
Is your network protected against AETs or are you a sitting duck?

Don't you think it's strange that serious hacking attacks are being reported in the press more frequently? In the last few months we've had breaches at RSA, an international security vendor, the Sony PlayStation Network and now Lockheed Martin. Surely these technology-driven companies should have all the armament to protect their expensive, data-rich networks?

Unfortunately, cybercriminals are becoming more advanced, and merely having a firewall and some antivirus, although a vital first layer of defence, is not enough in this day and age. There is also a new, growing, but not yet prevalent group of network attacks that blindside most traditional security systems, including most Intrusion Prevention Solutions. AETs (Advanced Evasion Techniques) are not a new type of threat per se, but rather a new way to deliver existing threats. Put in physical-world terms, they are like stealth bombers: the bombs they carry are the same, but the means of delivery can't be easily detected, which makes an attack on the target more effective.

Stonesoft, the vendor that identified AETs, has announced that it has tracked 124 new threats and has detailed them to CERT, the Computer Emergency Response Team.

The worrying fact is that many vendors' solutions don't protect against AETs; even many of the Next Generation Firewalls and Intrusion Prevention Systems from leading vendors can't detect them. Evasion techniques have been around for a long time, and many vendors claim their products thwart them, which they do, but they do not thwart Advanced Evasion Techniques, which ups the risk.

Matt McKinley, U.S. director of product management for Stonesoft, says it's important to understand that AETs themselves are not a threat; rather, AETs serve as a way to deliver malware into an enterprise while bypassing sophisticated defences such as IPS, IDS, or NGFW (next-generation firewalls). Because AETs are designed to deliver malware without detection, this makes them “one of the most serious security threats facing enterprise network security today,” he adds. Dealing with single exploits, McKinley says, is relatively easy because security vendors can build fingerprint- and signature-based protection quickly. This is not the case with AETs.

 



How do you improve your protection against AETs?

There are a number of things you can do to lower your risk of being vulnerable to AETs:

1. Improve your understanding of what AETs are. They differ from traditional evasions by using multiple methods of stealth. They are not attacks, but delivery systems that launch payloads at targets that may be vulnerable, without being detected by firewalls (including next generation firewalls) and most IPS solutions. The below links will help:

 

2. Identify what your risks may be. Are you a data-rich organisation? Do you have sensitive information stored on your systems or handle financial transactions? If the answer to any of those is yes, your chance of attack should be gauged. Analyse your network for vulnerable and critical systems, and check what data they contain and what the impact of a data leak or a denial of service on those systems would be. Look at how the data is stored and what your backup routines are, and whether these need to change.

3. Check any Intrusion Prevention Solution you use. Ask the vendor how they detect Advanced Evasion Techniques, and analyse whether they are actually talking about evasion techniques, which are much easier to detect than AETs. Ask whether they can detect the 124 AETs Stonesoft passed to CERT, and note whether they gloss over the threat: IPS is an insurance policy, and vital protection should not be lacking.

4. Examine your patch management. Patching vulnerable systems provides the best protection against network attacks, regardless of whether they have been delivered by AETs. Evasions may help the attacker bypass IPS or next generation firewalls, but they cannot actually attack a patched system. However, because patch testing and deployment take time under even the best circumstances, additional IPS and security measures must be taken.

5. Know if you have been attacked. Deploy server security that can check the state of the server, so that you know if an attack has been launched and are alerted when you have been compromised.

6. Test the capabilities of your security solutions against AETs. A number of penetration testing companies use AETs in their vulnerability scanning, and they can help you decide whether you have the appropriate security to withstand an attack and where your vulnerabilities lie.

 

How Can Cygnia Help You Combat the AET risk?

Cygnia can help you mitigate your risk of being hacked by an AET. The solutions we offer to combat AETs are:

Advice. We provide advice and guidance on AETs, what the threats are and where you may be vulnerable.

Vulnerability tests. From penetration testing companies that include AETs in their repertoire of scans. These are a good way to assess your vulnerability level should you be hacked.

Intrusion Prevention Solutions. We provide an inexpensive perimeter IPS solution that protects against a good spread of AETs.

Patch Management and Anti Virus. We help you with your patch management and Anti Virus to ensure your servers have the best protection available.

File Integrity Scanning Software. We help you deploy a file integrity monitoring solution to warn you if anything changes on your servers.