Evasion techniques evade the exiting network security devices such as signature based IPS and firewalls to enter the internal network to deliver exploits in servers. Most of the Intrusion detection and prevention system rely on attack signatures to identify malicious strings in the traffic. The strings used to evade the devices are not malicious themselves. Their main purpose is to pass through IDS without triggering alarms.
How would a system administrator will come to know about the attack if the security device fail to recognize attack signature that resembles normal traffic? The truth is that preventing advanced evasion attack is extremely difficult because signature based IDS cannot recognize something that is not in its database and which looks like normal payloads. At the end of this post you will learn about what we can do to prevent this advanced level of evasion (AET), but before that we need to look how network security administrator and system security administrator secure their network as part of their daily job. Normally, network admin or system admin examine the firewall and other security device configuration and logs to give a certain level of assurance, while IT auditors do almost the same thing when they audit a network.
Firewall, IPS protects a network from well known security threats. We transmit sensitive data in encrypted format when we transmit them via public network. Firewall mainly relies on its configuration rules to either allow or deny packets and services, while and IDS(intrusion detection system) also heavily rely on its database to match well-known attack signatures. That is why we always have to accept the risk that a novel signature without any prior records of existence may go undetected by the IPS.
Therefore, we need to remember that encryption will protect our system only if any malicious string is not encrypted as a normal payload. Firewall defend the systems only when the set rules are not evaded by any evasion techniques.
Understand the threats and their impact.
Common evasion techniques are encryption, tunneling, traffic fragmentation, traffic insertion, resource exhaustion etc.
Remember that network based intrusion detection system, usually, do not check encrypted traffic.
Apart from authentication and authorization, the other major security concerns of an organization is to secure the following devices, which has becoming increasing ineffective to protect systems against advanced evasion techniques.
- Firewall configuration
- Proxy filtering
We have to realize that without a proper IT security team, we will always stay one step behind than the advanced attackers. An organization’s management feel assured about security when they implement security detection and monitoring system, in which case they heavily real on the assurance provided by the vendors’ assurance on their products. Besides venrdors’ claim we get a sense of assurance from internal testing, auditor’s review of the system, security analyst’s evaluation. No matter whatever type of security assurance you have, make sure that your organization have a proper strategy against AET.
What is evasion and how they work?
Some attacks will be visible to you while the other will little visible or invisible. The attacks that goes undetected by our IDS are considered evasion. They work by fooling the logic of the IDS. A IDS consists of a number of logic and knowledge base that helps it to distinguish an attack from the flow of normal data flow.
Ask the following questions when you devise a security plan
- How do we know that our network security can protect us when we will experience real attacks from both internal and external threats.
- Can we protect us against browser and other application exploits such as .pdf and Microsoft office vulnerabilities.
- Does all our security devices provide us enough security? Why do they fail?
- How do we identify the invisible evasion to our system?
- Network security device need to handle millions of concurrent connections. Is the security devices fast enough to follow all the traffic. Is it making our network slower?
The two types of server vulnerabilities are: client side vulnerabilities and server side vulnerabilities. Client side vulnerabilities are browsers, pdf readers, office programs, while server side vulnerabilities are web servers, name servers, file servers.
Evasion Testing Tools
Why evasion tools can break network security devices?
- Most of the network security devices focus on the throughput of traffic. When you have a high speed network connection, you need to make sure the the network security device protecting the connection do not slow down the speed of the traffic because of its own processing limitations.
- They fail to properly analyze network protocols. When the security devices only check the beginning of a connection for security and then it let the traffic pass without any monitoring, it expose itself to the risk of letting the malicious codes passing through the network.
- By manipulating the size of the TCP segment size attackers can fool the security system because usually attackers use small fragments to attack and devices are designed to identify small size TCP segments as an attack signature. But, security mechanism fails when an attacker artificially increase the size of the segment-it may evade the security system.
- Besides, we never know that whether the security devices has any design flaws or not unless the vendor declares it or IT auditor find it.
Remember that Evader just try to bypass the security device such as IPS or firewall, it never try to attack the real target.
What can we do to prevent evasion?
We have to accept the fact the evasion can happen at any time and our system will never be full proof. So, we need to decide to what extend our security device capable of protecting our network and accept some level of risk that is almost impossible to eliminate. Besides, we need to continuously improve our security monitoring procedures. Always measure the level of criticality of your IT assets. If your system is critical for your business continuity, plan for an advanced penetration testing and assess your IDS. Never forget to put stronger defense mechanism for all of the security layers: network and perimeter, human, servers and applications. Above all, make sure your organization have the right person who continuously trying to update your system against the advanced attacks.
You can use the Stonesoft’s free evasion technique tools to test the strength of your nework and security devices.