Advanced evasion techniques under the microscope

Opinion by Dan Raywood

Late in 2010 Stonesoft warned of how attackers are using 'advanced evasion techniques' (AET) to bypass firewall and intrusion prevention solutions (IPS). Looking further into this issue, Joona Airamo, chief information security officer with Stonesoft, looks at how the threat can be neutralised.


Whilst the internet has become a near-universal communications medium, just as the analogue landline telephone did in the last century, its rapid ascension in terms of a global user base has meant some inherent security features are lacking.

Put simply, the implementation of the Internet Protocol (IP) in most instances is open and insecure. This is why most organisations make use of sophisticated IT security appliances and systems software to defend their digital data assets. These protective platforms are usually built around a base layer of an intrusion detection system (IDS) and/or intrusion prevention system (IPS) architecture in its many shapes and forms.

However, the insecure nature of the IP standard, most notably the structure of the packet header and the packets themselves, means that a malformed header and/or set of packets can subvert the methodical nature of most IDS/IPS defence systems, no matter how sophisticated or evolved the platform is.

This type of subversion has come to be known in IT security as AET, and our supposition here at Stonesoft is that, without a highly advanced and heuristic set of security overlays, most conventional IT security defences can be compromised using AET methodologies. Contrary to what you may have heard, AET is not that new, even though some of its hacker-driven implementations are.

As a cracker attack vector, AET dates back to the late 1990s when two security researchers, Tim Newsham and Thomas Ptacek, released a whitepaper explaining how all current IDS systems could be beaten.

The paper, entitled 'Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection', identified two basic problems with passive IP analysis. The first is that there is rarely enough information available from the IP data stream itself to work out what is actually happening on a network machine.

The second problem is that, since even the latest IDS-based IT security systems are passive, they are inherently 'fail-open', meaning that a compromise in the availability of the IDS does not also compromise the availability of the network.
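The first problem described above can be shown with overlapping segments: a passive sensor sees every copy of a byte range but cannot know which copy the destination host will keep, so a normaliser-style check should flag any overlap whose bytes disagree. This is an added example, not code from the article or from Stonesoft; the (offset, data) segment model, the function names and the sample data are constructed for illustration.

```python
def reassemble(segments, policy):
    """Rebuild a byte stream from (offset, data) segments.

    policy "first" keeps the first byte seen at an offset, "last" keeps the
    most recent one. Real hosts differ on this choice, which is the ambiguity.
    Assumes the segments leave no gaps in the stream.
    """
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream))


def conflicting_overlaps(segments):
    """Return the sorted offsets at which two segments carry different bytes."""
    seen, conflicts = {}, set()
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def inspect(segments):
    """Sensor verdict: both candidate streams plus an ambiguity flag to alert on."""
    conflicts = conflicting_overlaps(segments)
    return {
        "first_wins": reassemble(segments, "first"),
        "last_wins": reassemble(segments, "last"),
        "ambiguous": bool(conflicts),
        "conflict_offsets": conflicts,
    }


# Constructed sample data: an identical retransmission is harmless,
# a retransmission with different content is not.
CLEAN = [(0, b"hello "), (6, b"world"), (6, b"world")]
AMBIGUOUS = [(0, b"hello "), (6, b"world"), (6, b"WORLD")]

if __name__ == "__main__":
    for name, segs in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(name, inspect(segs))
```

A sensor that matches signatures against only one of the two candidate streams inspects data the destination may never process, which is why the conflict itself is the event worth alerting on or normalising away.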

Despite this evolution, our observations suggest that most of the evasion techniques our researchers spotted 12 years ago are still with us today, even though considerable advances have been made in the IT security space.

The problem with even the latest and most evolved IDS/IPS platforms is that, like reactive firewalls and almost all IT security solutions available today, they use a vector analysis technique to detect digital threats, despite the fact that AET-driven attacks can avoid this method of detection.

The situation is arguably made worse by the fact that most modern IT security platforms place such reliance on the IDS aspect of their defences that previously detectable security flaws can be exploited by criminal hackers using a simple obfuscation (hiding) technique.

Obfuscation is central to the wave of SQL injection and iFrame attacks that started a few years ago and is commonly used by criminals wanting to attack business web servers and sites in order to infect visitors to those sites with malware.

The problem that obfuscation presents IT security professionals is that conventional heuristic analyses, used for so long to detect the presence of malware executables, can be circumvented.

Some media professionals have likened AETs to the continuing problem of Advanced Persistent Threats (APTs), but there are no direct similarities: whilst AETs can be used to deliver the payloads needed to perform an APT-style attack, the two are not directly linked. This is because AETs are simply a methodology used to deliver a payload, rather than the malware payload itself.

Despite being 'only' a methodology, our belief is that AETs present a clear and present danger to the digital data assets of most organisations. The reason for this is that the IP packet structure is so fundamental to modern networking that any attack vector that deviates from the known structure is far more difficult to detect.

If one thinks of the IP structure like a railway line, it is relatively easy for an automated signalling system to detect the mass and speed of the train as it enters a stretch of line. From that data, the signalling system can make an accurate assessment as to what the train is, which schedule it belongs to and where it is headed.

AET attack vehicles use malformed packet headers and data streams, combined with obfuscated code calls, and the conventional IDS security platform cannot detect their presence, so the attack code passes into the IT resource unseen.

What if the IT resource only allows whitelisted code execution on the platform? Then AETs will be stopped, right? Wrong. Since the IP code does not adhere to normal IP standards, it can pass through conventional IP network gates, and only when it is inside does it make the necessary code call, which could be to trigger a conventional software element with a known vulnerability.

This consequential and hybridised attack vector means that a near-invisible stream of AET-driven IP packets can cause havoc on a company's IT resource, leaving little or no audit data trail that can be forensically traced.

According to Peter Wood, CEO of First Base Technologies, which specialises in corporate penetration testing, IDS platforms have one other inherent weakness: the human element. He said that many companies view IDS/IPS platforms as a 'magic bullet' form of security that is installed and then forgotten about.

Since few organisations have the budget and facilities to monitor a good IDS platform on a 24/7 basis, they often do the only 'logical' thing and turn the alerting system off. This, he said, is what his team has actually seen happen on one client's IT system.

As any IT security auditor will tell you, the human element is what often causes the most data breaches. A good IT security platform, however, can supply the backdrop to a well-trained IT department. That is no lie.

