Advanced Evasion Techniques Under the Microscope


Joona Airamo, chief information security officer with Stonesoft, explains what AETs are and how the threat can be neutralised…

Whilst the Internet has become a near-universal communications medium - just as the analogue landline telephone did in the last century - its rapid growth to a global user base has outpaced the security that was built into its foundations. Put simply, the Internet Protocol (IP) as implemented in most instances is open and insecure. This is why most organisations make use of sophisticated IT security appliances and systems software to defend their digital data assets.

These protective platforms are usually built around a base layer of intrusion detection system (IDS) and/or intrusion prevention system (IPS) architecture in its many shapes and forms. But the insecure nature of the IP standard, most notably the structure of the packet header and of the packets themselves, means that a malformed header, or a set of packets arranged in a way the inspecting device does not expect, can subvert the methodical nature of most IDS/IPS defence systems, no matter how sophisticated or evolved the platform is. Using this type of subversion has now come to be known in IT security circles as Advanced Evasion Techniques (AET) - and, without a highly advanced and heuristic set of security overlays, our supposition here at Stonesoft is that most conventional IT security defences can be compromised using AET methodologies.

Contrary to what you may have heard, AET is not that new, even though some of its hacker-driven implementations are. As an attack vector, AET dates back to the late 1990s, when two security researchers, Tim Newsham and Thomas Ptacek, released a white paper explaining how the IDS systems of the day could be beaten. The paper - entitled 'Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection' - identified two basic problems with passive IP analysis. The first is that a passive monitor rarely has enough information in the packets alone to work out how the destination machine will actually interpret them, so the monitor and the end host can arrive at two different versions of the same data stream.

The second problem is that, since even the latest IDS-based IT security systems are passive, they are inherently 'fail-open': if the IDS is overloaded or knocked out, the network carries on working, so traffic keeps flowing past an inspection point that is no longer inspecting anything.

Having been around since the early 1990s, Stonesoft picked up on Newsham and Ptacek's 1998 critique and, building on it, launched its first firewall/VPN technology in 2001, since when we have been continually refining the security platform. Despite this evolution, our observations suggest that most of the evasion techniques the two researchers spotted 12 years ago are still with us today, despite considerable advances being made in the IT security space. The problem with even the latest and most evolved IDS/IPS platforms is that they, along with reactive firewalls and almost all IT security solutions available today, rely on matching the traffic as it appears on the wire against known patterns - and AET-driven attacks are built precisely to present that traffic in a form the pattern matcher does not recognise.

The situation is arguably made worse by the fact that most modern IT security platforms place such reliance on the IDS aspect of their defences that previously detectable security flaws can be exploited by criminal hackers using a simple obfuscation (hiding) technique.

Obfuscation is central to the wave of SQL injection and iFrame attacks that started a few years ago and is commonly used by criminals wanting to attack business Web servers and sites in order to infect visitors to those sites with malware. The problem that obfuscation presents to IT security professionals is that conventional heuristic analyses - used for so long to detect the presence of malware executables - can be circumvented. Some commentators have likened AETs to the continuing problem of Advanced Persistent Threats (APTs), but there is no direct equivalence: whilst AETs can be used to deliver the payloads needed to perform an APT-style attack, the two are not directly linked. AETs are simply a methodology for delivering a payload, rather than the malware payload itself.


Clear and present danger


Despite being 'only' a methodology, our belief here at Stonesoft is that AETs present a clear and present danger to the digital data assets of most organisations. The reason is that, because the IP packet structure is so fundamental to modern networking, detection systems are built around the packet structure they expect to see, and any attack traffic that deviates from that known structure falls outside what they check and is far more difficult to detect.

If one thinks of the IP structure like a railway line - which in Europe has a standard gauge of 4 feet, 8.5 inches (or 1.435 metres, depending on which side of the metric divide you are) - it is relatively easy for an automated signalling system to detect the mass and speed of the train as it enters a stretch of line. And from that data, the signalling system can make an accurate assessment as to what the train is, which schedule it belongs to, and where it is headed - all of which makes life easier for the signal control staff.

But what happens if a customised maintenance vehicle comes down the line with its rail wheels retracted and its rubber tyres extended, in preparation for off-rail trackside repairs? The signalling system has no data to detect what the vehicle is, let alone where it is headed. In fact, within its parameters, the system may not even detect the presence of the vehicle. And so it is with AET attack vehicles, which use malformed packet headers and data streams, combined with obfuscated code calls. The conventional IDS security platform cannot detect its presence, and so the attack code passes into the IT resource unseen.

Aha, you say, but what if the IT resource only allows specific code to execute on the platform - a technology known as whitelisting code execution - then AETs will be stopped, right? Wrong. Whitelisting controls what may run on the host, not what may arrive over the network. Because the AET-borne traffic does not look like the traffic the network gateway expects, it passes through the conventional network gates unchecked, and only once it has been reassembled at its destination does it make the necessary code call, which could be to trigger a conventional - and whitelisted - software element with a known vulnerability. This consequential and hybridised attack vector means that a near-invisible stream of AET-driven IP packets can cause havoc on a company's IT resource, leaving little or no audit trail for a forensic investigator to follow.

Stonesoft's approach to detecting AETs is fundamentally different from that used by most IT security systems and software. In terms of our allegory of railway lines and the trains that run on them, Stonesoft's technology adds a non-rail-based mass and motion detector to the signalling system, giving it an overview the track-bound sensors lack. In other words, Stonesoft's security technology normalises the IP data traffic: it reassembles and interprets the data stream in the same manner as the destination host would, and inspects the result rather than the individual packets. That is what we believe makes our AET-detection approach unique in our constantly changing industry.
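The following toy script illustrates the two points made above: the Newsham and Ptacek observation that a passive monitor and the destination host can disagree about what a TCP stream contains, and the case for normalising traffic the way the destination would before looking for a signature. It is an added example written for this article, not Stonesoft code, and it models no real product: the signature, the constructed segments and the two overlap policies ("favour_old", "favour_new") are assumptions chosen to make the effect visible.

```python
"""Toy TCP segmentation/overlap evasion versus a normalising detector.

Added illustration for this article; not Stonesoft code and not a model
of any real product. Signature, segments and reassembly policies are
constructed for the example.
"""
from dataclasses import dataclass

# Constructed: a classic 1990s IDS signature for a vulnerable CGI script.
SIGNATURE = b"/cgi-bin/phf"


@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first byte
    data: bytes   # segment payload


def naive_match(segments, signature=SIGNATURE):
    """Per-segment inspection, as a stateless pattern matcher does it:
    each segment is searched on its own, with no reassembly."""
    return any(signature in s.data for s in segments)


def reassemble(segments, policy):
    """Rebuild the byte stream the way a destination host would.

    Segments are applied in arrival order (the list order).  When two
    segments overlap, the policy decides which bytes the host keeps:
      "favour_old" - bytes already received win (some stacks do this)
      "favour_new" - the later segment overwrites (others do this)
    Only the contiguous run from the lowest sequence number is returned;
    a real host would hold anything after a hole in its buffer.
    """
    if policy not in ("favour_old", "favour_new"):
        raise ValueError(f"unknown policy {policy!r}")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if offset in stream and policy == "favour_old":
                continue
            stream[offset] = byte
    if not stream:
        return b""
    out = bytearray()
    offset = min(stream)
    while offset in stream:
        out.append(stream[offset])
        offset += 1
    return bytes(out)


def detect(segments, target_policy, signature=SIGNATURE):
    """Normalising detector: interpret the stream as the target would,
    then match the signature against the reassembled result."""
    return signature in reassemble(segments, target_policy)


# Constructed sample traffic.  PLAIN is the request sent in one piece.
PLAIN_SEGMENTS = [Segment(1000, b"GET /cgi-bin/phf HTTP/1.0\r\n")]

# EVASIVE carries the same request, but the signature is split across
# segments, the segments arrive out of order, and a decoy segment
# overlaps the real one.  The attacker targets a host that favours
# new data, so the host executes /cgi-bin/phf; a monitor that either
# inspects per segment or favours old data never sees that string.
EVASIVE_SEGMENTS = [
    Segment(1013, b"phf HTTP/1.0\r\n"),  # tail sent first
    Segment(1009, b"xyz/"),              # decoy bytes the target discards
    Segment(1000, b"GET /cgi-"),         # head, split inside the signature
    Segment(1009, b"bin/"),              # real bytes overwriting the decoy
]


def demo():
    """Return a dict summarising what each kind of inspection sees."""
    return {
        "naive_plain": naive_match(PLAIN_SEGMENTS),
        "naive_evasive": naive_match(EVASIVE_SEGMENTS),
        "host_favour_old": reassemble(EVASIVE_SEGMENTS, "favour_old"),
        "host_favour_new": reassemble(EVASIVE_SEGMENTS, "favour_new"),
        "detect_wrong_policy": detect(EVASIVE_SEGMENTS, "favour_old"),
        "detect_right_policy": detect(EVASIVE_SEGMENTS, "favour_new"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value!r}")
```

The per-segment matcher catches the plain request but misses the evasive one, and even a reassembling monitor misses it if it applies the wrong overlap policy for the destination. The practical lesson is the one the article makes: a detector has to know, or safely assume, how the target stack will interpret ambiguous traffic, which is why real normalising inspection is configured per destination rather than with one global rule.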

But wait, there's more, as according to Peter Wood, CEO of fellow IT security vendor First Base Technologies, whose firm specialises in corporate penetration testing, IDS platforms have one other inherent weakness - the human element. Wood, who is also an ISACA conference committee member, says that many companies view IDS/IPS platforms as a `magic bullet' form of security that is installed and then forgotten about. And since few organisations have the budget and facilities to monitor a good IDS platform on a 24x7 basis, they often do the only `logical' thing and turn the alerting system off. This, he says, is what his team has actually seen happen on one client's IT system. And as any IT security auditor will tell you, the human element is what often causes the most data breaches. A good IT security platform, however, can supply the backdrop to a well-trained IT department.

And that's no lie.


--------------------------------------------
For more information about Advanced Evasion Techniques, please visit www.antievasion.com.