The way forward for monitoring and inspection
The way forward for monitoring and inspection

There are methods for attacking networks that even cutting-edge security systems cannot detect, and Advanced Evasion Techniques (AETs) are one example.

The special features of AETs are the nearly infinite ways in which they can be combined to disguise attacks. As a result, they differ markedly from already-known evasion techniques.

The first part of our article series demonstrated that evasions have long been known as a way to disguise malware. So far, they are limited to only a few techniques against which most security systems offer adequate protection.

In 2010 however, Stonesoft discovered a new kind of evasion in its test lab: the so-called Advanced Evasion Techniques.

Various tests on Stonesoft's own products demonstrated that there are many more ways to circumvent an Intrusion Prevention System (IPS) or a firewall using evasion techniques, and even to cause the security systems to crash. The researchers used special low-level tools, including TCP/IP stacks.

The special feature of the protocol packets is that they are modified in such a way that their sending behaviour is much more flexible than required by conventional, standard operating systems. This deviation from the IP rules alone led the researchers to discover far more evasions than were previously known. Tests using modern IPS and similar devices of different manufacturers confirmed that these new types of evasions can successfully circumvent security systems.

Shortly after making its discovery, Stonesoft reported the AETs to the Finnish security agency, CERT-FI, and made their patterns of AET data packets (traffic packets) available. It is the agency's job to notify IT security providers around the world of new threats so that they can develop security mechanisms in time. After testing the different patterns, the CERT-FI issued a security alert.

Testing with ICSA Labs confirmed that most security systems cannot detect attacks that have been disguised by AETs and that they present a serious danger to networks.

In the meantime, Stonesoft has begun using an internally developed test generator, the Predator 3.0, to further research the different AET methods. Since the tool can execute more than two septendecillion (55 zeros) different attacks, the possible combinations of the new evasion techniques appear to be nearly limitless.

AETs are usually based on the principle of de-synchronising monitoring systems that observe the data traffic from the perspective of the end host. A data packet is modified in different ways so that the security system no longer detects the malicious code contained in the packet and allows it to enter the network.

It also does not leave any traces behind in the log files, which could alert the administrator to a possible attack. Once the end host has interpreted the data stream, the attacks are released.

For example, the signature for the work ‘attack' is stored in an IPS and identified as malicious code. If the security system detects this word in the data traffic, it will interrupt the connection to the network.

However, if the word is divided between two different data packets: with ‘att' in one packet and ‘ack' in the other one, the IPS will no longer see the malicious code and allow the fragments to pass. However, the host re-assembles the word when it interprets the packet and the ‘attack' has ultimately arrived at the target system.

Unlike conventional evasions, AETs combine diverse methods to disguise a malicious code. At the same time, they use different levels within the network traffic, including the IP and transport levels (TCP, UDP) and application layer protocols, including SMB (server message block) and RPC (remote procedure call).

For example, an AET combines IPv4 fragments from 8-byte data packets with 2-byte TCP segments and SMB protocols with one byte of data per message. Or each IPv4 packet contains random data fragments and is sent twice.

At the same time, the IPv4 selection field contains an ascending number, for example 0x00000001 in the first packet, 0x00000002 in the second packet, etc so an IPS may detect an 8-byte data fragmentation as an evasion. However, combined with the additional methods of disguise on the different levels of the network traffic, the malicious code becomes invisible.

The possible AET variations are so numerous that they can no longer be detected by an IPS after only slight variation in, for example, the number of bytes. A simple computation example will clarify this: as few as six known evasion techniques on the IP level would yield as many as 64 direct possible combinations.

With 16 different TCP-based evasions, this figure would rise to 65,536. Combined, this would result in more than one million different variants. Due to these dynamics, conventional security mechanisms such as protocol analysis and signature recognition are no longer effective.

Fingerprint updates cannot cover all possible combinations, security patches are virtually rendered ineffective and in most IPS systems, the inspection of data traffic is limited exclusively to the IP or transport level. As a result, these systems cannot detect AETs that move on the level of the application protocols, for example.

AETs can also deceive firewalls. This involves altering a data packet with malicious code so that it meets all criteria of the stored security rules. The examples described here for AETs are quite simple. However, far more complex combinations exist, which can even cause the security mechanisms to crash.

Attacks involving AETs are complex and require extensive knowledge. When used effectively they offer cyber criminals a ‘master key' for accessing any vulnerable system. Once the attacker has penetrated the network undetected, they can usually look around undisturbed for a security vulnerability.

An AET slips the necessary malicious code past the IPS, which is actually supposed to be protecting the server between maintenance windows, without the IPS noticing.

Even networks of large companies and organisations are vulnerable to the new threat. Government agencies, banks, military facilities and large corporations contain the very data that professional hackers covet. The complex use of an AET therefore pays off for well-organised cyber criminals, with the cost often less than developing a new virus.

AET also pose a new risk for cloud providers. Cloud computing environments are an especially attractive target for the use of AETs, since a successful attack can be used to monitor or steal the data of a large number of companies.

Hackers today can circumvent 99 per cent of the conventional network security systems with the aid of AETs. There is still no long-term solution available on the market that offers full protection against dynamic attack methods. Nevertheless, companies can take precautionary measures to prevent AET attacks.

Ash Patel is country manager for UK & Ireland at Stonesoft

The third and final part of this series will be published next week and will look at protection and preventive measures against AETs.