Tuesday, October 26, 2010

Advanced Evasion Techniques: A Long-Winded Explanation of the Threat

Recently a company called Stonesoft launched a website called http://www.antievasion.com/ with videos warning us about the threat of Advanced Evasion Techniques that can float right through your network security and attack systems you thought were protected. The videos on their site are worth watching, if for no other reason that they approach self-parody.

Their concern lies mostly in Intrusion Detection/Prevention System (IDS/IPS) software and appliances. These devices observe traffic passing through looking for behavior indicative of an attack in a fashion conceptually similar to antivirus/antimalware. IDS systems merely “observe and report” while IPS systems intervene, trying to cut connections or otherwise stop the attack. The limitation of these types of systems is that they’re primarily signature-based; they are looking for a specific set of indicators to determine that something is an attack. They cannot say with certainty that anything is safe.

Compare this to police mugshots. You can use them to identify known bad guys but you can’t use them to identify unknown bad guys or bad guys with convincing disguises. Modern IDS/IPS (and antivirus) are smarter. They’re better at recognizing fake beards, hats, and changes of clothes. These kinds of attack disguises have often been referred to as “IDS/IPS evasion techniques” and they’re almost as old as IDS/IPS technology itself. As is always the case on the Internet, the good guys cause the bad guys to evolve and vice versa. IDS/IPS technology gets better, IDS/IPS evasion techniques get better.

These “disguises” involve changing the properties of the transmission in ways that are still valid (enough) but violate the IDS/IPS product’s assumptions about how the data should be transmitted. For example, some IDS/IPS products can only look at one packet at a time. If you break the attack transmission into small enough pieces, the IDS/IPS won’t be able to see the signature. For IDS/IPS products that are a little smarter, transmitting the pieces in the wrong order might fool them. There are lots of permutations at various levels.

To build an analogy, IDS/IPS systems are like TSA personnel. They scan through your luggage looking for things that might be dangerous. They can’t possibly know every possible threat and disguising a threat, like hiding it in your underpants, can potentially get through the screening process (in all fairness, the underwear bomber didn’t go through TSA screeners, he might have got caught but that demonstrations a point about security; you attack through a channel with weaker defenses).

TSA screeners could be incredibly effective against a known threat. If we knew attackers were going to carry a weapon onboard a plane in a red stuffed unicorn, TSA personnel would have a clear thing to search for. If the weapon were moved to something else, maybe it would be found, maybe not. In the same vein, when a new vulnerability is discovered, providing a good signature for your IPS could provide adequate detection until a patch becomes available. That is, unless an attacker decides to put a moustache on it.

So what are Advanced Evasion Techniques? Simply put they are IDS/IPS evasion techniques that are applied at more levels of the network stack. Where previous techniques might manipulate the transmission at the IP and TCP/UDP levels, advanced techniques might also manipulate the application layer. It’s an evolution on the attackers’ part that many vendors didn’t anticipate but it’s not really breaking new ground.

What does this mean to your network? Hopefully, nothing. The conditions for a successful attack are that a service has to be exploitable and the attacker has to get the attack passed the IPS and… it has to get passed the firewall. The inability of your IPS to stop an attack is moot if the target is not vulnerable or if there is no path from attacker to target. If either of those cases hold you can be pretty confident. The “The Principles of AntiEvasion” video seems to presume that your IPS is the only thing protecting your unpatched services. If you’re relying on your IPS in that fashion then you probably are at risk. If your firewall is configured sanely and your patches and configuration are solid, that video is mostly just FUD.

To tie this up I’ll return to the “human screener” analogy. An IPS is like a person looking at people entering and leaving a building, trying to guess at motive. The building itself is like a firewall: it limits points of entry with walls and locked doors. Relying on your IPS to protect you is like foregoing walls and trying to guard a valuable resource in the middle of an open field with only a handful of guards.

No comments:

Post a Comment