Evasion techniques are a known method that hackers use to trick security solutions. They disguise or modify cyber attacks so that security systems cannot detect and block them. Malicious payload can thus be slipped undetected into unprotected systems behind the security solution.
Discovered in 2010, Advanced Evasion Techniques (AETs) work like conventional evasion techniques by combining new methods of disguise with known evasion techniques to enable them to circumvent virtually any network security solution. They continuously vary the methods used to disguise an attack and employ different levels in the network traffic to deliver malicious payload to a network without detection.
So which networks are most at risk? The risk of falling victim to an AET attack is not the same in all companies or networks. The seriousness of the threat depends on multiple factors: companies whose data is extremely valuable to cyber criminals are most at risk, while outdated IT infrastructures, rigid security architectures and high-maintenance systems make it easier for hackers to access the network with the aid of AETs.
This is especially true for industrial networks. In these networks, the topology often makes system security more difficult. To a certain extent, administrators cannot use strict segmentation and firewall rules due to dynamic and poorly planned network services. In some industrial networks it may not be possible to install all the necessary operating system updates because outdated software and protocols are being used.
The multitude of patches and new versions of operating systems and applications along with their compatibility requirements prevent such systems from being kept up to date with the latest security developments on a regular basis. Furthermore, cloud computing environments are particularly attractive to hackers. A single successful attack allows them to access the data of a great many different companies.
So far, there is no way to fully protect systems against AETs. In order to do this at all, it must be possible to update security solutions quickly and at any time. Once new AET variants have been announced, software-based IPS and firewall systems can be automatically updated to the state of the art and corresponding patterns of disguise stored.
For the most part, static hardware-based solutions are currently being used as network security systems. Updating these systems flexibly is extremely difficult in light of rapidly changing threat patterns, it is also time-consuming and cost-intensive to update these systems.
A flexible response to new AET variants is virtually impossible, and network security cannot be guaranteed. Flexible, software-based security systems, combined with a central management function, therefore currently offer the best protection against AETs. Thanks to the software-based technology, updates can be loaded at any time and configuration work carried out easily.
Companies should also use IPS systems that check the data traffic for unknown malicious code patterns as the functions of a conventional IPS, such as fingerprinting and signature-based matching, which are typically used to guard against attacks, do not work with AETs.
To detect and protect against AETs, security systems must offer additional ways to check the data traffic, such as data packets that were not received by the end host or protocols that can be encrypted in different ways. The mechanism for implementing these additional checks is called normalisation. Security devices that can perform extensive multi-layer normalisation processes will interpret and fully re-assemble data packets in the same way as the end host. They will take into account all the relevant protocol layers for each connection. This reduces the danger of data packets that do not conform to the classic rules of the internet protocol being able to sneak into the network undetected.
There are some additional measures that help to offer the best possible precautions against AETs. Companies should learn as much as they can about AETs and the new dangers and analyse their risks: how are the critical infrastructure and handling of key company data organised? Where is this information currently being stored and is it backed up regularly?
In addition, timely patching of vulnerable systems remains one of the most effective measures against network attacks – both AET-disguised attacks and other types. While systems are not protected during the period in which the patches are being tested and provided, central network management systems help distribute new patches faster throughout the system.
It is also absolutely necessary to test the security system's anti-evasion functions in the company's 'real' network. Most security solutions on the market are only able to detect simulated, previously documented or predefined evasions in stable lab environments and often they are unable to protect a system's data against attacks that are disguised with unknown, dynamic evasions.
The actual performance of the security solution used can therefore be tested only by conducting regular tests under real-life conditions. On the whole, IT managers should remain critical and proactive and constantly look for better alternatives to the security solutions currently being implemented.
Ash Patel is country manager for UK & Ireland at Stonesoft