2. Contents
Summary – the Evader story
AETs – what are they?
AETs – what the experts say
Current security devices fail on AETs
The risk from AETs
Evader – what is it?
Evader – who is it for?
Evader – how does it work?
What if you are not AET-ready?
AET-ready solutions
3. The Evader story
Stonesoft has been researching advanced evasions since 2007. In the early days, Stonesoft found that all security products, including Stonesoft’s own, failed to detect AET-borne cyber attacks. Stonesoft created anti-evasion technology, including full-stack, multilayer normalization and stream-based data inspection and detection, to protect organizations from AETs.
Stonesoft has been reporting AETs to CERT regularly since 2010. Stonesoft’s lab tests about two million evasion combinations every day. Published tests and competitor products claim 100% protection, but they only test for exploit fingerprints, and AET detection cannot simply be patched in by a software update. Stonesoft runs regular open tests (e.g. at Black Hat) to demonstrate the failure of well-known vendors’ products to defend against AETs.
But vendors and published appliance tests still claim 100% threat protection! Now Evader, the ready-made evasion test lab, is available for free. Any organization can use Evader to test its own security against AETs under real-world conditions and find out the truth.
4. What are AETs and why do they exist?
Advanced Evasion Techniques
5. Advanced Evasion Techniques (AETs)
o What are they?
  o Any hacking technique or method used to implement network-based attacks in order to evade and bypass security detection
o What makes them advanced?
  o Combinations of evasions working simultaneously on multiple protocol layers
  o Combinations of evasions that can change during the attack
  o Carefully designed to evade inspection
6. 5 facts we know about the AET threat
Should we do something?
1) Increasing threat research, testing and understanding by the security community
2) Used by nation states and advanced cyber criminals in targeted and persistent cyber attacks
3) Enables the recycling of any exploit (known or unknown)
4) The majority of current security devices are incapable of detecting and stopping AETs
5) They leave no trace. This creates the illusion of security
7. For the record
“Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.”
– Jack Walsh, Program Manager
“If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.”
– Rick Moy, President
“Recent research indicates that Advanced Evasion Techniques are a real and credible – not to mention growing – threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.”
– Bob Walder, Research Director
“We believe AETs pose a serious threat to network security and have already seen evidence of hackers using them in the wild. It is also very promising to see that Stonesoft is taking the threat posed by evasions seriously as they have been overlooked by many in the past.”
– Andrew Blyth, Professor at the University of Glamorgan
Meanwhile, other network security vendors have kept radio silence!
8. Vertical inspection of the data traffic
[Figure: packet, segment or pseudo-packet based inspection process. Each layer of the data traffic (IP level: packets; TCP level: segments and pseudo packets; application protocol level: streams) is inspected separately within a limited maximum inspection space.]
1) Limited protocol decoding and inspection capability, to gain speed.
2) Partial or no evasion removal: the majority of the traffic is left without evasion removal and is inspected with limited context information available.
3) Detect and block exploits: unreliable or impossible exploit detection when evasions are not removed on all layers.
9. Horizontal inspection of the data traffic
[Figure: data stream based, full-stack normalization and inspection process. All layers (IP level: packets; TCP level: segments and pseudo packets; application protocol level: streams) are normalized into one continuous inspection space.]
1) Normalize traffic on all protocol layers as a continuous process.
2) The advanced evasion removal process makes the traffic evasion-free and exploits detectable.
3) Detect exploits from the fully evasion-free data stream.
4) Alert on and report evasion attacks through the management system.
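The difference between the two inspection models on slides 8 and 9, and the "multiple protocol layers" point from the AET definition on slide 5, as an added example in Python. This is not Stonesoft's or Evader's code and it does not reproduce any real evasion Evader ships; the signature string, the HTTP responses and the chunk and segment boundaries are all constructed here. The attacker side stacks two evasions: HTTP chunked transfer encoding with chunk boundaries placed inside the signature (application layer) on top of out-of-order TCP-style segmentation with a segment boundary inside the signature (transport layer). The defender side runs three inspectors over the same delivery: per-segment matching with no reassembly (the vertical model), reassembly without application-layer normalization, and full reassembly plus decoding (the horizontal model). Only the last one finds the signature when both evasions are combined.

```python
# Added example, not Stonesoft/Evader code. The signature, HTTP messages and
# evasion boundaries below are constructed for illustration.
import random
import re

# Constructed stand-in for an exploit fingerprint (a real IPS matches on the
# exploit's own bytes; the principle is the same).
SIGNATURE = b"EXPLOIT-MARKER"
BODY = b"<html>" + SIGNATURE + b"</html>"   # constructed exploit-carrying page


def chunked_encode(body: bytes, chunk_sizes) -> bytes:
    """Application-layer evasion: emit `body` as HTTP/1.1 chunked transfer
    encoding, cutting chunks at the given sizes (the remainder becomes the last
    data chunk). A chunk boundary inside the signature means the signature's
    bytes never appear contiguously on the wire."""
    out, pos = bytearray(), 0
    for size in list(chunk_sizes) + [len(body)]:
        piece = body[pos:pos + size]
        if not piece:
            break
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
        pos += len(piece)
    out += b"0\r\n\r\n"
    return bytes(out)


def chunked_decode(wire_body: bytes) -> bytes:
    """Normalizer side: undo chunked transfer encoding."""
    out, pos = bytearray(), 0
    while True:
        end = wire_body.index(b"\r\n", pos)
        size = int(wire_body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = end + 2
        out += wire_body[start:start + size]
        pos = start + size + 2  # skip the CRLF that terminates the chunk data


def segment(stream: bytes, cuts, seed: int):
    """Transport-layer evasion: cut the byte stream into TCP-like segments
    (seq, data) at the given offsets and deliver them out of order."""
    edges = [0] + sorted(cuts) + [len(stream)]
    segs = [(a, stream[a:b]) for a, b in zip(edges, edges[1:])]
    random.Random(seed).shuffle(segs)
    return segs


def transport_only_evasion(seed: int = 7):
    """Single-layer evasion: plain HTTP body, but one segment boundary falls
    inside the signature and the segments arrive out of order."""
    wire = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY
    inside_sig = wire.index(SIGNATURE) + 5
    return segment(wire, [16, inside_sig], seed)


def multi_layer_evasion(seed: int = 7):
    """Two evasions at once: chunk boundaries inside the signature at the
    application layer, plus small out-of-order segments at the transport layer."""
    at = BODY.index(SIGNATURE)
    wire = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunked_encode(BODY, [at + 5, 4]))
    return segment(wire, range(13, len(wire), 13), seed)


def reassemble(segments) -> bytes:
    """Order segments by sequence number; this toy requires a gap- and
    overlap-free stream (overlap policy is deliberately not modelled)."""
    stream, expected = bytearray(), 0
    for seq, data in sorted(segments):
        if seq != expected:
            raise ValueError("gap or overlap at seq %d" % seq)
        stream += data
        expected += len(data)
    return bytes(stream)


def inspect_per_segment(segments) -> bool:
    """Slide 8 model: each segment is matched on its own, no reassembly, no decoding."""
    return any(SIGNATURE in data for _, data in segments)


def inspect_reassembled_only(segments) -> bool:
    """Partial normalization: TCP stream reassembled, application layer left as-is."""
    return SIGNATURE in reassemble(segments)


def inspect_normalized(segments) -> bool:
    """Slide 9 model: reassemble, strip the application-layer encoding, then match."""
    stream = reassemble(segments)
    hdr_end = stream.index(b"\r\n\r\n") + 4
    headers, wire_body = stream[:hdr_end], stream[hdr_end:]
    if re.search(rb"transfer-encoding:\s*chunked", headers, re.I):
        wire_body = chunked_decode(wire_body)
    return SIGNATURE in wire_body


if __name__ == "__main__":
    for name, segs in (("transport-only evasion", transport_only_evasion()),
                       ("multi-layer evasion", multi_layer_evasion())):
        print(name, "| per-segment:", inspect_per_segment(segs),
              "| reassembled-only:", inspect_reassembled_only(segs),
              "| normalized:", inspect_normalized(segs))
```

Run it with `python3`: the transport-only case is caught as soon as the device reassembles the stream, but the combined case defeats reassembly on its own and is only caught after every layer has been normalized, which is the "evasion removal on all layers" claim of slide 9 in miniature. One caveat the toy does not model: a real normalizer also has to resolve overlapping segments and ambiguous encodings the same way the target host will, otherwise the device inspects a different stream than the one the host receives; the `reassemble` helper here simply rejects overlaps rather than choosing a policy.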
10. There is a difference!
[Figure: side-by-side comparison of Stonesoft versus other vendors.]
11. Consider the risk
1) Vulnerability to AETs makes you an easy target for sophisticated hackers
2) The cost of being hacked is always higher than the cost of protection (the business case)
3) The cost of a network breach can include loss of brand value, reputation and business relationships, as well as financial loss
4) You can be totally unaware of successful AET-borne attacks
5) And, sorry to say this, but as we speak you are probably vulnerable*
*Current NGFW/IPS/IDS technologies are ineffective against Advanced Evasion Techniques because of a fundamental design flaw: they inspect individual packets or segments rather than the fully normalized data stream
12. “There are two types of CISO, those that have been attacked, and those who don’t know they’ve been attacked”
13. How do you know if you are protected from AETs?
TEST WITH EVADER
14. Launch controlled AET attacks at your own defenses
The world’s first downloadable software-based AET testing environment.
Not a hacking tool or penetration test: Evader tests whether a known exploit can be delivered, using AETs, through your current security devices to a target host.
Designed to test NGFW, IPS and UTM network security appliances from McAfee, Sourcefire, Check Point, HP TippingPoint, Cisco, Palo Alto Networks, Juniper, Fortinet, Stonesoft and many more.
Free to download, easy to run, and even a little fun to use!
15. Evader benefits security specialists and C-level
Information security professionals – discover the real-world truth behind device capabilities
CIOs – re-assess risk strategy and consider network resilience as a component of the corporate, and operational, risk profile
CEOs and COOs – take into account the effects of security breaches on brand, reputation and business relationships, as well as profits
Researchers, academics, commentators and competitors – help save businesses from devastating AET attacks
And hackers can learn that the security industry has the tools to fight back against the most advanced threats
16. Evader – for all organizations that are potential targets for cyber attacks
Governments and defense
SCADA and ICS networks
All organizations with digital assets
Transport and logistics
Finance and banking
Telecoms and media
19. Let’s end the industry’s illusion of security
Ask your vendor why you are not safe from AETs
Ask your vendor when they will be AET-ready
While you wait, get protected NOW with the Stonesoft EPS
Stonesoft’s own tests with other vendors’ current NGFW, IPS and UTM devices, following full-device configuration, have had very poor results. Unfortunately you can expect the same.
22. All Stonesoft solutions detect and prevent AET cyber attacks
Stonesoft Security Engine
Fully integrated, adaptive, highly manageable, world-leading network security: respond to business and environment changes without taking CAPEX or OPEX hits. Transformable into any next-generation security product without license changes. Flexible and fully featured: choose from SMB to military-grade protection. Free future updates, upgrades and performance improvements. Full AET protection.
Stonesoft IPS
High-performance next-generation IPS, upgradable to the full Security Engine via a license upgrade. Free updates. Full AET protection.
Stonesoft EPS
Cost-effective AET “infrastructure patch”, upgradable to the full Security Engine or next-generation IPS via license upgrades. Free updates. Full AET protection.