Evasion techniques are a way to circumvent intrusion prevention systems (IPS) or any other security device whose function is to perform network traffic monitoring tasks. As such, evasion techniques have been known for some time.
However, when Advanced Evasion Techniques—a new threat category that existing security networks are unable to detect—were discovered, StoneSoft quickly sent all available information, along with the first 23 techniques, to the CERT-FI Security Emergency Response Team; this information was later made public. StoneSoft has also recently shared 124 newly discovered techniques with CERT-FI. And yet, this is just the tip of the iceberg.
Organizational security officers are advised to follow the following six tips to increase their level of protection against TSAs:
1. Increase your knowledge of Advanced Evasion Techniques (AETs). These differ from traditional evasions in many ways, and it's important to understand that they are not attacks in the traditional sense, but rather delivery methods for carrying payloads to vulnerable targets without being detected by firewalls or IPS devices. Therefore, there is no foolproof defense against them. The only way to minimize the risk of being targeted is by using a security solution or network capable of normalizing traffic across multiple layers, as well as an intelligent security platform that is constantly updated against AETs.
2- Analyze the risks. It is essential to audit the company's critical infrastructure and analyze the most significant assets, how and where they are typically stored, and whether the information is backed up. Prioritize and begin by ensuring that your critical assets and utilities have the best protection policy against AETs (Automated External Threats).
3. Re-evaluate your system update policy. Whenever possible, patching vulnerable systems provides fundamental protection against network attacks, negating the risk of being attacked using such techniques. Evasions can only help an attacker bypass Intrusion Prevention Systems (IPS) or next-generation firewalls (NGFWs), but they do not contribute to an attack against a patched system.
However, it must be understood that testing and implementing patches takes time even under the best of circumstances, and therefore the recommendations for adequate IPS protection detailed below also apply.
4. Re-evaluate your Intrusion Prevention System. Assess your current IPS and NGFW against their ability to protect your network against evasions. Be critical, proactive, and explore alternative options. Keep in mind that evasions have changed the security landscape. It's a fact that if a security device can't properly identify evasions, it's practically useless, regardless of its block rate or the number of certifications or awards it has won.
5. Re-evaluate your security management. Centralized management plays a crucial role in protecting against AETs. It allows you to automate AET updates and schedule software updates remotely and effortlessly, ensuring you always have the highest level of protection against AETs.
6. Test the anti-evasion capabilities of your security devices in your own environment, using your policies and configurations. Many security vendors know how to overcome simulated and pre-configured evasions when these are stable and well-defined under laboratory conditions. However, when faced with camouflaged and dynamic evasions, their solutions break down, become blind, and prove incapable of protecting your data assets. If you truly want to know the level of your current protection against AETs, you need an audit in this area.
