Storm in an AETcup?

Posted 9 January 2012 by John Grundy
Fear, uncertainty, and doubt – commonly known in tech circles as ‘the FUD factor’ – have long been a favourite marketing tactic for security players. Anti-virus, Anti-spam, Firewalls, Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems – all these and more have enjoyed their fair share of scaremongering campaigns over the years.
This being the case, when one security solutions provider “discovers” and starts talking up a “new” super threat, some commentators – most especially other security vendors – often tend towards cynicism.
As one pundit caustically observed, the general attitude in such cases is perhaps akin to the Elmer Fudd factor: They suspect that “There’s something scwewy going on awound here” and want to “kill the wabbit” (sic.) before it kills them.
So has it been with the emergence of Advanced Evasion Techniques or AETs; a term originated by Finnish network security specialists Stonesoft last year to describe what it says is a potentially infinite “new line of cyber attack providing hackers with a master key to access vulnerable systems.”
Essentially a ‘wrapper’ in which hackers can ‘disguise’ viruses, botnets and other threats, the AET allows hacking agents – new and old – to bypass many of the market-leading IPS appliances and pass into a system or network completely undetected and without trace (a phenomenon witnessed by iQ at first hand at this year’s InfoSec in Earls Court).
This should in itself be sufficient to give many a network security officer the jitters. But the real issue, suggests Ash Patel, Stonesoft Country Manager for the UK & Ireland, is that there currently exists no “one step” solution or fix to combat such techniques and “no vendor able to fully protect against them” – in turn meaning that “no data is completely safe and all systems are vulnerable to attack.”
AETs, he says, may even help clear up some of the so far unexplained recent high-profile hacks and breaches. And either way, incidents such as the hacking of Sony’s PlayStation network, (which exposed 77 million users) offer compelling evidence that cybercriminals are becoming increasingly focused, persistent, and resourceful and that businesses therefore need vigilance and diligence to match.
“Questions need to be raised when organisations such as the French Ministry and Citibank are hacked; they are protected by solutions that claim 100% security but hackers were still able to gain entry… How?”
It’s a decent point. Organisations with dedicated security resources protecting their networks against multiple incident scenarios have nevertheless been breached; one common denominator among almost every high-profile victim of recent attacks was a network security infrastructure that was supposed to be top-drawer.
“After years of warnings, it can’t be solely that such large, well-resourced organisations don’t have the right security products or strategies in place. We have to assume that hackers are finding new ways around existing defences.”
The sector’s more sceptical commentators remain determinedly unconvinced; variously dismissing AETs as old news; as an exaggeration; as “the emperor’s new clothes”; and even as something “invented by Stonesoft to try and create a new term and a Gartner Quadrant of 1 vendor”. Others are looking to adopt a more balanced stance however.
One of these is Mike Paquette, CSO at Corero (formerly Top Layer Security). He notes that while more than 90% of the vulnerabilities discovered in browsers, productivity apps and so on each year are remotely exploitable (allowing attacks to be mounted against vulnerable systems simply by sending specially crafted packets or transactions over the network), IT security staff have known this for years, and routinely deploy firewalls, IDS and IPS systems to detect and block such attempts.
However, he says, the number of existing firewalls and IDS/IPS products that can now be circumvented by AETs “suggests that for many organisations, the level of protection they have against network-borne security threats might be less than previously thought.” The AET does present a real threat then?
“These techniques are real in the sense that they have been reduced to practice, and in the sense that it is possible to demonstrate whether a given security device can identify and block attacks that utilise them”, says Paquette. The level of actual risk associated with AE techniques is harder to assess, however.
“If and when malware ‘kits’ are enhanced to utilise these techniques, the risk for organisations that cannot detect and block them will increase… leading to known ill effects such as data leakage, botnet participation, and other cybercrime problems.”
Overall, he says, although there is certainly a degree of “competitive differentiation hyperbole in play here”, AET is an issue that rises above the FUD so frequently used in security marketing. As such, he sees the defence against AETs as likely to become a standard question asked of security vendors by security professionals before the purchase of firewalls and IDS and IPS appliances.
Eddy Willems, Security Evangelist with security player G Data, takes a similar view. “From my perspective AETs are much the same or similar to obfuscation techniques (a hacking trend that first emerged five or six years ago) only targeted specifically at the network.
“While particular players may be branding these techniques using terminology like Advanced Evasion Techniques or AET, some of the stuff they’re discussing has really been around for perhaps as much as 20 years or more; things we’ve actually known about for quite a while. In that sense AETs probably aren’t really anything new, so much as an evolution of something older.
“However, what they’re probably looking to focus on and talk about here – which is probably the important factor – are the more advanced forms of these techniques that are now emerging, and how hackers are now using different combinations of such techniques to attack their targets.”
“Obfuscation, AET – it doesn’t matter what you call it. Where much more advanced techniques are emerging that’s not a good thing and these are threats of which we do need to be wary.”
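As an added illustration of the network-level evasion Willems describes (example code written for this page, not from the article, Stonesoft or G Data): a known payload split across small, out-of-order TCP segments slips past an inspector that matches signatures per packet, while an inspector that reassembles and normalises the stream first still catches it. The signature, the request and the segment splitter are all constructed test data.

```python
# Added illustration (not from the article or any vendor): per-packet
# signature matching versus matching on the reassembled TCP stream.
from dataclasses import dataclass

# Constructed stand-in for a signature of a known exploit payload.
SIGNATURE = b"EVIL-PAYLOAD"


@dataclass
class Segment:
    seq: int      # relative TCP sequence number of the first byte
    data: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Naive inspection: look for the signature inside each segment alone."""
    return any(signature in s.data for s in segments)


def reassemble(segments):
    """Rebuild the byte stream from segments in any arrival order.
    Overlapping bytes are resolved first-received-wins; a real IPS must
    mirror the end host's own reassembly policy, which is precisely the
    ambiguity that evasion techniques exploit."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            stream.setdefault(s.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def stream_match(segments, signature=SIGNATURE):
    """Inspection after reassembly: the signature is matched on the stream."""
    return signature in reassemble(segments)


def split_out_of_order(payload, chunk=5):
    """Constructed test vector: cut the payload into chunks smaller than the
    signature and deliver them in reverse order, so no single segment holds
    the whole signature. Used here to exercise the two inspectors."""
    segs = [Segment(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]
    return segs[::-1]


if __name__ == "__main__":
    request = b"GET /index.html?q=EVIL-PAYLOAD HTTP/1.0\r\n"
    segs = split_out_of_order(request)
    print("per-packet match:", per_packet_match(segs))   # False: evaded
    print("stream match:    ", stream_match(segs))       # True: caught
```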
This is exactly the point, say Stonesoft: AETs are just one of the growing number of threat vectors that should be raising “a red flag” and prompting organisations to re-evaluate their risk management and security architectures and strategies.
“The threat landscape has changed permanently”, warns Stonesoft CEO Ilkka Hiidenheimo. “The design principles used to protect organisations’ digital assets need to be re-evaluated… (and) leaving responsibility only on the shoulders of IT management is a clear sign of poor governance.”
For Patel’s part it’s a question of Stonesoft being disproved. “We’re up there to be shot at and I only hope that this will encourage further debate and research from other parties.”
Wabbit season or Duck season? One way or the other, it’s probably sensible to keep pwenty of buwetts handy.