What are Advanced Evasion Techniques (AETs) and How to Defend Against Them? (Part 1)
Advanced Evasion Techniques, or AETs, are the way of the future when it comes to infiltrating the networks of both government and commercial enterprises. Many government agencies and mid-to-large commercial organizations have a solid, defense-in-depth approach to securing their information technology (IT) resources. These security controls tend to do a good job of defending against moderately sophisticated attackers. However, what happens when the stakes get raised and your organization is faced with an Advanced Persistent Threat (APT) from a nation state? This is where AET detection becomes critical.
So what is an AET anyway? An AET combines several known evasion methods into a new technique that is delivered over multiple network layers simultaneously. In plain English, an AET is a way to deliver attacks against your IT resources without being detected by conventional means. Some examples of AETs include:
- Evasions that are based on techniques defined in a protocol specification and used according to the specification. IP fragmentation is an example of this type of technique: an IP datagram is split into smaller fragments so that no single packet carries the whole payload, which disguises the contents from a device that inspects packets individually.
- Techniques defined in a specification, but not used according to the specification. An example of this technique is Microsoft Remote Procedure Call (MSRPC) endian manipulation, in which MSRPC is used in “big-endian” format rather than “little-endian” as defined in the specification.
- Techniques defined in a specification for some other component, but used in a different way. MSRPC network data representation (NDR) value manipulation is an example of this technique.
- Evasion techniques that are forbidden by a specification but accepted by the target system, such as TCP overlap where overlapping segments of a TCP stream are sent with conflicting data to hide malicious code.
To make things worse:
- Evasions exist in every protocol
- Evasions can be combined to create new evasions
- The order of combined evasions is important
- The number of different evasion combinations is enormous
Many reading this blog may say: “The Next Generation Firewall (NGFW) I just bought protects me from AETs, so I am safe.” The truth is, it probably offers only rudimentary evasion detection. If you would like to see how well your NGFW copes with evasion techniques, check out the Evader tool provided by Intel Security / McAfee: http://evader.mcafee.com/.
The Evader tool was developed for in-house testing to gauge whether a given defense appliance was capable of detecting evasions. Your organization can use the Evader tool to verify vendor claims or perform testing on your existing defenses. It is important to note that Evader is not a hacking tool or a penetration test harness. Evader simply tests if a known exploit can be delivered using AETs through currently installed security devices to a target host.
Please let us know how your defenses did in the blog comments section below. Please visit us again for Part 2 of this article, where we will discuss some of the best practices on how to defend your environment from threats delivered by means of AETs.