In this webinar we look at how the majority of today’s networks are vulnerable to a set of advanced attacks which can go undetected by many security systems. Advanced Evasion Techniques exist which can pass through firewalls and intrusion prevention systems, allowing an attacker to deliver a malicious payload to a vulnerable device, undetected.
Stonesoft’s Alan Cottom will demonstrate a live attack on an IPS-protected system using their Predator tool and how this attack can be blocked via the Stonesoft security suite of products.
Intergence will be demonstrating their cutting edge 3D visualisation tool Hyperglance which integrates with a number of network management and security systems including the Stonesoft products. Hyperglance will be used to visualise the IT infrastructure and identify where systems are vulnerable and pinpoint real time attacks, allowing administrators to take immediate action to secure their network.
Webinar on identifying, preventing and securing against the unidentifiable attacks
1. Identify, prevent and secure against the unidentifiable attacks
Presented by:
Dr Steven Turner, VP of Optimisation, Intergence
Alan Cottom, CISSP, Solutions Architect, Stonesoft
2. Optimising your connected world.
Thank you for joining our webinar
• Please note: during this webinar we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughout.
• To chat to the host: click on the speech bubble in the top right hand corner, then type in the text box.
• To submit a question: click on the question mark in the top right hand corner and open the Q&A box.
• Experiencing technical difficulties? Please email news@intergence.com or speak to us directly through the chat bar.
3. Agenda
The webinar has three parts:
• Alan Cottom: Advanced Evasion Techniques; are you protected?
• Steve Turner: Hyperglance live demo
• Q&A section
6. Evasion (definition)
Evasion techniques are a means to disguise and/or modify cyber attacks to avoid detection and blocking by information security systems. Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system without detection, when it would normally be detected and stopped. Security systems are rendered ineffective against such evasion techniques (in the same way a stealth fighter can attack without detection by radar and other defensive systems).
7. Evasion timeline
• 1997-98: First papers appeared detailing attacks against, or ways to bypass, network intrusion detection.
• 2004: Possibility to combine evasions suggested.
• 2007: 12 (or so) known “traditional” evasion methods; Stonesoft R&D begin research.
8. Evasion timeline
• 2010: Stonesoft share findings on new evasion threat; Stonesoft deliver 23 STACKABLE AETs to CERT.
• 2011: February – Stonesoft deliver 124 new AETs; October – Stonesoft deliver further 160 new AETs.
• Today: Approx. 2^300 Advanced Evasion Techniques.
9. Advanced Evasion Techniques (AET)
What are they?
Any technique used to implement network based attacks in order to evade and bypass security detection.
What makes them advanced?
• Combination of evasions working simultaneously on multiple protocol layers
• Combination of evasions that can change during the attack
• Carefully designed to evade inspection
Typically, AETs are used as part of Advanced Persistent Threats (APT):
APT = Motivation – i.e. we want to target you or your organisation
AET = Method – i.e. the way in which we will attempt to gain entry
10. Surely my current IPS/IDS/NGFW can stop them?
Stonesoft have run tests against all of the highest ranked security devices from the Gartner Magic Quadrant.
It is possible to effortlessly evade most market-leading security solutions by using one or more advanced evasion techniques (AETs).
All products are running the latest versions and updates.
StoneGate products were originally vulnerable but now include comprehensive protection against AETs as standard.
11. AETs in action
AET Test Environment (diagram): an untrusted network, the security device(s) under test, and a protected network. The Predator AET attack tool host on the untrusted side sends an exploit with AETs through Gartner Magic Quadrant IPS/IDS/NGFW solutions towards a vulnerable target host on the protected network.
13. Protection Against AETs
Multi-layer Traffic Normalization
• StoneGate IPS decodes and normalizes traffic for inspection on all protocol layers.
• Fingerprints detect exploits in the normalized data stream.
Dynamic Protection
• StoneGate IPS software upgrades update the Layered Normalization on all protocol layers.
• When new Anti-Evasion updates are available, the StoneGate Management Center can upgrade IPS engines remotely.
14. Vertical inspection of the data traffic
Packet, segment or pseudo-packet based inspection process (diagram; each layer has its own limited "Maximum Inspection Space"):
1. IP level: packets
2. TCP level: segments, pseudo packets
3. Application protocol layers: streams
Consequences:
1. Limited protocol decoding and inspection capability, traded for speed.
2. Partial or no evasion removal: the majority of the traffic is left without evasion removal and is inspected with limited context information available.
3. Detect and block exploits: unreliable or impossible exploit detection when evasions are not removed on all layers.
15. Horizontal inspection of the data traffic
Data stream based, full-stack normalization and inspection process (diagram; one "Continuous Inspection Space" spanning IP packets, TCP segments/pseudo packets and application protocol streams):
1. Normalize traffic on all protocol layers as a continuous process.
2. The advanced evasion removal process makes the traffic evasion free and exploits detectable.
3. Detect exploits from the fully evasion-free data stream.
4. Alert and report evasion attacks through the management system.
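To make the vertical versus horizontal distinction concrete, here is an added example (not Stonesoft's code and not part of the webinar) in Python. It matches a constructed fingerprint against each TCP segment on its own, and then against the stream rebuilt from those segments. The fingerprint, the sequence numbers and the segments are all constructed for the demo; the overlap policy (first-arriving data wins) is an assumption, since a production normalizer has to apply whatever reassembly policy the protected host uses.

```python
import re

# Constructed detection fingerprint for the demo; not a real exploit signature.
FINGERPRINT = re.compile(rb"ATTACK-MARKER-\d{4}")


def inspect_per_segment(segments):
    """Vertical (packet-based) inspection: each TCP segment payload is matched
    on its own, with no memory of the surrounding stream."""
    return any(FINGERPRINT.search(payload) for _seq, payload in segments)


def reassemble_stream(segments, isn):
    """Normalize a TCP flow into the byte stream the receiving host will see.

    segments: (sequence_number, payload) pairs in arrival order; they may be out
    of order, duplicated or overlapping. isn: sequence number of the first
    payload byte. Overlaps are resolved first-arrival-wins (assumption for this
    demo). Only the contiguous prefix is returned; bytes after a gap are held
    back until the missing segment arrives.
    """
    placed = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            placed.setdefault(seq + offset, byte)  # keep the first copy seen
    stream = bytearray()
    pos = isn
    while pos in placed:
        stream.append(placed[pos])
        pos += 1
    return bytes(stream)


def inspect_stream(segments, isn):
    """Horizontal (stream-based) inspection: match against the normalized stream."""
    return FINGERPRINT.search(reassemble_stream(segments, isn)) is not None


def compare_inspection(segments, isn):
    """Run both inspection styles over the same flow and report the verdicts."""
    return {
        "per_segment": inspect_per_segment(segments),
        "stream": inspect_stream(segments, isn),
    }


# Constructed sample flow: out-of-order delivery plus a conflicting overlapping
# retransmission; the marker straddles the boundary between two segments.
ISN = 1000
SAMPLE_SEGMENTS = [
    (1016, b"KER-2024 world"),    # arrives first, out of order
    (1000, b"hello ATTACK-MAR"),  # first 16 bytes of the stream
    (1010, b"XXXXXX"),            # retransmission conflicting with bytes 1010-1015
]

if __name__ == "__main__":
    print(reassemble_stream(SAMPLE_SEGMENTS, ISN))
    print(compare_inspection(SAMPLE_SEGMENTS, ISN))
```

Per-segment matching never sees the whole marker, so it reports nothing; the reassembled stream is matched once and the same fingerprint fires. The gap handling matters for the same reason: inspecting bytes that the host cannot yet deliver is the "limited context" problem the slide describes.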
16. Stonesoft AET Differentiators
(Stonesoft FW / IPS feature: description)
• Full-stack visibility: Stonesoft decodes and normalizes traffic on all protocol layers
• Normalization based evasion removal: the normalization process removes the evasions before the data stream inspection
• Horizontal data stream-based inspection: vulnerability based fingerprints detect exploits in the normalized data stream
• Inhouse evasion research and tools: evasion-proof product quality assured with automated evasion fuzzing tests (PREDATOR)
• Built-in evasion recognition and logging: anomaly and evasion information included in the threat context
• Dynamic updates & upgrades: anti-evasion technology automatically updated to Next-Generation IPS and Firewall engines
18. AETs - Comment
“Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.”
– Jack Walsh, Program Manager
“If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.”
– Rick Moy, President
“Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.”
– Bob Walder, Research Director
22. Thank You for attending!
If you require more information or would like to book a one to one demo: contact us at +44 (0)845 226 4167 or drop us an email at contact@intergence.com
Or come along to our Executive Seminars across the UK! Visit our website for more information!
Speaker notes
Thank you very much ladies and gentlemen for joining us today. My name is Robert Smith from Intergence Systems and I am delighted to welcome Stace Hipperson from Real-Status, who will present later in the Webinar. Hyperglance ver 1.3 is the subject of our webinar today. <click>
Just some housekeeping to start with: During this webinar, we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughout. To chat to the host, click on the speech bubble in the top right hand corner, then type in the text box. To submit a question, click on the question mark in the top right hand corner and open the Q&A box. If you are experiencing technical difficulties, please email news@intergence.com or speak to us directly through the chat bar. <click>
<click> We have a simple agenda today. It is split up into 3 parts. <click> I will be presenting a brief background on Intergence and some background on why Hyperglance was created. <click> I will then hand over to Stace Hipperson who will be demonstrating ver 1.3 of Hyperglance. <click> And finally there will be an interactive question and answer section. <click>
IPS notes.
SMB: It is possible to segment SMB write data (e.g. MSRPC) into arbitrary sized segments. It is also possible to multiplex SMB writes to different named pipes or files within a single TCP connection. Stonesoft approach: SMB protocol decoding and validation performed.
MSRPC: MSRPC supports both little and big endian encoding of data. Little endian is normally used, but implementations also accept big endian, which can be used as an evasion in some cases. Fragmented RPC messages can be used as an obfuscation method to hide attacks. Stonesoft approach: Stonesoft IPS defragments fragmented MSRPC requests. To apply the right fingerprints, Stonesoft IPS follows the protocol execution and provides the fingerprinting system with the necessary service information (object UUID, opnum field, endianness) in addition to the request payload data. It also explicitly follows some evasion techniques, like changing the endianness in the middle of a connection.
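The MSRPC points above (fragmented requests, and the byte order that can switch from one PDU to the next) are what an inspection engine has to normalize before any opnum-specific fingerprint is meaningful. The following added Python example, which is not Stonesoft's code and not from the webinar, decodes DCE/RPC connection-oriented request PDUs using the standard 16-byte common header (version, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id) and the request body (alloc_hint, context_id, opnum), honours the byte order each PDU's own drep field declares, reassembles fragments per call_id, and only then applies a fingerprint keyed by opnum. The fingerprint, opnum 31, the call ids and the stub data are constructed for the demo; `build_request_pdu` exists only to produce the sample input offline.

```python
import re
import struct

# DCE/RPC connection-oriented common header (16 bytes):
#   version(1) minor(1) ptype(1) pfc_flags(1) drep(4) frag_length(2) auth_length(2) call_id(4)
# A request PDU (ptype 0) then carries alloc_hint(4) context_id(2) opnum(2) and the stub data.
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0
HEADER_LEN = 16
REQUEST_BODY_LEN = 8

# Constructed fingerprint keyed by opnum; not a real vulnerability signature.
STUB_FINGERPRINTS = {31: re.compile(rb"STUB-MARKER-\d{4}")}


def is_little_endian(drep0):
    # High nibble of drep[0]: 0 = big-endian integers, 1 = little-endian.
    return (drep0 & 0xF0) == 0x10


def parse_request_pdu(raw):
    """Decode one request PDU, honouring the byte order its own drep declares."""
    if len(raw) < HEADER_LEN + REQUEST_BODY_LEN:
        raise ValueError("PDU too short")
    version, _minor, ptype, flags = raw[0:4]
    if version != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a v5 request PDU")
    little = is_little_endian(raw[4])
    order = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack(order + "HHI", raw[8:16])
    if frag_len != len(raw):
        raise ValueError("frag_length does not match PDU size")
    _alloc_hint, _context_id, opnum = struct.unpack(order + "IHH", raw[16:24])
    stub = raw[24:frag_len - auth_len]  # auth trailer, if any, is not stub data
    return {"call_id": call_id, "flags": flags, "little_endian": little,
            "opnum": opnum, "stub": stub}


def reassemble_requests(pdus):
    """Join fragmented requests by call_id and note any mid-call byte-order change."""
    pending = {}
    completed = []
    for raw in pdus:
        pdu = parse_request_pdu(raw)
        cid = pdu["call_id"]
        if pdu["flags"] & PFC_FIRST_FRAG:
            pending[cid] = {"call_id": cid, "opnum": pdu["opnum"],
                            "stub": bytearray(), "byte_orders": set()}
        entry = pending.get(cid)
        if entry is None:
            raise ValueError("continuation fragment for unknown call_id %d" % cid)
        entry["stub"] += pdu["stub"]
        entry["byte_orders"].add(pdu["little_endian"])
        if pdu["flags"] & PFC_LAST_FRAG:
            done = pending.pop(cid)
            done["stub"] = bytes(done["stub"])
            done["endian_switch"] = len(done["byte_orders"]) > 1
            completed.append(done)
    return completed


def inspect_requests(pdus):
    """Apply opnum-specific fingerprints to fully reassembled stub data only."""
    findings = []
    for req in reassemble_requests(pdus):
        pattern = STUB_FINGERPRINTS.get(req["opnum"])
        findings.append({
            "call_id": req["call_id"],
            "opnum": req["opnum"],
            "matched": bool(pattern and pattern.search(req["stub"])),
            "endian_switch": req["endian_switch"],  # worth logging as an anomaly
        })
    return findings


def build_request_pdu(call_id, opnum, stub, flags, little_endian):
    """Constructed sample-data builder used only to produce demo input."""
    order = "<" if little_endian else ">"
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    frag_len = HEADER_LEN + REQUEST_BODY_LEN + len(stub)
    header = bytes([5, 0, PTYPE_REQUEST, flags]) + drep + struct.pack(order + "HHI", frag_len, 0, call_id)
    body = struct.pack(order + "IHH", len(stub), 0, opnum)
    return header + body + stub


# Constructed sample: call 7 is split into two fragments that switch byte order
# mid-call, with the marker straddling the fragment boundary; call 8 is benign.
SAMPLE_PDUS = [
    build_request_pdu(7, 31, b"STUB-MAR", PFC_FIRST_FRAG, little_endian=True),
    build_request_pdu(7, 31, b"KER-2024", PFC_LAST_FRAG, little_endian=False),
    build_request_pdu(8, 31, b"hello", PFC_FIRST_FRAG | PFC_LAST_FRAG, little_endian=True),
]

if __name__ == "__main__":
    for finding in inspect_requests(SAMPLE_PDUS):
        print(finding)
```

Matching each fragment on its own sees only half the marker and misses; decoding the second fragment with the first fragment's byte order would misread frag_length and call_id and break reassembly altogether. Carrying opnum (and in a full implementation the bound interface UUID) alongside the stub data is what lets the fingerprint be scoped to the service that will actually interpret the bytes.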
I would now like to pass you over to Stace Hipperson, CTO of Real-Status