Advanced evasion techniques (AETs) offer cyber criminals a virtually unlimited number of options for the undetected infiltration of networks with malware.
At this time, the market does not offer any solutions that provide full protection against AETs. However, companies can still implement a number of measures to achieve the best possible protection.
The first two parts of this series of articles focused on the history of evasion techniques and on the way AETs work. But how can companies protect themselves against attacks disguised with AETs? A number of specific solutions have to work together to achieve the best possible protection against attacks using AETs.
At two to the power of 180, the number of possible AETs is virtually endless. New variants of this evasion software are discovered on an ongoing basis. However, considering the almost limitless number of possible combinations, such discoveries merely represent the proverbial drop in the bucket.
It is therefore important that companies use IPS systems whose inspection of data traffic does not rely solely on fingerprinting and signature-based detection of the characteristics of known malicious code.
Advanced evasion techniques can only be recognised by security systems that provide additional ways to check data traffic. One example is a multi-layer normalisation process that takes into account data packets the end system will never actually receive, and protocols that can be decoded in more than one way.
IPS systems with this functionality are able to decode and reassemble data packets exactly as the end system does. This enables them to detect disguised malicious code more reliably and stop it before it gets into the network.
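As an added example that is not from this article or from any vendor's product, the Python snippet below shows why an IPS has to reassemble a TCP stream the same way the end host does: two overlapping segments (a constructed sample) yield different payloads under two common reassembly policies, so a signature check that assumes the wrong policy misses the pattern, while a normaliser that flags conflicting overlaps removes the ambiguity altogether. The segment contents, the policy names and the signature string are assumptions for illustration.

```python
"""Overlapping TCP segments: why reassembly policy matters to an IPS."""
from typing import Dict, List, Optional, Tuple

# (relative sequence offset, payload) in arrival order; constructed sample.
Segment = Tuple[int, bytes]
SAMPLE: List[Segment] = [
    (0, b"GET /EV"),            # first segment received
    (5, b"XXIL HTTP/1.0"),      # second segment overlaps offsets 5 and 6
]
SIGNATURE = b"EVIL"            # constructed signature the IPS looks for


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream under one of two overlap policies.

    policy="first": keep the byte from the segment that arrived first.
    policy="last":  later data overwrites earlier data.
    Real operating systems differ in which policy they apply, so the
    payload the end host sees depends on its TCP stack.
    """
    stream: Dict[int, int] = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))


def overlap_conflicts(segments: List[Segment]) -> List[int]:
    """Offsets where two segments carry different bytes for the same position."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def normalise(segments: List[Segment]) -> Optional[bytes]:
    """Return the stream only when no policy could change it; else None.

    A normaliser that refuses inconsistent overlaps does not need to guess
    the end host's policy: the ambiguous connection is flagged (or dropped)
    before the signature check runs.
    """
    return None if overlap_conflicts(segments) else reassemble(segments, "first")


def signature_seen(segments: List[Segment], policy: str) -> bool:
    """Whether a naive signature check under the given policy fires."""
    return SIGNATURE in reassemble(segments, policy)
```

With the sample above, a sensor assuming the "last" policy never sees the signature that a "first"-policy host would receive, whereas `normalise` reports the conflicting overlap at offsets 5 and 6 regardless of policy.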
In contrast to hardware-based solutions, such security devices focus on more than just the TCP/IP layer and are also able to capture other relevant protocol layers for each connection, including HTTP.
This greatly reduces the risk that data packets that do not conform to the classic rules of internet protocol can sneak into the network undetected. In addition, network performance can be maintained at a high level if the normalisation function is separate from the connection and signature check.
Only those security solutions that offer quick and flexible update options are able to provide protection against dynamic and quickly changing AETs. However, most companies use out-of-date hardware-based solutions to protect their networks, mainly for cost reasons.
These types of solutions have one serious disadvantage: they are static. Bringing them up to the current state of the art often takes a lot of time and is sometimes impossible altogether. For this reason, hardware-based solutions are not able to keep up with dynamic and quickly changing AETs.
Software-based intrusion prevention systems (IPS) and firewalls, on the other hand, can be brought up to date rapidly, including their inspection and normalisation functions, so newly discovered evasion patterns can be loaded into the IPS and firewall quickly. Software-based technology also makes it possible to apply updates at any time and roll out configurations with minimal effort.
The ability to gain rapid access to current security information is the only way administrators can quickly respond to attacks and roll out preventive protective measures for the entire system. Therefore software-based solutions should be combined with a central management solution.
Updates and security guidelines can be rolled out over the entire network in a centralised manner and across locations, if necessary via remote access, so that all applications and systems can be quickly protected against a new evasion variant if a new AET pattern is detected.
By using some additional measures, companies can also better protect their networks against attacks disguised with AETs. Because of the constant appearance of new AET variants, companies are advised to always keep an eye on this issue.
They should obtain information about AETs, analyse risks, further develop patch management and review the IPS solution.