Many organizations are so intent on identifying new malware that they are failing to address, or in some cases even to recognize, advanced evasion techniques (AETs) that can enable malware to circumvent their security defenses. AETs pose a great threat because most security solutions can't detect them, much less stop them. Security professionals and executive managers need to wake up to this real and growing threat.
Advanced persistent threats (APTs) have been a huge focus in network security discussions over the past few years with good reason. Numerous organizations are implementing new solutions to protect themselves from this determined type of malware. Even so, cyber criminals have been penetrating the network defenses of even the most robust security infrastructures, including some very high-profile enterprises.
How do they do it? Using AETs. Evasions are simply attempts to disguise attacks so that network security systems neither detect nor block them. Evasions come in many flavors and include a variety of techniques. Some use a feature exactly as its specification intends, such as IP fragmentation; others use a feature that the spec defines but in a way the spec does not allow, as in "endian" manipulation. There are plenty more, including using a technique in a spec for a purpose it was not designed for, or simply using a technique that a spec forbids but that a target system might still accept. Advanced evasions combine multiple techniques simultaneously across multiple protocols, yielding more than 800 million unique combinations, according to McAfee.
The McAfee next generation firewall uses data normalization to enable full inspection of traffic by reconstructing data streams that AETs have hidden or obscured. Data normalization deconstructs or decodes packets for all protocols, at all layers of the stack. McAfee fully inspects and reconstructs the data streams, identifies evasions that carry exploits or clear the path for them, and removes those evasions.
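As an added illustration (not code from McAfee, Stonesoft or the ESG report), here is a minimal Python normalizer showing why inspecting each packet on its own misses a pattern that an evasion has split across out-of-order TCP segments, and how reassembling the stream before inspection recovers it. The signature, the segments and the first-writer-wins overlap policy are all constructed assumptions for the demonstration.

```python
"""Constructed demo: per-packet matching vs. stream reassembly (normalization)."""
from dataclasses import dataclass

SIGNATURE = b"GET /cmd.exe"  # constructed test pattern, not a real detection rule


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the payload's first byte
    payload: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Naive inspection: look for the signature inside each packet in isolation."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Normalize the stream: place every byte at its sequence offset.
    Overlapping bytes keep the first-received value (one of several policies a
    real normalizer must choose deliberately to mirror the endpoint's stack).
    Returns None while the stream still has a gap; a normalizer must buffer
    until the gap closes rather than inspect an incomplete stream."""
    stream = {}
    for s in segments:                      # arrival order decides overlaps
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)
    if not stream:
        return b""
    span = range(min(stream), max(stream) + 1)
    if any(pos not in stream for pos in span):
        return None
    return bytes(stream[pos] for pos in span)


def normalized_match(segments, signature=SIGNATURE):
    """Inspect the reassembled stream instead of the individual packets."""
    data = reassemble(segments)
    return data is not None and signature in data


# Constructed evasive delivery: the pattern is split across segment boundaries
# and the segments arrive out of order. No single packet contains it.
EVASIVE_SEGMENTS = [
    Segment(seq=9, payload=b"exe HTTP/1.1\r\n"),
    Segment(seq=0, payload=b"GET /cm"),
    Segment(seq=7, payload=b"d."),
]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(EVASIVE_SEGMENTS))    # False
    print("normalized:", normalized_match(EVASIVE_SEGMENTS))    # True
```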
While testing the McAfee next generation firewall, we talked with McAfee about AETs at length. Stonesoft, acquired by McAfee in 2013, first informed the public about AETs in 2010, and released a free tool in 2012 to enable anyone to test AETs against their own network security. This tool, Evader, is freely available for download here.
ESG Lab used Evader and found that evasions could be used to easily bypass multiple flavors of network perimeter technologies. In each case, malware was installed and actions were remotely performed without the device even noticing. When no evasions were used, the malware was detected and blocked at the perimeter. The McAfee next generation firewall was able to detect the evasions and block access in every configuration we tried.
No, I'm not going to name the devices we tested, but rest assured that they were fully up to date, current versions of shipping products. In reality, it doesn't really matter WHAT device we tested; what matters is whether advanced evasions are able to bypass the devices in YOUR network. The beauty of Evader is that anyone can download and run it against any system in their network, quickly and easily. If you find that you are not vulnerable to any advanced evasions, you can breathe a little easier. If not, you may not be concerned about AETs, but you should be. These dirty little secret weapons are trained on your network. Want to learn more? Read the report here: ESG Lab Validation of the McAfee Next Generation Firewall.