Mar 26, 2015 By Andrey Zhuk In

What are Advanced Evasion Techniques (AETs) and How to Defend Against Them? (Part 2)

In Part 1 of my blog on defending against AETs, we examined what constitutes an AET and how to test whether your network defenses are vulnerable to an attack utilizing AETs. In Part 2, we will look at ways to defend your information infrastructure from such exploits.

To solve the AET conundrum, we need to start with implementing proper network traffic inspection. What does “proper” network traffic inspection entail?

First, identify the assets you are trying to protect.

  1. Second, map out all the different ways to access those assets through your network.
  2. Third, secure the identified network paths using Intrusion Prevention System (IPS).

Sounds like a classic network security approach, right? Correct, except that traditional IPS technology is not robust enough to effectively deal with advanced evasions. An IPS needs to implement a technology called traffic normalization to be able to detect AETs in action and reveal the hidden attacks. So what is traffic normalization?

Let’s use an analogy: the English language. AETs are like using different dialects, slang, idioms, and code words to obfuscate the meaning of what is being said. For example, if two bank robbers are trying to discuss a plan for robbing a bank in the middle of a crowded room, they can use code words and phrases to avoid raising suspicion.

Policemen on the lookout for the would-be robbers might be listening for words such as “bank,” “money,” “vault,” and “keys.” This is the approach used by a traditional legacy IPS system. However, to understand what the criminals are saying, the policemen would have to know many different English dialects, idioms, slang terms, and, in this case, their secret code. Only then can they translate what the robbers are saying into plain English.

This process of going from a hidden code or obfuscation to plain English is called normalization. We can do the same thing with network traffic. If cyber criminals are utilizing AETs, we can use traffic normalization to remove evasions and reveal the malicious threat beneath them.

Advanced evasions work so well against all of the current network security devices because many IPSs can only inspect part of the data stream and, therefore, cannot fully understand the overall context of the network transaction. For traffic normalization to work against AETs, we have to be able to perform traffic normalization over a complete stream of data, not just some parts of it.

Changing from packet-based inspection to full, stream-based inspection is not trivial. Doing so requires big changes for low-level packet handling and a fundamentally different architecture for the network security device itself.  This is one of the reasons why so few vendors do a good job at it, despite all the claims.

So what would we look for from a vendor offering a next-generation IPS/firewall that is capable of AET detection? Here are some things to look for:

Full-stack visibility. IPS must provide full-stack visibility, decoding and normalizing traffic on all protocol layers.

  • Normalization-based evasion removal. The normalization process must remove evasions before inspection of the data stream to build a proper normalized baseline, and not just do inspection of individual segments or pseudo packets.
  • Application data stream-based detection. Vulnerability-based fingerprints detect exploits in the normalized application level data streams.
  • In-house research and tools. The vendor actively develops and tests new AET approaches and provides automated evasion fuzzing test tools to the community.
  • Updates and upgrades. Anti-evasion technologies are automatically updated in next-generation IPS and firewall engines.

Finally, try out Intel Security’s Evader tool ( and see if you can get past your organization’s IPS or firewall. AETs have changed the security landscape permanently. Regardless of how good the block rate or how many certification and awards a device has won, if an IPS/firewall is not capable of handling evasions, it is practically useless for large organizations worried about dangers of Advanced Persistent Threats (APTs).

Check out Intel Security’s infographic on the confusion between advanced evasion techniques (AETs) with advanced persistent threats (APTs) and how it can affects your vulnerability.