Advanced Evasion Techniques

Klaus Majewski, Business Development Manager

Paradigm shift

“Political Cyberattacks Hit Large Companies”

“Zeus botnet thriving despite recent arrests.”

Where are we today…

The 2009 CSI Annual Survey:

Cost of cyber attacks: $235,000 on average

Financial fraud: $450,000 per incident

Theft of information: $710,000 per incident

Verizon Business’ 2010 Data Breach Investigations Report reveals that 40% resulted from hacking, while 38% used malware. The overwhelming majority of attacks were from organized crime, at 85%.

How can cyber criminals and hackers improve the success rate of targeted attacks?

To put it simply: use Advanced Evasion Techniques.

Evasion Definition

Evasion techniques are a means to disguise and/or modify cyber attacks to avoid detection and blocking by information security systems, in the same way a stealth fighter can attack without detection by radar and other defensive systems.

Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system without detection, where it would normally be detected and stopped. The security systems are rendered ineffective against such evasion techniques.

Security is easy if criminals follow the same rules as we do.

Do they?

The Background

Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system, without detection, that would normally be detected and stopped.

Evasion research has been carried out since at least the late 1990s.

Most evasion techniques to date have stayed within the confines of established rules for network traffic.

Security systems can be rendered ineffective against evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems.

Stonesoft R&D has discovered and reported a new species of evasion techniques that can be altered or combined in any order to avoid detection by security systems.

Advanced Evasion Techniques (AETs)

Use of AETs

In highly advanced and targeted attacks against well-protected networks.

By organizations with many resources and high stakes.

From the point of view of cyber criminals and hackers, AETs work like a master key to anywhere. They provide all the time in the world to try exploits and find the one that works.

They’re insurance against getting caught.

What does this mean...

Digital assets aren’t well protected

AETs do not behave in traditional ways, and the current protection against them is weak.

False perception of security creates easy targets

The majority of security appliances are unable to provide protection

Predator 3.0

• Network security device research environment built for automated testing

• Evasion fuzzer

– Fuzz the carrier protocols, but leave the payload intact, as the targeted server actually sees it

– Able to use multiple, randomly run evasion techniques simultaneously on multiple layers

Predator Evolution

First version written in 2007, had 12 evasions that were not stackable

Current Version 3.0 has 180+ evasions that are stackable. And counting…

2^180 = 1532495540865888858358347027150309183618739122183602176

It becomes impossible to test all combinations

IPv6 will offer a much bigger combination universe

Some thoughts on AETs

“Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.”

- Jack Walsh, Program Manager.

“If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.”

- Rick Moy, President.

“Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.”

- Bob Walder, Research Director.

Vision for the Future

• We believe that our research has a clear positive impact on the quality of the whole IPS / NGFW industry

• Test labs and the research community will bring more focus to the evasions

• There is a lot of work to be done…

[Chart: number of reported evasion techniques (traditional + advanced) over time, 2010-2011. Marks the discovery of AETs, the protection level offered by static protection, the resulting security gaps, and the estimated increase of reported evasions and protection levels (dynamic vs. static).]

Normalization

• Protocol normalization is a way to fight against evasions

• Anti-evasion readiness depends on the capabilities and efficiency to do normalization on all levels

• This means that all protocol decoding is normalized and exploits can be detected by fingerprint matching -> there is a need for only one representation of the exploit
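As an added illustration of the two ideas above (the Predator-style evasion fuzzer and normalization before fingerprint matching), here is a small Python harness. It is not code from the original presentation or from Stonesoft's Predator; the request bytes, the placeholder signature string and all function names are assumptions made for the example. Like an evasion fuzzer, it stacks several randomly combined carrier-layer transformations (segmentation at random boundaries, out-of-order delivery, duplicated segments) onto a constructed request while leaving the bytes the server sees intact, then compares a detector that inspects each segment in isolation with one that normalizes the stream into a single representation first.

```python
import random
from dataclasses import dataclass

# Constructed sample request. The "signature" is a placeholder token standing in
# for whatever byte pattern a fingerprint-matching engine would look for; it is
# not a real exploit pattern.
PAYLOAD = (b"GET /index.html?q=EVIL-SIGNATURE-PLACEHOLDER HTTP/1.0\r\n"
           b"Host: example.test\r\n\r\n")
SIGNATURE = b"EVIL-SIGNATURE-PLACEHOLDER"


@dataclass(frozen=True)
class Segment:
    """A TCP-style segment: byte offset of its first byte plus its data."""
    seq: int
    data: bytes


# --- carrier-layer transformations (the evasions the fuzzer stacks) ----------

def split_segments(payload, rng, max_len=8):
    """Evasion 1: cut the payload into segments at random boundaries."""
    segs, pos = [], 0
    while pos < len(payload):
        n = rng.randint(1, max_len)
        segs.append(Segment(pos, payload[pos:pos + n]))
        pos += n
    return segs


def reorder(segs, rng):
    """Evasion 2: deliver the segments out of order."""
    segs = list(segs)
    rng.shuffle(segs)
    return segs


def duplicate(segs, rng, fraction=0.3):
    """Evasion 3: append retransmitted copies of some segments."""
    return list(segs) + [s for s in segs if rng.random() < fraction]


def apply_stacked_evasions(payload, rng, max_len=8):
    """Stack all three transformations, as a fuzzer combines evasions at random."""
    return duplicate(reorder(split_segments(payload, rng, max_len), rng), rng)


# --- two detectors ------------------------------------------------------------

def naive_detect(segs, signature):
    """Inspect each segment on its own, with no reassembly (no normalization)."""
    return any(signature in s.data for s in segs)


def normalize(segs):
    """Reassemble the stream as the receiving host would: order by sequence
    number, drop duplicates, trim overlaps. The result is the one canonical
    representation a fingerprint then needs to match."""
    stream = bytearray()
    for s in sorted(set(segs), key=lambda s: s.seq):
        already = len(stream) - s.seq      # bytes of this segment already assembled
        if already < 0:
            raise ValueError("gap in stream at offset %d" % len(stream))
        if already < len(s.data):
            stream += s.data[already:]
    return bytes(stream)


def normalized_detect(segs, signature):
    """Normalize first, then match the signature against the reassembled stream."""
    return signature in normalize(segs)


# --- harness --------------------------------------------------------------------

def run_trial(seed, max_len=8):
    """One randomized evasion combination; reports what each detector saw."""
    rng = random.Random(seed)
    segs = apply_stacked_evasions(PAYLOAD, rng, max_len)
    return {
        "payload_intact": normalize(segs) == PAYLOAD,   # server still sees the original bytes
        "naive": naive_detect(segs, SIGNATURE),
        "normalized": normalized_detect(segs, SIGNATURE),
    }


def campaign(trials=200, max_len=8):
    """Run many seeds, as an evasion fuzzer does, and tally detections."""
    tally = {"trials": trials, "naive_hits": 0, "normalized_hits": 0, "payload_intact": 0}
    for seed in range(trials):
        r = run_trial(seed, max_len)
        tally["naive_hits"] += r["naive"]
        tally["normalized_hits"] += r["normalized"]
        tally["payload_intact"] += r["payload_intact"]
    return tally


if __name__ == "__main__":
    print(campaign())
```

Because the segments are cut shorter than the signature, the per-segment detector never sees the whole pattern in any trial, while the normalizing detector matches in every trial and the reassembled bytes always equal the original request. That is the point of the normalization bullet: once every decoder hands the matcher the same canonical stream, one representation of the exploit is enough, and stacking more carrier-layer variations does not multiply the signatures a defender has to write.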

Financial Effects

Loss of reputation & trust

Operations continuity breakages

Data asset thefts and spying

Quality damages

Ongoing evaluation and auditing

More knowledge needed

Patching and human errors

Operational workload

Migration to continuously and automatically updatable systems

Compliance requirement changes

Replacement of non-updatable devices, systems and endpoints

Anti-evasion-ready appliances

Security is a process

Increase your knowledge of advanced evasion techniques at antievasion.com

Audit critical infrastructure, applications (ERP, CRM) and critical data

Identify which servers are hosting those critical assets and evaluate AETs protection

Protect those assets with anti-evasion-ready solutions and the latest updates

Make a plan for how to migrate to dynamic (software-based) security.

Disconnect all critical assets which cannot be patched or protected against AETs

www.antievasion.com