Security vendor Stonesoft has come up with 26 more ways to beat most intrusion prevention systems without leaving a trace, highlighting the threat posed by advanced evasion techniques (AETs).
After announcing its discovery of 16 AETs last week, the company now says its researchers have found more of them, and it urges IPS vendors to take steps against a threat that can sneak past IPSs undetected and deliver malware to vulnerable machines.
Because AETs slip through conventional defenses unnoticed, it is difficult to know how widely they are used in the real world, if at all, says Mark Boltz, senior solutions architect at Stonesoft. "We do not have reason to believe that these tools are being widely used in the wild at this time," he says. "We have no proof one way or the other. They're difficult to detect."
Stonesoft says it keeps banging the drum about AETs because they are potentially so effective. Security vendors should work out defenses against them before they become more widespread. "We're trying to get vendors to be proactive rather than in the reactive state we tend to operate in as security professionals," he says.
One upside is that it is difficult to craft AETs that both evade IPS detection and still deliver their malicious payload intact to the targeted machine. "AETs are not for the faint of heart," he says. Stonesoft has developed a tool for creating AETs that it uses in its research but will not release.
Stonesoft discussed AETs with analysts, researchers, customers and press during a conference call Tuesday.
One remedy Stonesoft suggests is a protocol normaliser, an engine within an IPS that reconstructs traffic that may contain AETs so that it has only one valid interpretation under the protocol rules. The IPS then inspects the normalised traffic and, if it is found to be clean, forwards that normalised traffic to the machine it is addressed to.
The problem with that approach is that normalised traffic can differ enough from the raw traffic that it never reaches the end machine, or cannot be understood by the end machine when it does, says Samuel Gorton, a researcher with network security firm Skaion, who wrote about combining evasion techniques in 2003 and participated in the conference call.
Boltz agrees that normalising traffic so target systems will still accept it is difficult. "That is the largest challenge to overcome at this point," he says. "There has to be an answer to that problem."
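The ambiguity a normaliser has to remove is easiest to see at the TCP layer. The following Python is an added illustration written for this page, not Stonesoft's or any IPS vendor's code: two constructed TCP segments overlap, so a receiver that keeps the first bytes it saw rebuilds a different request than one that lets later bytes overwrite earlier ones. A toy inspection engine checks the stream under one policy, a toy normaliser trims every overlap before forwarding, and the output shows both the evasion and Gorton's objection above: the host ends up receiving a stream it would not have reconstructed from the raw packets. The overlap policies, the `/etc/passwd` signature and the `evaluate` helper are assumptions made for the example.

```python
"""Overlapping TCP segments as an evasion, and what a protocol normaliser
does about them.  Added example, not code from Stonesoft or any IPS vendor;
every packet below is constructed inline and the inspection rule is a toy."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of data[0]
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream from segments taken in arrival order.

    policy="first": a byte already buffered is kept (old data wins).
    policy="last":  a later segment overwrites what is already buffered.
    Real TCP stacks differ on this (an assumed simplification of that
    behaviour), so an inspection engine that applies a different policy
    from the target host reconstructs a different stream than the host.
    """
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in buf:
                continue
            buf[off] = byte
    if buf and sorted(buf) != list(range(min(buf), max(buf) + 1)):
        raise ValueError("hole in stream: data would wait in the reassembly queue")
    return bytes(buf[k] for k in sorted(buf))


def normalise(segments):
    """Protocol-normaliser step: rewrite the segment list so that no segment
    carries a byte that has already been forwarded.  Whatever overlap policy
    the downstream host uses, it can then only reconstruct the "first"
    interpretation, which is the one the inspection engine checked."""
    seen = set()
    out = []
    for seg in segments:
        run_start, run = None, bytearray()
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if run:                      # flush the new bytes gathered so far
                    out.append(Segment(run_start, bytes(run)))
                    run_start, run = None, bytearray()
                continue
            if not run:
                run_start = off
            run.append(byte)
            seen.add(off)
        if run:
            out.append(Segment(run_start, bytes(run)))
    return out


SIGNATURE = b"/etc/passwd"   # toy content rule standing in for an IPS signature


def inspect(stream):
    """Return True when the reassembled stream passes the toy rule."""
    return SIGNATURE not in stream


# Constructed attacker traffic: the second segment overlaps the request path
# sent in the first.  Which path a receiver sees depends only on its policy.
ATTACK = [
    Segment(0, b"GET /index.html HTTP/1.0\r\n"),
    Segment(4, b"/etc/passwd"),
]


def evaluate(segments, ips_policy="first", host_policy="last"):
    """What the IPS inspects, what the host would have rebuilt from the raw
    segments, and what the host receives once the normaliser has run."""
    ips_view = reassemble(segments, ips_policy)
    host_raw = reassemble(segments, host_policy)
    host_norm = reassemble(normalise(segments), host_policy)
    return {
        "ips_passes_raw": inspect(ips_view),
        "host_raw": host_raw,
        "host_after_normaliser": host_norm,
        "normaliser_changed_stream": host_norm != host_raw,
    }


if __name__ == "__main__":
    for key, value in evaluate(ATTACK).items():
        print(f"{key}: {value!r}")
```

With the policies assumed here the raw traffic passes inspection while the host would have rebuilt the signature-matching request; after normalisation the host receives the same bytes the IPS checked, but that stream is not the one its own stack would have produced, which is the gap between "clean as inspected" and "accepted by the target" that the discussion above is about.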
Another key to battling AETs, says Boltz, is using IPSs that can take updates quickly as new AETs are recognised, backed by central management platforms that push those updates out to the IPS devices.
In addition to announcing it had found 26 more AETs, Stonesoft set up the conference call to rebut criticism that publicising them was a marketing ploy, says Matt McKinley, US director of product management.
McKinley called on Jack Walsh, ICSA's network IPS program manager, to speak in favour of the disclosures. Walsh headed a team that validated that the AETs Stonesoft initially disclosed actually worked.
He says making the problem public will prod vendors to address it before it becomes a reliable means of attack. "If fixes are in place, everybody benefits," Walsh says, "except for the attackers."