Stonesoft Advanced Evasion Techniques
True Story. Stonesoft security researchers in the outskirts of Europe discovered that there are millions and millions of ways to bypass the most advanced and leading network security solutions without leaving any traces or alerts on management systems. Being a good citizen, Stonesoft has publicly reported hundreds out of those millions and millions. But that is only the tip of the iceberg: “do the math” yourself. BITTERSWEET DISCOVERY. Those ways are called Advanced Evasion Techniques (AETs). See more at: aet.stonesoft.com
Story in a Nutshell: thinking the unthinkable.
• Failed in NSS group tests
• Dedicated evasion research team started
• Creation of automated tools and setting up a test lab to ease product testing
• Discovery of Advanced Evasion Techniques
• Test run against all the leading IPS and NGFW products: 99% ineffective
• Communicating through CERT to other vendors and finally in public
Our research idea was very simple: “to break all the principles and rules in sending and receiving data”. Just like hackers do!
Advanced Evasion Techniques (AETs)
• What are they?
• Any technique used to engineer a network-based attack in order to evade and bypass security detection.
• What makes them advanced?
• A combination of evasions working simultaneously on multiple protocol layers
• A combination of evasions that can change during the attack
• Carefully designed to evade inspection
• Typically, AETs are used as part of Advanced Persistent Threats (APT)
• APT = motivation
Advanced Evasion Techniques disguise cyber attacks, malicious payloads and exploits so that they look normal and safe when the security device inspects the data traffic. The number of AETs is virtually limitless, because they can be combined, varied and modified dynamically. Everything looks safe and normal when evasions are used and the security device is not anti-evasion ready.
• AETs can breach sensitive data
• AETs can ruin brand reputation
• AETs can cause financial losses
• AETs can harm business continuity
• AETs can risk critical infrastructure
• AETs can risk national security
As long as there is a vulnerable target (and there always is), advanced evasion techniques can deliver any known or unknown (zero-day) exploit to it. And nobody knows it. So why worry? Currently AETs work as a master key that security vendors DO NOT HAVE.
Industry Blind Spot: why is this possible?
Evasion Research so far… (1997, 1998, 2001)
• Comprehensive description of attacks by Ptacek and Newsham
• Article in Phrack Magazine describes ways to bypass network intrusion detection
• The seminal text on attacks against IDS systems appeared in 1997
• Stonesoft starts to design multilayer normalization capabilities in its IPS
Evasion Research so far… (2004, 2006, 2007)
• Handley and Paxson suggest normalization
• Gorton and Champion suggest combinations
• Moore and Caswell discuss evasions at Black Hat
Evasion Research so far… (2007, 2009, 2010)
• Stonesoft’s evasion research starts
• NSS test results boost evasion research
• First version of the evasion testing tool with 12 non-stackable evasions
• Tests expanded against all leading security devices
• Dedicated team starts testing Stonesoft with the automated evasion tools
Evasion Research so far… (2010, 2011, 2012)
• June 2010: First 23 AETs reported to CERT for global vendor remediation
• Oct 2010: Public announcement of Advanced Evasion Techniques and the evasion threat
• Oct 2010: Knowledge and awareness of evasions spreads
• Dec 2010: CERT coordination process ends. Vendors remain silent about their remediation.
• Feb 2011: 124 new AET evasions reported
• Mar 2011: 180+ stackable and combinable evasions in the testing framework
Evasion Research so far… (2011, 2012, …)
• Stonesoft delivers AERT tools to many of the leading security vendors and test labs
• May 2011: Stonesoft introduces the first commercial version of the Anti-Evasion Readiness Test for other security vendors, test labs and organizations
• A UK cyber forensics team and a leading computer science university verify the existence of evasions in reality, and Stonesoft signs a collaboration agreement with the university to start academic research
• Stonesoft publishes a whitepaper on how the company’s technology differs from others and launches the new aet.stonesoft.com site
Justified question: why is this possible? Design flaws.
• It has been an industry blind spot or ignorance
• Speed and the false-positive problem used to be sales obstacles, and that led to a pure-speed, minimized-inspection orientation
  > the industry sacrificed security
• Speed and some security functionalities were built on hardcoded security
  > impossible to dynamically update and evolve
• Current technologies are 15 years old and were designed during the era of “we-know-the-threat-and-that’s-why-we-can-deal-with-it”
  > leading to pattern-matching and signature-based detection only, not truly understanding the BIG picture of the data stream
In the era of unknown and uncertain threats, signatures alone will not work!
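The last point above is the crux of the page’s argument: a sensor that matches signatures on each packet in isolation never sees the data the way the receiving host will process it, which is exactly what multilayer normalization (mentioned in the research timeline) is meant to fix. The following is an added illustration, not Stonesoft’s code or tooling; the signature, the sample HTTP request and its segment layout are constructed for this example. It shows a toy signature matcher missing a request that is only segmented out of order at layer 4 and percent-encoded at layer 7, and the same signature matching once the stream is reassembled and normalized first.

```python
import re
from urllib.parse import unquote

# Constructed example signature: the sensor looks for a request to one path.
SIGNATURE = re.compile(rb"GET /cgi-bin/evil\.sh")

# Constructed TCP-like segments (sequence offset, payload) of one HTTP request.
# Two evasions are stacked: the request is split mid-token and delivered out of
# order (layer 4), and one byte of the path is percent-encoded (layer 7).
SEGMENTS = [
    (9, b"bin/%65vil"),
    (0, b"GET /cgi-"),
    (19, b".sh HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def match_per_segment(segments):
    """Signature-only sensor: inspects each segment as it arrives, in isolation."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments):
    """Layer 4 normalization: order segments by sequence offset and join them,
    keeping the first copy of any retransmitted bytes (assumes no gaps)."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq < len(stream):                 # overlap with bytes already seen
            payload = payload[len(stream) - seq:]
        stream.extend(payload)
    return bytes(stream)


def normalize_http(stream):
    """Layer 7 normalization: decode percent-encoding in the request line so
    the sensor sees the path the way the web server will interpret it."""
    request_line, sep, rest = stream.partition(b"\r\n")
    decoded = unquote(request_line.decode("latin-1")).encode("latin-1")
    return decoded + sep + rest


def match_normalized(segments):
    """Anti-evasion sensor: normalize every layer first, then match."""
    return bool(SIGNATURE.search(normalize_http(reassemble(segments))))


if __name__ == "__main__":
    print("per-segment match:", match_per_segment(SEGMENTS))   # False
    print("normalized match: ", match_normalized(SEGMENTS))    # True
```

The same signature is used by both sensors; only the normalization step differs, which is why the page insists the fix is a design change rather than more signatures.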
We claimed: businesses are driving without seat belts! …And we can show and prove it to anybody!
For the record… Meanwhile other security vendors keep radio silence!
Off the Record
• Some are acquiring anti-evasion technology and knowledge from Stonesoft
• Some are focusing on surviving the next public tests
• Some are doing workarounds and quick fixes
• Some are downplaying the threat and risks if they are asked directly
• Some are protecting their business at the expense of customers
• Some have truly started to investigate their design flaws
• Some ignore it and do NOTHING!
Meanwhile other security vendors are saving their business.
Reality.
[Chart: Palo Alto’s HTML evasion protection, 100% as marketed vs. 33% as tested by NSS (NGFW, 2011)]
NOTE! In this particular test only simple, known and well-documented evasions were used. What happens if more advanced evasions hit this security device?