Sly new tactic sneaks hackers past security dogs
Advanced evasion techniques can bypass network security, warn experts
Updated A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.
So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.
Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic using these approaches before they can inspect payloads and block attacks.
AET take this basic approach to the next level. Traffic is disguised and modified using a variety of evasion techniques in several protocol layers. By bundling IP fragmentation and SMB session mixing together at the same time it's more likely that security defences will correctly handle garbled traffic. And if devices don't recognise combined attacks then it more likely that these assault will make their way past security defences.
AETs are already in circulation on the net as part of targeted attacks and offer a mechanism to bypass network security systems before attacking exposed enterprise servers, according to Stonesoft.
Stonesoft reported its find and sent samples of AETs to Finland's national computer security incident response team (CERT-FI) earlier this month. It also sent samples to ICSA Labs, an independent third-party testing and security product certification division of Verizon Business.
CERT-FI plans to issue an updated advisory on the attack technique later on Monday (18 October). Stonesoft reckons that AETs are a particular problem for firms that still rely on hardware-coded inspection engines, which may be difficult if not impossible to upgrade.
Amichai Shulman, CTO of database security firm Imperva, described the evasion technique as the latest round in the constant cat and mouse game between malicious crackers and security defenders.
"A lot of what attackers are doing today is about evasion at various levels, there is substantial vigilance out there," Shulman commented. ®
INVISIBLE NINJAS May Be Sneaking Up On You At This Very Moment
For only $999.95 plus taxes and shipping, INVISIBLE NINJA GUARD offers 100% protection from all current and future forms of INVISIBLE NINJA. Warning: inferior products do not feature INVISIBLE NINJA GUARD's patented 120 dB klaxon which sounds every 5 minutes to confirm that INVISIBLE NINJAS are NOT able to kill you.
Relevant to my interests.
Please sign me up for your newsletter.
I[D/P]S has always been mostly useless
Their warning basically boils down to "existing IDS can't detect exploits obfuscated in new or composite ways". Big deal. Everyone who knew anything about IDS systems have known that since the year dot.
A few years ago, IDS couldn't detect web based attacks where the exploit is encoded in unicode, or hexadecimal notation. Hell, early firewalls couldn't deal with fragmented packets. IDS is, and always has been a 'catch-up' protection like AV.
They do provide some value but they are not as much of a panacea as the various IDS vendors (Stonesoft included) have tried to make them out to be.
System defences can only be fully effective at the same network layer as the thing they are protecting. Encapsulation means that there are many ways of encoding or obfuscating things, so the application layer simply cannot be fully defended from filtering at the network layer.
What's the solution? Until your IDSs do full application protocol decode and analysis and block anything that they can't decode, there will always be scope to encapsulate and obfuscate attacks. Most firewalls now hold and reassemble fragmented packets before forwarding them, throwing away anything that doesn't fit.
I'll also try to ignore how the alarmist press release and PoC (OK, I can forgive the PoC) ignores that firewalls and properly configured servers actually make up much more than 1% of network defences as opposed to their "can bypass 99% of current security devices" claim.