The discovery of AETs was first announced in October 2010. Since then, StoneSoft has continued its research in this area, which has led to the discovery of 124 new threats, and that work is still ongoing in its R&D laboratories.
Many vendors claim to have taken action since CERT-FI's official warnings about the first 23 discovered AETs. However, StoneSoft's research confirms that AETs are still able to penetrate many of these systems undetected. In many cases, minor modifications to the AET structure (for example, changing the size and segmentation of a byte) allow them to evade detection. This demonstrates that most vendors provide only temporary and inflexible solutions to the growing AET problem, rather than addressing the underlying architectural flaws that allow these threats to get through.
“Those who claim to have 100% protection against AETs don't fully grasp the magnitude of the problem, nor do they conduct sufficient research. The discoveries made so far are just the tip of the iceberg,” says Joona Airamo, Director of Security Systems at StoneSoft.
Traditional and advanced evasion techniques have become a growing concern for the entire security vendor community. The NSS Labs IPS Security Test from the fourth quarter of last year identified evasions based on IP fragmentation and TCP stream segmentation as a significant threat, to the point that if a hacker can evade detection through packet fragmentation or TCP stream segmentation, the intrusion prevention system will be completely vulnerable to any attack.
“The failure to detect an evasion means a hacker can use a wide range of tools to bypass a security system,” said Rick Moy, president of NSS Labs. “The combination of certain evasions increases the likelihood of success for hackers and raises the risk for companies.”
There is no single solution that completely eliminates AETs, but organizations can mitigate risks and minimize their vulnerability by taking appropriate measures. A key measure is using security devices capable of operating at all protocol layers for each network connection. Centralized management is crucial, as it allows for continuous updates and evolution of the network security architecture. However, digital fingerprints and signatures are ineffective against the dynamic and constantly evolving nature of AETs.
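To make the TCP stream segmentation evasion mentioned by NSS Labs and the "operate at all protocol layers" mitigation concrete, the following is an added example written for this page (not StoneSoft's or NSS Labs' code). It contrasts a per-segment signature check with a check run after stream reassembly, using constructed traffic and a constructed signature; the overlap policy names and the `Segment` type are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample: the byte pattern an IPS signature looks for.
SIGNATURE = b"/cgi-bin/bad"

@dataclass(frozen=True)
class Segment:
    seq: int     # relative TCP sequence number of the segment's first byte
    data: bytes

def naive_match(segments, signature=SIGNATURE):
    """Per-packet inspection: each segment is checked on its own, so a
    pattern split across segment boundaries is never seen whole."""
    return any(signature in s.data for s in segments)

def reassemble(segments, policy="first"):
    """Rebuild the TCP byte stream from segments in arrival order.
    Overlapping bytes are resolved by `policy`: 'first' keeps the copy that
    arrived first, 'last' keeps the most recent one. Endpoint stacks differ
    in this choice, so an IPS must normalise to the behaviour of the
    protected host rather than assume a single policy."""
    byte_at = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "last" or off not in byte_at:
                byte_at[off] = b
    out, off = bytearray(), 0
    while off in byte_at:          # stop at the first gap (missing segment)
        out.append(byte_at[off])
        off += 1
    return bytes(out)

def stream_match(segments, signature=SIGNATURE, policy="first"):
    """Inspection after reassembly: the signature is matched on the whole stream."""
    return signature in reassemble(segments, policy)

# Constructed traffic 1: the request split mid-pattern and delivered out of order.
SPLIT = [Segment(14, b"ad HTTP/1.0"), Segment(0, b"GET /cg"), Segment(7, b"i-bin/b")]

# Constructed traffic 2: two segments claim the same offsets with different data.
OVERLAP = [Segment(0, b"GET /cgi-bin/"), Segment(13, b"bad HTTP/1.0"),
           Segment(13, b"ok  HTTP/1.0")]

if __name__ == "__main__":
    print("per-segment match on split stream:", naive_match(SPLIT))
    print("reassembled match on split stream:", stream_match(SPLIT))
    for p in ("first", "last"):
        print(f"overlap, {p}-wins policy:", reassemble(OVERLAP, p), stream_match(OVERLAP, policy=p))
```

The overlap case shows why reassembly alone is not enough: the two policies yield different streams, and only the one matching the destination host's behaviour reflects what that host will actually process.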
Bob Walder, research director at Gartner, who discussed AETs in his November 2010 report titled “Advanced Evasion Techniques (AETs): Weapons of Mass Destruction or Mere Speculation?”, stated: “Evasion techniques are not new, but they still pose a significant threat to the network security infrastructures that protect governments, commerce, and information sharing worldwide. Recent research has brought this issue back into focus, and network security vendors must dedicate considerable resources and research to finding a solution.”
