Advanced Evasion Techniques

Introduction:

An evasion is a procedure which targets security systems with the primary objective of avoiding detection. Once the evasion has succeeded, an attacker may be empowered to deliver a malicious payload to the systems behind the security barrier. Many evasion methods exist for firewalls, intrusion detection devices, deep inspection routers and other network security devices.


An advanced evasion technique (AET) employs the following methods:

  •   Combining several existing evasion methods into a new and more potent technique
  •   Changing the combination of evasions during the attack
  •   Crafting network traffic that disregards protocol specifications
  •   Exploiting vulnerabilities and misconfigurations

Existing Security Device Limitations

In general, network security devices should perform traffic normalization on each TCP/IP layer. Oftentimes, the quest for higher performance rates supersedes thorough inspection of the TCP/IP stack and this practice creates opportunity for advanced evasions.

Traditional signature-based network security devices are unable to adequately handle data-stream inspection and hence only inspect individual segments or pseudo-packets. This is a design shortcoming: while such devices are effective at blocking known and recently discovered threats, they are useless against AETs. Next-generation firewalls and Intrusion Prevention Systems (IPS) apply protocol analysis in combination with pattern-matching signature detection.

The networks ordinarily resident in many business organizations encompass routers, switches, gateways, wireless access points, servers and user devices each running a particular version of an operating system that is vulnerable to attack. A well-managed patching system can significantly reduce the risk of exploitation but cases exist where newly released patches cannot be applied in the short term. Typical examples of this situation are supervisory control and data acquisition (SCADA) networks that are integral to industrial control systems (ICS). Similar to SCADA, security of programmable logic controllers (PLC) is also a concern. Unlike past models, these ICS are no longer completely isolated as some level of connectivity has been introduced to improve manageability and functionality. Hence the risk has increased for electric power grids and other utility networks.

The Solution!...Next Generation Forcepoint Firewall

The sheer volume of possible evasion combinations has challenged many cyber security vendors and resulted in several firewalls and IPSs currently installed being blind to sophisticated attacks based on AETs. Based on our extensive research we believe that the Forcepoint next generation firewall (NGFW) provides the best protection against exploits that leverage AETs. A pioneer in research on AETs, Stonesoft exposed the technique to the world in 2010 and developed the firewall to detect and protect networks against malicious code delivery through AETs. The Forcepoint NGFW has been successfully tested against more than 800 million AET variants.


The Stonesoft (now Forcepoint) NGFW applies the following capabilities to detect and defeat AETs:

  •   Full-stack, multilayer traffic normalization deconstructs and decodes packets.
  •   Stream-based data inspection and detection works better than individual packet inspection.
  •   Vulnerability-centric fingerprints detect exploits in normalized data streams.
  •   Evasions are removed, and their characteristics are logged in the context of the match.
  •   Continual process analysis looks at layers 2 through 7 and all protocols (TCP, UDP, and others).
  •   Alerts and reports on advanced evasions have a low false-positive rate.

Data Normalization for True Evasion Identification

A thorough and comprehensive data normalization process is the most effective way to protect networks from AETs and other threats that may otherwise disguise themselves and go undetected. Data normalization is the process of intercepting and storing incoming data so it exists in one form only. This eliminates redundant data and protects the data’s integrity. Stonesoft NGFW ensures that evasions are removed through the normalization process before the data stream is even inspected. This normalization is successful because it combines a data stream-based approach, layered protocol analysis, and protocol-specific normalization at different levels. It helps fortify a network’s three weakest points — traffic handling, inspection, and detection.

Full Stack Inspection

Traditional security defenses try to optimize throughput and performance by relying on partial inspection of normalized data. For more accurate detection, it is necessary to analyze and decode the data layer by layer. Since the attack may be obfuscated by evasions at many different layers, normalization and careful analysis must be carried out on the appropriate layer. Stonesoft NGFW decodes and normalizes traffic on all protocol layers, giving you full stack visibility for maximum detection accuracy, with minimal performance impact.
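To make the difference between segment-level inspection and stream-based normalization concrete, the following added example (not Forcepoint or Stonesoft code) reassembles a constructed TCP payload stream, logs conflicting overlaps as a normalization event, and then runs a signature match on the normalized stream. The signature, segments and first-byte-wins overlap policy are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes   # TCP payload of this segment

# Constructed signature and segments (not real traffic): the marker is split across
# two segments, and a third segment retransmits part of the range with different bytes.
SIGNATURE = b"EVIL-MARKER"
SEGMENTS = [
    Segment(1000, b"hello EVI"),
    Segment(1009, b"L-MARKER bye"),
    Segment(1006, b"ZZZ"),   # overlaps offsets 1006-1008 with conflicting content
]

def per_segment_match(segments, signature=SIGNATURE):
    """Pseudo-packet inspection: each segment is searched on its own."""
    return any(signature in s.data for s in segments)

def normalize_stream(segments):
    """Reassemble the stream in arrival order, keeping the first byte seen at each
    offset (an assumed policy; a real normalizer must mirror the end host's stack).
    Returns the normalized bytes and the offsets where overlaps disagreed."""
    seen = {}
    conflicts = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if seen[off] != b:
                    conflicts.append(off)   # evasion characteristic worth logging
            else:
                seen[off] = b
    if not seen:
        return b"", conflicts
    lo, hi = min(seen), max(seen)
    missing = [o for o in range(lo, hi + 1) if o not in seen]
    if missing:
        # A gap means inspection must wait for the missing data, not proceed blindly.
        raise ValueError(f"stream incomplete: gap at offset {missing[0]}")
    return bytes(seen[o] for o in range(lo, hi + 1)), conflicts

def stream_match(segments, signature=SIGNATURE):
    """Stream-based inspection: match against the normalized byte stream."""
    data, _ = normalize_stream(segments)
    return signature in data
```

Per-segment matching never sees the whole marker, while the normalized stream both matches and records the conflicting overlap for the alert context.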

Evader is a software-based, ready-made evasion test lab that permits the testing of security devices for susceptibility to AETs. Evader tests the ability of network security devices to detect, block, and report evasion-disguised exploits coming through public or internal networks. Devices that can be tested include next-generation firewalls, intrusion prevention systems (IPS), and unified threat management systems from all major vendors, including Forcepoint. More information on Forcepoint Evader may be accessed through the following link:

Forcepoint NGFW receives highest security efficacy score for 3rd time in a row in 2018 NSS Labs’ NGFW Test

TESTING YOUR NETWORK WITH EVADER

Let TRUSTWORTHY Systems Inc. be the catalyst for risky behavior, change and development of a better digital experience within your organization.