AET - Med-IT

Stonesoft security researchers in the outskirts of Europe discovered that there are millions and millions of ways to bypass the most advanced and leading network security solutions without leaving any traces or alerts on management
Being a good citizen, Stonesoft has publicly reported hundreds of those millions and millions.
But that is only the tip of the iceberg:
”do the math” yourself.
Those ways are called
See more at:
Story In a Nutshell
Failed in NSS group tests
Dedicated evasion research team
Creation of automated tools and setting up a test lab to ease product
Discovery of Advanced Evasion
Test run against all the leading IPS and NGFW products: 99% ineffective
Communicating through CERT to other vendors and finally in public
Our research idea was very
“to break all the principles
and rules in sending and
receiving data”
Just Like
Hackers Do!
Advanced Evasion Techniques (AET)
What are they?
Any technique to engineer a network-based attack in order to evade and bypass security detection.
What makes them advanced?
Combination of evasions working simultaneously on multiple protocol layers
Combination of evasions that can change during the attack
Carefully designed to evade inspection
Typically, AETs are used as part of Advanced Persistent Threats (APT)
APT = motivation
Advanced Evasion Techniques disguise cyber attacks, malicious payloads and exploits so that they look normal and safe when the security device inspects the data traffic. The number of AETs is virtually limitless, because they can be combined, varied and modified dynamically.
Everything looks safe and normal when evasions are used and security devices are not anti-evasion ready.
…but this can be reality.
So why worry?
AETs can breach sensitive data
AETs can ruin brand reputation
AETs can cause financial losses
AETs can harm business continuity
AETs can risk critical infrastructure
AETs can risk national security
As long as there is a vulnerable target (and there always is), advanced evasion techniques can deliver any known or unknown (zero-day) exploit to it.
And nobody knows it.
Currently AETs
work as a Master
Key that security
vendors DO NOT
Blind Spot
Evasion Research so far…
description of attacks by Ptacek and Newsham
The seminal text on attacks against IDS systems appeared in 1997
Article in Phrack Magazine describes ways to bypass network intrusion detection
Stonesoft starts to design multilayer normalization capabilities in its IPS
Evasion Research so far…
Handley and Paxson suggest normalization
Gorton and Champion suggest combinations
Moore and Caswell discuss evasions at Black Hat
Evasion Research so far…
NSS test results boost evasion research
Dedicated team starts testing Stonesoft with the automated evasion tools
First version of evasion testing tool with 12 non-stackable evasions
Tests expanded against all leading security devices
Evasion Research so far…
June 2010: First 23 AETs reported to CERT for global vendor remediation
Dec 2010: CERT coordination process ends. Vendors remain silent about their remediation.
Oct 2010: Public announcement of Advanced Evasion Techniques and the evasion threat
Oct 2010: Knowledge and awareness of evasions spreads
Feb 2011: 124 new AET evasions reported
Mar 2011: 180+ stackable and combinable evasions in the testing framework.
Evasion Research so far…
May 2011: Stonesoft introduces the first commercial version of the Anti-evasion Readiness Test for other security vendors, test labs and organizations
Stonesoft delivers AERT tools to many of the leading security vendors and test labs.
A UK cyber forensics team and a leading computer science university verify the existence of evasions in reality, and Stonesoft signs a collaboration agreement with the university to start academic research.
Stonesoft publishes a whitepaper on how the company’s technology differs from others and publishes a new site.
Justified question:
Why is this possible?
Design flaws.
It has been an industry blind spot, or ignorance.
Speed and the false positive problem used to be sales obstacles, and that led to a pure speed and minimized inspection orientation
> industry sacrificed security
Speed and some security functionalities were built on hardcoded security
> impossible to dynamically update and evolve
Current technologies are 15 years old and were designed during the era of ”we-know-the-threat-and-that’s-why-we-can-deal-with-it”
> leading to pattern-match and signature-based detection only, without truly understanding the BIG picture of the data stream. In the era of unknown and uncertain threats, signatures alone will not work!
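The design flaw just described (matching signatures on packets instead of on the normalized data stream) and the multilayer normalization mentioned earlier in the research timeline, shown as an added example that is not Stonesoft’s code: a constructed HTTP request whose signature is hidden by two stacked evasions on two layers, inspected by three detectors of increasing depth. The signature bytes, the segment layout and the percent-decoding rule are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed signature a pattern-based engine looks for (example value).
SIGNATURE = b"GET /cgi-bin/evil.cgi"

# Constructed TCP segments of one connection as (sequence offset, payload).
# Two evasions are stacked on two layers: the request is split across
# segments that arrive out of order (transport layer) and one byte of the
# path is percent-encoded (application layer). No single segment contains
# the signature bytes, and even the reassembled bytes do not.
SEGMENTS = [
    (13, b"%65vil.cgi HTTP/1.1\r\n"),
    (0, b"GET /cg"),
    (7, b"i-bin/"),
]


def reassemble_stream(segments):
    """Transport-layer normalization: order segments by sequence number and
    concatenate them. Returns None when a gap means the stream is unknown."""
    stream = b""
    for seq, payload in sorted(segments):
        if seq != len(stream):
            return None
        stream += payload
    return stream


def normalize_http_request_line(stream):
    """Application-layer normalization: percent-decode the request line so
    the engine inspects what the web server will actually interpret."""
    line, sep, rest = stream.partition(b"\r\n")
    return unquote(line.decode("ascii", "replace")).encode() + sep + rest


def naive_per_packet_match(segments, signature=SIGNATURE):
    """Packet-by-packet matcher: looks at each payload in isolation."""
    return any(signature in payload for _, payload in segments)


def reassembly_only_match(segments, signature=SIGNATURE):
    """Single-layer normalization: fixes ordering but not encoding."""
    stream = reassemble_stream(segments)
    return stream is not None and signature in stream


def normalized_match(segments, signature=SIGNATURE):
    """Multilayer normalization: reassemble, then decode, then match.
    An incomplete stream is reported as None, never assumed clean."""
    stream = reassemble_stream(segments)
    if stream is None:
        return None
    return signature in normalize_http_request_line(stream)
```

Each detector that skips a layer reports the traffic as clean; only the detector that normalizes every layer the evasions touch sees the request the server will see.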
Déjà vu
Automobile safety in 1959
Network security in 2010?
Status quo: Before 1959 all the established automobile brands marketed that cars were safe, and users believed it and felt safe.
Before 2010 all the network security vendors marketed that their solutions offered a high level of protection, and organizations felt their digital assets were secured.
Disruption: Then came one Nordic brand, VOLVO, who claimed that current cars were not even close to being safe and that innovations were needed.
Then came one Nordic brand, STONESOFT, who claimed that the current security solutions were not as secure as they should be. (Disruption)
Technology breakthrough: In 1959 they introduced three-point seat belts.
Technology breakthrough: In 2010 they introduced Advanced Evasion Techniques and innovative technologies to fight back.
Claim: They claimed lives could be saved if all brands started adding seat belts to their cars. (Tested facts and reality)
Claim: They claimed governments, businesses and brands could be saved if their anti-evasion technologies were taken into use.
Industry response: “This is marketing, extra costs, no relevance to safety, dangerous, uncomfortable, people won’t use it, theoretical only,
Industry response: Most kept silent and others claimed “This is marketing, we can fix this, only extra costs, no relevance to security, unproven, theoretical, not happening in reality.”
Bottom line: Millions of human lives have been and will be
Bottom line: Organizations will be saved if the AET threat is taken
We claimed: Businesses are driving without seat belts!
…And we can show and prove it to anybody!
For the record…
“Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached
– Jack Walsh, Program Manager
“If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.”
– Rick Moy, President
“Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a
– Bob Walder, Research Director
“We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild. It is also very promising to see that Stonesoft is taking the threat posed by evasions seriously as they have been overlooked by many in the past.”
– Andrew Blyth, Professor, University of Glamorgan
other security vendors keep radio silence!
Off the Record
Some are acquiring anti-evasion technology and knowledge from Stonesoft
Some are focusing on surviving the next public tests
Some are doing workarounds and quick fixes
Some are downplaying the threat and risks if they are asked directly
Some are protecting their business at the expense of
Some have truly started to investigate their design flaws
Some ignore and do NOTHING!
other security vendors are saving their
In this particular test only simple, known and well-documented evasions were used. What happens if more advanced evasions hit this security device?
Palo Alto’s HTML evasion protection, tested by NSS NGFW 2011