Evasion techniques are modifications made to cyber-attacks so that they elude IDS devices, stopping those devices from detecting, preventing and reporting the event. These techniques were originally described by Timothy Newsham and Thomas Ptacek in January 1998 in their white paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", where they discuss the lack of information available to a passive monitor from the IP data stream, and the fact that IDS-based security systems are passive, which makes them inherently 'fail open'.
'Advanced' Evasion Techniques (AETs) are next-generation evasion techniques discovered by a vendor-based Research and Development team in Finland. Stonesoft tasked their R&D team with a detailed investigation into evasion techniques following disappointing test results from NSS Labs on their IPS, StoneGate.
Advanced evasion techniques can be altered or combined in any order to avoid detection by security systems. AETs are, by their nature, dynamic, unconventional, virtually limitless in quantity, and unrecognizable by conventional detection methods. They can operate at every level of the TCP/IP stack and across many protocols or protocol combinations.
Stonesoft have reported their discoveries to security authorities including CERT-FI, US-CERT and CERT/CC. This included an initial release of 23 AETs, which some vendors now claim to have produced patches for. However, the R&D team in Finland have now announced the discovery of a further 124 new AETs. They have also developed their StoneGate IPS so that they have the leading product in the detection of AETs.
The team at Computer Network Defence Ltd decided to review the validity of these claims, to distinguish between an actual threat and a Stonesoft marketing stunt. Regardless, we felt that it was important to quantify the actual threat AETs pose to the thousands of multi-vendor IDS and IPS devices that we currently use to monitor secure networks. In order to do this we invited Stonesoft to our head office in Bath, along with the leading engineer responsible for the discovery of AETs, to demo the tools they use. Following the test, Stonesoft certainly caught our attention. We invited the team to run a second test on a demo network with a leading IPS, which we tuned and updated with all the latest patches in order to detect the attack. Sadly the AETs were also successful on our demo system, and we are now hounding the vendor to provide a solution.
At CND we feel that AETs are a genuine threat, presenting a very real risk to your network. The decision on the management of that risk is entirely your own. Currently there is no solid evidence proving that AETs are or are not being used against our systems today.
Having reviewed these claims in depth, we feel that there are a number of elements which offer a layer of security in your network, one of which is the attacker's need to understand which products you are using. Without that knowledge, you are likely to receive a list of events suggesting failed attacks. However, with blogs and networking sites such as LinkedIn, it is now easier than ever to socially engineer the information that would be required.
CND now offer an AET test as part of our more in-depth Penetration Testing service, CPR. The AET test will be carried out on your system, covering all of the AETs that have been released by Stonesoft. This test will be executed over a two-day period, in which we can almost guarantee a successful attack without detection. We will then provide you with consultative advice on how you can tune your devices in order to best protect your system against AETs prior to introducing a solid fix. We also give you a detailed report, including a list of the AETs used and whether each was detected or succeeded, which you can then use in your Risk Management decisions or take back to your current vendor to respond to.
If you are interested in having an AET test on your system, please contact 01225 811 806, or email stefan.godier(at)cndltd.com today.

