Sunday, October 17, 2010

Discovery of Advanced Evasion Techniques (AET) Could Cause Headaches For IPS/NGFW Vendors

The Finnish security company Stonesoft said today it had found new techniques that bypass current security systems and which cyber-criminals could use to gain access to internal protected assets of many companies. Stonesoft said that as a result of the advanced evasion techniques (AETs) "companies may suffer a significant data breach including the loss of confidential corporate information."

Is this another round of hype or is there a genuine threat here?

Well, the bad news is that AETs do appear to exist. However, they are an extension of an existing threat category rather than a new one.

The problem is that a lot of in-line security devices - IPS in particular - don't do a particularly good job of coping with the basic evasions that are already out there, so anything layered on top of them is only going to make things worse.

Why is this a threat? Let's imagine you have something like Stuxnet, which has proven effective at spreading itself via remote exploits (among other techniques). Hopefully users will patch their systems, but in the meantime they deploy signatures on their IPS, thinking that buys them additional time to test and roll out patches. It would be a trivial matter to alter Stuxnet to incorporate these evasion techniques and so prolong its life - and don't forget that many users won't bother patching at all, and many more will delay; we know this is true from experience.

Or another scenario: I am a cyber criminal with a new exploit for which I paid $5000 and which guarantees 100% ownership of a particular system. This I have tested and verified. So I run it against a public-facing target and find it is ineffective. I can be pretty sure this is the result of in-line defenses. Do I throw out my $5k investment and move on? Not on your life. I deploy some simple evasion techniques and breeze on through.

For casual attacks by unskilled users of pre-packaged toolkits, evasion techniques are not widely used (though a number of the more advanced/expensive "blackware" tools do include them). For those involved in targeted attacks, however, they are in common use.

Right now Stonesoft has not released any of these tools (thank goodness!). Nor, I have to say, has it been particularly forthcoming in releasing any technical details. It claims that the AETs have been verified as real by independent test labs, but I have yet to see any evidence that this is true beyond a couple of vague quotes and sound bites. This has all the hallmarks of a carefully stage-managed publicity stunt.

That does not mean the threat is not real - I have seen the techniques in action and I am convinced they have the potential to cause significant mischief. There is a big difference, however, between watching a carefully managed demo by Stonesoft personnel over a secure link and getting one's hands dirty by testing hands-on. Right now it is possible that the majority of what is deemed "new" is little more than older techniques layered on top of one another (something I was doing a decade ago to test IDS products). That doesn't make them any less effective, of course; it just means that this particular announcement is more about marketing than security. Once I see some hands-on verification by a trusted third party I will be happier.

I am also convinced that Stonesoft is not the only one to have discovered these flaws. My guess is that this is just the tip of the proverbial iceberg. If I were making a living out of targeted attacks and cyber crime I would have been keeping these under my hat for a while now - I bet those shady folks are not happy that they are finally out in the open.

Even with the range of evasion tools and techniques currently freely available, however, security vendors have proven themselves incapable of handling even the most basic of those techniques. There are products on sale right now that I tested over 5 years ago and which still to this day cannot handle these issues. It is hard to do good TCP stream (and even IP packet) reassembly at high speeds - one major IPS vendor, for example, ships its IPS with all anti-evasion protection turned off by default because it is such a performance hog! It is not too much of a stretch to say that you might as well not bother deploying the thing at all if you are not going to switch it on.
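To make the reassembly point concrete, here is an added illustration (mine, not code from the original post, from Stonesoft, or from any IPS vendor) of two of the oldest TCP-level evasions: splitting an attack string across segments, and sending overlapping segments with conflicting contents. The signature string, the HTTP request and the two reassembly policies ("first" and "last") are simplifications constructed for the example; real TCP stacks use finer-grained overlap rules than this and differ from one another, which is exactly the ambiguity an overlap evasion exploits. All packets are built in memory; nothing is sent on the wire.

```python
"""Why per-packet signature matching fails, and why reassembly policy matters.

Constructed example: a naive IPS that matches per packet, a reassembling IPS
that assumes one host reassembly policy, and a target host that may use another.
"""
from dataclasses import dataclass

# Constructed for this example: the attack string an IPS signature looks for,
# and the full request an attacker wants the target host to see.
SIGNATURE = b"/cgi-bin/vulnerable"
REQUEST = b"GET /cgi-bin/vulnerable HTTP/1.0\r\n"


@dataclass
class Segment:
    """A TCP segment reduced to what matters here: relative seq number and payload."""
    seq: int
    data: bytes


def per_packet_match(segments, sig=SIGNATURE):
    """Naive IPS: looks for the signature inside each packet on its own."""
    return any(sig in s.data for s in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream as a receiving host would, in arrival order.

    policy="first": bytes already received keep precedence over later overlaps.
    policy="last":  a later overlapping segment overwrites earlier bytes.
    Both are simplifications of real stack behaviour (assumption of this example).
    Returns the contiguous prefix of the stream, stopping at the first hole.
    """
    buf = {}
    for s in segments:
        for i, byte in enumerate(s.data):
            off = s.seq + i
            if policy == "first" and off in buf:
                continue
            buf[off] = byte
    out = bytearray()
    while len(out) in buf:
        out.append(buf[len(out)])
    return bytes(out)


def stream_match(segments, policy="first", sig=SIGNATURE):
    """IPS that reassembles before matching, using an assumed host policy."""
    return sig in reassemble(segments, policy)


def split_evasion(payload=REQUEST, chunk=4):
    """Evasion 1: segment the request so no single packet holds the signature."""
    return [Segment(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def overlap_evasion():
    """Evasion 2: send a decoy, then an exact-overlap retransmission carrying the
    real bytes. Which version the host keeps depends on its reassembly policy."""
    return [
        Segment(0, b"GET /cgi-bin/"),
        Segment(13, b"index.html"),   # decoy, arrives first (10 bytes)
        Segment(13, b"vulnerable"),   # real payload, same offset, same length
        Segment(23, b" HTTP/1.0\r\n"),
    ]


def evaluate(segments, ips_policy, host_policy, sig=SIGNATURE):
    """Compare what the IPS decides with what the target host actually receives."""
    return {
        "per_packet_blocks": per_packet_match(segments, sig),
        "ips_blocks": stream_match(segments, ips_policy, sig),
        "host_exploited": sig in reassemble(segments, host_policy),
    }


if __name__ == "__main__":
    # Segmentation alone defeats the per-packet matcher but not a reassembler.
    print(evaluate(split_evasion(), "first", "first"))
    # -> {'per_packet_blocks': False, 'ips_blocks': True, 'host_exploited': True}
    # Overlap: an IPS that models the wrong host policy sees "index.html",
    # passes the stream, and the host reassembles "vulnerable" anyway.
    print(evaluate(overlap_evasion(), "first", "last"))
    # -> {'per_packet_blocks': False, 'ips_blocks': False, 'host_exploited': True}
```

The second case is the one that costs performance and gets switched off: the device has to track every byte of every stream and know (or guess) how each protected host resolves overlaps. An IPS that only normalises the "first" policy is blind to every target that behaves like "last", and vice versa.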

If there is one takeaway from this round of publicity it is that you should make sure that the IDS/IPS/NGFW product you are about to buy or have already installed is resistant to these kinds of evasion techniques - and don't just take the vendor's word for it. Run the basics yourself (IP fragmentation, TCP segmentation and overlapping segments, the classic Ptacek and Newsham evasions) against a known-detected attack, and check that the anti-evasion options are actually enabled in the configuration you ship, not just present in the data sheet.

I have a research note in the works covering evasion. Follow me on Twitter (@bwalder) to keep up with announcements of research note releases.

One final point - this stuff is applicable to IDS and in-line protection only (i.e. IPS/NGFW) and does not help bypass good anti-malware scanning or EPP. Defense in depth, folks... defense in depth...
