Emerging cyber threat: Evasion techniques that combine to conquer
Security company identifies a new batch of AETs for malicious exploits
SAN FRANCISCO — Stonesoft, the Finnish security company that announced last year the discovery of a new class of evasion techniques for malicious exploits, said it has found 124 new advanced evasion techniques that could allow attackers to steal silently through network defenses.
Advanced evasion techniques, or AETs, are combinations of simple evasion techniques that can be used to evade standard security tools, such as intrusion detection and prevention systems, that might detect a stand-alone trick. Because they can use multiple combinations of simpler components, there are hundreds of thousands — if not millions — of potential AETs, said senor security architect Mark Boltz.
“The additional 124 [AETs] that we have discovered are just the tip of the iceberg because of the possibilities out there,” Boltz said.
The value of identifying 124 new AETs is not so much to create defenses against them but to raise awareness of what Stonesoft says is a significant new threat that has not been adequately addressed.
Hackers may have advanced evasion techniques
“It allows the community to look at how well our architecture is addressing the issue,” Boltz said.
Stonesoft announced the new AETs at the RSA Security Conference being held this week. The new techniques have been given to the Finnish Computer Emergency Response Team, which is coordinating the global response, the company said.
The company began researching this subject in 2009 as part of an effort to see how well its own products responded to evasion techniques. It found that some combinations were able to slip through undetected, and it identified 23 AETs for which tools from other companies also were vulnerable.
“Evasion techniques have been around for quite some time,” Boltz said. “What’s new is that we have demonstrated that if you combine different evasions you make the whole thing more effective. The combinations have a cumulative effect. They protect each other as well.”
Evasion techniques manipulate TCP/IP protocols that underlie the Internet and other IP networks, using tricks such as packet fragmentation and TCP segmentation. Breaking up an exploit and putting it into packet fragments, for instance, can confuse intrusion prevention systems. But the packets will be reassembled by the host device being attacked.
“The IPS doesn’t like to reassemble the packets, and they don’t necessarily have the ability to interpret how the target is going to interpret it,” Boltz said.
This simple technique could be easily defended against, but other techniques can work anywhere throughout the TCP/IP stack, so the combinations built into AET can thwart most defenses. Because of the vast number of possible AETs and the ease of making small changes in them, signature-based defenses are not adequate.
There is no single solution to the threat, but “the problem can be fixed,” Boltz said. What is needed is better normalization of TCP/IP traffic by network defenses to strip away the evasive tricks and expose the exploits. Progress should be possible through upgrades of current products without requiring wholesale replacement of the security infrastructure, he said.
“It’s only a matter of time before people start engineering these techniques into their attacks,” he said.
Attacks using AETs have not yet appeared in the wild, Boltz said. “Not that we’ve found. But we wouldn’t necessarily know.” About 20 percent of system breaches studied by researchers are not attributed to known attacks, he said, "so maybe they are already out there.”
William Jackson is a senior writer of GCN and the author of the CyberEye blog.