Some time ago we reported that Spencer Mott, the chief information security officer (CISO) at Electronic Arts (EA), had raised concerns about the risks posed by Advanced Persistent Threats (APTs) and Advanced Evasion Techniques (AETs). While APTs are a well-known concept, AETs are not so common. However, that doesn't make them any less dangerous; on the contrary. That is why we contacted Max Nyman, senior marketing manager of global marketing at Stonesoft, and asked him to provide some details on these types of threats.
Softpedia: Please introduce yourself for our readers.
Max Nyman: I’m Senior Marketing Manager, Global Marketing, of the Finnish high-class network security company Stonesoft Corporation.
Stonesoft delivers software-based, dynamic network security solutions that secure information flow and simplify security management. The company’s product portfolio includes the industry’s first transformable Security Engine, next-generation firewalls and intrusion prevention systems, and SSL VPN solutions.
At the core lies Stonesoft’s Management Center that unifies the management of entire networks (for more information, visit www.stonesoft.com or twitter.com/Hack_the_Lab).
Softpedia: Not many people are familiar with the AET concept. Please explain in a few words exactly what AETs are.
Max Nyman: Let’s be clear that Advanced Evasion Techniques are not exploits. Advanced Evasion Techniques are stealth transportation methods that can disguise even the most well-known exploits and make them completely unrecognizable – and therefore unblocked – by even the most sophisticated intrusion prevention systems (IPSs) or next-generation firewalls (NGFWs).
AETs make it possible to deliver known malicious code without detection – they leave no trace. Specific techniques might include combining several known evasion methods to create a new technique, changing the combination of evasions during an attack, and evading inspection through multi-layered delivery and sophisticated design.
Softpedia: Why are AETs so dangerous?
Max Nyman: It’s an access-all-areas pass. Organizations large and small, from enterprises up to major industrial players and governmental organizations, are all vulnerable to hackers using advanced evasion techniques. The sad reality is that there are only a few current security solutions which can prevent AETs.
Don’t get me wrong, some early forms of simple evasions are widely known in the security industry and most NGFWs and IPSs are designed to protect against those specific exploit fingerprint patterns.
It only gets tricky with advanced evasion techniques which are combinations, or even combinations of combinations, of hundreds of different evasions, creating billions of potential delivery methods that can trick and bypass current security devices.
Current exploit-based approaches that rely on packet-oriented pattern matching are vulnerable and pose a concrete risk and long-term security liability.
For cyber criminals, AETs seem to be a “business decision”. Without Advanced Evasion Techniques you get caught or your expensive zero-day exploit gets exposed – one might say that the returns on the “investment” are much better with AETs, and one gets the anticipated results at smaller “cost”.
OK, it’s currently true that AETs are rather sophisticated and might require extensive resources – time and money – to prepare. Therefore AETs are currently more likely to be deployed in (zero-day) attacks on high-value targets than on smaller random targets with known exploits.
You can get almost anybody with AETs, but AETs should be at least on the radar of those assessing security risk in critical systems architecture, such as industrial control systems, as well as multinationals, governments and the financial sector.
Softpedia: Could you highlight the differences between AETs and APTs?
Max Nyman: I’m very glad you asked this as these are potentially misunderstood.
An APT is an Advanced Persistent Threat: the capability and intent to attack a particular target. An APT might be driven by an individual, group or organization – this is the motivation to target a specific network or networks.
AETs are Advanced Evasion Techniques: the methods that enable the stealth delivery of cyber-attacks.
So, to summarize: those with the intent (APT) quite often have a multifaceted strategy that relies on an advanced and stealthy method (AET) to deliver an exploit – even previously known malware – to breach the target’s network security.
Softpedia: Could you provide an example of an attack in which hackers utilized AETs?
Max Nyman: There are only very few network security devices available which detect AETs. There are classified high-level examples of AET usage in the wild, but I can only say that in over 30% of all attacks in 2011 the hacking method was unknown…
Softpedia: Please share some tips to IT security departments when it comes to protecting a network against AETs.
Max Nyman: I am honestly worried about the current situation. Right now our lab’s extensive AET research shows that only Stonesoft IPSs or NGIPSs can protect your systems against advanced evasion techniques.
We hear some new claims from security vendors of full protection and coverage against advanced evasions, but unfortunately our AET lab tests tell a different story. Our lab has been researching AETs since 2007 and we have shared our findings with the industry.
We also regularly perform lab tests of our own and other vendors’ current security products, and we have still not found any other vendor’s (besides Stonesoft’s) network security product that provides proper protection against AETs. We hope to continue to raise awareness in the industry, with our competitors, analysts and certification bodies, so that we can all meet this massive threat.
Softpedia: How can Stonesoft help an organization defend its networks against such threats?
Max Nyman: Raising awareness is one thing but on a practical level we arrange AntiEvasion Readiness Tests, in conjunction with an objective third party, so that enterprises and organizations can test their current network defenses against AETs. Of course, the best way we can help is with our products.
Our dynamic software-based security products (NGFWs and NGIPSs) provide best-in-class security while maintaining high throughput performance and highly efficient management – and delivering cost benefits.
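Nyman describes AETs only in general terms: the exploit bytes are unchanged, but delivery is arranged so that a detector doing packet-oriented pattern matching never sees the pattern in one packet, and several evasions are stacked. The following toy model, added here as an editorial example and not code from Stonesoft or the interview, makes that concrete. The signature `/bin/sh`, the sample HTTP request, and the two overlap policies ("first wins" / "last wins") are all assumptions made for the demonstration; the segment model ignores real TCP details (checksums, windows, retransmission) and stands in for any stream transport.

```python
"""Toy model of why packet-oriented pattern matching can be evaded.

A per-packet matcher looks for a known byte pattern inside each segment on
its own. An attacker who splits the payload into pieces shorter than the
pattern, delivers them out of order, and stacks an overlap trick on top can
deliver the identical payload while no single packet ever contains the
pattern. Only a detector that reassembles the stream the way the target host
will, using the target host's overlap policy, sees the real bytes.
"""
from dataclasses import dataclass
from random import Random

# Hypothetical "known exploit" pattern; a real IPS signature is more specific.
SIGNATURE = b"/bin/sh"

# Constructed sample request carrying the pattern once (not a real exploit).
PAYLOAD = b"POST /run HTTP/1.0\r\n\r\ncmd=/bin/sh -c id\r\n"


@dataclass(frozen=True)
class Segment:
    seq: int      # offset of data[0] within the stream (relative sequence number)
    data: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Packet-oriented inspection: every segment is matched in isolation."""
    return any(signature in s.data for s in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream a receiving host would hand to the application.

    policy decides which copy wins when two segments overlap: "first" keeps the
    bytes that arrived first, "last" lets later data overwrite them. Real TCP
    stacks differ here, so a detector must use the policy of the host it
    protects; guessing wrong is exactly what the overlap evasion exploits.
    """
    end = max((s.seq + len(s.data) for s in segments), default=0)
    buf = bytearray(end)
    seen = bytearray(end)           # 1 where a byte has already been written
    for s in segments:              # iterate in arrival order
        for i, b in enumerate(s.data):
            pos = s.seq + i
            if policy == "last" or not seen[pos]:
                buf[pos] = b
                seen[pos] = 1
    return bytes(buf)


def stream_match(segments, signature=SIGNATURE, policy="first"):
    """Stream-oriented inspection: match against the reassembled bytes."""
    return signature in reassemble(segments, policy)


def evade_by_segmentation(payload, chunk=2, base_seq=0, seed=1):
    """Split payload into chunks shorter than the signature, shuffle delivery order."""
    segs = [Segment(base_seq + i, payload[i:i + chunk])
            for i in range(0, len(payload), chunk)]
    Random(seed).shuffle(segs)      # deterministic "out of order" for the demo
    return segs


def evade_by_overlap(payload, signature=SIGNATURE):
    """Combine two evasions: an overlapping decoy plus segmentation of the real bytes.

    First a full-length segment is sent in which the signature region holds
    filler. Then the real signature bytes are sent over the same sequence
    range, chopped into 2-byte pieces and out of order. A "last wins" host
    ends up seeing the real payload; a "first wins" host (or a detector that
    assumes "first") sees only the filler.
    """
    start = payload.index(signature)
    filler = b"X" * len(signature)
    decoy = Segment(0, payload[:start] + filler + payload[start + len(signature):])
    return [decoy] + evade_by_segmentation(signature, chunk=2, base_seq=start)


def run_demo():
    """Return the verdicts of both detectors against each delivery method."""
    plain = [Segment(0, PAYLOAD)]
    split = evade_by_segmentation(PAYLOAD)
    overlap = evade_by_overlap(PAYLOAD)
    return {
        "plain":   (per_packet_match(plain), stream_match(plain)),
        "split":   (per_packet_match(split), stream_match(split)),
        "overlap": (per_packet_match(overlap),
                    stream_match(overlap, policy="first"),
                    stream_match(overlap, policy="last")),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:8s} per-packet/stream verdicts: {verdict}")
```

The three cases show the escalation the interview alludes to: plain delivery is caught by both detectors; chunking plus reordering defeats the per-packet matcher but not stream reassembly; adding the overlap decoy defeats reassembly too unless the detector applies the same overlap policy as the protected host. The practical check for a defender is therefore not "does my IPS have the signature" but "does my IPS normalize and reassemble traffic the way my hosts do", which is what a third-party evasion readiness test should exercise.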