Stonesoft ADVANCED EVASION TECHNIQUES-. BITTERSWEET DISCOVERY Those ways are called as: ADVANCED...


Transcript of Stonesoft ADVANCED EVASION TECHNIQUES-. BITTERSWEET DISCOVERY Those ways are called as: ADVANCED...

Page 1: Stonesoft ADVANCED EVASION TECHNIQUES-. BITTERSWEET DISCOVERY Those ways are called as: ADVANCED EVASION TECHNIQUES- AETs See more at: aet.stonesoft.com.

Stonesoft ADVANCED EVASION TECHNIQUES-

Page 2:

BITTERSWEET DISCOVERY

Those ways are called: ADVANCED EVASION TECHNIQUES - AETs

See more at: aet.stonesoft.com

TRUE STORY

Stonesoft security researchers in the outskirts of Europe discovered that there are millions and millions of ways to bypass the most advanced and leading network security solutions without leaving any traces or alerts on management systems. Being a good citizen, Stonesoft has publicly reported hundreds of those millions and millions. But that is only the tip of the iceberg: “do the math” yourself.

Page 3:

Story In a Nutshell

Our research idea was very simple:

“to break all the principles and rules in sending and receiving data”

Just Like Hackers Do!

THINKING UNTHINKABLE.

Failed in NSS group tests

Dedicated Evasion research team started

Creation of automated tools and setting up a test lab to ease product testing

Discovery of Advanced Evasion Techniques

Test run against all the leading IPS and NGFW products. 99% ineffective

Communicating through CERT to other vendors and finally in public

Page 4:

Advanced Evasion Techniques (AET)

What are they? Any technique to engineer a network-based attack in order to evade and bypass security detection.

What makes them advanced?

Combination of evasions working simultaneously on multiple protocol layers

Combination of evasions that can change during the attack

Carefully designed to evade inspection

Typically, AETs are used as part of Advanced Persistent Threats (APT)

APT = motivation

Page 5:

Advanced Evasion Techniques disguise cyber attacks, malicious payloads and exploits so that they look normal and safe when the security device inspects the data traffic. The number of AETs is virtually limitless, since they can be combined, varied and modified dynamically.

Everything looks safe and normal when evasions are used and security devices are not anti-evasion ready.

Page 6:

…but this can be reality.

Page 7:

So why worry?

AETs can breach sensitive data

AETs can ruin brand reputation

AETs can cause financial losses

AETs can harm business continuity

AETs can risk critical infrastructure

AETs can risk national security

As long as there is a vulnerable target (and there always is), advanced evasion techniques can deliver any known or unknown (zero-day) exploit to it. And nobody knows it.

Currently AETs work as a Master Key that security vendors DO NOT HAVE.

Page 8:

Industry Blind Spot: WHY IS THIS POSSIBLE?

Page 9:

Evasion Research so far…

1997: Comprehensive description of attacks by Ptacek and Newsham; the seminal text on attacks against IDS systems appeared in 1997.

1998: Article in Phrack Magazine describes ways to bypass network intrusion detection.

2001: Stonesoft starts to design multilayer normalization capabilities in its IPS.

Page 10:

2004 2006 2007

Evasion Research so far…

Moore and Caswell discuss evasions at Black Hat

Gorton and Champion suggest combinations

Handley and Paxson suggest normalization

Page 11:

Stonesoft’s Evasion research starts

Tests expanded against all leading security devices

Dedicated team starts testing Stonesoft with the Automated Evasion tools

NSS test results boost evasion research

First version of evasion testing tool with 12 non-stackable evasions

2007 2009 2010

Evasion Research so far…

Page 12:

2010 2011 2012

Evasion Research so far…

Mar 2011: 180+ stackable and combinable evasions in the testing framework.

Feb 2011: 124 new AETs evasions reported

Dec 2010: CERT coordination process ends. Vendors remain silent about their remediation.

Oct 2010: Public announcement of Advanced Evasion Techniques and the evasion threat

Oct 2010: Knowledge and awareness of evasions spreads

June 2010: First 23 AETs reported to CERT for global vendor remediation

Page 13:

2011 2012 …

Evasion Research so far…

A UK cyber forensics team and a leading computer science university verify the existence of evasions in reality, and Stonesoft signs a collaboration agreement with the university to start academic research.

Stonesoft delivers AERT tools to many of the leading security vendors and test labs.

May 2011: Stonesoft introduces the first commercial version of the Anti-Evasion Readiness Test for other security vendors, test labs and organizations.

Stonesoft publishes a whitepaper on how the company’s technology differs from others and launches the new aet.stonesoft.com site.

Page 14:

Justified Question: Why is this possible? Design flaws.

It has been an industry blind spot, or ignorance.

Speed and the false-positive problem used to be sales obstacles, and that led to an orientation towards pure speed and minimized inspection

-> the industry sacrificed security

Speed and some security functionalities were built on hardcoded security -> impossible to dynamically update and evolve

Current technologies are 15 years old and were designed during the era of “we-know-the-threat-and-that’s-why-we-can-deal-with-it”

-> Leading to pattern-matching and signature-based detection only, not truly understanding the BIG picture of the data stream. In the era of unknown and uncertain threats, signatures alone will not work!
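The point made here and on page 4 (evasions spread across protocol layers, signature-only inspection, multilayer normalization as the remedy), as an added example that is not from the Stonesoft deck: a matcher that inspects each TCP segment alone misses a pattern that segmentation, reordering and retransmission spread over several segments, while a normalizer that reassembles the stream first still detects it. The signature, the segments and the first-copy-wins overlap policy are constructed for illustration.

```python
"""Added illustration (not Stonesoft's code): inspecting segments one at a
time vs. normalizing (reassembling) the TCP stream before signature matching.
The signature, the segments and the overlap policy are constructed here."""
from dataclasses import dataclass

SIGNATURE = b"SIGNATURE-X"   # constructed pattern an IPS would look for


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def naive_match(segments, signature=SIGNATURE):
    """Signature-only inspection: each segment is checked alone, in arrival
    order, with no memory of the neighbouring segments."""
    return any(signature in s.payload for s in segments)


def normalize_stream(segments):
    """Normalizer: reorder by sequence number, drop bytes already seen
    (first copy wins) and stop at a hole, so inspection sees the same byte
    stream the receiving host will reassemble."""
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > len(stream):
            break                        # missing segment: cannot continue
        already = len(stream) - s.seq    # bytes of this segment seen before
        if already >= len(s.payload):
            continue                     # pure retransmission / overlap
        stream += s.payload[already:]
    return bytes(stream)


def normalized_match(segments, signature=SIGNATURE):
    """Inspect the reassembled stream instead of the individual segments."""
    return signature in normalize_stream(segments)


def evasive_segments():
    """Constructed sample: the signature is split across two segments, the
    segments arrive out of order, and the first one is also retransmitted."""
    first = Segment(0, b"GET /index.html?q=SIG")
    second = Segment(21, b"NATURE-X HTTP/1.0\r\n")
    return [second, first, first]


if __name__ == "__main__":
    segs = evasive_segments()
    print("per-segment match:", naive_match(segs))        # False
    print("normalized match: ", normalized_match(segs))   # True
```

A device that only runs `naive_match` reports nothing for this traffic, which is the "everything looks safe and normal" outcome the deck describes; the same bytes are found once the stream is normalized.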

Page 15:

Déjà vu: Automobile safety in 1959 / Network security in 2010?

Status Quo: Before 1959 all the established automobile brands marketed that cars were safe, and users believed it and felt safe.

Before 2010 all the network security vendors marketed that their solutions offered a high level of protection, and organizations felt their digital assets were secured.

Disruption: Then came one Nordic brand, VOLVO, who claimed that current cars were not even close to safe and that innovations were needed.

Disruption: Then came one Nordic brand, STONESOFT, who claimed that current security solutions are not as secure as they should be.

Technology breakthrough: In 1959 they introduced the three-point seat belt.

Technology breakthrough: In 2010 they introduced Advanced Evasion Techniques and innovative technologies to fight back.

Claim: They claimed lives could be saved if all brands started adding seat belts to their cars. (Tested facts and reality)

Claim: They claimed governments, businesses and brands can be saved if their anti-evasion technologies are taken into use.

Industry Response: “This is marketing, extra costs, no relevance to safety, dangerous, uncomfortable, people won’t use it, theoretical only.”

Industry Response: Most kept silent and others claimed “This is marketing, we can fix this, only extra costs, no relevance to security, unproven, theoretical, not happening in reality.”

Bottom Line: Millions of human lives have been and will be saved.

Bottom Line: Organizations will be saved if the AET threat is taken seriously.

Page 16:

We claimed: Businesses are driving without Seat Belts!

…And we can show and prove it to anybody!

Page 17:

For the record…

“Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” – Jack Walsh, Program Manager

“If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.” – Rick Moy, President

“Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.” – Bob Walder, Research Director

“We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild. It is also very promising to see that Stonesoft is taking the threat posed by evasions seriously, as they have been overlooked by many in the past.” – Andrew Blyth, Professor of Glamorgan University


Page 18:

For the record… Meanwhile other security vendors keep radio silence!

Page 19:

Off the Record

Some are acquiring anti-evasion technology and knowledge from Stonesoft

Some are focusing on surviving next public tests

Some are doing workarounds and quick fixes

Some are downplaying the threat and risks if they are asked directly

Some are protecting their business at the expense of customers

Some have truly started to investigate their design flaws

Some ignore and do NOTHING!

Meanwhile other security vendors are saving their business.

Page 20:

Reality.

[Chart: Palo Alto’s HTML evasion protection, Marketed vs. Tested by NSS NGFW 2011; values shown: 33% and 100%]

NOTE! In this particular test only simple, known and well-documented evasions were used. What happens if more Advanced Evasions hit this security device??