Stonesoft: Advanced Evasion Techniques

A true story, a bittersweet discovery

Stonesoft security researchers in the outskirts of Europe discovered that there are millions and millions of ways to bypass the most advanced and leading network security solutions without leaving any traces or alerts on management systems. Being a good citizen, Stonesoft has reported in public hundreds out of those millions and millions. But that is only the tip of the iceberg: "do the math" yourself.

Those ways are called Advanced Evasion Techniques (AETs). See more at: aet.stonesoft.com

Thinking the unthinkable.

Story in a nutshell
- Failed in NSS Group tests
- Dedicated evasion research team started
- Creation of automated tools and setting up of a test lab to ease product testing
- Discovery of Advanced Evasion Techniques
- Test run against all the leading IPS and NGFW products: 99% ineffective
- Communicating through CERT to other vendors, and finally in public

Our research idea was very simple: "to break all the principles and rules in sending and receiving data". Just like hackers do!

Advanced Evasion Techniques (AET)

What are they? Any technique to engineer a network-based attack in order to evade and bypass security detection.

What makes them advanced?
- A combination of evasions working simultaneously on multiple protocol layers
- A combination of evasions that can change during the attack
- Carefully designed to evade inspection

Typically, AETs are used as part of Advanced Persistent Threats (APT). APT = motivation.

Advanced Evasion Techniques disguise cyber attacks, malicious payloads and exploits so that they look normal and safe when the security device inspects the data traffic. The number of AETs is virtually limitless, as you can combine, vary and modify them dynamically. Everything looks safe and normal when evasions are used and security devices are not anti-evasion ready. ...but this can be reality.

So why worry?
- AETs can breach sensitive data
- AETs can ruin brand reputation
- AETs can cause financial losses
- AETs can harm business continuity
- AETs can put critical infrastructure at risk
- AETs can put national security at risk

As long as there is a vulnerable target (and there always is), advanced evasion techniques can deliver any known or unknown (zero-day) exploit to it. And nobody knows it. Currently AETs work as a master key that security vendors DO NOT HAVE.

Industry blind spot: why is this possible?

Evasion research so far
- 1997: Comprehensive description of attacks by Ptacek and Newsham, the seminal text on attacks against IDS systems.
- 1998: An article in Phrack Magazine describes ways to bypass network intrusion detection.
- 2001: Stonesoft starts to design multilayer normalization capabilities in its IPS.

Evasion research so far (slide timeline marks: 2004, 2006, 2007)
- Handley and Paxson suggest normalization
- Gorton and Champion suggest combinations
- Moore and Caswell discuss evasions at Black Hat

Evasion research so far (slide timeline marks: 2007, 2009, 2010)
- NSS test results boost evasion research
- Stonesoft's evasion research starts
- Dedicated team starts testing Stonesoft with the automated evasion tools
- First version of the evasion testing tool, with 12 non-stackable evasions
- 2010: Tests expanded against all leading security devices

Evasion research so far (2010-2011)
- June 2010: First 23 AETs reported to CERT for global vendor remediation
- Oct 2010: Public announcement of Advanced Evasion Techniques and the evasion threat
- Oct 2010: Knowledge and awareness of evasions spreads
- Dec 2010: CERT coordination process ends. Vendors remain silent about their remediation.
- Feb 2011: 124 new AET evasions reported
- Mar 2011: 180+ stackable and combinable evasions in the testing framework

Evasion research so far (2011-2012)
- May 2011: Stonesoft introduces the first commercial version of the Anti-evasion Readiness Test (AERT) for other security vendors, test labs and organizations. Stonesoft delivers AERT tools to many of the leading security vendors and test labs.
- A UK cyber forensics team and a leading computer science university verify the existence of evasions in reality, and Stonesoft signs a collaboration agreement with the university to start academic research.
- Stonesoft publishes a whitepaper on how the company's technology differs from others and publishes the new aet.stonesoft.com site.
- 2011, 2012, ...

Justified question: why is this possible?

Design flaws. It has been an industry blind spot, or ignorance:
- Speed and the false-positive problem used to be sales obstacles, and that led to a pure-speed, minimized-inspection orientation: the industry sacrificed security.
- Speed and some security functionality were built on hardcoded security, making it impossible to dynamically update and evolve.
- Current technologies are 15 years old and were designed during the era of "we know the threat, and that's why we can deal with it", leading to pattern-matching and signature-based detection only, without truly understanding the big picture of the data stream.

In the era of unknown and uncertain threats, signatures alone will not work!

Déjà vu: automobile safety in 1959, network security in 2010?

Status quo:
- Automobile safety: Before 1959 all the established automobile brands marketed that cars were safe, and users believed it and felt safe.
- Network security: Before 2010 all the network security vendors marketed that their solutions offered a high level of protection, and organizations felt their digital assets were secured.

Disruption:
- Automobile safety: Then came one Nordic brand, VOLVO, who claimed that current cars were not even close to safe and that innovations were needed.
- Network security: Then came one Nordic brand, STONESOFT, who claimed that the current security solutions are not as secure as they should be.

Technology breakthrough:
- Automobile safety: In 1959 they introduced three-point seat belts.
- Network security: In 2010 they introduced Advanced Evasion Techniques and innovative technologies to fight back.

Claim:
- Automobile safety: They claimed lives could be saved if all brands started adding seat belts to their cars.
- Network security (tested facts and reality): They claimed governments, businesses and brands can be saved if their anti-evasion technologies are taken into use.

Industry response:
- Automobile safety: "This is marketing, extra costs, no relevance to safety, dangerous, uncomfortable, people won't use it, theoretical only."
- Network security: Most kept silent, and others claimed "This is marketing, we can fix this, only extra costs, no relevance to security, unproven, theoretical, not happening in reality."

Bottom line:
- Automobile safety: Millions of human lives have been and will be saved.
- Network security: Organizations will be saved if the AET threat is taken seriously.

We claimed: businesses are driving without seat belts! ...And we can show and prove it to anybody!

For the record...

"Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft's research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations." – Jack Walsh, Program Manager

"If the network security system misses any type of evasion, it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today's networks." – Rick Moy, President

"Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution." – Bob Walder, Research Director

We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild.
It is also very promising to see that Stonesoft is taking the threat posed by evasions seriously, as they have been overlooked by many in the past. – Andrew Blyth, Professor, Glamorgan University

Meanwhile other security vendors keep radio silence!

Off the record
- Some are acquiring anti-evasion technology and knowledge from Stonesoft
- Some are focusing on surviving the next public tests
- Some are doing workarounds and quick fixes
- Some are downplaying the threat and risks when asked directly
- Some are protecting their business at the expense of customers
- Some have truly started to investigate their design flaws
- Some ignore it and do NOTHING!

Meanwhile other security vendors are saving their business.

Reality.

NOTE! In this particular test only simple, known and well-documented evasions were used. What happens if more advanced evasions hit this security device?

Chart: Palo Alto's HTML evasion protection: 100% as marketed, 33% as tested by NSS (NGFW 2011).
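The design-flaws slide above argues that pattern matching on individual packets, without understanding the data stream, is what evasions exploit, and the research timeline points to the normalization work of Handley and Paxson as the defender's answer. The following Python is an added illustration written for this page; it is not Stonesoft's code and does not describe any named product. It puts a toy per-packet signature matcher beside a stream-normalizing one and runs both over constructed segments (the signature, the request paths and the sequence numbers are all made up). It goes one step beyond the slide by showing what a normalizer should do with an overlap whose bytes disagree: report the ambiguity instead of silently guessing which copy the end host used.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed toy signature: the content pattern a signature-based inspector looks for.
SIGNATURE = re.compile(rb"cmd=delete_all")


@dataclass
class Segment:
    """One TCP-like segment: starting sequence number plus payload bytes."""
    seq: int
    payload: bytes


def inspect_per_packet(segments: List[Segment], signature=SIGNATURE) -> bool:
    """Packet-at-a-time matching: alerts only when the whole signature sits
    inside a single segment. This is the 'minimized inspection' design."""
    return any(signature.search(s.payload) is not None for s in segments)


def reassemble(segments: List[Segment]) -> Tuple[bytes, bool]:
    """Normalize the stream before matching: order bytes by sequence number,
    keep the first copy of every byte (one fixed overlap policy), and report
    whether any retransmitted byte disagreed with the copy already held.
    Returns (contiguous bytes from the lowest sequence number, inconsistent_overlap)."""
    held: Dict[int, int] = {}
    inconsistent = False
    for seg in segments:  # processed in arrival order
        for i, byte in enumerate(seg.payload):
            offset = seg.seq + i
            if offset in held:
                if held[offset] != byte:
                    inconsistent = True  # two different versions of the same byte
            else:
                held[offset] = byte
    if not held:
        return b"", inconsistent
    out = bytearray()
    pos = min(held)
    while pos in held:  # stop at the first gap: those bytes have not arrived yet
        out.append(held[pos])
        pos += 1
    return bytes(out), inconsistent


def inspect_stream(segments: List[Segment], signature=SIGNATURE) -> str:
    """Stream-aware matching. Verdicts: 'match' (signature found in the
    normalized stream), 'ambiguous' (conflicting overlaps, so the inspector
    cannot know which bytes the end host accepted and should alert or drop),
    or 'clean'."""
    data, inconsistent = reassemble(segments)
    if signature.search(data):
        return "match"
    if inconsistent:
        return "ambiguous"
    return "clean"


# Constructed sample traffic (not captured data).
# 1. An ordinary request carried in one segment.
SAMPLE_BENIGN = [Segment(seq=5000, payload=b"GET /index.html HTTP/1.0\r\n")]

# 2. A request whose content is split across two segments that arrive out of
#    order. TCP does this routinely, with or without an adversary involved.
SAMPLE_SPLIT = [
    Segment(seq=1018, payload=b"ete_all HTTP/1.0\r\n"),
    Segment(seq=1000, payload=b"GET /admin?cmd=del"),
]

# 3. A retransmission whose bytes disagree with the copy already seen. Which
#    copy the host uses depends on its TCP stack; a normalizer must not guess.
SAMPLE_OVERLAP = [
    Segment(seq=1000, payload=b"GET /admin?cmd=list HTTP/1.0\r\n"),
    Segment(seq=1015, payload=b"delete_all"),
]

if __name__ == "__main__":
    for name, sample in [("benign", SAMPLE_BENIGN), ("split", SAMPLE_SPLIT), ("overlap", SAMPLE_OVERLAP)]:
        print(f"{name:8s} per-packet={str(inspect_per_packet(sample)):5s} stream={inspect_stream(sample)}")
```

The per-packet matcher misses the split sample entirely, while the normalizing inspector reconstructs the stream and matches; on the overlap sample the first-copy policy happens to hide the second version, which is exactly why the verdict is "ambiguous" rather than "clean". A real normalizer, as the page's cited research describes, would go further and rewrite the traffic so that only one consistent version ever reaches the host.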