
Advanced Evasion Techniques allow stealthy perimeter attacks

Network perimeters are under attack. That's not news, but the techniques now being used are. Michael Kassner reports on AETs -- Advanced Evasion Techniques.

A friend and fellow IT-type called last week. "What do you know about AET?" Not wanting to appear deficient, I quickly googled it while asking about her family -- smooth, huh? There were plenty of links, but nothing of interest to either of us. Great.

With as much decorum as I could muster, I said, "Why, you thinking about buying solar panels?" (Alternate Energy Technologies was the first hit on Google that made any sense.)

"What on earth are you talking about?" she asked. "You have no idea, do you?"

Time for me to fess up. "Nope."

"I know you're searching right now, so look up Advanced Evasion Technique (AET)." I did and there wasn't much to find. But, I had an idea. If there are advanced techniques, there must also be regular ones.

Fortunately, Wikipedia came to the rescue with the entry: Intrusion Detection System Evasion Techniques.

"Evasion is a term used to describe techniques of bypassing an information security device in order to deliver an exploit, attack, or other malware to a target network or system, without detection."

Evasion techniques have been talked about since 1998. Where have I been? More importantly, what are AETs? I told my friend I'd check into it if she would as well. First one to find anything wins; oops, I mean calls.

Game on.

Advanced Evasion Techniques

I had an idea. I've asked Rick Moy, CEO of NSS Labs, for his help many times before, and an NSS Labs forte is pen testing perimeter devices. Here's what he had to say about AETs:

"Evasions let an attacker disguise or hide their attacks to circumvent security products. AETs are combinations of evasions which make them even harder to catch.

AET is a recent marketing term and probably why it's not popular yet. Regardless, the threat caused by AETs is very real. People should be concerned and ensure their security can cope with them.

NSS has been testing evasions for years and AETs are a big part of our testing this year."

Rick saying that NSS Labs is already testing for AETs was huge. With some sleuthing, I was able to learn that Rick tested products developed by Stonesoft.com. And, Stonesoft has a website, Antievasion.com, dedicated to AET research.

A phone call was now in order, but not to my competitive friend -- not just yet. Instead, I got in touch with the people at Stonesoft, telling them about my predicament. Heather Pritchett, PR spokesperson, acted as my intermediary:

Kassner: The term "evasion techniques" is not used a great deal. What does it mean to Stonesoft?

Stonesoft: Technically speaking, evasion techniques are a method of, as Rick said, disguising an attack in a specially-crafted way to avoid detection by IPS/IDS with the intent of delivering an attack to the intended target.

More than that, evasion techniques represent an area of IPS/IDS research that has been largely neglected because of their somewhat esoteric nature compared with the hype that surrounds other threats such as "zero-day" attacks, worms, and other easier-to-digest concepts. Stonesoft considers evasions to be of particular importance because, with the proper motivation (money), evading an IPS is not that difficult.

And for hackers, with dollar signs in their eyes, making a small investment of time and energy to develop automated tools to generate many combinations of evasions in an effort to slip past the IPS/IDS is well worth the time. Therefore, Stonesoft is willing to invest time and effort in perfecting how normalization is done and sharing our research with the security community.

Kassner: Would you assume Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to be the main defense against mainstream evasion techniques? Are they effective?

Stonesoft: Yes. IPS/IDS devices are well suited to the task. They are, usually, dedicated devices with the goal of determining if the information they see is carrying an attack. Part of this is spotting attempts to hide the attack by making the data stream look incorrect, odd, or just plain confusing.

For the most part, IPS/IDS devices are quite good at this, as long as the evasion technique in use does not go too far beyond the boundaries of traditional evasion techniques. When evasions are performed at multiple levels of the stack, simultaneously, then the efficacy of IPS/IDS devices drops precipitously.

Kassner: I read that in 2010, Stonesoft took on a unique challenge. The development team decided to become experts on evasion techniques in order to develop anti-evasion capabilities. How did that work out?

Stonesoft: We were surprised at what we found. The tools required to create advanced evasions are well within the means of hackers. Moreover, simple combinations of evasions are quite effective at bypassing most IPS/IDS devices on the market today.

This led us to investigate ways to improve IPS/IDS devices and ways to improve normalization in the long run. The research exposed some weaknesses in modern IPS/IDS devices that require immediate attention to ensure IPS/IDS devices are delivering the protection that customers expect. Hackers are not easily dissuaded. Money is a powerful motivator.

Kassner: During the course of investigating, Stonesoft researchers found what they call Advanced Evasion Techniques (AET), 23 of them, in fact. What is different about AETs?

Stonesoft: In a nutshell, traditional evasion techniques for IDS/IPS devices involve specific manipulations in one layer of the OSI model.

For example, at the IP layer, one could fragment the packet in an effort to confuse the IPS or overwhelm its ability to make any sense of a bunch of fragments. Fortunately, this technique and other similar ones are well known.

AETs, on the other hand, involve multiple manipulations to several layers of the OSI model, simultaneously. A good example would be segmenting a packet at the level of TCP and then reversing the order of the data that the receiving host sees at another layer.

When one evasion is used, IPS/IDS devices are adept at spotting it. However, when multiple evasions are used in the same packet, IPS/IDS devices have a difficult time making sense of the packet, a process referred to as normalization.

When a packet cannot be properly normalized, i.e., the IPS/IDS cannot make heads or tails of what it's seeing, then, by design, the IPS/IDS must allow the packet, thereby permitting a malicious payload it may be carrying. Where firewalls have a default deny posture, IPS/IDS have a default allow posture.

For reference, the OSI model breaks communications over the internet down into layers. For example:

  • Layer 7: Application (Example protocol: HTTP, SMTP)
  • Layer 6: Presentation (Example protocol: ASCII)
  • Layer 5: Session (Example protocol: MSRPC)
  • Layer 4: Transport (Example protocol: TCP)
  • Layer 3: Network (Example protocol: IP)
  • Layer 2: Data Link (Example protocol: ARP)
  • Layer 1: Physical connectivity

A manipulation at any one layer, and an IPS/IDS will probably catch it. Manipulate more than one, creatively, and that's a different ball game. If an attacker can successfully create a packet that sufficiently overwhelms the IPS/IDS's capability to make sense of it (normalization), then it goes through.
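The two-layer case described above, as an added illustration in Python (example code, not Stonesoft's or NSS Labs'): the attack stream is cut into TCP segments too short to hold the signature, every segment is then fragmented at the IP layer, and the whole wire order is reversed. A detector that scans packets one at a time misses it; one that reassembles only IP and scans each segment on its own also misses it, although it does catch the same payload when fragmentation is the only evasion applied; only reassembly at both layers recovers the stream. A conflicting overlapping fragment shows the other half of the argument: when the stream cannot be normalized, the fail-open setting reproduces the default-allow posture. The toy "headers", the signature string and the two payloads are constructed for the demonstration; a real engine parses real IP and TCP headers.

```python
"""Toy model of a multi-layer evasion against a signature IDS (added example)."""
from dataclasses import dataclass
from typing import Optional

SIGNATURE = b"/bin/sh"                                     # constructed signature
ATTACK = b"GET /cgi-bin/exploit?cmd=/bin/sh HTTP/1.0\r\n"  # constructed payload
CLEAN = b"GET /index.html HTTP/1.0\r\n"                    # constructed payload


@dataclass
class Fragment:
    """One IP fragment on the wire (layer 3)."""
    ip_id: int    # shared by all fragments of one datagram
    offset: int   # byte offset of this fragment inside the datagram
    data: bytes


@dataclass
class Segment:
    """One TCP segment (layer 4): what IP reassembly hands upward."""
    seq: int
    data: bytes


def evade(payload: bytes, seg_size: int = 5, frag_size: int = 2) -> list:
    """Layer 4: cut the stream into segments too short to hold the signature.
    Layer 3: fragment every segment. Then reverse the whole wire order."""
    wire = []
    for ip_id, seq in enumerate(range(0, len(payload), seg_size)):
        # Toy TCP header: 4-byte big-endian sequence number, then the data.
        datagram = seq.to_bytes(4, "big") + payload[seq:seq + seg_size]
        for off in range(0, len(datagram), frag_size):
            wire.append(Fragment(ip_id, off, datagram[off:off + frag_size]))
    wire.reverse()
    return wire


def reassemble_ip(wire) -> Optional[list]:
    """Layer 3 normalization. Returns None when a datagram has a hole or two
    fragments overlap with different bytes (no single correct view exists)."""
    buffers = {}
    for f in wire:
        buf = buffers.setdefault(f.ip_id, {})
        for i, b in enumerate(f.data):
            if buf.get(f.offset + i, b) != b:
                return None  # conflicting overlap: ambiguous
            buf[f.offset + i] = b
    segments = []
    for buf in buffers.values():
        if sorted(buf) != list(range(len(buf))):
            return None  # hole: datagram incomplete
        raw = bytes(buf[i] for i in range(len(buf)))
        segments.append(Segment(int.from_bytes(raw[:4], "big"), raw[4:]))
    return segments


def reassemble_tcp(segments) -> Optional[bytes]:
    """Layer 4 normalization: put segments back in sequence order."""
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq != len(stream):
            return None  # gap or overlap between segments: ambiguous
        stream += s.data
    return bytes(stream)


def verdict_per_packet(wire) -> str:
    """No normalization: look for the signature inside each wire packet."""
    return "drop" if any(SIGNATURE in f.data for f in wire) else "allow"


def verdict_ip_only(wire) -> str:
    """One-layer normalization: reassemble IP, then scan each segment alone."""
    segments = reassemble_ip(wire)
    hit = segments is not None and any(SIGNATURE in s.data for s in segments)
    return "drop" if hit else "allow"


def verdict_full(wire, fail_open: bool = True) -> str:
    """Two-layer normalization. When the stream cannot be normalized,
    fail_open=True reproduces the default-allow posture described above."""
    segments = reassemble_ip(wire)
    stream = reassemble_tcp(segments) if segments is not None else None
    if stream is None:
        return "allow" if fail_open else "drop"
    return "drop" if SIGNATURE in stream else "allow"


def ambiguous_wire() -> list:
    """The attack plus a conflicting overlap for datagram 0: the target host
    may keep the first or the last copy, so the IDS cannot know its view."""
    return evade(ATTACK) + [Fragment(0, 0, b"\xff\xff")]


if __name__ == "__main__":
    for name, fn in [("per packet", verdict_per_packet),
                     ("IP only", verdict_ip_only), ("IP + TCP", verdict_full)]:
        print(f"{name:10}: attack={fn(evade(ATTACK))} clean={fn(evade(CLEAN))}")
    print("fragmentation only, IP-only normalizer:",
          verdict_ip_only(evade(ATTACK, seg_size=64)))
    print("ambiguous: fail-open", verdict_full(ambiguous_wire()),
          "/ fail-closed", verdict_full(ambiguous_wire(), fail_open=False))
```

The point to take from the fail-closed branch is the one raised later in the comments: dropping everything the engine cannot normalize is a policy choice the operator can make, at the cost of also dropping legitimate traffic that happens to arrive fragmented, reordered or overlapping.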

Kassner: What does Stonesoft intend to do with its research? Also, how is the security community responding to your findings?

Stonesoft: Starting last year, we have been working with CERT to disclose samples of the evasions we have been testing. We are doing this in an effort to jostle the security community to redress the weaknesses in the ability of IPS/IDS devices to spot evasions if more than one is used at the same time.

Reactions to our research have been a mixture of skepticism and concern. Some believe that AETs are impractical and unlikely, while others see this as a logical next step for hackers in the never-ending struggle to make more money off online information.

Many have asked if these AETs have been observed in the wild. Because of their nature, and because mechanisms are poorly adapted to identify them, it is quite possible that they are already in use. To that end, we feel research in this area is warranted and well worth it to provide the best level of protection possible.

Final thoughts

Another initialism is not what I wanted. Regardless, AETs are here whether I like it or not. And, until IDS/IPS developers can figure it out, we need to be extra careful.

Almost forgot. I did finally call my friend. She was pretty excited. But not about AETs. She just bought a solar-charging system for her iPhone.


30 comments
Charles Bundy

Enjoyed learning something new today! Caution rambling follows... An IPS would have to be 'inline' to process (and potentially deny) traffic. LOTS 'O traffic... Thus there is only a small window of processing that can be done on the bitstream before everything starts to back up. If you present a large enough 'picture' through AET you won't see things beyond the 'window frame'. IDS on the other hand could be either 'inline' or 'parallel'. But even if it is in parallel and snooping on traffic, there is again that processing time in which enough scenery will overwhelm the IDS. At a guess I would assume someone has to be conducting research into specialized hardware, including massive parallelization to make that 'window' really big wrt pattern recognition (content and behavior.) ADDENDUM After reading the evasion website I'm also afraid... It sounds like if you have already been compromised internally, they aren't certain they could detect point to point traffic using AET...

Dusterman

Michael .. .. I always learn something when you post :-)

rutledgepj

Maybe I am missing the point; however, it seems to me that the initial approach would be for IPS/IDS to be set up with a default deny posture. Based on the article this would at least deter the multiple attack of the stack, causing the IPS/IDS to default (to the allowed posture) with the door wide open because the confusion factor is exploited.

AnsuGisalas

Does the IPS/IDS system use the lower-level content to verify the normalization of the higher levels? Isn't it then comparable to a double encryption, with two different ciphers in serial? I take it the stream it monitors would be fatally disrupted by a default-deny setting?

HAL 9000

Just what we need, another attack vector that we can not adequately guard against. I think I'll just slit my wrists now and save the pain and suffering later. Col ;)

santeewelding

You manage to get away from the subject of security without getting away from it. Let me explain. AET is another assault in an unending affair of online assault. It is another, "Now, what?" You don't do it that way. You do, but you don't. You bring something to it. You bring your own self. You bring hope, along with a wink. It's what I come to expect: One who knows the thing backward and forward, communicating that between the lines, and a helpful way through the sordid affair with hopeful material. Thank you.

seanferd

I really can't comment further, except to thank you for the article.

Michael Kassner

Advanced Evasion Techniques consist of multiple attack vectors melded together. Doing so, overloads/confuses security devices or apps to a point where the malware traffic is allowed to pass.

Spitfire_Sysop

A UTM is inline filtering and it is multi-layered. A UTM is much more than a firewall; it also filters HTTP, virus-scans files, does IPS and IDS, and it can make you lunch. All without slowing down your communications much. You need some good hardware if you have over 100 users. Try this one: www.untangle.com

Spitfire_Sysop

As with anything that works on a blacklist, if the traffic doesn't match a signature it must be passed. Worse than a bottleneck, you would shut off all communication if you set them to fail closed. In order to create a whitelisting IPS/IDS you would first have to give it a list of every type of packet it will ever see, and any traffic that didn't match your approved communications would be implicitly denied. This is how a firewall works on layer 7, except it would be much more difficult at layers 4, 3 and 2. It's possible but I've never seen it done.

Michael Kassner

As I mentioned earlier, I am not an expert, but I suspect the problem is that default-deny would create a bottleneck.

Michael Kassner

I'm not an expert, but my take is that as you move through the stack, the previous information is shed. To me that means there is not as you say a re-encrypting. I also suspect that default-deny would be terribly inefficient, resulting in significantly less traffic capacity.

Michael Kassner

You have too much to offer. Besides misery loves company.

Michael Kassner

It is an interesting race on the perimeter. IPS versus pen testing.

Alpha_Dog

Untangle is good, but while you are at it, check out Endian Community Firewall.

JCitizen

Ha! :D Maybe I could firmware flash my UTM with this new fangled code! :p

ed34222

As long as IPS hardware speeds are there, then why not switch to a denial default? As it is now, the number of snort signatures being processed by IDS/IPS systems requires faster hardware than in the past anyway. If the packet can't be processed, due to problems with it, why can't the pre-processor kick it, and actually speed up the overall traffic by having fewer bad packets to reject later? The standard snort pre-processor already does a bunch of rejections by default, even some that create headaches for web admins; so, rejecting unrecognizable packets actually seems like a good idea; although, perhaps I'm missing something.

AnsuGisalas

This is something I don't understand. Where does the problem with multiple evasions come from? I read between the lines that exploit efficiency increases dramatically with even just two evasions at once, but why is that? It can't simply be a cumulative efficiency, because that wouldn't give the right form of increase. It sounds like something in the presence of a second layer of evasion makes the normalization of the first layer harder, and vice versa, giving perhaps exponential increase in efficiency. Did I get this wrong?

JCitizen

I like my CheckPoint UTM - most configurations are automatic, and it always seems like the competitors have some kind of detraction, like no PPPoE or limited VPN capability, or the software packages are too expensive. I'm just not sure. The hardware on the Untangle looks interesting, but I'da know. The Endian appliance in the same range as mine looks limited, but that ARM processor may be better. I'm pretty spoiled with the support and ease of use and reliability of my Safe@Office 500W; I be thinking of upgrading to the 1000WN.

Spitfire_Sysop

I have used both. I found a directly proportionate relationship between functionality and resource use. I was able to use Endian on an old P3 server that refused to run Untangle at all. So if you are looking for a great little in-line filter to run on a small or cheap device then Endian is the clear winner. Untangle has more features and as a consequence it needs more hardware. I find Untangle to be more user friendly as well. This is why I recommend it to people.

Spitfire_Sysop

It is a blacklist. You would have to write an engine from the ground up that can recognize "good" traffic on its whitelist. That is the opposite of what snort currently does. The problem then becomes encrypted packets. Due to their nature you just have to pass them.

Michael Kassner

I have a suspicion that it depends on where, what, and when the IPS checks each section of the packet. That's a guess on my part, to be honest, but it comes from my work with packet traces.

AZ_IT

It seems to me that if an IPS/IDS just dropped all packets that were not formed correctly then this problem would be solved. Packets from legitimate sources should flow freely since they are formed and formatted properly, or should be. How frequently are legitimate packets corrupted? And how? However, someone brought up the issue of encryption. I haven't looked myself, but I suppose encrypted packets also appear to be malformed or incorrectly formatted. Is that where the problem lies? Either deny by default and lose encryption, or allow by default to ensure that you receive encrypted traffic? At our office we use VPN, which is obviously completely encrypted; couldn't you simply place the IPS/IDS behind the firewall where the encryption ends and solve that problem? PS. Michael, thanks for a great article!

Alpha_Dog

The issue is that as the data rate increases, so does the potential for threats. This causes the data that must be evaluated to increase in volume at a greater rate than the data rate. It's not a geometric progression, but it's close. In order to keep the data flowing, most commercial firewalls will hit an "Aw, screw it" point and pass everything they can't inspect since they are based upon a blacklist (allow all, deny anything on the list). Following NSA's configuration guidelines will cut this threat down closer to zero, but will significantly affect the ability to put data through the wall in the event of a significant attack on a high volume network, particularly if it's polymorphic. One would not expect a firewall application to be CPU intensive, but the good ones are. Our commercial offering uses a dual core processor, while the "big and bad" prototype we have guarding the office is a quad core with specific processes assigned to hardware (partitioned). During a heavy attack our firewall has hit 85% load, but only lost connection once the IDS determined the threat was credible and nuked the port temporarily.

AnsuGisalas

Is it so that the default-allow kicks in after a certain time has passed? Because, apparently the engine doesn't keep crunching at it until it has an answer, it cuts to "don't know = allow" at some point. Did I get that right? If that's how it is then I understand how stacking the evasions can in effect deny normalization, the trail grows cold before it catches up.

Stonesoft1

You are exactly right. IPS devices are quite good at looking for evasions when just one is used at any layer of the stack at any given time. But, when the second, third, etc. is added, there is a large increase in resources required to properly and completely decode the packet to find the actual attack. The reason is that the normalization engine is not designed to handle normalization in higher layers or perhaps it lacks resources. In either case, IPS devices have evolved largely in response to confirmed exploits and evasions without a keen eye on the future. Here we have a logical evolution in evasions and IPS devices will, no doubt, be playing catch-up for a while until normalization engines are made more efficient and modular so that they can be updated as signatures are today. Efficiency is key here. As you noted, the addition of just one evasion, let alone 2 or 3, presents a significant problem for current normalization. The trick is to increase the efficiency, anticipate logical combinations of evasions, and re-design normalization with the idea that more than one evasion is very effective in bypassing security.

Spitfire_Sysop

I think it has to do with the time it takes to process each packet. If you spend too much time analyzing packets you will eventually fill up your buffer and start dropping packets. Your choices at this point are to become the victim of a DoS due to your packet backlog or to pass the packets to keep up with the traffic.

Michael Kassner

I have passed your questions onto Stonesoft. Hopefully, they will answer. Something that might help are the chapters and packet traces that are at the Antievasion website: http://www.antievasion.com/
