
Mitigating advanced evasion techniques (AETs)

Malicious actors use many evasion techniques to bypass security controls. Attackers often combine several of them, for example disguising or modifying an existing exploit, to produce an intrusion that is very difficult to detect and, as a consequence, difficult to block.

This lets malicious payloads slip undetected into vulnerable systems sitting behind a security device. These tactics are malware authors' direct response to the visibility that today's most capable security products, including Next Generation Firewalls (NGFWs), give security administrators.

Forcepoint Security Labs splits evasion scenarios into three distinct categories: the inbound channel, the outbound channel, and evasion to reach denied resources. In the first, an attack uses evasion to slip through the network defences on the inbound channel. In the second, a payload that has already landed uses evasion on the outbound channel to call home. The best-known example of the third, evasion to reach denied resources, is Tor, the anonymity network behind the Tor Browser, which is used to anonymise web use and reach resources that policy would otherwise deny. Each of these scenarios, collectively known as advanced evasion techniques (AETs), is a major threat to an organisation's data security.

Advanced evasion techniques (AETs) are not a new type of threat; they have been used widely in the hacking community for years. Attackers use AETs to take a scatter approach to exploitation: the attack is split into many pieces that are individually almost untraceable, and the countless possible permutations of evasion methods make them far more successful at dodging current detection. So although an IPS, for example, might stop a known AET from breaching a network, it would most likely let through a similar attack that has been modified and disguised. Once inside the network, the pieces are reassembled, the malware is unleashed and an advanced persistent threat (APT) data-stealing attack proceeds.

Since AETs appeared there has been a long learning curve for security teams, marked by misunderstanding, misinterpretation and ineffective safeguards applied by IT departments. It takes time to establish the right protocols and procedures, and each time a new threat is unleashed or discovered the rules change again. Historically, setbacks have been caused by inadequate network traffic inspection, sporadic updates to software-based intrusion prevention systems (IPS) and stagnating firewall settings, all of which result in substandard protection.

Outdated IT infrastructure, rigid security architectures and high-maintenance systems compounded the problem, making it easier for attackers using AETs to get into the network.

Exposing evasion techniques

AETs work like conventional evasion techniques, combining new methods of disguise with known evasion techniques to circumvent virtually any network security solution. They continuously vary how an attack is disguised, including how the malicious payload is spread out across the network traffic, so that it reaches the network without being detected.

Malware and exploit authors have a large repertoire of evasive methods that manipulate the protocol-level stream to bypass detection, including:

  • IP fragmentation: the process of breaking a single Internet Protocol (IP) datagram into several smaller packets, specified in RFC 791. Fragmentation-based evasions use this feature as an attack vector by spreading the payload across multiple fragments, often delivered out of order or as overlapping fragments carrying different data, so that the inspecting device and the destination host can reassemble different datagrams.
  • TCP segmentation and out-of-order delivery: the Transmission Control Protocol (TCP), defined in RFC 793, uses sequence numbers so that the receiver can correctly reorder segments that arrive out of order. Attackers disguise attacks by sending segments out of order, or as overlapping retransmissions whose bytes differ from the data they overlap, so that the inspection device and the endpoint see different byte streams.
  • TCP URG pointer: RFC 793 also specifies the Urgent Pointer field, valid when the URG flag is set, which marks the presence of urgent (out-of-band) data. Many TCP stacks deliver the urgent byte out of band rather than in the normal data stream, so an inspector that keeps that byte inline during payload analysis sees a different stream from the one the host's application receives, which lets malicious or exploit code evade detection.

The updated role of the firewall

Protecting against AETs matters more every year as known cyber-security incidents continue to grow in number and sophistication. UK businesses lose in excess of £1 billion a year to online crime, and studies show that the average cost of a data breach has risen to £2.8 million, an increase of 29 per cent since 2013. This is an alarming indication of the risk that businesses face.

Although most businesses are aware of this, most network security systems are static, hardware-based solutions that are difficult and sometimes impossible to update, particularly at the pace at which threat patterns evolve. Where updating is possible it can be costly and time-consuming, and while an update may add protection against newly known threats, it cannot build in the flexibility to monitor for new AET variants. Administrators of this type of solution therefore cannot guarantee network security.

Comprehensive data normalisation is now widely considered the most effective way to protect networks from AETs and a vast number of other threats. Normalisation reassembles and decodes incoming traffic so that, whatever combination of fragmentation, segmentation or encoding was used on the wire, the inspection engine examines it in a single canonical form, the same form the destination host will see. Traditional inspection is packet-based; normalisation instead resolves redundant and overlapping data while preserving the integrity of the stream.

Network security experts choose data normalisation because it combines a stream-based approach, layered protocol analysis and protocol-specific normalisation at each level. This strengthens the three weakest points of the network: traffic handling, inspection and detection.
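The following Python is an added illustration, not code from the article or from Forcepoint. It is a toy TCP reassembler that applies two different ambiguity-resolution profiles to the same out-of-order, overlapping and URG-flagged segments (the evasions listed above), and then shows why the normalisation described here must rebuild the stream the way the destination host does before matching. The segments, the `/etc/passwd` signature and the two profiles (`NAIVE_INSPECTOR`, `TARGET_HOST`) are constructed for the demo; which overlap policy a real endpoint uses depends on its TCP stack, and the example makes no claim about any specific operating system.

```python
"""Reassembly ambiguities behind the evasions above, and target-based normalisation.

Added example, not from the article. Segments, signature and the two
profiles are constructed for the demo and are not a claim about any
specific operating system's TCP stack.
"""
from dataclasses import dataclass
from typing import Optional

SIGNATURE = b"/etc/passwd"  # constructed detection signature


@dataclass
class Segment:
    seq: int                      # relative sequence number of data[0]
    data: bytes
    urgent: Optional[int] = None  # index in data of the byte marked by the
                                  # URG pointer, or None when URG is not set


# How an implementation resolves two ambiguities in RFC 793 streams:
#   overlap: "first" keeps the bytes seen first, "last" lets later copies overwrite
#   urg:     "inline" keeps the urgent byte in the data stream,
#            "strip"  delivers it out of band (MSG_OOB) so the application never
#                     sees it in the normal stream
NAIVE_INSPECTOR = {"overlap": "first", "urg": "inline"}
TARGET_HOST = {"overlap": "last", "urg": "strip"}


def reassemble(segments, profile):
    """Rebuild the application byte stream from segments in ARRIVAL order."""
    stream = {}  # seq -> byte value, or None for a byte the application never sees
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if profile["overlap"] == "first" and pos in stream:
                continue  # an earlier copy of this sequence number wins
            if seg.urgent == i and profile["urg"] == "strip":
                stream[pos] = None
            else:
                stream[pos] = byte
    # Out-of-order arrival is undone simply by sorting on sequence number.
    return bytes(b for _, b in sorted(stream.items()) if b is not None)


def inspect(segments, profile):
    """True if the signature appears in the stream as rebuilt under `profile`."""
    return SIGNATURE in reassemble(segments, profile)


def evades(segments, inspector=NAIVE_INSPECTOR, host=TARGET_HOST):
    """An evasion succeeds when the host sees the attack but the inspector does not."""
    return inspect(segments, host) and not inspect(segments, inspector)


# Constructed sample 1: out-of-order delivery plus an overlapping
# retransmission whose bytes differ from the decoy they overlap.
OVERLAP_EVASION = [
    Segment(0, b"GET "),
    Segment(15, b" HTTP/1.0\r\n"),  # arrives before the bytes that precede it
    Segment(4, b"/etc/XXXXXX"),     # decoy covering seq 4..14
    Segment(9, b"passwd"),          # overwrites seq 9..14 with the real bytes
]

# Constructed sample 2: a junk byte inserted into the attack string and
# marked by the URG pointer so the host discards it from the data stream.
URG_EVASION = [
    Segment(0, b"GET /etc/p"),
    Segment(10, b"Qasswd", urgent=0),  # 'Q' at seq 10 is the urgent byte
    Segment(16, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for name, sample in (("overlap", OVERLAP_EVASION), ("urg", URG_EVASION)):
        print(name, "inspector sees:", reassemble(sample, NAIVE_INSPECTOR))
        print(name, "host sees:     ", reassemble(sample, TARGET_HOST))
        print(name, "evades naive inspection:", evades(sample))
    # Normalisation: rebuild the stream the way the target host will, then match.
    print("normalised match:", inspect(OVERLAP_EVASION, TARGET_HOST))
```

Under the naive profile the inspector reconstructs `GET /etc/XXXXXX ...` and `GET /etc/pQasswd ...`, neither of which matches the signature, while the host reconstructs `GET /etc/passwd ...` from both samples. A normalising engine therefore has to know, per destination, which profile the endpoint really uses (target-based or host-profiled inspection) and match only against the stream rebuilt under that profile; guessing the wrong profile simply reopens the gap.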

For security solutions to be effective against dynamic and evolving AETs, they must be quick and easy to update, so that as soon as a new variant is announced, software-based IPS and firewall systems can be updated automatically and remain state of the art and a worthy barrier in the fight against cybercrime.

Carl Leonard, Principal Security Analyst for Forcepoint Security Labs


Carl Leonard
Carl Leonard is a Principal Security Analyst within Forcepoint’s Security Labs team. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Security Labs teams.