Evasion is the act of bypassing an information security device in order to deliver an exploit, attack, or other form of malware to a target network or system without being detected. The term may sound familiar, but in fairness few CIOs have a clear picture of what these techniques can do or of the prevention options available today.
Definition
An advanced evasion technique (AET) is a type of network attack that combines several known evasion methods into a new technique that is delivered over several layers of the network stack simultaneously. AETs are subtle techniques designed to get around security devices such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS): methods of disguise used to penetrate target networks undetected and deliver malicious payloads.
For example, an attacker can split an exploit into pieces that individually pass a firewall or IPS appliance and, once inside the network, are reassembled on the target into working code, which then unleashes the malware and lets an APT campaign continue.
AETs were first described in 2010 by the network security specialist Stonesoft (later acquired by McAfee). According to McAfee's own research, ignorance of AETs comes at a high price in terms of data breaches: an average of $931,000 per incident, rising to about $2 million per incident in financial services.
The key patterns of AETs, to an extent, are as follows:
- Look for weak points in network devices by exploiting the technical and inspection limitations of security devices: memory capacity, performance optimizations, design flaws and so on
- Use unusual combinations of multiple evasion techniques
- Craft network traffic that disregards strict protocol specifications yet is still accepted by the target host
- Do not rely on protocol anomalies or violations, so the traffic does not trip anomaly-based detection
Examples of advanced evasion techniques are listed below. AETs disguise advanced persistent threats and are also known as shape shifters. Many security professionals believe that more than 300,000 AETs exist and that only about 1% of them are detected by the firewalls in general use today.
- Splitting malicious code into multiple payloads that each look benign
- Manipulating the TCP segment size. Inspection devices are often tuned to flag the very small segments or fragments that attackers have traditionally used, so an attacker who chooses segment sizes that fall outside that rule, and who places segment boundaries inside the byte string a signature looks for, can slip past a device that inspects each segment on its own
- Slipping pieces of malicious code through firewalls one at a time
- Sending disguised payloads over rarely used protocols
- Using encryption, tunneling, traffic fragmentation, traffic insertion and similar tricks
How to tackle AETs
To defend against AETs, organizations can use the following measures and tools:
- HTTPS/TLS traffic inspection, so that encrypted streams are not a blind spot
- Traffic anomaly detection
- Endpoint protection, which sees the payload after the host has reassembled it
- Decoding and normalizing traffic on all protocol layers before signature matching, so the inspection device sees the same byte stream the target host will see
- Using evasion detection tools across all the data
- Keeping devices updated with all patches and updates
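The following is an added example, not code from the original article or from Stonesoft/McAfee. It ties the "splitting malicious code" and "manipulating the TCP segment size" entries in the examples list to the "decoding and normalizing traffic on all protocol layers" countermeasure: TCP segments are modelled as (sequence offset, bytes) pairs, a naive per-segment signature check is compared with a normalizer that reassembles the stream the way the end host would, and an overlapping-segment case shows why the normalizer must use the target's own reassembly policy. The signature `/bin/sh`, the HTTP request, and the two policy labels `"first"` and `"last"` are constructed for illustration and are not real IDS rules or a catalogue of real OS behavior.

```python
"""
Added example (not from the original article): per-segment signature matching
versus stream reassembly, using constructed TCP-like segments.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed signature an IDS rule might look for (hypothetical, not a real rule).
SIGNATURE = b"/bin/sh"


@dataclass
class Segment:
    seq: int       # offset of the first byte within the TCP stream
    data: bytes


def split_payload(payload: bytes, cut_points: Iterable[int]) -> List[Segment]:
    """Attacker side: cut one payload into segments at chosen stream offsets."""
    cuts = sorted({c for c in cut_points if 0 < c < len(payload)}) + [len(payload)]
    segments, prev = [], 0
    for cut in cuts:
        segments.append(Segment(prev, payload[prev:cut]))
        prev = cut
    return segments


def per_segment_match(segments: List[Segment], sig: bytes = SIGNATURE) -> List[int]:
    """Naive inspection: test each segment in isolation, as a device that does
    no stream reassembly would. Returns the offsets of matching segments."""
    return [s.seq for s in segments if sig in s.data]


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Normalizer: rebuild the contiguous byte stream the end host will see.

    Overlapping bytes are resolved by `policy`: "first" keeps the data that
    arrived first, "last" lets later segments overwrite. Real TCP stacks differ
    in this choice, which is exactly the ambiguity an evasion exploits; the two
    labels here are illustrative assumptions, not real OS behavior.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    stream = {}
    for seg in segments:                      # arrival order matters
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    if not stream:
        return b""
    length = max(stream) + 1
    missing = [i for i in range(length) if i not in stream]
    if missing:
        raise ValueError(f"hole in stream at offset {missing[0]}; cannot normalize")
    return bytes(stream[i] for i in range(length))


def stream_match(segments: List[Segment], policy: str = "first",
                 sig: bytes = SIGNATURE) -> bool:
    """Normalize first, then match: the check a layer-aware inspector performs."""
    return sig in reassemble(segments, policy)


def demo_split() -> Tuple[List[int], bool]:
    """Evasion 1: a segment boundary placed inside the signature string."""
    payload = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"   # constructed request
    cut = payload.index(SIGNATURE) + 3                    # cut "/bi" | "n/sh"
    segs = split_payload(payload, [cut])
    return per_segment_match(segs), stream_match(segs)


def demo_overlap() -> Tuple[bool, bool]:
    """Evasion 2: overlapping segments whose meaning depends on the host's
    reassembly policy. A normalizer assuming "first" sees harmless bytes,
    while a host that favors later data ends up with the signature."""
    segs = [Segment(0, b"/bin/xx"), Segment(5, b"sh")]
    return stream_match(segs, "first"), stream_match(segs, "last")


if __name__ == "__main__":
    print("per-segment hits, reassembled hit:", demo_split())
    print("overlap seen under 'first', 'last':", demo_overlap())
```

Running the script shows the per-segment matcher returning no hits for a request that plainly contains the signature once reassembled, and the overlap case producing opposite verdicts under the two policies. The second result is the practical point behind "normalizing on all protocol layers": reassembly alone is not enough, the inspection device has to reassemble under the same policy as the host it protects, or the attacker simply picks the other one.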