AETs and software-based security
The way forward for monitoring and inspection
A special feature of advanced evasion techniques (AETs) is that they have an infinite number of possible combinations, meaning only software-based security systems can provide effective protection against them.
Unlike hardware-based solutions, software can adapt quickly and dynamically to changing threat patterns, which gives it the best chance of keeping pace with the latest methods of disguise.
AETs combine and vary methods for disguising an attack or malicious code, using different levels within network traffic. This unusual behaviour means that even modern intrusion-prevention systems (IPSs) and next-generation firewalls are unable to detect the disguised malicious code.
Recent estimates set the number of possible combinations of AETs at a very high figure (2,180) and it appears that this dynamic threat will present long-term challenges to the security mechanisms of corporate networks.
Simply updating signatures can only protect against single AET methods and, as a result, this means of attack is currently giving cyber criminals a kind of master key for attacking any vulnerable system.
To disguise an attack, AETs make use of the way in which IPS architectures and firewalls work. For example, an IPS checks data traffic before passing it on to the network and blocks the data if the IPS suspects that it contains malicious code. The security system must therefore know the specific patterns of malware programs in order to detect them and protect the network.
Most IPS architectures use protocol analysis and signature recognition for this purpose. Upon detecting a new worm or virus, the devices usually update their fingerprint information within just a few days, sometimes even within hours. To a certain extent, existing analysis functions can detect and combat malicious software that is similar to known threats.
For their part, firewalls check data packets to determine their origin, destination, protocol and other properties. If the data packets fail to satisfy the network's internal security rules, the firewall rejects them and alerts the administrator.
However, AET methods have so many possible variations that, even after only a slight modification, for example in the number of bytes or the segment offset, they no longer resemble any attack pattern stored in the IPS. Malicious code then enters the network with the appearance of regular data traffic, despite a fingerprint update.
Therefore, security patches no longer offer protection, especially as AETs do not follow the classic rules of the TCP/IP protocol suite. Tests have shown that AETs are able to attack the IP and transport layers (TCP, UDP) as well as application layer protocols, including SMB and RPC.
Thus, an AET-disguised data packet can sneak past the IPS and enter the network on different levels of data traffic. To a firewall, a data packet of this type may also outwardly meet all criteria of the defined security rules and is therefore allowed to pass.
In order for security solutions to offer any protection at all against dynamic and constantly evolving AETs, it must be possible to update these solutions quickly and at any time. Once new AET variants have been announced, software-based IPS and firewall systems can be automatically brought up to date and the corresponding patterns of disguise stored.
However, the overwhelming majority of network security systems in use today are static, hardware-based solutions that are extremely difficult and sometimes even impossible to update, especially in light of the rapidly changing threat patterns.
Updating them would be very time-consuming and costly and, at the same time, it is virtually impossible for them to react flexibly to new AET variants. This means that administrators can no longer guarantee network security.
Flexible, software-based security systems, combined with a central management function, therefore currently offer the best protection against AETs. Thanks to software-based technology, updates can be loaded at any time and configuration work carried out without a great deal of effort.
It is not yet possible to provide full protection against AETs. One solution is dynamically adaptable security systems, to which new functions for inspecting data traffic can be added with little time and effort, offering the best protection available today.
One example of this is 'multi-layer normalisation', in which security devices interpret and fully reassemble data packets in the same manner as the end system. This reduces the danger of disguised malicious code bypassing the security system undetected and entering the network.
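The reassembly step behind normalisation, compared with matching each segment on its own, is sketched below. This Python is an added example, not part of the original article or of any vendor's product; the marker string, the segment data and all function names are constructed for illustration, `base` is assumed to be the sequence number of the first payload byte, and sequence-number wraparound is ignored.

```python
# Added example. SIGNATURE is a harmless constructed marker, not a real pattern.
SIGNATURE = b"MARKER-PATTERN"

def per_segment_match(segments, signature=SIGNATURE):
    """Naive inspection: test each segment payload in isolation."""
    return any(signature in payload for _seq, payload in segments)

def reassemble(segments, base, policy="first"):
    """Rebuild the byte stream as the receiving end system would.

    segments: (sequence_number, payload) pairs in arrival order.
    policy:   which copy wins when segments overlap ("first" or "last");
              it has to match the TCP stack of the protected host.
    Returns (stream, conflicts): conflicts counts overlapping bytes whose
    copies disagree, which is worth an alert in its own right.
    """
    seen, conflicts = {}, 0
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            pos = seq - base + i
            if pos < 0:
                continue  # data from before the start of the stream
            if pos in seen and seen[pos] != byte:
                conflicts += 1
                if policy == "first":
                    continue  # keep the copy that arrived first
            seen[pos] = byte
    out, pos = bytearray(), 0
    while pos in seen:  # only the contiguous prefix reaches the application
        out.append(seen[pos])
        pos += 1
    return bytes(out), conflicts

def normalised_match(segments, base, policy="first", signature=SIGNATURE):
    """Inspect the reassembled stream; returns (matched, conflicts)."""
    stream, conflicts = reassemble(segments, base, policy)
    return signature in stream, conflicts

# Constructed capture: one stream split at arbitrary offsets, out of order.
BASE = 1000
SEGMENTS = [(1000, b"hello MARK"), (1016, b"TERN bye"), (1010, b"ER-PAT")]
# Same capture plus a later segment whose bytes 8-11 disagree with earlier data.
OVERLAPPED = SEGMENTS + [(1008, b"XXXX")]

if __name__ == "__main__":
    print(per_segment_match(SEGMENTS))
    print(normalised_match(SEGMENTS, BASE))
    print(normalised_match(OVERLAPPED, BASE, "first"))
    print(normalised_match(OVERLAPPED, BASE, "last"))
```

The inspecting device only sees what the end system sees if its overlap policy matches that system's stack, so a non-zero conflict count is a useful alert condition regardless of whether the signature matched.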
Patch management and updating signature databases are not adequate solutions, as these measures cannot keep up with highly dynamic AETs over the long term. Searching for the right AET method when 2,180 combinations are possible is like searching for one grain of sand in 500,000 galaxies.
Ash Patel is country manager for UK & Ireland at Stonesoft