Anti evasion and evader - klaus majewski
Contents
- Summary – the Evader story
- AETs – what are they?
- AETs – what the experts say
- Current security devices fail on AETs
- The risk from AETs
- Evader – what is it?
- Evader – who is it for?
- Evader – how does it work?
- What if you are not AET-ready?
- AET-ready solutions
The Evader story
Stonesoft has been researching advanced evasions since 2007. In the
early days, Stonesoft found that all security products, including
Stonesoft's own, failed to detect AET-borne cyber attacks. Stonesoft
created anti-evasion technology, including full-stack, multilayer
normalization and stream-based data inspection and detection, to protect
organizations from AETs.

Stonesoft has been regularly reporting AETs to CERT since 2010.
Stonesoft's lab tests about two million evasion combinations
every day. Published tests and competitor products claim 100%
protection but only test for exploit fingerprints, and AET
detection cannot simply be patched in by a software update. Stonesoft
runs regular open tests (e.g. at Black Hat) to demonstrate the failure of
well-known vendors' products to defend against AETs.

But vendors and published appliance tests still claim 100% threat
protection! Now Evader, the ready-made evasion test lab, is available
for free. All organizations can use Evader to test their own security
against AETs conclusively and under real-world conditions, and find out
the truth.
What are AETs and why do they exist?

Advanced Evasion Techniques (AETs)
- What are they?
  - Any hacking technique or method used to implement network-based
    attacks in order to evade and bypass security detection
- What makes them advanced?
  - Combinations of evasions working simultaneously on multiple
    protocol layers
  - Combinations of evasions that can change during the attack
  - Carefully designed to evade inspection
5 facts we know about the AET threat
Should we do something?
1) Increasing threat research, testing and understanding by the
   security community
2) Used by nation states and advanced cyber criminals in targeted and
   persistent cyber attacks
3) Enables the recycling of any exploit (known or unknown)
4) The majority of current security devices are incapable of detecting
   and stopping AETs
5) They leave no trace. This creates the illusion of security
For the record

"Advanced Evasion Techniques can evade many network security systems.
We were able to validate Stonesoft's research and believe that these
Advanced Evasion Techniques can result in lost corporate assets with
potentially serious consequences for breached organizations."
– Jack Walsh, Program Manager

"If the network security system misses any type of evasion it means a
hacker can use an entire class of exploits to circumvent security products,
rendering them virtually useless. Advanced Evasion Techniques increase the
potential of evasion success against the IPS, which creates a serious concern
for today's networks."
– Rick Moy, President

"Recent research indicates that Advanced Evasion Techniques are a real and
credible – not to mention growing – threat against the network security
infrastructure that protects governments, commerce and information-sharing
worldwide. Network security vendors need to devote the research and
resources to finding a solution."
– Bob Walder, Research Director

"We believe AETs pose a serious threat to network security and have
already seen evidence of hackers using them in the wild. It is also very
promising to see that Stonesoft is taking the threat posed by evasions
seriously as they have been overlooked by many in the past."
– Andrew Blyth, Professor of Glamorgan University

Meanwhile, other network security vendors have kept radio silence!
Vertical inspection of the data traffic
Packet, segment or pseudo-packet based inspection process

[Figure: data traffic passes through three layers (IP level: packets;
TCP level: segments and pseudo packets; application protocol layers:
streams). Each unit is inspected on its own, so the maximum inspection
space is one packet, segment or pseudo packet.]

1) Limited protocol decoding and inspection capability, to gain speed.
2) Partial or no evasion removal: the majority of the traffic is left
   without evasion removal and is inspected with limited context
   information available.
3) Detect and block exploits: exploit detection is unreliable or
   impossible when evasions are not removed on all layers.
Horizontal inspection of the data traffic
Data stream based, full-stack normalization and inspection process

[Figure: data traffic passes through the same three layers (IP level:
packets; TCP level: segments and pseudo packets; application protocol
level: streams), but normalization and inspection run as one continuous
inspection space across all of them.]

1) Normalize traffic on all protocol layers as a continuous process.
2) The advanced evasion removal process makes the traffic evasion free
   and exploits detectable.
3) Detect exploits from the fully evasion-free data stream.
4) Alert on and report evasion attacks through the management system.

There is a difference! (Stonesoft vs. other vendors)
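The two inspection models above, and the "combinations of evasions on multiple protocol layers" definition of an AET, worked through in code. This is an added example written for this page, not Evader's code and not Stonesoft's detection logic. The packet model is simplified (a fragment carries only the owning segment's sequence number and its own offset), the HTTP request, the CGI path and the signature are constructed and hypothetical, and the three evasions (percent-encoding at layer 7, small out-of-order TCP segments at layer 4, shuffled IP fragments at layer 3) stand in for the combined multi-layer evasions the deck describes. Inspecting each fragment on its own misses the exploit; reassembling and decoding every layer before matching finds it.

```python
"""Per-packet ("vertical") inspection versus full-stack stream
normalization ("horizontal") against a multi-layer evasion.

Added example: the packet model, the evasions and the signature are
constructed for illustration; this is not Evader's code and not
Stonesoft's detection logic.
"""
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Constructed signature of the kind a pattern-matching IPS would carry.
# The CGI path is hypothetical; it is not a real vulnerability.
SIGNATURE = re.compile(rb"GET /cgi-bin/vuln\.cgi\?cmd=/bin/sh")

# The request exactly as the target web server will see it after decoding.
PLAINTEXT_REQUEST = b"GET /cgi-bin/vuln.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"


@dataclass
class Fragment:
    """One IP fragment carrying part of one TCP segment (simplified model)."""
    tcp_seq: int     # sequence number (stream offset) of the owning segment
    ip_offset: int   # byte offset of this fragment within that segment
    data: bytes


def app_layer_evasion(req: bytes) -> bytes:
    """Layer 7: percent-encode bytes of the shell path.  The raw bytes no
    longer contain '/bin/sh', but the server decodes them to the same path."""
    return req.replace(b"/bin/sh", b"/%62in/%73h")


def tcp_layer_evasion(stream: bytes, seg_size: int,
                      rng: random.Random) -> List[Tuple[int, bytes]]:
    """Layer 4: cut the stream into small segments at arbitrary offsets, so
    the signature straddles segment boundaries, and send them out of order."""
    segs = [(i, stream[i:i + seg_size]) for i in range(0, len(stream), seg_size)]
    rng.shuffle(segs)
    return segs


def ip_layer_evasion(segs: List[Tuple[int, bytes]], frag_size: int,
                     rng: random.Random) -> List[Fragment]:
    """Layer 3: fragment every segment and shuffle the fragments on the wire."""
    frags = [Fragment(seq, off, data[off:off + frag_size])
             for seq, data in segs
             for off in range(0, len(data), frag_size)]
    rng.shuffle(frags)
    return frags


def build_evasive_attack(seed: int = 1, seg_size: int = 5,
                         frag_size: int = 3) -> List[Fragment]:
    """Apply all three evasions at once: the combination on multiple
    protocol layers that makes an evasion "advanced" in the deck's terms."""
    rng = random.Random(seed)
    stream = app_layer_evasion(PLAINTEXT_REQUEST)
    return ip_layer_evasion(tcp_layer_evasion(stream, seg_size, rng), frag_size, rng)


def vertical_inspection(frags: List[Fragment]) -> bool:
    """Inspect each fragment on its own: per-packet percent-decoding, no
    reassembly, no cross-packet context.  Fast, but blind to anything
    that is spread over more than one packet."""
    return any(SIGNATURE.search(unquote_to_bytes(f.data)) for f in frags)


def horizontal_inspection(frags: List[Fragment]) -> bool:
    """Reassemble IP fragments into segments, order segments into the TCP
    stream, decode the application layer, and only then match.  Evasions
    on every layer are removed before the signature is consulted."""
    segments: Dict[int, Dict[int, bytes]] = {}
    for f in frags:
        segments.setdefault(f.tcp_seq, {})[f.ip_offset] = f.data
    stream = b"".join(parts[off]
                      for _, parts in sorted(segments.items())
                      for off in sorted(parts))
    normalized = unquote_to_bytes(stream)
    return SIGNATURE.search(normalized) is not None


if __name__ == "__main__":
    wire = build_evasive_attack()
    print("fragments on the wire:", len(wire))
    print("per-packet inspection detects exploit:", vertical_inspection(wire))
    print("full-stack normalization detects exploit:", horizontal_inspection(wire))
```

Run it as a script to see both verdicts on the same bytes. The point generalizes beyond these three evasions: any inspector whose matching context is narrower than the receiver's reassembly window can be beaten by spreading the signature across that boundary, and per-packet decoding does not close the gap because a percent-escape itself can be split across two fragments.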
Consider the risk
1)   Vulnerability to AETs makes you an easy
     target for sophisticated hackers
2)   The cost of being hacked is always higher
     than the cost of protection (the business case)
3)   The cost of a network breach can include
     loss of brand value, reputation and business
     relationships, as well as financial loss
4)   You can be totally unaware of successful
     AET-borne attacks
5)   And, sorry to say this, but as we speak you
     are probably vulnerable*

     *Current NGFW/IPS/IDS technologies are
     ineffective against Advanced Evasion
     Techniques because of a fundamental design flaw
"There are two types of CISO, those that have been attacked, and those
who don't know they've been attacked"
How do you know if you are protected from AETs?

Test with Evader
Launch controlled AET attacks at your own defenses
- The world's first downloadable software-based AET testing environment
- Not a hacking tool or penetration test: Evader tests whether a known
  exploit can be delivered using AETs through your current security
  devices to a target host
- Designed to test NGFW, IPS and UTM network security appliances from
  McAfee, SourceFire, Checkpoint, HP/Tipping Point, Cisco, Palo Alto
  Networks, Juniper, Fortinet, Stonesoft and many more
- Free to download, easy to run, and even a little fun to use!
Evader benefits security specialists and C-level
- Information security professionals – discover the real-world truth
  behind device capabilities
- CIOs – re-assess risk strategy and consider network resilience as a
  component of the corporate – and operational – risk profile
- CEOs and COOs – take into account the effects of security breaches on
  brand, reputation and business relationships, as well as profits
- Researchers, academics, commentators and competitors – help save
  businesses from devastating AET attacks
- And hackers can learn that the security industry has the tools to
  fight back against the most advanced threats
Evader – for all organizations that are potential targets for cyber
attacks
- Governments and defense
- SCADA and ICS networks
- All organizations with digital assets
- Transport and logistics
- Finance and banking
- Telecoms and media
When to test with Evader
[Screenshot of an Evader run ending in: ATTACK SUCCEEDED: OPEN SHELL]

What next if you are not protected?
Let's end the industry's illusion of security
- Ask your vendor why you are not safe from AETs
- Ask your vendor when they will be AET-ready
- While you wait, get protected now with the Stonesoft EPS

Stonesoft's own tests with other vendors' current NGFW, IPS and UTM
devices, following full-device configuration, have had very poor
results. Unfortunately you can expect the same.
The Stonesoft EPS as an "infrastructure patch"
[Figure: the EPS inserted in front of the existing network security
devices]

All Stonesoft solutions detect and prevent AET cyber attacks
Stonesoft Security Engine
- Fully integrated, adaptive, high manageability, world-leading network
  security – respond to business and environment changes without taking
  CAPEX or OPEX hits.
- Transformable to any next generation security product without license
  changes.
- Flexible and fully featured – choose from SMB to military-grade
  protection.
- Free future updates, upgrades and performance improvements. Full AET
  protection.

Stonesoft IPS
- High performance Next Gen IPS, upgradable to the full Security Engine
  via license upgrade.
- Free updates. Full AET protection.

Stonesoft EPS
- Cost-effective AET "infrastructure patch", upgradable to the full
  Security Engine or Next Gen IPS via license upgrades.
- Free updates. Full AET protection.
A Stonesoft Innovation
evader.stonesoft.com

Mais conteúdo relacionado

Mais procurados

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security AwarenessDigit Oktavianto
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Malware Dectection Using Machine learning
Malware Dectection Using Machine learningMalware Dectection Using Machine learning
Malware Dectection Using Machine learningShubham Dubey
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesArshadRaja786
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Anti malware solution using Machine Learning
Anti malware solution using Machine LearningAnti malware solution using Machine Learning
Anti malware solution using Machine LearningAkash Sarode
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramDigit Oktavianto
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaLearn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaEdureka!
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Adversarial machine learning for av software
Adversarial machine learning for av softwareAdversarial machine learning for av software
Adversarial machine learning for av softwarejunseok seo
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Evade and bypass AV with MSF
Evade and bypass AV with MSFEvade and bypass AV with MSF
Evade and bypass AV with MSFAbdul Adil
 
To use the concept of Data Mining and machine learning concept for Cyber secu...
To use the concept of Data Mining and machine learning concept for Cyber secu...To use the concept of Data Mining and machine learning concept for Cyber secu...
To use the concept of Data Mining and machine learning concept for Cyber secu...Nishant Mehta
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 

Mais procurados (20)

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
Malware detection
Malware detectionMalware detection
Malware detection
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security Awareness
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Malware Dectection Using Machine learning
Malware Dectection Using Machine learningMalware Dectection Using Machine learning
Malware Dectection Using Machine learning
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning Techniques
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Anti malware solution using Machine Learning
Anti malware solution using Machine LearningAnti malware solution using Machine Learning
Anti malware solution using Machine Learning
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaLearn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Adversarial machine learning for av software
Adversarial machine learning for av softwareAdversarial machine learning for av software
Adversarial machine learning for av software
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
Evade and bypass AV with MSF
Evade and bypass AV with MSFEvade and bypass AV with MSF
Evade and bypass AV with MSF
 
To use the concept of Data Mining and machine learning concept for Cyber secu...
To use the concept of Data Mining and machine learning concept for Cyber secu...To use the concept of Data Mining and machine learning concept for Cyber secu...
To use the concept of Data Mining and machine learning concept for Cyber secu...
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 

Destaque

Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms  why we don't/don't we have viruses on android_Viruses on mobile platforms  why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
 
Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentationmichelemanzotti
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe:  Cloud-Based Attack Mitigation SolutionRadware DefensePipe:  Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZIPMAX s.r.l.
 
Change Management PPT Slides
Change Management PPT SlidesChange Management PPT Slides
Change Management PPT SlidesYodhia Antariksa
 

Destaque (16)

Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms  why we don't/don't we have viruses on android_Viruses on mobile platforms  why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_
 
Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentation
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe:  Cloud-Based Attack Mitigation SolutionRadware DefensePipe:  Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
THE VEIL FRAMEWORK
THE  VEIL FRAMEWORKTHE  VEIL FRAMEWORK
THE VEIL FRAMEWORK
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacks
 
Polygon filling
Polygon fillingPolygon filling
Polygon filling
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZ
 
Change Management PPT Slides
Change Management PPT SlidesChange Management PPT Slides
Change Management PPT Slides
 

Semelhante a Anti evasion and evader - klaus majewski

Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Intergence Ltd.
 
Is3110 Lab 5 Essay
Is3110 Lab 5 EssayIs3110 Lab 5 Essay
Is3110 Lab 5 EssayTammy Davis
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
SoleraNetworks
SoleraNetworksSoleraNetworks
SoleraNetworksJoe Levy
 
Dismantling intrusion prevention_systems
Dismantling intrusion prevention_systemsDismantling intrusion prevention_systems
Dismantling intrusion prevention_systemsOlli-Pekka Niemi
 
Junos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJunos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJuniper Networks
 
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLS
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLSA CASE STUDY ON VARIOUS NETWORK SECURITY TOOLS
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLSKatie Robinson
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessDavid Sweigert
 
Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical HackingJennifer Wood
 
Infa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsInfa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsChelsea Porter
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...Mrunalini Koritala
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information SecurityRachel Phillips
 

Semelhante a Anti evasion and evader - klaus majewski (20)

Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...
 
Is3110 Lab 5 Essay
Is3110 Lab 5 EssayIs3110 Lab 5 Essay
Is3110 Lab 5 Essay
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
50120140501013
5012014050101350120140501013
50120140501013
 
NetWitness
NetWitnessNetWitness
NetWitness
 
SoleraNetworks
SoleraNetworksSoleraNetworks
SoleraNetworks
 
Dismantling intrusion prevention_systems
Dismantling intrusion prevention_systemsDismantling intrusion prevention_systems
Dismantling intrusion prevention_systems
 
Junos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJunos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite Launch
 
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLS
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLSA CASE STUDY ON VARIOUS NETWORK SECURITY TOOLS
A CASE STUDY ON VARIOUS NETWORK SECURITY TOOLS
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
 
Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical Hacking
 
Infa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsInfa 610 Final Exam Solutions
Infa 610 Final Exam Solutions
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
 
Layered approach
Layered approachLayered approach
Layered approach
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
 
Ijnsa050214
Ijnsa050214Ijnsa050214
Ijnsa050214
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.final
 
The Security Of Information Security
The Security Of Information SecurityThe Security Of Information Security
The Security Of Information Security
 

Anti evasion and evader - klaus majewski

  • 2. Contents Summary – the Evader story AETs – what are they? AETs – what the experts say Current security devices fail on AETs The risk from AETs Evader – what is it? Evader – who is it for? Evader – how does it work? What if you are not AET-ready? AET-ready solutions
  • 3. The Evader story Stonesoft has been researching advanced evasions since 2007. In the early days, Stonesoft found that all security products, including Stonesoft’s own, failed to detect AET-borne cyber attack. Stonesoft created anti-evasion technology, including full stack, multilayer normalization, and stream-based data inspection and detection, to protect organizations from AETs. Stonesoft has been regularly reporting AETs to CERT since 2010. Stonesoft’s lab tests for about two million evasion combinations everyday. Published tests and competitor products are claiming 100% protection but are only testing for exploit fingerprints – and AET detection cannot be simply patched by software update. Stonesoft shows regular open tests (e.g. Black Hat) to demonstrate the failure of well-known vendors’ products to defend against AETs. But vendors and published appliance tests still claim 100% threat protection! Now Evader – the ready-made evasion test lab – is available for free. All organizations can use Evader to conclusively real-world test their own security against AETs – and find out the truth.
  • 4. What are AETs and why do they exist? Advanced Evasion Techniques
  • 5. Advanced Evasion Techniques (AETs) o What are they? o Any hacking technique/method used to implement network based attacks in order to evade and bypass security detection o What makes them advanced? o Combinations of evasions working simultaneously on multiple protocol layers o Combinations of evasions that can change during the attack o Carefully designed to evade inspection
  • 6. 5 FACTS WE KNOW ABOUT The AET threat Should we do something? 1) Increasing threat research, testing and understanding by the security community 2) Used by nation states and advanced cyber criminals in targeted and persistent cyber attacks 3) Enables the recycling of any exploit (known or unknown) 4) The majority of current security devices are incapable of detecting and stopping AETs 5) They leave no trace. This creates the illusion of security
  • 7. For the record “Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” – Jack Walsh, Program Manager Meanwhile, “If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, other rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.” network – Rick Moy, President security “Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information- vendors sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.” have kept – Bob Walder, Research Director radio “We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild. It is also very silence! promising to see that Stonesoft is taking the threat posed by evasions seriously as they have been overlooked by many in the past.” -Andrew Blyth, Professor of Glamorgan University
• 8. Vertical inspection of the data traffic: packet, segment or pseudo-packet based inspection process
(Diagram: data traffic passes through three layers, each inspected on its own; the maximum inspection space is a single packet, segment or pseudo-packet.)
  3 Application protocol layers (streams)
  2 TCP level: segments, pseudo packets
  1 IP level: packets
  1) Limited protocol decoding and inspection capability, to gain speed.
  2) Partial or no evasion removal: the majority of the traffic is left without evasion removal and is inspected with limited context information available.
  3) Detect and block exploits: unreliable or impossible exploit detection when evasions are not removed on all layers.
• 9. Horizontal inspection: data stream based, full stack normalization and inspection process
(Diagram: data traffic passes through the same three layers, but the inspection space is continuous across them.)
  Application protocol level (streams)
  TCP level: segments, pseudo packets
  IP level: packets
  1) Normalize traffic on all protocol layers as a continuous process.
  2) The advanced evasion removal process makes the traffic evasion free and exploits detectable.
  3) Detect exploits from the fully evasion-free data stream.
  4) Alert and report on all evasion attacks through the management system.
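The following is an added illustration, not Stonesoft code or part of the deck: a toy per-segment inspector in the style of slide 8 next to a stream-reassembling inspector in the style of slide 9, run over a constructed exploit fingerprint that is split across out-of-order TCP segments. The signature, segment contents, sequence numbers and the first-received-wins overlap policy are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for an exploit fingerprint; it matches no real exploit.
SIGNATURE = b"EXAMPLE_EXPLOIT_MARKER"

@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes

def inspect_per_segment(segments):
    """Slide 8 model: each segment is inspected alone, with no stream context."""
    return any(SIGNATURE in s.data for s in segments)

def reassemble(segments):
    """Slide 9 normalization step: rebuild the byte stream the receiving host
    will see. Segments are placed by sequence number, so arrival order does
    not matter; for overlapping bytes the first-received copy wins (an
    assumed policy; a real normalizer must mirror the target's TCP stack)."""
    stream = {}
    for s in segments:
        for offset, byte in enumerate(s.data):
            stream.setdefault(s.seq + offset, byte)
    if not stream:
        return b""
    out = bytearray()
    pos = min(stream)
    while pos in stream:              # stop at the first gap (missing bytes)
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def inspect_stream(segments):
    """Slide 9 model: inspect the normalized stream, not individual segments."""
    return SIGNATURE in reassemble(segments)

# Constructed sample: the marker split across three short segments that also
# arrive out of order, so no single segment contains the whole pattern.
SPLIT = [
    Segment(1000, b"HEADER EXAMP"),
    Segment(1025, b"RKER TRAILER"),
    Segment(1012, b"LE_EXPLOIT_MA"),
]
# Constructed sample: the whole pattern carried inside one segment.
WHOLE = [Segment(5000, b"HEADER EXAMPLE_EXPLOIT_MARKER TRAILER")]
```

Both inspectors flag WHOLE, but only the stream-based one flags SPLIT; the gap handling in reassemble shows why a normalizer that stops at missing bytes still needs the full stream before it can judge the payload.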
• 10. There is a difference! (Comparison figure: Stonesoft vs. other vendors)
• 11. Consider the risk
1) Vulnerability to AETs makes an easy target for sophisticated hackers
2) The cost of being hacked is always higher than protection (the business case)
3) The cost of network breach can include loss of brand value, reputation, business relationships, as well as financial loss
4) You can be totally unaware of successful AET-borne attacks
5) And, sorry to say this, but as we speak you are probably vulnerable*
*Current NGFW/IPS/IDS technologies are ineffective against Advanced Evasion Techniques because of a fundamental design flaw
  • 12. “There are two types of CISO, those that have been attacked, and those who don’t know they’ve been attacked”
  • 13. How do you know if you are protected from AETs? TEST WITH EVADER
• 14. Launch controlled AET attacks at your own defenses
o The world’s first downloadable software-based AET testing environment
o Not a hacking tool or penetration test – Evader tests if a known exploit can be delivered using AETs through your current security devices to a target host
o Designed to test NGFW, IPS and UTM network security appliances from McAfee, SourceFire, Checkpoint, HP/Tipping Point, Cisco, Palo Alto Networks, Juniper, Fortinet, Stonesoft and many more
o Free to download, easy to run, and even a little fun to use!
• 15. Evader benefits security specialists and C-level
o Information security professionals – discover the real-world truth behind device capabilities
o CIOs – re-assess risk strategy and consider network resilience as a component of the corporate – and operational – risk profile
o CEOs and COOs – take into account the effects of security breaches on brand, reputation and business relationships, as well as profits
o Researchers, academics, commentators and competitors – help save businesses from devastating AET attacks
o And hackers can learn that the security industry has the tools to fight back against the most advanced threats
• 16. Evader – for all organizations that are potential targets for cyber attacks
o Governments and defense
o SCADA and ICS networks
o All organizations with digital assets
o Transport and logistics
o Finance and banking
o Telecoms and media
  • 17. When to test with Evader
• 18. ATTACK SUCCEEDED: OPEN SHELL
What next if you are not protected?
• 19. Let’s end the industry’s illusion of security
o Ask your vendor why you are not safe from AETs
o Ask your vendor when they will be AET-ready
o While-U-wait: get protected NOW with the Stonesoft EPS
Stonesoft’s own tests with other vendors’ current NGFW, IPS and UTM devices – following full-device configuration – have had very poor results. Unfortunately you can expect the same.
• 21. The Stonesoft EPS as an “Infrastructure Patch”
• 22. All Stonesoft solutions detect and prevent AET cyber attacks
o Stonesoft Security Engine – Fully integrated, adaptive, high manageability, world-leading network security – respond to business and environment changes without taking CAPEX or OPEX hits. Transformable to any next generation security product without license changes. Flexible and fully featured – choose from SMB to military-grade protection. Free future updates, upgrades and performance improvements. Full AET protection.
o Stonesoft IPS – High performance Next Gen IPS, upgradable to the full Security Engine via license upgrade. Free updates. Full AET protection.
o Stonesoft EPS – Cost-effective AET “infrastructure patch”, upgradable to the full Security Engine or Next Gen IPS via license upgrades. Free updates. Full AET protection.