Webinar on identifying, preventing and securing against the unidentifiable attacks
1 like601 views
The document outlines a webinar presented by Steven Turner and Alan Cottom, focusing on identifying, preventing, and securing against advanced evasion techniques (AETs) in cyber attacks. It details the nature of AETs, which allow attackers to evade detection by security systems, and emphasizes the need for comprehensive security solutions that can address these threats. The presentation includes a demonstration of Stonesoft's security solutions, showcasing their efficacy in detecting and mitigating AETs.
![AETs in action
AET Test Environment
Untrusted Network Security Device(s) Protected Network
[Exploit with AETs]
Predator Target
[AET Attack] [Vulnerable]
Tool Host
Gartner Magic
Quadrant
IPS/IDS/NGFW
Solutions](https://image.slidesharecdn.com/stonesoftandintergencewebinar-120813073325-phpapp01/85/Webinar-on-identifying-preventing-and-securing-against-the-unidentifiable-attacks-11-320.jpg)
Webinar on identifying, preventing and securing against the unidentifiable attacks
- 1. Identify, prevent and secure against the unidentifiable attacks Presented by: Dr Steven Turner, VP of Optimisation, Intergence Alan Cottom, CISSP, Solutions Architect, Stonesoft
- 2. Optimising your connected world. Thank you for joining our webinar • Please note • During this webinar, we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughout • To chat to the host • click on the speech bubble in the top right hand corner, then type in the text box • To submit a question • click on the question mark in the top right hand corner and open the Q&A box • Experiencing technical difficulties? • please email news@intergence.com or speak to us directly through the chat bar
- 3. Optimising your connected world. Agenda The webinar has three parts Alan Cottom; Advanced Evasion Techniques; are you protected? Steve Turner; Hyperglance live demo Q&A section
- 4. Advanced Evasion Techniques (AET) Are you protected? Alan Cottom – Solutions Architect, Stonesoft
- 5. Physical & Virtual Security Appliances
- 6. Evasion (definition) Evasion techniques are a means to disguise and/or modify cyber attacks to avoid detection and blocking by information security systems. Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system without detection, that would normally be detected and stopped. Security systems are rendered ineffective against such evasion techniques. (In the same way a stealth fighter can attack without detection by radar and other defensive systems)
- 7. Evasion timeline • First papers appeared detailing attacks against or ways to bypass network intrusion detection. 1997-98 • Possibility to combine evasions suggested 2004 • 12 (or so) known “traditional” evasion methods • Stonesoft R&D begin research 2007
- 8. Evasion timeline • Stonesoft share findings on new evasion threat • Stonesoft deliver 23 STACKABLE AETs to CERT 2010 • February – Stonesoft deliver 124 new AETs • October – Stonesoft deliver further 160 new AETs 2011 • Approx. 2^300 Advanced Evasion Techniques Today
- 9. Advanced Evasion Techniques (AET) What are they? Any technique used to implement network based attacks in order to evade and bypass security detection What makes them advanced? Combination of evasions working simultaneously on multiple protocol layers Combination of evasions that can change during the attack Carefully designed to evade inspection Typically, AETs are used as part of Advanced Persistent Threats (APT) APT = Motivation – i.e. we want to target you or your organisation AET = Method – i.e. the way in which we will attempt to gain entry
- 10. Surely my current IPS/IDS/NGFW can stop them? Stonesoft have run tests against all of the highest ranked security devices from the Gartner Magic Quadrant It is possible to effortlessly evade most market-leading security solutions by using one or more advanced evasion techniques (AETs). All products are running the latest versions and updates. StoneGate products were originally vulnerable but now include comprehensive protection against AETs as standard.
- 11. AETs in action AET Test Environment Untrusted Network Security Device(s) Protected Network [Exploit with AETs] Predator Target [AET Attack] [Vulnerable] Tool Host Gartner Magic Quadrant IPS/IDS/NGFW Solutions
- 12. AETs in action… AET Demonstration
- 13. Protection Against AETs Multi-layer Traffic Normalization • StoneGate IPS decodes and normalizes traffic for inspection on all protocol layers. • Fingerprints detect exploits in the normalized data stream. Dynamic Protection • StoneGate IPS software upgrades update the Layered Normalization on all protocol layers. • When new Anti-Evasion updates are available, the StoneGate Management Center can upgrade IPS engines remotely.
- 14. Vertical Inspection of the data traffic Packet, segment or pseudo -packet based inspection process Maximum Inspection Space Data Traffic Application Protocol layers 3 (Streams) 2 TCP level Segments, pseudo packets 1 IP level Packets Limited Protocol Partial or No Evasion Removal Detect and Block Exploits 1 decoding and inspection 2 Majority of the traffic is left without 3 Unreliable or impossible exploit detection capability to gain speed. evasion removal and inspected with when evasion are not removed on all layers. limited context information available.
- 15. Horizontal Data stream based, full Stack normalization and inspection process Data Traffic …Continuous Inspection Space… Application Protocol level (Streams) 1 2 3 4 TCP level Segments, 1 pseudo packets IP level Packets 1 Normalize traffic on all Advanced Evasion Detect exploits from the fully Alert and report 4 Evasion attacks 1 protocol layers as a 2 removal process makes the 3 evasion free data stream. continious process. traffic evasion free and through management exploits detectable. system
- 16. Stonesoft AET Differentiators Stonesoft FW / IPS Description Full-stack visibility Stonesoft decodes and normalizes traffic on all protocol layers Normalization based evasion removal Normalization process remove the evasions before the data stream inspection Horizontal data stream-based inspection Vulnerability based fingerprints detect exploits in the normalized data stream Inhouse evasion research and tools Evasion-proof product quality assured with automated evasion fuzzing tests (PREDATOR) Built-in evasion recognition and logging Anomaly and evasion information included into threat context Dynamic updates & upgrades Antievasion technology automatically updated to Next- Generation IPS and Firewall engines
- 17. AERT - Advanced Evasion Readiness Test
- 18. AETs - Comment “Advanced Evasion “If the network security “Recent research indicates Techniques can evade system misses any type of that Advanced Evasion many network security evasion it means a hacker Techniques are real and systems. We were able to can use an entire class of credible – not to mention validate Stonesoft’s exploits to circumvent growing –a growing threat research and believe that security products, against the network security these Advanced Evasion rendering them virtually infrastructure that protects Techniques can result in useless. Advanced Evasion governments, commerce and lost corporate assets with Techniques increase the information-sharing potentially serious potential of evasion success worldwide. Network security consequences for breached against the IPS, which vendors need to devote the organizations.” creates a serious concern research and resources to for today’s networks.” finding a solution.“ – Jack Walsh, Program Manager – Rick Moy, President – Bob Walder, Research Director
- 20. Optimising your connected world. DEMONSTRATION
- 21. Optimising your connected world. Q&A Any Questions?
- 22. Optimising your connected world. Thank You for attending! If you require more information or would like to book a one to one demo : contact us at +44 (0)845 226 4167 or drop us an email at contact@intergence.com Or come along to our Executive Seminars across the UK! Visit our website for more information!
Editor's Notes
- #2: Thank you very much ladies and gentlemen for joining us today. My name is Robert Smith from Intergence Systems and I am delighted to welcome Stace Hipperson from Real-Status, who will present later in the Webinar. Hyperglancever 1.3 is the subject our webinar today.<click>
- #3: Just some housekeeping to start with:During this webinar, we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughoutTo chat to the hostclick on the speech bubble in the top right hand corner, then type in the text boxTo submit a questionclick on the question mark in the top right hand corner and open the Q&A boxIf you are Experiencing technical difficultiesplease email news@intergence.com or speak to us directly through the chat bar<click>
- #4: <click>We have a simple agenda today. It is split up in to 3 parts<click>I will be presenting a brief background on Intergence and some background on why Hyperglance was created<click>I will then hand over to Stace Hipperson who will be demonstrating ver 1.3 of Hyperglance<click>And finally there will be an interactive question and answer section<click>
- #15: Application Protocol layers (http, SMB, Netbios etc.)
- #16: IPSMBIt is possible to segment SMB write data (e.g. MSRPC) into arbitrary sized segments. It is also possible to multiplex SMB writes to different named pipes or files within a single TCP connection.Stonesoftapproach:SMB protocol decoding and validation performedMSRPCMSRPC support both little and big endian encoding of data. Little endian is normally used but implementations accept also big endian, which can be used as evasion in some cases. Stonesoftapproach:Fragmented RPC messages can be used as an obfuscation method to hide attacks. Stonesoft IPS defragments fragmented MSRPC requests. To apply the right fingerprints, Stonesoft IPS follows the protocol execution and provides the fingerprinting system the necessary service information (object UUID, opnum field, endianness) in addition to the request payload data. It also explicitly follows some evasion techniques, like changing the endiannessin the middle of a connection.
- #21: I would now like to pass you over to Stace Hipperson, CTO of Real-Status
- #23: <click>