Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

AETs: The Ultimate Stealth Attack?

Advanced Evasion Techniques (AETs) – Dynamic and Constantly Evolving Network Threats

Advanced Evasion Techniques (AETs) – Dynamic and Constantly Evolving Network Threats

There seems to be some confusion regarding what advanced evasion techniques (AETs) are and are not. A recent survey shows that 70 percent of CIOs and security managers claimed knowledge of AETs, but fewer than half could correctly define them. What’s worse, some IT practitioners question the very existence of AETs—a troubling and dangerous mindset, especially for anyone in charge of securing IT systems. These misunderstandings and lack of awareness serve to keep AETs under organizational security radars.

Let’s start by dispelling the fiction. AETs are NOT urban legends or conspiracy theories invented by security vendors. They’re real, and they are used on a global scale by criminals and state-sponsored hackers to inflict real damage on corporations and governmental agencies.

Separating Fact from Fiction: AETs Defined

Advanced evasion techniques disguise malicious payloads by splitting them into smaller pieces and then delivering the pieces simultaneously, or at varying times, across multiple or rarely used network protocols. Once inside networks, the pieces reassemble to unleash malware that, for example, might quietly exfiltrate sensitive or valuable information over weeks, months, or even years.

Diagram of how Advanced Evasion Techniques work

Using a real example, the Conficker worm, which emerged in late 2008, was one of the first malware attacks to leverage advanced evasion techniques. Conficker exploits a particular vulnerability in the network service of Windows operating systems. Attackers use their knowledge of TCP/IP packet-handling procedures to fragment malware into numerous smaller packets, going against the common practice of using as few packets as possible to improve efficiencies. Next, they space the delivery of packets beyond the typical network security devices’ memory refresh rates, enabling the worm’s components to pass through up-to-date security devices for later reassembly within the organization.

Why Isn’t the News Full of AET-based Breaches?

I’m asked this question all the time: “If advanced evasion techniques are such a big deal, why aren’t they prime-time news like Stuxnet or BlackPOS?”

Advertisement. Scroll to continue reading.

There are two key points to keep in mind here. First, AETs are not actually malware. Rather, they are clever attack methods used to deliver malware directly through perimeter security defenses. AETs are designed specifically to evade detection by most firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and even routers that perform deep packet inspection. Given the thousands of ways for attackers to split malicious payloads, along with the hundreds of potential delivery methods, it’s estimated that there are currently more than 800 million viable AET combinations. Since every AET permutation has the potential to create a unique attack signature, scanning network traffic for all known attack signatures is simply impractical.

Second, the evolving threat landscape and culture of hackers is another major change. AETs aren’t created by the hacker hobbyists of the past who were often trying to outdo each other by causing maximum damage and getting massive publicity. Today’s cyber criminals are typically well-resourced, highly motivated attackers who are often accomplished software engineers working for cybercrime syndicates. They use AETs to penetrate network defenses and accomplish their missions undetected. Finally, most products in the industry are susceptible to AETs, and therefore vendors are reluctant to discuss this attack vector.

Security is a Journey, not a Destination

Given the estimated 800 million possible evasive combinations, AET-based attacks will always be a moving target. However, there are steps you can take today to protect your organization against AETs:

Identify and prioritize your critical assets. Which of your assets are hackers most likely to target, and how might they attack them? An audit of critical infrastructure and strategic assets is a good starting point. Leverage AET test tools to get an understanding of your organization’s susceptibility.

Protect your organization. Once you’ve located and defined the paths to all of your critical assets, ensure that all traffic along these routes is inspected with an advanced next-generation firewall, or IPS, that is capable of fully normalizing all network traffic prior to signature-based inspection in order to defeat AETs.

Don’t compromise security for performance. AETs exploit shortcuts and weaknesses in traffic inspection processes, especially incomplete or non-existent traffic normalization capabilities. Insist on network security devices that inspect all layers of the TCP/IP model and have sufficient power to inspect the full data-stream, rather than short traffic segments or pseudo-packets. Also, if you have deployed a NGFW in favor of a stand-alone, best of breed IPS, make sure you have not disabled security capabilities in favor of higher network performance. Otherwise you might as well give hackers a master key to your network. Ensure that protections are in place and functioning properly. If your network security devices are slowing your network, or can’t keep up with security processing demands, it’s time to upgrade.

Deploy and use intelligent, centralized management. AETs are dynamic and constantly evolving. Looking at just one piece of the security puzzle or deploying point solutions is no longer effective. You must ensure centralized management and monitoring of all network security devices, regardless of vendor or device type, to quickly pinpoint and remediate attacks. Additionally, security devices must be able to share information on the latest attacks with other devices and threat databases, both locally and globally, across the entire network.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.