Analysing industry reactions to AETs
Analysing industry reactions to AETs

Advanced Evasive Threats (AETs) have come a long way since our research team here at Stonesoft went public on the security problem in October of 2010.

Initially our industry gave the subject a sceptical reception, with one article saying that the initial batch of AETs our research teams had spotted were an ‘obscure class of packet-based probing at the ground level of the TCP/IP stack'.

Since those early days, however, the discussion surrounding AETs has evolved considerably and computer emergency readiness teams (CERTs) have joined the fray in warning about the problem. Since then several vendors have attempted to develop their own technology solutions to address the serious threat that AETs pose.

But we are – as an industry - still at an early stage in our understanding of this new attack vector. There are clear parallels between the evolution of our knowledge of AETs and the situation the IT industry was at regarding worms, viruses and other malware back in the late 1980s when PC operating systems were very much in their formative stages.

The difference today is that the pace at which our understanding is evolving - and therefore the industry's ability to counter the threat that AETs pose - is a lot more rapid.

Whereas it took from 1971 when the Creeper virus first appeared on the Arpanet to the development of Elk Cloner 10 years later in 1981 - the first malware to create a performance degradation - our understanding of AETs has grown immensely in the last 18 months.

In fact, when you look at the timetable of malware evolution and the gap between the Brain virus being spotted in 1986 and IBM's first VirusScan software being released in 1989, it's clear that the IT security industry of the late 1980s took some time to reach the stage where coders could develop defences against a new and developing IT security threat.

Even though it's only been around 18 months since the topic of AETs first burst upon the security scene, several of our colleague vendors in the IT security space have been talking about the attack vector for some time – and in some cases attempting to develop a number of solutions.

Our observations suggest that just as with the evolving security threat landscape of the late 1980s and early 1990s, many of the AET `security solutions' we have seen are relatively static in their defence strategies. This means that as the AET attack vector evolves, these solutions are unable to maintain their effectiveness.

This is perhaps understandable, given the fact that AETs are, by definition, an attack technique that changes over time as new technologies arrive in the IT marketplace. Also as cyber criminals come up with new and more complex attacking strategies, something still needs to be done in order to better defend company IT resources against the AET threat.

Just as with the anti-virus industry of the late 1980s and early 1990s, the security technology that was required to better defend against the latest generation of malware evolved from an anti-virus base into a broader IT security category of defences, so AET defences and remediation processes need to undergo a similar evolution.

The evolution of AET attack vectors is something that Stonesoft's labs monitor all the time, as even relatively simple changes to an AET – such as changing the byte size and segmentation offset – allow them to bypass a given static security product's detection capabilities.

More than anything, this demonstrates that most vendors are only providing temporary and inflexible fixes to the growing AET concern, rather than researching and solving the fundamental architecture issues that cause these vulnerabilities.

This need to research and solve the architecture issues was demonstrated at the Infosecurity Europe show back in April of this year when a panel session hosted by Stonesoft discussed a real-world attack session using our Predator software to insert a Conficker worm infection into a remote server that was defended using a mainstream IT security appliance technology.

In the session, Alan Cottom, Stonesoft's UK head of technical, explained to his audience that the demonstration could be replicated using most IT security software in the industry.

Cottom then went on to show a Conficker worm insertion between Stonesoft's labs server and a remote test server – both on an unprotected basis, and then with a leading third party firewall appliance in place. Both times the worm was successfully inserted and when Stonesoft's technology was used, the infection was blocked and logged. This reveals a weakness in many vendor's capabilities at protecting against AETs.

Cottom told his audience that it was worth noting that whilst some IT security defence systems generate logs showing they had blocked an attack, the infections were often successful.

“I'll leave you to draw your own conclusion on which is better: not to know you have been infected or to think you have blocked an infection and actually be infected,” he noted.

The Infosecurity Europe show demonstration showed that there is clearly more to the AET threat than meets the eye - extensible code and evolving threats mean that today's real world solutions need to be multi-layered and adaptable.

Simply claiming that a given IT security product defends against AETs is no longer going to cut the mustard in today's security landscape – just as with the threat landscape of the late 1980s, the practical solutions needed to defend corporate IT resources need to be both adaptive and flexible.

Joona Airamo is CISO at Stonesoft