Industry Experts Speak Out on Advanced Evasion Techniques. What s Next Presented by Intel Security

Transcription

1 Industry Experts Speak Out on Advanced Evasion Techniques What s Next Presented by Intel Security

2 The Experts Lawrence Pingree Research Director, Kamal Hennou Professor, Network Security Assistant Professor, Computer Science University of Milan Head of Information Research Group and Computer Security Incident Response Team University of Glamorgan Lawrence Pingree, research director at Gartner, has been an active member of the information security industry for many years. He has consulted for large financial institutions, corporations, and government entities on firewalls, intrusion detection, networks, system penetration, risk management, compliance, e-discovery, and forensics. He has served as a chief security architect at both PeopleSoft and NetScreen. Kamal Hennou, has served as an educational leader at ESGI in Paris specializing in network security, and researcher at the Cyber Security Laboratory since From 1999 to 2009, he held various technical and management positions. He worked in security research and development, specializing in cryptographic protocols, malware analysis, computer virology. From 1995 to 1999, he was a researcher at the Institut National des Télécomunications (now Télécom SudParis), Evry, France. From 1990 to 1995, he studied at Université Pierre et Marie Curie, where he received a high degree diploma in computer science in Kamal Hennou regularly participates in scientific and technical advisory boards, program committees, and conferences. In 2013 and 2014 he co-chaired the ESGI Security Day in Computer Security. is assistant professor at the Department of Computer Science at the University of Milan, Italy. From 2000 to 2001, he worked as a research assistant at the Institute for Security Technology Studies (ISTS) at Dartmouth College in the US. His research and teaching activity is focused on IT security and privacy, socioeconomic aspects of security technologies, risk analysis, and dynamic networks. He is a speaker at many academic conferences, industrial and public events, and coordinator of a master class on IT governance. He is also a member of the Editorial Board of Infosecurity Magazine (UK). Professor is one of the UK s most respected information security academics. As the head of the University of Glamorgan s Information Research Group and GSC-CSIRT, the Computer Security Incident Response Team for the University of Glamorgan s School of Computing, Blyth leads groundbreaking research projects looking at system security. He teaches advanced information security courses in the University s Faculty of Advanced Technology (FAT), including computer forensics, computer systems security, and wireless security. He regularly publishes papers on intrusion detection systems and information security early warning systems and has written a book entitled Information Assurance. Blyth has performed consultancy for the following organisations: Government agencies, such as Defence Science and Technology Laboratory/ Ministry of Defence (DSTL/MOD) and the Cabinet Office. Law enforcement agencies such as, Metropolitan Police (MET Police) and Police Service of Northern Ireland (PSNI).

3 Advanced Evasion Techniques Defined Advanced evasion techniques, or AETs, are delivery mechanisms used to disguise advanced persistent threats (APTs) and permit them to slip through network security undetected. AETs work by splitting up malicious payloads into smaller pieces, disguising them, and delivering them simultaneously across multiple and rarely used protocols. Once inside, AETs reassemble to unleash malware and continue an APT attack. Put the pieces together. AETs disguise APTs by: AETs can be extremely difficult to detect for two reasons: Splitting up malicious code into multiple benign payloads. ONE They are shape-shifters. AETs creat millions of new evasion techniques from only a few combinations. Sending disguised payloads across rarely used or lax protocols. Security pros believe there are 330K AETs in existence. The actual number of AETs is 800M+. <1% of AETS are detected by most firewalls. Slipping pieces of malicious code through firewalls. TWO They are misunderstood. AETs get confused with APTs, creating a false sense of security. The pieces reassemble and unleash the APT. The APT steals data over weeks, months, or years. 61% believe they have a network security solution to defend against AETs. Of these 50% use a combination of network security solutions that can t detect AETs.

4 1 New/Not New While AETs have been attracting more and more attention recently, they have actually been with us for quite some time. They ve always been with us, and they re not going away. The nature of the advanced evasion may change, but the core concept of advanced evasion techniques is constant. Kamal Henou Advanced evasion techniques were initially described by Thomas Ptacek and Timothy Newsham in their 1998 work, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. We ve known about them and the danger they pose for some time. AETs are not particularly important because they exhibit a bunch of new vulnerabilities that must be patched somehow. They are important because they ultimately demonstrate the fundamental flaw of existing protocol analysis that we all should have known about for the last 15-plus years. Do they exist? Yes. Are they real? Yes. Have we seen them? Yes. Do they pose a threat? Yes. They ve always been with us, and they re not going away. The nature of the advanced evasion may change, but the core concept of advanced evasion techniques is constant.

5 2 A Growing Concern AETs represent a real and growing concern, due in part to their increasing sophistication and in part to the proliferation of tools that make it easy for even inexperienced attackers to create and deploy them. It is now easier than ever to develop and deploy AETs. Are advanced evasion techniques a growing threat? Yes, but it s important to quantify how it is growing. It s growing in that more people now have access to advanced evasion techniques. Thanks to the Internet, it is much easier for someone wanting to deploy an evasion technique to get a hold of an AET and use it even if they re relatively inexperienced. From a technical standpoint, it is now easier than ever to develop and deploy AETs. On the other side, the usual approach to only ask for a new filtering technology or new patches to plug holes as they are discovered has demonstrated natural limitations with AETs. Security pros believe there are 330K AETs in existence. The actual number of AETs is 800M+.

6 3 Technology Is Not Enough Technology can certainly help mitigate the threat posed by AETs, but it is not enough to eliminate the risk together. Competing priorities, lack of awareness, and a false sense of security all hinder effective security responses. 70% 50% but fewer than Kamal Hennou It s a matter of competing priorities. Companies tend to react to large numbers of attacks, and many are focusing more on network speed than network security. of CIOs and security managers believe they know what an AET is. can correctly define advanced evasion techniques. Lawrence Pingree My belief is that many security practitioners are largely unaware of the risks that advanced evasion techniques represent to their security. Although numerous configuration options exist in security products, many are not tuned by default for the most advanced protection against attackers. Many security practitioners are largely unaware of the risks that advanced evasion techniques represent to their security. AETs represent a three-sided problem. Measurement, risk management, and technology all need to be part of the response. Branded security solutions might address the technology, but without the other two, they can at best provide a measure of mitigation. For every sword there s a shield, and for every shield a sword. No solution is ever 100% perfect. Technology? It helps, but it s only part of the solution. There needs to be more awareness, better education and better training. Lawrence Pingree

7 4 Cause for Optimism? When asked which side would evolve faster over the next decade defenders or attackers our experts expressed some optimism that defenders would pull out front, or at least keep pace. IT security will evolve faster, and we ll see IT start thinking and working with different approaches and different integrated solutions. Whether security evolves faster depends on the degree to which large companies perceive the AET threat. Kamal Hennou I believe we will see next-generation firewalls evolve quickly to meet the needs of large companies so whether security evolves faster depends on the degree to which large companies perceive the AET threat. Kamal Hennou Who will evolve faster? Both. Neither. It s a war. They develop capability. We develop capability. They develop capability to counter our capability. It s a cycle. Now the nature of the attack surface is expanding to include additional points of entry, such as mobile devices. So on one level, it s going to change. But on another, you say, nothing changes. Lawrence Pingree Security is a cat-and-mouse game. Attackers will always from time to time get ahead of our defenses, so providers must always seek to augment their technologies and strategies to compensate and mitigate the latest techniques.

8 5 A People-Driven Future How can organizations best protect themselves in the future? Technology certainly plays a significant role, but the experts we spoke with also stressed the human side of the security equation. It s time to start integrating different knowledge, different approaches, and different strategies. We will better protect ourselves by acting as humans did in prehistory: with adaptation, flexibility, intelligence, and a willingness to change and experiment. It s time to start integrating different knowledge, different approaches, and different strategies. We need to embrace a socio-technical approach to security. Technology is part of the solution, but so is the way that people use that technology. People have to be flexible in the way that they work, but by the same token, the technology has to give people what they need. If technology gets in the way of users and what they re trying to do, it s useless. They will just find a way to circumvent it.

9 6 What s Next? You ve just heard industry experts say that the game must change if organizations are going to be capable of meeting the security threats of tomorrow. WHAT DO YOU THINK? Join the discussion #NGFW #WhatsNext For more information visit Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2014 McAfee, Inc.