Stonesoft: six tips for protecting critical data against Advanced Evasion Techniques
March 2011 by Stonesoft
Stonesoft discovered Advanced Evasion Techniques (AETs) last year. Since then, it has been verified that the threat posed by AETs to organisation’s critical data capital and systems is constantly evolving and dynamic. Here Stonesoft shares six tips for organisations to protect their critical data assets and systems against Advanced Evasion Techniques.
Evasions are a way to bypass network intrusion prevention systems (IPS) or any security device that is supposed to do network traffic inspection. As such, evasion techniques have been known for a long time. However, when Stonesoft discovered the AETs - a new threat category that existing network security systems are not able to detect - the information and the first 23 samples were quickly delivered to the Computer Emergency Response Team CERT-FI and later announced to the public. Stonesoft has recently shared 124 newly discovered samples with CERT-FI. However, this was just the tip of the iceberg.
“As a rule, all services have their scheduled maintenance windows, and organisations use intrusion prevention systems to protect their critical data assets also between maintenance updates. These network threats and maintenance restrictions apply also to industrial SCADA networks, which were targeted by the Stuxnet worm in 2010. However, advanced evasion techniques are capable of bypassing this protection and delivering attacks without being detected by security devices like IPS. This means that the vulnerabilities of the systems can be exploited at any time,” Tomi Kononow, StoneGate IPS Product Manager at Stonesoft, explains. “To protect their critical data assets against AETs, organisations must be proactive, question their existing security solutions and look for alternative options to fight this new threat posed by Advanced Evasion Techniques. The playfield of network security has changed and the old methods do not apply any more.”
Organisations should follow the six tips listed below to increase their level of protection against AETs:
Increase your knowledge of Advanced Evasion Techniques. They differ from traditional evasions in many ways, and it is important to understand that they are not attacks as such, but delivery methods that carry payloads to the vulnerable target without being detected by firewall and IPS devices. Thus, there is no bulletproof solution against them. You can minimise the risk of being exploited by using a network security solution that is capable of multi-layer traffic normalisation and an intelligent security platform that is continuously updated against AETs.
Analyse the risks. Audit your critical infrastructure and analyse the most significant assets of your organisation, how and where they are currently stored and whether the information is backed up. Prioritise. Start by making sure your critical assets and public services have the best possible protection against AETs.
Re-evaluate your patch management. When possible, patching the vulnerable systems gives the ultimate protection against network attacks, regardless of whether they have been boosted by AETs. Evasions can only help the attacker to bypass intrusion prevention systems (IPS) or next generation firewalls (NGFW); they do not assist in an attack against a patched system. It is understandable, however, that patch testing and deployment take time even under the best circumstances, and for that period the following recommendations for proper IPS protection apply.
Re-evaluate your intrusion prevention solution. Evaluate your existing intrusion prevention solution (IPS) and NGFW with respect to its capability to protect your network against AETs. Be critical and proactive, and look for alternative options. Keep in mind that AETs have changed the security landscape permanently. It is a fact that if a security device is not capable of handling evasions, it is practically useless - no matter how good a block rate it has or how many certifications or awards it has won.
Re-evaluate your security management. Centralised management plays a crucial role in protecting against AETs. It allows you to automate AET updates and schedule software upgrades remotely and effortlessly, thus making sure you always have the highest possible protection against AETs.
Test the anti-evasion capabilities of your security devices in their own environment, using your own policies and configurations. Many security vendors know how to survive simulated and recorded evasions when these are well predefined and stable in a lab environment. However, when facing live and dynamic evasion-disguised exploits, these systems go blind and are incapable of protecting your data assets. If you really want to know the level of your current protection against AETs, field testing is required.
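As an added illustration of the multi-layer traffic normalisation mentioned in the first tip and of the kind of check the last tip asks you to run, the toy inspector below (example code written for this page, not Stonesoft's or StoneGate's) shows why matching a signature packet by packet is not enough: the same request is seen by a per-packet matcher and by a matcher that first reassembles the TCP stream. The segments, the signature and the first-received overlap policy are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int     # sequence number relative to the start of the stream
    data: bytes

# Toy IPS signature (constructed for the example).
SIGNATURE = b"/etc/passwd"

def naive_match(segments, signature=SIGNATURE):
    """Per-packet inspection: each segment is checked in isolation."""
    return any(signature in s.data for s in segments)

def reassemble(segments):
    """Normalise the stream before inspection: order bytes by sequence
    number, resolve overlaps (first-received byte wins, an assumed
    policy) and stop at the first gap, since bytes beyond a hole cannot
    be judged until the missing segment arrives. Assumes the stream
    starts at relative sequence number 0."""
    stream = {}
    for seg in segments:                      # iterate in arrival order
        for i, byte in enumerate(seg.data):
            stream.setdefault(seg.seq + i, byte)
    out = bytearray()
    pos = 0
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def normalised_match(segments, signature=SIGNATURE):
    """Inspection over the reassembled, normalised stream."""
    return signature in reassemble(segments)

# Constructed traffic: one request delivered as small, out-of-order,
# overlapping segments so that no single packet contains the signature.
EVASIVE_SEGMENTS = [
    Segment(7, b"c/pa"),
    Segment(0, b"GET "),
    Segment(10, b"asswd HTTP/1.0"),   # overlaps byte 10 of the segment above
    Segment(4, b"/et"),
]

if __name__ == "__main__":
    print("per-packet match:", naive_match(EVASIVE_SEGMENTS))        # False
    print("normalised match:", normalised_match(EVASIVE_SEGMENTS))   # True
    print("stream:", reassemble(EVASIVE_SEGMENTS))
```

Dropping the segment at offset 4 makes `reassemble` stop at the gap and return only `b"GET "`, which is the correct outcome for an inspector: it must hold the stream rather than declare it clean.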