the stream that individual segment inspection may miss if the attack stretches across TCP segment boundaries. Finally, the higher protocol layer inspection must have the capability to inspect certain protocol elements in greater detail. This can be done by inspecting those elements as separate data streams and then normalizing them as per the protocol.
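The normalization and stream-reassembly rules described in the two passages above (full normalization before inspection, rejection of overlapping segments that disagree, and inspection of the reassembled TCP stream rather than individual segments) can be illustrated with a small detector. The following is an added example written for this page, not Stonesoft's or any product's code; the `Segment` type, the signature string and the sample segments are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    data: bytes     # segment payload

class NormalizationError(Exception):
    """Raised when two segments carry different bytes for the same stream offset."""

def reassemble(segments, start_seq=0):
    """Normalize and reassemble TCP payloads into one contiguous byte stream.
    Overlaps with identical bytes (plain retransmissions) are accepted; overlaps
    that disagree are rejected, since the sensor cannot know which copy the end
    host will honour. Only the contiguous prefix up to the first hole is returned."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq - start_seq + i
            if offset in stream and stream[offset] != byte:
                raise NormalizationError(f"conflicting data at stream offset {offset}")
            stream[offset] = byte
    out = bytearray()
    offset = 0
    while offset in stream:
        out.append(stream[offset])
        offset += 1
    return bytes(out)

def match_per_segment(segments, signature):
    """Segment-oriented inspection: each payload is checked in isolation."""
    return any(signature in seg.data for seg in segments)

def match_stream(segments, signature):
    """Stream-oriented inspection: normalize first, then check the whole stream."""
    return signature in reassemble(segments)

# Constructed sample: a content signature that straddles a segment boundary.
SIGNATURE = b"cmd.exe"
SPLIT = [Segment(0, b"GET /upload/cm"), Segment(14, b"d.exe HTTP/1.0\r\n")]
# Constructed sample: two segments disagree about bytes at the same offsets.
CONFLICT = [Segment(0, b"GET /index.html"), Segment(4, b"/upload/cmd.exe")]

if __name__ == "__main__":
    print("per-segment match:", match_per_segment(SPLIT, SIGNATURE))  # False
    print("stream match:     ", match_stream(SPLIT, SIGNATURE))       # True
    try:
        reassemble(CONFLICT)
    except NormalizationError as err:
        print("dropped:", err)
```

Per-segment inspection misses the split signature while stream inspection catches it, and the conflicting overlap is refused rather than guessed at, which is the normalization behaviour the text calls for.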
A centralized management system places network functions in one centralized location for viewing, monitoring and amending. Administrators may enable appliances and monitor all network devices. They are also able to create and change parameters across more than one device throughout the network, eradicating the risk of human error and the potential difficulties of configuration. A good centralized management system will offer comprehensive reports, automatic updates and reminders available in one enterprise-level location.
Reviewing your hosts and servers is essential to ensure everything is up-to-date. Inspect your hosts to guarantee they have the latest policy and virus definitions for both the hosts and server. Examine the infrastructure for disconnected hosts, as they can pose another point of vulnerability. Regularly monitoring scanning reports, alerts and infection reports is a must to assist with system protection. If a network attack is discovered, monitoring that attack by viewing the Internet shield status of the network is important.
Commercial testing is available through many vendors to detect network vulnerabilities and provide a deeper understanding of where a network may need additional fortification against threats in general and AETs in particular. Some commercial testing services are available at no cost to users. Many also provide the opportunity to launch controlled AET-borne test attacks using a variety of combinations.