Slide 1
Stonesoft
Advanced Evasion Techniques
Slide 2
BITTERSWEET DISCOVERY
True story: Stonesoft security researchers on the outskirts of Europe discovered that there are millions of ways to bypass the most advanced and leading network security solutions without leaving any traces or alerts on management systems.
Being a good citizen, Stonesoft has publicly reported hundreds out of those millions.
But that is only the tip of the iceberg: "do the math" yourself.
Those ways are called Advanced Evasion Techniques (AETs).
See more at: aet.stonesoft.com
Slide 3
Story in a nutshell
Our research idea was very simple: "break all the principles and rules of sending and receiving data", just like hackers do. Thinking the unthinkable.
Failed in NSS Group tests
Dedicated evasion research team started
Creation of automated tools and a test lab to ease product testing
Discovery of Advanced Evasion Techniques
Test run against all the leading IPS and NGFW products: 99% ineffective
Communicating through CERT to other vendors, and finally in public
Slide 4
Advanced Evasion Techniques (AETs)
What are they?
Any technique used to engineer a network-based attack so that it evades and bypasses security detection.
What makes them advanced?
A combination of evasions working simultaneously on multiple protocol layers
A combination of evasions that can change during the attack
Carefully designed to evade inspection
Typically, AETs are used as part of Advanced Persistent Threats (APTs). APT = motivation.
Slide 5
Advanced Evasion Techniques disguise cyber attacks, malicious payloads and exploits so that they look normal and safe when the security device inspects the traffic. The number of AETs is virtually limitless, because they can be combined, varied and modified dynamically.
Everything looks safe and normal when evasions are used and the security devices are not anti-evasion ready.
Slide 6
...but this can be reality.
Slide 7
So why worry?
AETs can breach sensitive data
AETs can ruin brand reputation
AETs can cause financial losses
AETs can harm business continuity
AETs can put critical infrastructure at risk
AETs can put national security at risk
As long as there is a vulnerable target (and there always is), advanced evasion techniques can deliver any known or unknown (zero-day) exploit to it.
And nobody knows it.
Currently, AETs work as a master key that security vendors DO NOT HAVE.
Slide 8
Industry Blind Spot
Why is this possible?
Slide 9
Evasion Research so far...
1997 1998 2001
The seminal text on attacks against IDS systems appeared in 1997.
Comprehensive description of attacks by Ptacek and Newsham.
An article in Phrack Magazine describes ways to bypass network intrusion detection.
Stonesoft starts to design multilayer normalization capabilities in its IPS.
Slide 10
Evasion Research so far...
2004 2006 2007
Moore and Caswell discuss evasions at Black Hat.
Gorton and Champion suggest combinations of evasions.
Handley and Paxson suggest normalization.
Slide 11
Evasion Research so far...
2007 2009 2010
Stonesoft's evasion research starts.
NSS test results boost evasion research.
Dedicated team starts testing Stonesoft with the automated evasion tools.
First version of the evasion testing tool, with 12 non-stackable evasions.
Tests expanded against all leading security devices.
Slide 12
Evasion Research so far...
2010 2011 2012
June 2010: First 23 AETs reported to CERT for global vendor remediation.
Oct 2010: Public announcement of Advanced Evasion Techniques and the evasion threat.
Oct 2010: Knowledge and awareness of evasions spreads.
Dec 2010: CERT coordination process ends. Vendors remain silent about their remediation.
Feb 2011: 124 new AET evasions reported.
Mar 2011: 180+ stackable and combinable evasions in the testing framework.
Slide 13
Evasion Research so far...
2011 2012 ...
May 2011: Stonesoft introduces the first commercial version of the Anti-evasion Readiness Test for other security vendors, test labs and organizations.
A UK cyber forensics team and a leading computer science university verify the existence of evasions in reality, and Stonesoft signs a collaboration agreement with the university to start academic research.
Stonesoft delivers AERT tools to many of the leading security vendors and test labs.
Stonesoft publishes a whitepaper on how the company's technology differs from others and launches the new aet.stonesoft.com site.
Slide 14
Justified question: why is this possible? Design flaws.
It has been an industry blind spot, or ignorance.
Speed and the false-positive problem used to be sales obstacles, which led to an orientation toward pure speed and minimized inspection: the industry sacrificed security. Speed and some security functionality were built on hardcoded security, which is impossible to update and evolve dynamically.
Current technologies are 15 years old and were designed in the era of "we know the threat, and that's why we can deal with it". That leads to pattern-match and signature-based detection only, without truly understanding the big picture of the data stream. In the era of unknown and uncertain threats, signatures alone will not work!
Slide 15
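The two points the deck makes on slide 4 (evasions stacked across protocol layers) and on this slide (per-packet signature matching versus understanding the whole data stream) can be shown in a few dozen lines. The following is an added illustration, not code from the Stonesoft deck or from any Stonesoft product. The HTTP request, the IDS signature, the TCP segments and the target host's overlap policy are all constructed for the example; the function names are hypothetical. It stacks an application-layer evasion (URL percent-encoding of the attack string) on top of transport-layer evasions (tiny out-of-order TCP segments plus a late overlapping junk segment), and contrasts a per-packet matcher with a normalizing inspector that reassembles and decodes the stream the way the target host does.

```python
"""
Added illustration (not code from the Stonesoft deck): stacked evasions
versus per-packet signature matching versus stream normalization.
Everything below (requests, signature, segments, the constructed host's
overlap policy) is made up for the example.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Hypothetical IDS signature: the literal bytes of a well-known attack string.
SIGNATURE = b"cmd.exe"

# Constructed attack request, in the clear and with the dot percent-encoded.
# The web server decodes %2e to "." before acting on the path.
PLAIN_REQUEST = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
ENCODED_REQUEST = PLAIN_REQUEST.replace(b"cmd.exe", b"cmd%2eexe")

ISN = 1000  # initial sequence number of the constructed TCP stream


@dataclass(frozen=True)
class Segment:
    seq: int     # TCP sequence number of the first byte of data
    data: bytes


def build_evasive_segments(request: bytes, size: int = 3, seed: int = 7) -> list[Segment]:
    """Transport-layer evasions stacked on the (already encoded) request:
    1. tiny segments, so no single packet carries the whole signature;
    2. out-of-order delivery, so a matcher that does not reorder sees noise;
    3. a late overlapping segment that rewrites the bytes of "cmd" to "@@@".
    The constructed target stack keeps the data it received FIRST for any
    overlapping byte, so the host discards the junk, while an inspector that
    favours the LAST copy keeps it (the Ptacek-Newsham insertion problem)."""
    genuine = [Segment(ISN + i, request[i:i + size])
               for i in range(0, len(request), size)]
    random.Random(seed).shuffle(genuine)        # deterministic out-of-order delivery
    junk = Segment(ISN + request.index(b"cmd"), b"@@@")
    return genuine + [junk]                      # junk arrives after every genuine byte


def reassemble(segments: list[Segment], overlap: str = "first") -> bytes:
    """Byte-level TCP reassembly.  overlap="first" keeps the earlier copy of an
    overlapping byte; overlap="last" lets a later copy overwrite it."""
    stream: dict[int, int] = {}
    for seg in segments:
        for offset, byte in enumerate(seg.data):
            pos = seg.seq + offset
            if overlap == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))


def naive_ids(segments: list[Segment]) -> bool:
    """Per-packet pattern matching: each segment's raw bytes in isolation."""
    return any(SIGNATURE in seg.data for seg in segments)


def normalizing_ids(segments: list[Segment], overlap: str = "first") -> bool:
    """Reassemble with the target's overlap policy, decode the request target
    the way the HTTP server will, then match the signature."""
    stream = reassemble(segments, overlap)
    request_line = stream.split(b"\r\n", 1)[0]
    return SIGNATURE in unquote_to_bytes(request_line)


def what_the_host_sees(segments: list[Segment]) -> bytes:
    """Decoded request line the constructed (first-copy-wins) host acts on."""
    return unquote_to_bytes(reassemble(segments, "first").split(b"\r\n", 1)[0])


if __name__ == "__main__":
    evasive = build_evasive_segments(ENCODED_REQUEST)
    print("host executes                   :", what_the_host_sees(evasive))
    print("plain request, per-packet IDS   :", naive_ids([Segment(ISN, PLAIN_REQUEST)]))
    print("evasive stream, per-packet IDS  :", naive_ids(evasive))
    print("evasive stream, normalizer/first:", normalizing_ids(evasive, "first"))
    print("evasive stream, normalizer/last :", normalizing_ids(evasive, "last"))
```

The last line is the practitioner's caveat: reassembly alone is not enough. The normalizer only sees what the host sees when it resolves the overlapping bytes with the same policy the target's TCP stack uses; with the wrong policy it reconstructs a harmless stream while the host executes the attack.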
Déjà vu: automobile safety in 1959, network security in 2010?
Status quo
  Cars: Before 1959, all the established automobile brands marketed that cars were safe, and users believed it and felt safe.
  Network security: Before 2010, all the network security vendors marketed that their solutions offered a high level of protection, and organizations felt their digital assets were secured.
Disruption
  Cars: Then came one Nordic brand, VOLVO, which claimed that current cars were not even close to safe and that innovations were needed.
  Network security: Then came one Nordic brand, STONESOFT, which claimed that current security solutions were not as secure as they should be.
Technology breakthrough
  Cars: In 1959 they introduced the three-point seat belt.
  Network security: In 2010 they introduced Advanced Evasion Techniques and innovative technologies to fight back.
Claim
  Cars: They claimed lives could be saved if all brands started adding seat belts to their cars (tested facts and reality).
  Network security: They claimed governments, businesses and brands could be saved if their anti-evasion technologies were taken into use.
Industry response
  Cars: "This is marketing, extra costs, no relevance to safety, dangerous, uncomfortable, people won't use it, theoretical only."
  Network security: Most kept silent and others claimed: "This is marketing, we can fix this, only extra costs, no relevance to security, unproven, theoretical, not happening in reality."
Bottom line
  Cars: Millions of human lives have been and will be saved.
  Network security: Organizations will be saved if the AET threat is taken seriously.
Slide 16
We claimed: businesses are driving without seat belts!
...And we can show and prove it to anybody!
Slide 17
For the record...
"Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft's research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations."
– Jack Walsh, Program Manager
"If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today's networks."
– Rick Moy, President
"Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution."
– Bob Walder, Research Director
"We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild. It is also very promising to see that Stonesoft is taking the threat posed by evasions seriously as they have been overlooked by many in the past."
– Andrew Blyth, Professor, Glamorgan University
Meanwhile, other security vendors keep radio silence!
Slide 18
Slide 19
Off the record
Some are acquiring anti-evasion technology and knowledge from Stonesoft
Some are focusing on surviving the next public tests
Some are doing workarounds and quick fixes
Some are downplaying the threat and risks when asked directly
Some are protecting their business at the expense of customers
Some have truly started to investigate their design flaws
Some ignore it and do NOTHING!
Meanwhile, other security vendors are saving their business.
Slide 20
Reality.
Palo Alto's HTML evasion protection
  Marketed: 100%
  Tested by NSS, NGFW 2011: 33%
NOTE! In this particular test only simple, known and well-documented evasions were used. What happens if more advanced evasions hit this security device?