Evasion techniques slipping through IT defences
New research shows that many leading intrusion prevention systems (IPSs) can be bypassed by attackers using advanced evasion techniques (AETs).
In a white paper launched by Professor Andrew Blyth of the University of South Wales at the Infosecurity conference in London this week, a study found that seven of the nine IPSs tested failed to detect between 34 and 49 per cent of attacks against a well-documented vulnerability when those attacks were delivered using AETs.
Vendor products currently recognise about 200 known evasion techniques, but an AET combines several of them and delivers the result across multiple network layers at the same time. Combining known evasions in this way can yield millions of new variants, which are far harder for an IPS to recognise than any single evasion on its own.
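To make the layering point concrete, here is a small added illustration; it is not code from the study, from Stonesoft or from the Evader tool. It assumes a constructed request containing an arbitrary marker string as the "signature", two toy evasions (percent-encoding at the application layer and reversed TCP segment delivery at the transport layer), and a hypothetical split of the known evasions into four layers of fifty each for the combination count. An inspector that can undo each evasion on its own still misses the stacked pair; one that normalises layer by layer, lowest first, catches it.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: a harmless request whose "signature" is an arbitrary marker string.
SIGNATURE = b"EXPLOIT-MARKER"
PAYLOAD = b"GET /index?arg=EXPLOIT-MARKER HTTP/1.0\r\n"

# A "wire capture" is a list of (tcp_seq, bytes) segments in arrival order.
Segments = list[tuple[int, bytes]]

def plain(payload: bytes) -> Segments:
    return [(0, payload)]

# ---- evasions, one per layer (attacker side) ----
def evade_app_percent(segs: Segments) -> Segments:
    """Application layer: percent-encode every byte of the request."""
    return [(seq, b"".join(b"%%%02X" % b for b in data)) for seq, data in segs]

def evade_tcp_reorder(segs: Segments, size: int = 7) -> Segments:
    """Transport layer: split into small segments and deliver them in reverse order."""
    out: Segments = []
    for base, data in segs:
        pieces = [(base + i, data[i:i + size]) for i in range(0, len(data), size)]
        out.extend(reversed(pieces))
    return out

# ---- normalisers (defender side), each undoing one known evasion ----
def norm_tcp_reassemble(segs: Segments) -> Segments:
    """Reassemble the stream in sequence order, as a real TCP endpoint would."""
    ordered = sorted(segs)
    return [(ordered[0][0], b"".join(d for _, d in ordered))] if ordered else []

def norm_app_percent(segs: Segments) -> Segments:
    """Percent-decode each segment's payload."""
    return [(seq, unquote_to_bytes(data)) for seq, data in segs]

def stream(segs: Segments) -> bytes:
    """Bytes as a careless inspector sees them: arrival order, no reassembly."""
    return b"".join(d for _, d in segs)

NORMALISERS = [norm_tcp_reassemble, norm_app_percent]  # lowest layer first

def naive_ips_detects(segs: Segments) -> bool:
    """Recognises each known evasion on its own: tries every normaliser separately."""
    views = [stream(segs)] + [stream(n(segs)) for n in NORMALISERS]
    return any(SIGNATURE in v for v in views)

def layered_ips_detects(segs: Segments) -> bool:
    """Undoes evasions layer by layer, lowest first, matching after each step."""
    cur = segs
    views = [stream(cur)]
    for n in NORMALISERS:
        cur = n(cur)
        views.append(stream(cur))
    return any(SIGNATURE in v for v in views)

def evasion_stacks(catalog: dict[str, list]) -> int:
    """Distinct stacks choosing at most one evasion per layer, excluding 'none at all'.
    The layer split is an assumption for illustration, not data from the study."""
    total = 1
    for options in catalog.values():
        total *= len(options) + 1
    return total - 1

def demo() -> dict[str, tuple[bool, bool]]:
    """(naive result, layered result) for each delivery variant of the sample request."""
    cases = {
        "none": plain(PAYLOAD),
        "app_only": evade_app_percent(plain(PAYLOAD)),
        "tcp_only": evade_tcp_reorder(plain(PAYLOAD)),
        # Stacked: encode first, then segment the encoded stream out of order.
        "stacked": evade_tcp_reorder(evade_app_percent(plain(PAYLOAD))),
    }
    return {name: (naive_ips_detects(s), layered_ips_detects(s)) for name, s in cases.items()}

if __name__ == "__main__":
    for name, (naive, layered) in demo().items():
        print(f"{name:9s} naive={naive} layered={layered}")
    hypothetical = {layer: list(range(50)) for layer in ("ip", "tcp", "tls", "http")}
    print("stacks from 4 layers x 50 evasions:", evasion_stacks(hypothetical))
```

The naive inspector is the product that "knows" both evasions yet fails on their combination: reassembly alone yields an encoded stream, decoding alone yields scrambled fragments, and only composing the two in protocol order recovers the signature. The combination count shows why a catalogue of a couple of hundred single evasions turns into millions of stacks once at most one is chosen per layer.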
The experiment, which Blyth says took about a year, used the open-source Evader tool created by cyber-security firm Stonesoft, which lets users launch controlled attacks against their own defence technology to see whether known exploits can be delivered using AETs.
The IPSs in the experiment came from Sourcefire, IBM, Palo Alto, Fortinet (FortiGate), McAfee, Check Point, Juniper, Cisco and Stonesoft; all were up to date and configured according to a best-configuration scenario.
“It will be interesting to see the response that we get from the vendors. I think we will either get a very vociferous defence of people’s products or they will ignore it,” says Blyth.
The study launched AET-delivered attacks against two well-known vulnerabilities. All nine IPSs blocked 90 per cent or more of the AET attacks on the first vulnerability.
Performance against the second vulnerability was markedly worse: only the Stonesoft and FortiGate systems achieved detection rates above 90 per cent, and seven of the nine failed to detect between 34 and 49 per cent of the attacks.
Blyth suspects the vendors may nevertheless ignore the findings, because some of them regard AETs as a marketing gimmick by certain companies. But the data from the Intrusion Detection System grid his university operates to monitor attacks says otherwise.
“I think the argument that they don’t exist is naïve and foolish. I think some people are sticking their heads in the sand,” he says.
“We detect something like a quarter of a million attacks per machine per day. Of that I would say 10 to 20 per cent of attacks are using what we would class as AETs.
“We see them on a daily basis. They are real, they exist, they are out there.”
Despite attempts to contact the other vendors, Blyth received cooperation only from Stonesoft.
“We wanted it to be a collaborative study done with lots of partners. We wanted to engage companies so we can build up a good picture of what their capabilities are,” he says.
“Part of the problem you have is that it’s like buying a car. There’s an argument that says when you buy a car vendors don’t want to make direct comparisons.”
He believes the results show that no single IPS can cope with these AET attacks, and that layered defences built from several systems are the only way to protect networks.
“What we’ve learned is that defence in depth is the best approach, not one size fits all.”
A copy of the white paper is available here.