Advanced evasion techniques (AETs) pose a new challenge to network security systems as, in contrast to known evasions, they combine and modify methods to disguise an attack or malicious code.
This allows them to smuggle attacks into the network, attacks that are not detected by virtually all network security solutions. The specific risk associated with AETs is the almost limitless number of combination options employed by them.
According to current estimates, there is a ratio of 2:310 different AET variants that can be used by hackers to disguise an attack. This is beyond the capacities of the currently proven protection mechanisms of intrusion prevention systems or firewalls, which are no longer effective. While there is still no comprehensive protection against AETs, it is possible to secure networks on a preventative basis with different measures.
Evasions refer to methods used by hackers to disguise or modify malware in order to funnel it into networks without being detected. In the case of simple evasions and AETs, the protocol suite TCP/IP plays a central role in this regard.
It goes back to the IP standard RFC 791 and defines a liberal receiving pattern with a conservative sending pattern. Normally, only error-free data packets can be sent, while the system accepts all incoming data packets that can be interpreted by the end system. Therefore incoming data packets can feature different formats, but are always interpreted in the same way.
This liberal approach is based on the notion that interaction between different systems should be as reliable as possible. At the same time, this approach also opens the door to attacks and/or methods used to disguise attacks.
This is because different operating systems and applications display different behaviour when receiving data packets, which can lead to a situation in which an IPS does not detect the original context of the data packet and interprets the data flow differently from the target host.
This process is called ‘status desynchronisation' and it is also the starting point for evasion techniques and AETs, which use status desynchronisation to create data packets that appear normal and secure, and are only identified as an attack when they are interpreted by the end system. But by then, the malicious code is already in the network.
Just as conventional evasion techniques, AETs also start with the ‘status desynchronisation' method, but they act differently from simple evasions by constantly varying and combining the methods used to disguise an attack and also alternate the levels in network traffic.
Initially, testing identified the possibility of attacks using AETs particularly at the IP and transport level (TCP, UDP) and for application-layer protocols such as SMB and RPC. Therefore they were initially assessed as a mainly internal threat while AETs for different protocols, such as IPv4, IPv6, TCP and HTTP, were also discovered in the autumn of 2011.
If AETs use the HTTP protocol layer (Port 80), hence the internet, they can also deceive firewalls and smuggle malware into the network via web data traffic. This means that hacker attacks using AETs are a particularly serious threat for cloud computing environments, but also for any company whose applications and data are connected to the internet.
The new IPv6 internet protocol also offers AETs new ways of disguising attacks at the protocol or transport level; the new internet protocol requires further compromises regarding the definition of what a regular data packet must look like in order to ensure seamless communication.
Due to the required compatibility with IPv4, target systems must be more tolerant than previously when interpreting incoming data packets. This increases the leeway for AETs with regard to disguising malware programs. Another hindering factor is the current lack of comprehensive experience values with IPv6.
Devices that inspect data traffic generally work with protocol analysis and signature detection. This means that an IPS system must already be familiar with an attack pattern in order to avert it; this is extremely difficult considering the huge number of potential AETs.
It is true that the corresponding detection methods are generally added to the devices a few days after the discovery of a new IT threat. In addition, existing analytical functions also make it possible to detect and ward off malware programs that are similar to already-known malware.
Sometimes all that is required is a minimal change in the number of bytes, and the AET variant is no longer similar to any of the attack patterns filed in the IPS system. As a result, the security system does not recognise the malicious code encrypted within the AETs and lets it enter the network without any impediments. The attacker can then freely move around the system to look for a possible weak spot or a non-patched server.
Therefore the work mechanisms of IPS systems must take into account more than the characteristics of known malicious code patterns if they are supposed to detect attacks disguised with AETs. Security applications that are required to compare attack signatures received by the target host with already-known signatures are not able to take into account each single packet in the network traffic.
It is not sufficient to sort all packets in the right sequence and re-assemble all fragments. For this reason, the classic IPS functions such as fingerprinting or signature-based detection, which are generally used to protect against exploits, do not protect against AETs.
Security systems therefore must include additional options for inspecting data traffic. These additional controls can be implemented with normalisation, and security instruments that are capable of implementing comprehensive multi-layer normalisation processes interpret data packets and completely re-assemble them. In addition, they take into account all relevant protocol layers for each connection. This reduces the risk that data packets that do not behave according to the rules of RFC 791 can bypass security systems without detection.
Networks should also be protected with flexible and software-based security systems that can be adjusted to the quickly changing attack patterns of AETs more easily and quickly than hardware-based solutions; we also recommend the use of a management system.
The extent to which AETs are already being used for targeted attacks on networks cannot be said with certainty. Because AETs do not leave any trace, attacks are generally only discovered once the malicious code has already entered and spread in the network, but then it is no longer possible to tell which evasion technique was used to allow the malicious code to bypass the security systems.
Current test results indicate that some AETs are relatively easy to handle, which makes it likely that hackers are already using them while, in contrast, others are very complex and their use requires considerable financial resources and comprehensive technical know-how.
Such resources and know-how are available to organised cyber criminals acting out of economic or political interests. Therefore attacks disguised with AETs pose a particular threat to the sensitive data of large companies, government agencies or banks.
Ash Patel is country manager for UK & Ireland at Stonesoft