AET warning

by Mark Rowe

Stonesoft, with the University of Glamorgan, launched a research paper which shows how effective a number of Intrusion Prevention Systems are at blocking evasions, namely Advanced Evasion Techniques (AETs). Evasion techniques are a recognised problem in network security. Advanced Evasion Techniques, on the other hand, are overlooked by many, they claim.

Attacks on networked systems are becoming increasingly complex and targeted. Evasion techniques exploit protocol design flaws, or use the current protocol design to their advantage, so that an attack may go undetected. By combining evasion techniques it is possible for attackers to evolve a more stealthy approach, one that is even harder to detect and often results in a successful attack. These are known as Advanced Evasion Techniques (AETs) and are likely to become increasingly significant as detection engines become more efficient and organisations become more complacent about the protection provided at the perimeter.

Recent trends concerning techniques used to evade detection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have proved troubling to the security community.

This report presents the findings of an experiment that tested a number of evasion techniques against a set of well-known and commercially available Intrusion Prevention Systems (IPS). The IPS were all up to date (e.g., software and signatures) and configured using a best configuration scenario. This ensured that all attack attempts against the provided vulnerabilities were blocked when evasion techniques were not used.

The findings provide some cause for concern and should be a warning to those organisations that rely on simple and/or outdated implementations of IPS, especially those that do not patch their systems. With advances in evasions occurring rapidly, the time between discovery, publishing and usage is minimal. IPS vendors and organisations need to be able to protect against an ever-evolving threat, one that has the ability to employ evasion techniques in more complex attacks. In broad terms, evasion techniques involve the manipulation of certain circumstances that permit an attack to go unnoticed by the detection engine.

Malware developers constantly use evasion techniques to evade antivirus engines. This report shows that it is still possible to make use of AETs to bypass IPS detection and successfully launch an undetected attack on networked systems. As the threat continues to grow, these techniques will soon be widely adopted by opportunistic attackers.

© 2024 Professional Security Magazine. All rights reserved.