Attackers are advancing their techniques, and intrusion prevention systems need to advance as well. That is the lesson to be taken from new research from security firm Stonesoft.
The company published a report about a new trend of what it calls AET (advanced evasion techniques). The techniques allow attackers to bypass current network security devices and to drop malware that would otherwise be stopped at the gate.
“Advanced Evasion Techniques are methods of combining evasion techniques, some of which are well known, in many different ways in an effort to confuse an IPS into allowing the packet,” explained Matt McKinley, US director of Product Management at Stonesoft. “This is not a way to combining exploits – rather it is a way of combining stealthy methods of delivering any exploit desired.”
“In terms of an example, consider the well-known method of packet fragmentation, this alone would be caught,” he continued. “However, if this is combined with random IP options and a manipulation of how data is to be interpreted on the target…the attacker can successfully deliver a payload containing any attack.”
The appearance of these techniques may be challenging intrusion prevention systems (IPS), but that doesn’t mean the space is in danger. Gartner analyst John Pescatore noted that “stealth bombers didn’t put aircraft detection out of business,” and IPS technology will continue to grow to deal with the threats.
“Evasion has always been part of attacks, as AV vendors have seen for 15 years and IDS/IPS vendors have seen for five years,” he said. “Stonesoft has researched advanced ways of combining evasion techniques that bad guys can use – and the leading IPS vendors will continue to add ways of detecting those techniques and defeating.”
These threats are difficult to detect because the IPS cannot easily categorize or reference what it is seeing, McKinley said.
“Current evasions are fairly well understood, but some of them still work today, and that is only one evasion at a time,” he said. “Add several evasions together, and evade at multiple levels simultaneously, and you have a method the IPS can no longer recognize. We believe that this will reinvigorate the market to confront this challenge.”
In the meantime, Stonesoft recommends a centrally managed solution that allows for rapid updates to all devices within the security infrastructure.
“Because of the exceptionally large number of combinations of these evasion techniques, addressing them will require the capability to update the system rapidly,” McKinley said. “Moreover, we are actively encouraging and working with the entire security community to address any changes that need to be made to IPS technologies at an architectural level.”