Wednesday, October 20, 2010

Storm In A Teacup? More on Advanced Evasion Techniques (AET)

Following my recent post on the Advanced Evasion Techniques (AET) "discovered" by Stonesoft, I thought I would update you with a few discoveries of my own.

After further investigation it would appear that there is not really that much that is actually new here. Don't get me wrong, there is certainly a threat here, and if there is one good thing that comes out of this it is that a few vendors might start taking evasion testing more seriously than they have in the past.

It appears that Stonesoft went through an independent testing process at the end of last year, failed several of the evasion tests, and started to do some research in order to improve their product. In developing their own tool to help them test, they started "fuzzing" the evasion techniques - an automated process which tries millions of random evasions, both in isolation and in various combinations, in order to find those which work. Bear in mind that it is possible to "evade" a typical TCP/IP stack too, so for an evasion test to be valid, it should allow a previously-detected exploit to bypass an IPS/IDS undetected whilst remaining capable of being reassembled by the target vulnerable host.

What they came up with was a number of new "discoveries", which under closer scrutiny appear to be techniques which have been well known for many years in the testing industry. In particular, they are laying claim to the discovery that layering multiple evasions - particularly evasions from different layers of the protocol stack - can succeed where single evasions will not. Well, I know for a fact that this technique - along with around 90% of the others which they are claiming are new - has been in use for 7 years or more in the testing industry. How do I know this? Because I was the one doing it!

As founder and CEO of NSS Labs, I pioneered a range of IPS/IDS/Firewall testing techniques which are still in use today. In particular, I devoted a significant amount of time to the study of evasion techniques and was using many of the "new" Stonesoft AETs - including the all-powerful layering - way back in the noughties. I had to use my own tools back then, developed in-house. That certainly made it a challenge to layer MSRPC fragmentation with TCP segmentation and IP fragmentation in the same attack, but it was doable. And I did it. What IS new from Stonesoft is the fancy Predator tool, which they are not releasing to anyone (sensibly). It is a GUI-driven "One Stop Evasion Shop" and looks a lot nicer than the multiple command line tools I developed....
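
To make two of the points above concrete (an evasion only counts if the target's stack can still reassemble the traffic, and layering TCP segmentation with IP fragmentation defeats a detector that matches per packet), here is an added toy model in Python. It is not the post's or Stonesoft's code; SIGNATURE, the Fragment fields and the generated traffic are constructed placeholders, and the "headers" are just enough to show the reassembly problem.

```python
# Added example, not the post's or Stonesoft's code; SIGNATURE and traffic are constructed.
from dataclasses import dataclass
from typing import Dict, List

SIGNATURE = b"ATTACK-PATTERN"  # constructed stand-in for a real IDS signature
@dataclass
class Fragment:  # one IP fragment of one TCP segment (toy header fields, no checksums)
    seg_seq: int   # sequence number of the TCP segment this fragment belongs to
    offset: int    # byte offset of this fragment within that segment
    total: int     # full segment length, so reassembly knows when it is complete
    data: bytes

def build_layered_traffic(payload: bytes, seg_size: int, frag_size: int) -> List[Fragment]:
    """Constructed input: TCP-segment the payload, IP-fragment each segment, send it reversed."""
    frags = []
    for seq in range(0, len(payload), seg_size):
        seg = payload[seq:seq + seg_size]
        for off in range(0, len(seg), frag_size):
            frags.append(Fragment(seq, off, len(seg), seg[off:off + frag_size]))
    return frags[::-1]

def naive_per_packet_match(frags: List[Fragment]) -> bool:
    """Detector that inspects each packet in isolation."""
    return any(SIGNATURE in f.data for f in frags)

def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the byte stream as the target host's stack would; raise if a segment never completes."""
    segments: Dict[int, Dict[int, bytes]] = {}
    totals: Dict[int, int] = {}
    for f in frags:
        segments.setdefault(f.seg_seq, {})[f.offset] = f.data
        totals[f.seg_seq] = f.total
    stream = b""
    for seq in sorted(segments):
        body = b"".join(segments[seq][off] for off in sorted(segments[seq]))
        if len(body) != totals[seq]:
            raise ValueError(f"segment {seq} incomplete: {len(body)}/{totals[seq]} bytes")
        stream += body
    return stream

def reassembling_match(frags: List[Fragment]) -> bool:
    """Detector that matches on the reassembled stream rather than per packet."""
    return SIGNATURE in reassemble(frags)

def evasion_is_valid(payload: bytes, frags: List[Fragment]) -> bool:
    """The post's validity rule: the target must still recover the original payload."""
    try:
        return reassemble(frags) == payload
    except ValueError:
        return False
```

Run with a 30-byte payload split into 10-byte segments and 4-byte fragments: the per-packet matcher never sees the whole signature, the reassembling matcher does, and dropping any fragment turns the traffic into an invalid evasion because the host could not reassemble it either.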

In addition, one of the "evasions" they have discovered seems to be less of an evasion and more of an exploitation of a particular bug which can be found in some IPS products. Again, part of a data leakage test which I was running against these products some years ago. I am surprised that it is still causing problems for some vendors... but there you go!

There is nothing new under the sun. What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques. Kudos to them for taking this so seriously - it should do wonders for the security of their IPS and firewall products. Hopefully it will also force other vendors to follow suit and take this more seriously. You, the customer, deserve that at least. There are far too many IPS/IDS products which are still today failing to protect against even the most basic of these techniques (as seen in recent independent tests), let alone the more complex variations Stonesoft is publicising. Signatures are just not enough!

But don't fall for the FUD here... nothing has changed. AETs are not the WMD that will bring our perimeter security to its knees. Yes, they are a serious problem, but no more serious than before Stonesoft launched its publicity drive. Except, of course, that the bad guys are watching too...

Don't forget to follow me on Twitter (@bwalder) to keep up with my blog entries, research notes and random thoughts on wine, coffee, Labradors, golf, life in France and.... oh yes.... security.
