New style of attack can slip past firewalls, prevention systems
- By William Jackson
- Oct 12, 2011
Researchers at Stonesoft, the Finnish security company that announced last year the discovery of a new class of evasion techniques for malicious exploits, say they have identified a new set of advanced evasion techniques that can be delivered to a network via port 80 HTTP traffic.
The finding means that advanced evasion techniques (AETs) can pass undetected by firewalls, which ramps up the threat posed by exploits using the techniques, said Brian Vosburgh, security solutions architect for Stonesoft.
“It’s not necessarily unexpected,” Vosburgh said of the new vector. “It expands the reach of AETs. It becomes a firewall issue, not just an intrusion prevention system issue.”
Vosburgh said the company has reported 163 new AETs to the Finnish Computer Emergency Response Team.
Advanced evasion techniques are combinations of simple evasion techniques that can be used to get around standard security tools, such as intrusion detection and prevention systems, that might detect a stand-alone trick. Because they can use multiple combinations of simpler components, there are hundreds of thousands — if not millions — of potential AETs. The value of identifying a few hundred possible technique combinations lies in raising the profile of the threat, Vosburgh said.
“It’s about driving industry to address traffic normalization,” he said.
The company says what is needed to counter this class of threats is better normalization of TCP/IP traffic by network defenses to strip away the evasive tricks and expose the exploits. Progress should be possible through upgrades of current products without requiring wholesale replacement of the security infrastructure.
Evasion techniques have been around for quite a while, and the company began researching the subject in 2009 as part of an effort to see how well its own products identified and responded to them. Stonesoft found that some combinations of techniques were able to slip through undetected and identified 23 AETs last year that tools from other companies also did not detect. It identified another 124 early this year.
The techniques manipulate TCP/IP protocols that underlie the Internet and other IP networks, using tricks such as packet fragmentation and TCP segmentation. Breaking up an exploit and putting it into packet fragments, for instance, can confuse intrusion prevention systems. But the packets will be reassembled by the host device being attacked.
The same types of tricks also can be used with the HTTP and HTTPS protocols, Stonesoft says.
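To show why per-packet inspection misses a payload split across TCP segments and why the traffic normalization Vosburgh calls for closes that gap, here is an added example (not code from Stonesoft or from the article). It compares a naive per-segment signature check with one that reassembles the stream first; the signature, the HTTP request, the segment layout and the "first-received bytes win" overlap policy are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample signature for the demonstration; not a real indicator.
SIGNATURE = b"EVIL-PATTERN"


@dataclass
class Segment:
    seq: int     # sequence number relative to the start of the stream
    data: bytes


def naive_match(segments, signature=SIGNATURE):
    """Inspect each segment on its own, as an inspector without stream
    reassembly would. A signature split across a segment boundary is missed."""
    return any(signature in seg.data for seg in segments)


def reassemble(segments):
    """Rebuild the byte stream the receiving host will see: order by sequence
    number, drop bytes already received on overlap (first-received data wins,
    an assumed policy; real hosts differ by OS, which is why a normalizer has
    to model the target), and refuse to produce a stream with a hole in it."""
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > len(stream):
            raise ValueError(f"gap in stream before seq {seg.seq}")
        stream += seg.data[len(stream) - seg.seq:]
    return bytes(stream)


def normalized_match(segments, signature=SIGNATURE):
    """Match against the reassembled stream, the normalization step the
    article says network defenses need."""
    return signature in reassemble(segments)


# Constructed sample: one HTTP request split so that the signature straddles
# a segment boundary, delivered out of order, with one overlapping retransmit.
SAMPLE_STREAM = b"GET /index.html?q=EVIL-PATTERN HTTP/1.0\r\n"
SAMPLE_SEGMENTS = [
    Segment(seq=23, data=b"PATTERN HTTP/1.0\r\n"),
    Segment(seq=0, data=b"GET /index.html?q=EVIL-"),
    Segment(seq=15, data=b"?q=EVIL-"),  # retransmission of already-seen bytes
]

if __name__ == "__main__":
    print("per-segment inspection:", naive_match(SAMPLE_SEGMENTS))     # False
    print("after reassembly:      ", normalized_match(SAMPLE_SEGMENTS))  # True
```

The same mismatch applies to IP fragments and to HTTP chunking: whatever the inspector matches on must be the byte stream the endpoint will actually act on.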
Industry response to the new class of threats has been muted somewhat because, a year after the initial announcement, there still are no verified cases of threats in the wild using AETs. CERT-FI, Finland’s Computer Emergency Response Team, has coordinated the release of vulnerabilities found by Stonesoft to IPS vendors, some of which have begun efforts to block and report the attacks.
Vosburgh said the industry is beginning to pay attention to the issue.
“I don’t want to give the impression that the industry has made great strides in protecting against AETs,” he said. “It hasn’t, and there is still a lot of work that needs to be done around inspection, detection and traffic normalization. However, in the past year, we’ve crossed a major hurdle, which has been getting the network security community to understand just how serious and dangerous AETs are.”
Testing labs and research facilities are beginning to incorporate AETs into testing methodologies and criteria, Vosburgh said, and vendors have started thinking about protection against them.
“In sum, the vendor community is at a point of ‘Hey, we get it. We’re taking it seriously’,” he said.
William Jackson is a Maryland-based freelance writer.