Innovation can be a wonderful thing. The trouble is, it’s a two-edged sword that can be used for good or ill. And when there’s profit involved, honest people and criminals alike have a huge incentive to look for that next interesting or useful thing.
Sadly for us, in the cat-and-mouse game of cyber security, the crooks have the edge. We plug one mouse hole, and they immediately chew out a couple more.
Sometimes it takes researchers a while to even figure out that there is a new threat. Gone are the days when an attack was trumpeted to the skies — today, it’s in the criminal’s best interest to be as stealthy as possible since the profit is in salable information acquired, not in bragging rights. That means getting malware past corporate defenses, preferably undetected.
At Intel Security’s annual user conference, FOCUS, researchers spent a lot of time talking about one way attackers are doing this — AETs or Advanced Evasion Techniques. They’re not new — Antti Kuvaja, director of product management at Stonesoft, a Finnish security company acquired last year by McAfee, a division of Intel Security, said he first saw publications discussing techniques for evading intrusion protection systems (IPS) back in 1997 — but they’ve increased in sophistication over the years. After hunting fruitlessly for products to help him test networks for AETs, Stonesoft decided to build its own.
AETs are not threats in themselves. They’re not malware, or Trojans, and they won’t hurt anything. But what they do allows malware to do plenty of damage. They deceive the deep packet inspection in IPSs so the systems don’t recognize malware.
How? According to Kuvaja, by playing tricks at the network level, in multiple layers of the TCP/IP stack. They chop programs into smaller than normal packets. They insert long delays between packets. They send things backwards. They exploit weaknesses in network protocols, doing things that are within spec, but still not quite right. Or they indulge in any of several hundred other ploys that confuse the IPS so it doesn’t realize there’s malware incoming. Those are all evasion techniques.
What turns simple evasion, which can be blocked once detected, into advanced evasion is the use of combinations of multiple evasion techniques. That turns a few hundred possibilities into a virtually endless quantity. And that makes them extremely difficult to detect and block.
It doesn’t help that AETs have been flying under the radar. According to a report by research firm Vanson Bourne, commissioned by McAfee in January 2014 to survey 800 CIOs and security managers from the US, UK, Germany, France, Australia, Brazil, and South Africa, less than half of survey respondents could even come up with the correct definition of an AET, or how describe how it differs from an APT (Advanced Persistent Threat).
The report explained the difference thusly: “AETs are used by well-resourced, motivated hackers to execute APT attacks. While the AET is not an attack by itself, as the bits of code in the AET are not necessarily malicious, they are used to disguise an attack. The danger lies in that AETs provide the attacker with undetectable access to the network. By developing a set of dynamic AETs, the hacker creates a “master key” to penetrate any locked-down network to exploit and compromise their vulnerable target victims.”
In other words, AETs are an attack enabler, so need to be detected and blocked to prevent malicious code from entering a network. Yet, the report said, the biggest difficulty respondents encountered was convincing their boards that action was needed (which, of course, means money has to be spent). As with any new and difficult-to-demonstrate threat, need can be a hard sell. Unfortunately, it’s a necessary one. Cyber criminals will use any tool at their disposal to get at corporate data, and that means companies have to weigh the risks and address them as appropriate if they don’t want to show up on the front page of the business section due to a breach.
Stonesoft’s test AET tool, Evader, is now offered as a free download by McAfee.