Advanced Evasion Techniques allow stealthy perimeter attacks

Network perimeters are under attack. That's not news, but the techniques now being used are. Michael Kassner reports on AETs -- Advanced Evasion Techniques.

A friend and fellow IT-type called last week. "What do you know about AET?" Not wanting to appear deficient, I quickly googled it while asking about her family -- smooth, huh? There were plenty of links, but nothing of interest to either of us. Great.

With as much decorum as I could muster, I said, "Why, you thinking about buying solar panels?" (Alternate Energy Technologies was the first hit on Google that made any sense.)

"What on earth are you talking about?" she asked. "You have no idea, do you?"

Time for me to fess up. "Nope."

"I know you're searching right now, so look up Advanced Evasion Technique (AET)." I did and there wasn't much to find. But, I had an idea. If there are advanced techniques, there must also be regular ones.

Fortunately, Wikipedia came to the rescue with the entry: Intrusion Detection System Evasion Techniques.

"Evasion is a term used to describe techniques of bypassing an information security device in order to deliver an exploit, attack, or other malware to a target network or system, without detection."

Evasion techniques have been talked about since 1998. Where have I been? More importantly, what are AETs? I told my friend I'd check into it if she would as well. First one to find anything wins; oops, I mean calls.

Game on.

Advanced Evasion Techniques

I had an idea. I've asked Rick Moy, CEO of NSS Labs, for his help many times before. And, an NSS Labs forte is pen testing perimeter devices. Here's what he had to say about AETs:

"Evasions let an attacker disguise or hide their attacks to circumvent security products. AETs are combinations of evasions which make them even harder to catch.

AET is a recent marketing term and probably why it's not popular yet. Regardless, the threat caused by AETs is very real. People should be concerned and ensure their security can cope with them.

NSS has been testing evasions for years and AETs are a big part of our testing this year."

Rick saying that NSS Labs is already testing for AETs was huge. With some sleuthing, I was able to learn that Rick tested products developed by Stonesoft. And, Stonesoft has a website dedicated to AET research.

A phone call was now in order, but not to my competitive friend -- not just yet. Instead, I got in touch with the people at Stonesoft, telling them about my predicament. Heather Pritchett, PR spokesperson, acted as my intermediary:

Kassner: The term "evasion techniques" is not used a great deal. What does it mean to Stonesoft?

Stonesoft: Technically speaking, evasion techniques are a method of, as Rick said, disguising an attack in a specially-crafted way to avoid detection by IPS/IDS with the intent of delivering an attack to the intended target.

More than that, evasion techniques represent an area of IPS/IDS research that has been largely neglected because of their somewhat esoteric nature compared with the hype that surrounds other threats such as "zero-day" attacks, worms, and other easier-to-digest concepts. Stonesoft considers evasions to be of particular importance because, with the proper motivation (money), evading an IPS is not that difficult.

And for hackers, with dollar signs in their eyes, making a small investment of time and energy to develop automated tools to generate many combinations of evasions in an effort to slip past the IPS/IDS is well worth the time. Therefore, Stonesoft is willing to invest time and effort in perfecting how normalization is done and sharing our research with the security community.

Kassner: Would you assume Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to be the main defense against mainstream evasion techniques? Are they effective?

Stonesoft: Yes. IPS/IDS devices are well suited to the task. They are, usually, dedicated devices with the goal of determining if the information they see is carrying an attack. Part of this is spotting attempts to hide the attack by making the data stream look incorrect, odd, or just plain confusing.

For the most part, IPS/IDS devices are quite good at this, as long as the evasion technique in use does not go too far beyond the boundaries of traditional evasion techniques. When evasions are performed at multiple levels of the stack, simultaneously, then the efficacy of IPS/IDS devices drops precipitously.

Kassner: I read that in 2010, Stonesoft took on a unique challenge. The development team decided to become experts on evasion techniques in order to develop anti-evasion capabilities. How did that work out?

Stonesoft: We were surprised at what we found. The tools required to create advanced evasions are well within the means of hackers. Moreover, simple combinations of evasions are quite effective at bypassing most IPS/IDS devices on the market today.

This led us to investigate ways to improve IPS/IDS devices and ways to improve normalization in the long run. The research exposed some weaknesses in modern IPS/IDS devices that require immediate attention to ensure IPS/IDS devices are delivering the protection that customers expect. Hackers are not easily dissuaded. Money is a powerful motivator.

Kassner: During the course of investigating, Stonesoft researchers found what they call Advanced Evasion Techniques (AET), 23 of them, in fact. What is different about AETs?

Stonesoft: In a nutshell, traditional evasion techniques for IDS/IPS devices involve specific manipulations in one layer of the OSI model.

For example, at the IP layer, one could fragment the packet in an effort to confuse the IPS or overwhelm its ability to make any sense of a bunch of fragments. Fortunately, this technique and other similar ones are well known.

AETs, on the other hand, involve multiple manipulations to several layers of the OSI model, simultaneously. A good example would be segmenting a packet at the level of TCP and then reversing the order of the data that the receiving host sees at another layer.

When one evasion is used, IPS/IDS devices are adept at spotting it. However, when multiple evasions are used in the same packet, IPS/IDS devices have a difficult time making sense of the packet, a process referred to as normalization.

When a packet cannot be properly normalized, i.e., the IPS/IDS cannot make heads or tails of what it's seeing, then, by design, the IPS/IDS must allow the packet, thereby permitting a malicious payload it may be carrying. Where firewalls have a default deny posture, IPS/IDS have a default allow posture.

For reference, the OSI model breaks communications over the internet down into layers. For example:

  • Layer 7: Application (Example protocol: HTTP, SMTP)
  • Layer 6: Presentation (Example protocol: ASCII)
  • Layer 5: Session (Example protocol: MSRPC)
  • Layer 4: Transport (Example protocol: TCP)
  • Layer 3: Network (Example protocol: IP)
  • Layer 2: Data Link (Example protocol: ARP)
  • Layer 1: Physical connectivity

A manipulation at any one layer, and an IPS/IDS will probably catch it. Manipulate more than one, creatively, and that's a different ball game. If an attacker can successfully create a packet that sufficiently overwhelms the IPS/IDS's capability to make sense of it (normalization), then it goes through.
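To make the normalization point concrete, here is an added illustration (written for this article, not Stonesoft's or NSS Labs' code) of a small TCP stream normalizer: a per-segment matcher misses a signature that is split across segments arriving out of order, a reassembling normalizer catches it, and when a segment is missing the result depends entirely on whether the device is configured default-allow or default-deny. The signature string, segments and function names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed placeholder standing in for a real IDS rule's content match.
SIGNATURE = b"SAMPLE-SIGNATURE"


@dataclass(frozen=True)
class Segment:
    seq: int     # TCP sequence number, relative to the start of the stream
    data: bytes


def naive_inspect(segments):
    """Per-segment matcher: inspects each segment in arrival order, in isolation."""
    return any(SIGNATURE in s.data for s in segments)


def normalize(segments, start_seq=0):
    """Reassemble the stream by sequence number.
    Returns (stream, complete); complete is False when a hole is found,
    i.e. the stream cannot be fully normalized."""
    stream = bytearray()
    expected = start_seq
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:            # hole: a segment has not arrived
            return bytes(stream), False
        overlap = expected - s.seq      # tolerate retransmitted overlap
        stream += s.data[overlap:]
        expected = max(expected, s.seq + len(s.data))
    return bytes(stream), True


def normalizing_inspect(segments, default_allow=True):
    """Match against the reassembled stream. True means alert/block.
    If normalization fails, the configured posture decides the outcome."""
    stream, complete = normalize(segments)
    if SIGNATURE in stream:
        return True
    if not complete:
        return not default_allow        # default-allow passes what it cannot parse
    return False


# Constructed sample: signature split across three segments, delivered out of order.
EVASIVE = [Segment(13, b"NATURE trailing"), Segment(0, b"xx SAMPLE"), Segment(9, b"-SIG")]
# Same stream with the middle segment missing: cannot be normalized.
GAPPED = [Segment(13, b"NATURE trailing"), Segment(0, b"xx SAMPLE")]
```

With the default-allow posture the gapped stream is waved through, which is exactly the behaviour the interview describes; a defender tuning an IPS wants that decision to be a deliberate configuration choice rather than an accident of the parser.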

Kassner: What does Stonesoft intend to do with its research? Also, how is the security community responding to your findings?

Stonesoft: Starting last year, we have been working with CERT to disclose samples of the evasions we have been testing. We are doing this in an effort to jostle the security community to redress the weaknesses in the ability of IPS/IDS devices to spot evasions if more than one is used at the same time.

Reactions to our research have been a mixture of skepticism and concern. Some believe that AETs are impractical and unlikely, while others see this as a logical next step for hackers in the never-ending struggle to make more money off online information.

Many have asked if these AETs have been observed in the wild. Because of their nature, and the fact that mechanisms are poorly adapted to identify them, it is quite possible that they are already in use. To that end, we feel research in this area is warranted and well worth it to provide the best level of protection possible.

Final thoughts

Another initialism is not what I wanted. Regardless, AETs are here whether I like it or not. And, until IDS/IPS developers can figure it out, we need to be extra careful.

Almost forgot. I did finally call my friend. She was pretty excited. But not about AETs. She just bought a solar-charging system for her iPhone.