Prof. John Walker FBCS CISM CRISC CITP ITPC FRSA | Course Facilitator
8th October, 2019
Delivering agile cyber-defense is now a must, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on an every-day basis. It may be possible that such encountered threats are passive, awaiting their time to go malevolent at the right moment; or, are active and are already on a mission to avoid detection whilst delivering payload. It is now time to act, and look at Cyber-Security in a new way, with the mindset that we have been or will be breached.
It was circa 2010/11 when I was approached by a Helsinki-based company – Stonesoft. Stonesoft wanted to discuss a new angled threat vector which they referred to as the AET (Advanced Evasion Technique). I agreed to meet with them at the InfoSecurity show in London, and approached the conversation with more than a little skepticism. Could this be yet another InfoSec over-hyped terminology? Surrounded with the usual InfoSecurity run-of-mill, mundane talk of the day, which in that year was PCI-DSS and Penetration Testing, it would be at least refreshing to learn about something new. With doubt in my mind, the conversation progressed, and I was introduced to this new hypothesis of AET. As the conversation proceeded with my introduction to AET, the theoretical value started to gain traction, and I found myself being pulled into what I had considered a concept. Particularly towards the fact that it was possibly a new threat vector with significant implications of insecurity.
The basics of the AET utilizes evasion techniques to disguise and/or modify cyber-attacks through network connections, and to thus avoid detection by deployed systems which are supposedly delivering protection to the corporate valued assets. The objective here is to achieve the successful delivery of hidden malicious content (payload), and the onward exploitation of a vulnerable target host, such as, network security devices that are designed to conduct real-time, deep-packet inspection of the network traﬃc. If rendered ineﬀective it can result in:
- Critical digital assets left unprotected
- A false sense of security born out of dependencies on supposed secure, up to date commercial network defenses
- Organizations left not meeting their regulatory compliancy requirements
- A higher success rate of encountered network attacks
- A shift in the Threat Landscape supporting opportunities of high reward (financial, strategic, political or technical) for the ‘advanced’ tech-savvy cyber-criminals
At the time of the AET threat first being made public, the Verizon 2010 Business Data Breach Investigations Report stated that approximately 20% of incidents where malware had been discovered, had an unknown component for the infection vector. This moves us from the road of Zero Days, to a state in 2019 that has seen a significant leap forward in growth, combined with an increase in cross-platform threats. It may be thus reasonable to conclude that, what was seen as a new threat in 2010/11, is now a threat vector with a close similarity to the Elephant in the Room!
The basis of the AET was simply to manipulate the IP Stack in such a way that the encountering IPS/IDS, or firewalling technology would be confused by what its interface was seeing in the profile of a malformed stack, and thus, in theory, would take one of, or a combination of, five actions:
4. Write to the Log
5. Not write to the Log
At the time of the AET being made public, there were 180+ stackable and combinable evasions being researched in testing framework. Meaning that these built up to a potential set of attack vectors, which were concluded to be impossible to counter against all combinations, without some form of an automated evasion testing framework, without which, vendors were denied the opportunities to develop adequate anti-evasion capabilities and network defenses. A situation that gets worse when applied under IPv6, which oﬀers a vastly expanded combination of a malevolent cyber-universe, described by Stonesoft’s Harri Haanpää as:
“Evasion techniques are a means to disguise and/or modify cyber-attacks to avoid detection and blocking by information security systems. They typically make use of rarely used protocol properties in unusual combinations and deliberate protocol violations. Such obfuscations may confuse the detection capabilities of intrusion prevention/detection systems.”
At the time of the early work into the AET, Jack Walsh Program Manager (ICSA labs) concluded that “Advanced Evasion Techniques can evade many network security systems”. He went on to comment, “We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” To add to the weight behind what was then, and to a large extent, still an ignored threat, Bob Walder, Research Director at Gartner commented, “Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution”. Yet at that time, and even today, the threats are still largely ignored, or should I say tolerated.
However, up to this point in time, I was only listening to the theoretical description of the threat of this new ‘AET’ conversation, but I was interested enough to agree to work alongside Stonesoft and visit their labs in Helsinki to see the pragmatic side of the conversation. At the site, within their lab conditions, the highly skilled Stonesoft Team demonstrated testing against a variety of the latest release, up-to-date firewalling products for their exposure to the AET threat. The discoveries were astonishing, with results for all tested devices of:
- Bypass of the perimeter device to reach a supposedly protected asset
- Logs not being updated, or annotated with the wrong information
Upon returning from my visit, I was convinced that the new age AET threat was real, and along with Stonesoft wrote a paper on the subject. However, that paper and the research of Stonesoft was challenged, with one of the most vocal being from McAfee who denounced the research outright. Interestingly enough, notwithstanding their public opinion on the AET, McAfee acquired Stonesoft for $389 million in 2013. I can only conclude that the paper and research they denounced must have struck a note, which enticed them to put their hands in their pockets of denial!
On the associated subject of the APT (Active Persistent Threat), we can see the emergence of the AET into a new combined landscape of network dangers. Dangers I have observed first hand inflicting breaches and compromises on protected end-points, resulting in the bypass of firewalls, IDS, and IPS alike. However, it is here where we start to see the strain of ignored system updates taking their toll. For example, the continued use of out of patch operating systems, like the seventeen year old Windows XP, which saw the massive and successful WannaCry attack on the NHS, and cost taxpayers £92 million, and resulted in the cancellation of over 19,000 appointments – some of which had real-world, life inflicting consequences. It is also still possible to see the old approach where Internal systems are not maintained with an adequate security profile, on the premise that they are hidden from the external interface that points to the dangers of the outside world, and thus are not accommodated by Anti Malware Protection, or as I encountered at an Oil and Gas company, any form of logging set against systems/folders storing critical data assets.
In such cases as these, the AET and the combination of the APT are ideal partners, with the AET serving up the means by which to avoid detection and to deliver its payload (the APT), with the APT taking on the profile of, say, the Conficker agent, which is a great little bit of malware to create a shell condition on its vulnerable targeted system – and from there if the attacker is lucky enough, they will find other routine on-system tools such as the Windows Management Instrumentation Command line (WMIC (wmic.exe)), which oﬀers a multitude of intelligence gathering and compromise opportunities. Then there is the much forgotten dangers from the world of DNS, which can leave a great big black-hole open in the style of a Cuckoo’s Egg attack.
Having started oﬀ circa 2010, we now move into the year 2019 in which we still see the risks and attack vectors of the AET and APT at an all-time-high, and this against a backdrop of a higher than ever spend on security, alongside the associated growth of complexities of a cyber-dependent, always connected business and social society. The time is here where we need to ask the right questions about our level of deployed defenses, starting with those shown in the below image:
|1. Security Level Evaluation/audits of existing security devices||
Do evasions pose a threat to us (or not)?
Have we evaluated security risks correctly, and are we managing these risks?
|2. New Product Evaluation for investment decisions||
Which product oﬀers highest protection against evasions?
How can I verify vendor claims?
|3. Redesigning network security||
Is our security level high enough?
Where to place or relocate IPS/deep packet inspection devices? And what kind?
So, where are we today? Evidenced by the long list of breached and compromised originations who have invested small fortunes and placed their ultimate trust in commercial devices and staﬀ to defend their technology-kingdoms. One may only conclude that the case to argue that Persistent Threats and Evasions are not seeing any demise soon, and the question must be asked on what is going wrong? Is it that:
- The reliance on the over-priced commercial promise, Silver Bullet security device, with over-expectation of the actual capabilities to defend the network is flawed?
- We have gone down the long-path of Tick-Box Compliance led security approach so far, we have parted company with the bit-and-bobs of technical security skills?
- The Skills Gap issue in the Cyber Space is now hitting its mark with an adverse eﬀect?
- Under-maintained, over exposed assets residing on the network adds to the conundrum of insecurity?
- Or finally, as with the combination of an AET with the APT, is it that the aforementioned all have their own part to play in a world that will assure the Persistent Threats will continue to evolve and bite!
Looking back over the years from 2010 right up to 2019, what is so very interesting is that the only thing that has changed is that the situation of insecurity has become far worse in a world in which Persistent Threats are ever present, and being leveraged by a range of adversarial actors. From those with quick-win monetary gain in mind, to the state-sponsored activities of the geopolitical aggressors, not to mention the groups of commercially motivated serious and organized crime gangs. Thus, delivering agile cyber-defense is now a must, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on an every-day basis in some form. It may be possible that such encountered threats are passive, awaiting their time to go malevolent at the right moment; or, are active and are already on a mission to avoid detection whilst delivering payload. It is now time to act, and look at Cyber-Security in a new way, with the mindset that we have been or will be breached.
We must start to evolve the mindset of deployed states of readiness that are associated with the recognition that the proactive defenses may be flawed, and take up a robust posture on the reactive side of ‘Response’ to underpin structured engagements and recovery from the most adverse of anticipated known-unknown conditions of the Persistent Threat. Above all, we must deploy our infrastructures from the ground up in a well formed, well documented and potentially segmented way to take into account that the Persistent Threats will be seeking to leverage and exploit any one of many combinations of exposure opportunities to deliver their show-stopping payload!
About the Author
John is a leading expert in the field of Cyber-Security. With over 30 years of international experience, he is a World Class Info-Crime, Cyber Security Researcher who has worked within the Covert Worlds of CESG, GCHQ, ‘TK’ Sky Technology, with the Security Services. He has delivered over 90 Global Presentations, and has originated over 100 Papers, & Articles on Cyber-Security.
He is actively involved with supporting the countering of eCrime, eFraud, and on-line Child Abuse, an ENISA CEI Listed Expert and an Editorial Member of the Cyber Security Research Institute (CRSI).
John is a Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust and Writer for SC Magazine UK. He was the Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
John is also a practicing Expert Witness in the area of IT, and the originator, and author of a CPD/MSc Module covering Digital Forensics, and Investigations.
Professor John Walker is a Visiting Professor at the School of Computing and Informatics, Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia, CEO of HEXFORENSICS LTD, and Independent Consultant in the arena of IT Security and Forensics, and Security Analytics.