Thursday, June 16, 2011

Advanced Evasion Techniques - Stonesoft and ICSA

I attended SC Congress Canada 2011 on Tuesday and Wednesday this week, and perhaps the most interesting talk I attended was Stonesoft and ICSA's Advanced Evasion Techniques.

Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many (including their own, at the time) IDS/IPS systems. They built a tool to repeat these tests on a variety of systems, and proved that with the right know how, and the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. Packet captures were sent to ICSA along with info so they could try to reproduce these results in their own labs. They did!

This is real and they foresee a not -too distant future where things like botnet kits will have this as a checkbox feature.




These evasion techniques are not attacks on their own, but rather a sneaky way to get whatever attack you want to use past the network monitoring and policing systems to the target host.
It's not about the bad-guy asking "How can I hack in?", but "How can I hack in without being seen?"




Check out the research paper, and packet captures if you are really techie, at http://www.antievasion.com/

No comments: