Tips for protecting against advanced evasion techniques
By challenging the rules of traditional evasion techniques and combining multiple evasions, AETs are currently unable to be detected by existing network security systems.
Ted Julian, principal analyst at Yankee Group comments: “Today’s professional attackers are more sophisticated and focused than ever before. They go through great pains to avoid detection by legacy security solutions and processes. There is no quick fix, but progressive security professionals and security vendors constantly search for new techniques to improve defensive capabilities.”
Organizations should follow the six tips listed below to increase their level of protection:
1. Increase your knowledge. AETs differ from traditional evasions in many ways, and it is important to understand that they are not attacks, but delivery methods to carry payloads to the vulnerable target without being detected by firewall and IPS devices.
2. Analyze the risks. Audit your critical infrastructure and analyze the most significant assets of your organization, how and where they are currently stored, and whether the information is backed up. Prioritize and make sure your critical assets and public services have the best possible protection against AETs.
3. Re-evaluate your patch management. When possible, patching vulnerable systems provides ultimate protection against network attacks, regardless of whether they have been delivered by AETs. Evasions may help the attacker bypass IPS or next generation firewalls (NGFW), but they cannot actually attack a patched system. However, because patch testing and deployment takes time under even the best circumstances, additional IPS and security measures must be taken.
4. Re-evaluate your existing intrusion prevention solution. Evaluate the capabilities of your existing IPS and NGFW to protect your network against AETs. How effective is it against evasions today? Does it enable you to react quickly to attacks or easily update against newly-discovered threats?
5. Deploy a centralized approach to network security device management. Centralized management plays a crucial role in protecting against AETs. It allows organizations to automate AET updates and schedule software upgrades remotely, thus making sure they always deploy the best possible protection against AETs.
6. Test anti-evasion capabilities of your security devices in a “real” environment by using your own policies and configurations. Many security vendors know how to survive simulated and recorded evasions when these are well predefined and stable in lab environment. However, when facing live and dynamic evasion disguised exploits, these systems go blind and are incapable of protecting your data assets. If you really want to know the level of your current protection against AETs, field testing is required.