“What’s Next” Europe Report: Advanced Evasion Techniques

Industry Experts Speak Out on Advanced Evasion Techniques

Presented by Intel Security

Industry experts speak out on the topic of network security threats, Advanced Evasion Techniques.

The Experts

Marco Cremonini, Assistant Professor, Computer Science, University of Milan

Marco Cremonini is assistant professor at the Department of Computer Science at the University of Milan, Italy. From 2000 to 2001, he worked as a research assistant at the Institute for Security Technology Studies (ISTS) at Dartmouth College in the US.

His research and teaching activity is focused on IT security and privacy, socioeconomic aspects of security technologies, risk analysis, and dynamic networks.

He is a speaker at many academic conferences, industrial and public events, and coordinator of a master class on IT governance. He is also a member of the Editorial Board of Infosecurity Magazine (UK).

Lawrence Pingree, Research Director, Gartner (@lpingree)

Lawrence Pingree, research director at Gartner, has been an active member of the information security industry for many years. He has consulted for large financial institutions, corporations, and government entities on firewalls, intrusion detection, networks, system penetration, risk management, compliance, e-discovery, and forensics. He has served as a chief security architect at both PeopleSoft and NetScreen.

Andrew Blyth, Head of Information Research Group and Computer Security Incident Response Team, University of Glamorgan

Professor Andrew Blyth is one of the UK’s most respected information security academics. As the head of the University of Glamorgan’s Information Research Group and GSC-CSIRT, the Computer Security Incident Response Team for the University of Glamorgan’s School of Computing, Blyth leads groundbreaking research projects looking at system security. He teaches advanced information security courses in the University’s Faculty of Advanced Technology (FAT), including computer forensics, computer systems security, and wireless security. He regularly publishes papers on intrusion detection systems and information security early warning systems and has written a book entitled Information Assurance. Blyth has performed consultancy for the following organisations:

• Government agencies, such as the Defence Science and Technology Laboratory/Ministry of Defence (DSTL/MOD) and the Cabinet Office.

• Law enforcement agencies, such as the Metropolitan Police (MET Police) and the Police Service of Northern Ireland (PSNI).

Kamal Hennou, Professor, Network Security, ESGI (@Oxygate)

Kamal Hennou has served as an educational leader at ESGI in Paris specializing in network security, and as a researcher at the Cyber Security Laboratory since 2009. From 1999 to 2009, he held various technical and management positions. He worked in security research and development, specializing in cryptographic protocols, malware analysis, and computer virology. From 1995 to 1999, he was a researcher at the Institut National des Télécommunications (now Télécom SudParis), Evry, France.

From 1990 to 1995, he studied at Université Pierre et Marie Curie, where he received a high degree diploma in computer science in 1995. Kamal Hennou regularly participates in scientific and technical advisory boards, program committees, and conferences. In 2013 and 2014 he co-chaired the ESGI Security Day in Computer Security.

Advanced Evasion Techniques Defined

Advanced evasion techniques, or AETs, are delivery mechanisms used to disguise advanced persistent threats (APTs) and permit them to slip through network security undetected.

AETs work by splitting up malicious payloads into smaller pieces, disguising them, and delivering them simultaneously across multiple and rarely used protocols. Once inside, AETs reassemble to unleash malware and continue an APT attack.

Put the pieces together. AETs disguise APTs by:

• Splitting up malicious code into multiple benign payloads.

• Sending disguised payloads across rarely used or lax protocols.

• Slipping pieces of malicious code through firewalls.

• Once through, the pieces reassemble and unleash the APT. The APT steals data over weeks, months, or years.

AETs can be extremely difficult to detect for two reasons:

ONE: They are shape-shifters. AETs create millions of “new” evasion techniques from only a few combinations.

TWO: They are misunderstood. AETs get confused with APTs, creating a false sense of security.

<1% of AETs are detected by most firewalls.

Security pros believe there are 330K AETs in existence. The actual number of AETs is 800M+.

61% believe they have a network security solution to defend against AETs. Of these, 50% use a combination of network security solutions that can’t detect AETs.
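The definition above rests on one detection fact: each piece looks benign on its own, and only the reassembled stream reveals the payload. The Python sketch below is an added example, not code from the Intel Security report, showing the consequence for an inspector. Matching a signature per segment misses a marker that is split across out-of-order segments; reassembling the segments in sequence order before matching catches it; and the reassembler also reports overlapping pieces that disagree about a byte, the ambiguity that the 1998 insertion/evasion paper quoted later in this report showed a network inspector must surface rather than silently resolve. The segment format, sequence numbers and the marker string are constructed for the example.

```python
"""Added example, not code from the Intel Security report: the detection
consequence of splitting a payload into benign-looking pieces.  Per-piece
inspection misses a marker that spans pieces; a reassembling inspector
catches it and also reports overlapping pieces that disagree.  Segment
layout, sequence numbers and the marker string are all constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One piece of a byte stream, addressed like a TCP segment."""
    seq: int     # byte offset of this piece within the stream
    data: bytes


# Hypothetical content signature the inspector looks for (constructed).
SIGNATURE = b"EVIL-MARKER"


def per_segment_matches(segments, signature=SIGNATURE):
    """Naive inspection: search each piece on its own, no reassembly."""
    return [s for s in segments if signature in s.data]


def reassemble(segments):
    """Rebuild the stream from (seq, data) pieces in any arrival order.

    Returns (stream, gaps, conflicts):
      stream    bytes in sequence order, uncovered offsets left as 0x00
      gaps      offsets no piece covered
      conflicts offsets covered twice with *different* bytes, i.e. the
                overlap ambiguity an inspector must report rather than
                silently resolve one way or the other
    """
    if not segments:
        return b"", [], []
    end = max(s.seq + len(s.data) for s in segments)
    buf = bytearray(end)
    covered = [False] * end
    conflicts = []
    for s in sorted(segments, key=lambda seg: seg.seq):
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if covered[off] and buf[off] != byte:
                conflicts.append(off)   # two pieces disagree about this byte
            buf[off] = byte             # policy here: later-starting piece wins
            covered[off] = True
    gaps = [off for off, ok in enumerate(covered) if not ok]
    return bytes(buf), gaps, conflicts


def inspect_stream(segments, signature=SIGNATURE):
    """Reassembling inspection.  Returns a verdict a detection pipeline could
    log: whether the signature appeared once the pieces were put back together,
    and whether conflicting overlaps or gaps make the stream ambiguous."""
    stream, gaps, conflicts = reassemble(segments)
    return {
        "signature_hit": signature in stream,
        "conflicting_overlaps": len(conflicts),
        "gaps": len(gaps),
    }


# Constructed sample: the marker is split over three out-of-order pieces,
# none of which contains the whole signature.
SPLIT_TRAFFIC = [
    Segment(11, b"-MAR"),
    Segment(0, b"GET /a EVIL"),
    Segment(15, b"KER HTTP/1.0"),
]

# Constructed sample with an ambiguous overlap: a second piece re-sends
# offsets 4..5 with different bytes.  Whichever copy the real endpoint keeps,
# the inspector cannot be sure, so it must surface the conflict.
OVERLAP_TRAFFIC = [
    Segment(0, b"EVIL-MARKER"),
    Segment(4, b"XX"),
]


if __name__ == "__main__":
    print("per-segment hits on split traffic:", per_segment_matches(SPLIT_TRAFFIC))
    print("reassembled verdict on split traffic:", inspect_stream(SPLIT_TRAFFIC))
    print("reassembled verdict on overlapping traffic:", inspect_stream(OVERLAP_TRAFFIC))
```

The overlap case is the instructive one: with the last-writer policy used here the marker is no longer visible in the rebuilt stream, so a reassembler that reports only `signature_hit` would still say "clean". Logging `conflicting_overlaps` (or dropping such streams outright, as a normalizing inspector would) is what turns the ambiguity into something an analyst can act on.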

1. New/Not New

While AETs have been attracting more and more attention recently, they have actually been with us for quite some time.

Expert insights (Kamal Hennou, Marco Cremonini, Andrew Blyth)

“Advanced evasion techniques were initially described by Thomas Ptacek and Timothy Newsham in their 1998 work, ‘Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.’ We’ve known about them and the danger they pose for some time.”

“AETs are not particularly important because they exhibit a bunch of new vulnerabilities that must be patched somehow. They are important because they ultimately demonstrate the fundamental flaw of existing protocol analysis that we all should have known about for the last 15-plus years.”

“Do they exist? Yes. Are they real? Yes. Have we seen them? Yes. Do they pose a threat? Yes. They’ve always been with us, and they’re not going away. The nature of the advanced evasion may change, but the core concept of advanced evasion techniques is constant.”

Andrew Blyth

2. A Growing Concern

AETs represent a real and growing concern, due in part to their increasing sophistication and in part to the proliferation of tools that make it easy for even inexperienced attackers to create and deploy them.

Expert insights (Andrew Blyth, Marco Cremonini)

“Are advanced evasion techniques a growing threat? Yes, but it’s important to quantify how it is growing. It’s growing in that more people now have access to advanced evasion techniques. Thanks to the Internet, it is much easier for someone wanting to deploy an evasion technique to get a hold of an AET and use it even if they’re relatively inexperienced.”

Andrew Blyth

“From a technical standpoint, it is now easier than ever to develop and deploy AETs. On the other side, the usual approach—to only ask for a new filtering technology or new patches to plug holes as they are discovered—has demonstrated natural limitations with AETs.”

Marco Cremonini

Security pros believe there are 330K AETs in existence. The actual number of AETs is 800M+.

3. Technology Is Not Enough

Technology can certainly help mitigate the threat posed by AETs, but it is not enough to eliminate the risk altogether. Competing priorities, lack of awareness, and a false sense of security all hinder effective security responses.

Expert insights (Kamal Hennou, Lawrence Pingree, Marco Cremonini, Andrew Blyth)

“It’s a matter of competing priorities. Companies tend to react to large numbers of attacks, and many are focusing more on network speed than network security.”

“My belief is that many security practitioners are largely unaware of the risks that advanced evasion techniques represent to their security. Although numerous configuration options exist in security products, many are not tuned by default for the most advanced protection against attackers.”

Lawrence Pingree

“AETs represent a three-sided problem. Measurement, risk management, and technology all need to be part of the response. Branded security solutions might address the technology, but without the other two, they can at best provide a measure of mitigation.”

“For every sword there’s a shield, and for every shield a sword. No solution is ever 100% perfect. Technology? It helps, but it’s only part of the solution. There needs to be more awareness, better education and better training.”

70% of CIOs and security managers believe they know what an AET is, but fewer than 50% can correctly define advanced evasion techniques.

4. Cause for Optimism?

When asked which side would evolve faster over the next decade—defenders or attackers—our experts expressed some optimism that defenders would pull out front, or at least keep pace.

Expert insights (Marco Cremonini, Kamal Hennou, Andrew Blyth, Lawrence Pingree)

“IT security will evolve faster, and we’ll see IT start thinking and working with different approaches and different integrated solutions.”

“I believe we will see next-generation firewalls evolve quickly to meet the needs of large companies … so whether security evolves faster depends on the degree to which large companies perceive the AET threat.”

Kamal Hennou

“Who will evolve faster? Both. Neither. It’s a war. They develop capability. We develop capability. They develop capability to counter our capability. It’s a cycle. Now…the nature of the attack surface is expanding to include additional points of entry, such as mobile devices. So on one level, it’s going to change. But on another, you say, nothing changes.”

“Security is a cat-and-mouse game. Attackers will always from time to time get ahead of our defenses, so providers must always seek to augment their technologies and strategies to compensate and mitigate the latest techniques.”

5. A People-Driven Future

How can organizations best protect themselves in the future? Technology certainly plays a significant role, but the experts we spoke with also stressed the human side of the security equation.

Expert insights (Andrew Blyth, Marco Cremonini)

“We will better protect ourselves by acting as humans did in prehistory, with adaptation, flexibility, intelligence, and a willingness to change and experiment. It’s time to start integrating different knowledge, different approaches, and different strategies.”

Marco Cremonini

“We need to embrace a socio-technical approach to security. Technology is part of the solution, but so is the way that people use that technology. People have to be flexible in the way that they work, but by the same token, the technology has to give people what they need. If technology gets in the way of users and what they’re trying to do, it’s useless. They will just find a way to circumvent it.”

Andrew Blyth

6. What’s Next?

You’ve just heard industry experts say that the game must change if organizations are going to be capable of meeting the security threats of tomorrow.

For more information visit www.mcafee.com/aet-hub

What do you think? Join the discussion: #NGFW #WhatsNext

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2014 McAfee, Inc.