Advanced Evasion Techniques (AET)



Similar documents
New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies

Effectiveness of blocking evasions in Intrusion Prevention Systems. White Paper. April, Konstantinos Xynos, Iain Sutherland, Andrew Blyth

DATA CENTER IPS COMPARATIVE ANALYSIS

Inspection of Encrypted HTTPS Traffic

50. DFN Betriebstagung

First Line of Defense to Protect Critical Infrastructure

Overview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink.

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

On-Premises DDoS Mitigation for the Enterprise

Guideline on Firewall

Frequent Denial of Service Attacks

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Protecting What Matters Most. Bartosz Kryński Senior Consultant, Clico

A Modern Framework for Network Security in the Federal Government

Building a Business Case:

Enterprise Cybersecurity: Building an Effective Defense

How To Make An Attack Unnoticed By A Network Security System (Ipo) Or A Network (Ngfw) Without Being Detected (Ngw)

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Complete Protection against Evolving DDoS Threats

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

NEXT GENERATION APPLICATION SECURITY

Intrusion Detection Systems

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Cisco and Sourcefire. AGILE SECURITY : Security for the Real World. Stefano Volpi

Changing the Enterprise Security Landscape

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

85% of business networks identified with bot infections 63% of business networks identified to have downloaded malware files 89% of business networks

Remote Firewall Deployment

Defending Against Cyber Attacks with SessionLevel Network Security

Internet Safety and Security: Strategies for Building an Internet Safety Wall

A Layperson s Guide To DoS Attacks

HP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Understanding and Defending Against the Modern DDoS Threat

Non-Geeks Guide to. Network Threat Prevention

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Technical Note. ForeScout CounterACT: Virtual Firewall

Whitepaper. Starting Managed Security Services with the Stonesoft MSSP Solution

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Why should I care about PDF application security?

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

The Importance of Cybersecurity Monitoring for Utilities

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

Achieve Deeper Network Security

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

SECURITY FLAWS IN INTERNET VOTING SYSTEM

StoneGate. High Availability Firewall and Multi-Link VPN. Security Availability Manageability Scalability

Top 10 Reasons Enterprises are Moving Security to the Cloud

Cyber Range Training Services

Introducing IBM s Advanced Threat Protection Platform

Zone Labs Integrity Smarter Enterprise Security

Secure Software Programming and Vulnerability Analysis

Enterprise Cybersecurity: Building an Effective Defense

Building A Secure Microsoft Exchange Continuity Appliance

IBM Security Intrusion Prevention Solutions

WHITE PAPER. Best Practices for Securing Remote and Mobile Devices

Holistic View of Industrial Control Cyber Security

The Advanced Cyber Attack Landscape

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Devising a Server Protection Strategy with Trend Micro

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Cloud Based Secure Web Gateway

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Stallion SIA Seminar PREVENTION FIRST. Introducing the Enterprise Security Platform. Sami Walle Regional Sales Manager

FROM PRODUCT TO PLATFORM

Critical Security Controls

Network Control Meets Endpoint Security

Devising a Server Protection Strategy with Trend Micro

The Cisco ASA 5500 as a Superior Firewall Solution

The Fortinet Advanced Threat Protection Framework

Gateway Security at Stateful Inspection/Application Proxy

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Security threats and network. Software firewall. Hardware firewall. Firewalls

Specific recommendations

Denial of Service Attacks, What They are and How to Combat Them

Steelcape Product Overview and Functional Description

Malicious Network Traffic Analysis

Product Overview. customers in the business of service provider, enterprise, financial services, and public sectors.

Transcription:

Advanced Evasion Techniques (AET) Are they being used to bypass your security? Alan Cottom Solutions Architect, Stonesoft

Stonesoft Global Company Customer Focus Innovation A Global Security Company, in business since 1990 Operations in USA, EMEA and Asia Integrated network security and business continuity solutions Listed in the Helsinki stock exchange (HEX) Corporate HQ in Helsinki, Finland Global 24/7 support Customers in more than 70 countries Focus on customers requiring advanced network security and always-on connectivity R&D Teams in France, Finland & Poland Multiple Patents for core technologies

It s OK, we re protected. X X X X

Are you sure? Advanced Evasion Techniques

AETs in action

AETs in action AETs vs Next Gen FW

Evasion (definition) Evasion techniques are a means to disguise and/or modify cyber attacks to avoid detection and blocking by information security systems. Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system without detection, that would normally be detected and stopped. Security systems are rendered ineffective against such evasion techniques. (In the same way a stealth fighter can attack without detection by radar and other defensive systems)

Evasion timeline 1997-98 First papers appeared detailing attacks against or ways to bypass network intrusion detection. 2004 Possibility to combine evasions suggested 2007 12 known (traditional) evasion methods Stonesoft R&D begin research into evasions

Evasion timeline 2010 Stonesoft share findings on new evasion threat Stonesoft deliver 23 STACKABLE AETs to CERT 2011 February Stonesoft deliver 124 new AETs October Stonesoft deliver further 160 new AETs Today Approx. 2^300 Advanced Evasion Techniques

Why AETs are different The TCP/IP and OSI Models In order to understand what an advanced evasion is we must refer back to the rules surrounding network communications and specifically TCP/IP. Known evasions target specific layers of the TCP/IP protocol stack. This makes them relatively easy to detect and stop. Application Host-to-Host Application Presentation Session Transport Advanced evasions target multiple layers of the protocol stack and combine multiple evasion methods. They do not conform to the rules. Making them virtually impossible to detect. Internet Network Access TCP/IP Network Data Link Physical OSI

AET Example TCP Evasion Open and close a TCP connection. Open a new TCP-connection to the same service using the same TCP-source port. According the TCP RFC, the TCP client MUST wait TIME-Wait Delay amount of seconds before reusing a source port. If the attacker uses his their own TCP/IP Stack, they can open and close a TCP-connection and immediately open a new TCP connection using the same source port. The IPS stack should handle new connections as new connections regardless of the TIME-Wait-Delay

AET Example MSRPC Evasion The client may change the current context using the Alter Context method. All subsequent requests then go to the new context. Example: The client binds to non vulnerable context and then changes into a vulnerable context and sends the exploit.

Surely my current IPS/IDS/NGFW can stop them? It is possible to effortlessly evade most market-leading security solutions by using one or more advanced evasion techniques (AETs). NOTE! Tests include all of the highest ranked security devices from the Gartner Magic Quadrant All products are running the latest versions and updates. StoneGate products were originally vulnerable but now include comprehensive protection against AETs as standard.

How can I defend against AETs? Cover the basics (Patch, permissions etc.) Know your assets (Who, What, When & Where) Be vigilant (Monitor) Deploy Advanced Evasion ready network security (Scalable, responsive) Review (Don t be complacent)

AETs - Comment Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations. Jack Walsh, Program Manager If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today s networks. Rick Moy, President Recent research indicates that Advanced Evasion Techniques are real and credible not to mention growing a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution. Bob Walder, Research Director

Summary AETs are real AETs are NOT exploits Most vendors are severely lacking in this area AETs will not just go away You CAN defend against AETs

alan.cottom@stonesoft.com www.stonesoft.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information