Friday, October 22, 2010

Some Facts About Advanced Evasion Techniques

Chances are you've heard the recent "news" about Advanced Evasion Techniques (AETs) from Finnish IPS vendor Stonesoft. Originally announced in an October 4 press release, the good folks at Stonesoft reported the IDS/IPS evasion techniques mentioned in their release to CERT-FI, which promptly issued a public statement. CERT-FI also gave Sourcefire full details on the evasion techniques, allowing us to evaluate their impact on Snort and the Sourcefire 3D system.

Per our standard vulnerability handling guidelines, Sourcefire is awaiting CERT-FI's release of details to the public - currently planned for November 23 - before discussing the technical nitty-gritty with the world at large. Having conducted in-house testing with the data provided to CERT-FI by Stonesoft, we've found that Snort handles all of the reported AETs nicely, and absent any evidence that large-scale attacks using these techniques are underway, we're toeing the responsible disclosure line and giving other vendors a chance to assess and update their products as necessary.

Stonesoft, meanwhile, apparently decided to shift gears out of responsible disclosure mode. While their first release generated some local press in Finland, the issue was largely under the international radar, as you would expect for an unverified set of evasions that were still under investigation by the vendors in question. This past Monday, they issued a second press release. Put out in conjunction with a press release from ICSA Labs which purported to confirm Stonesoft's AET findings, the issue suddenly sprang to international prominence, with a number of articles heralding the end of IDS/IPS systems' ability to detect even the most mundane attacks. At the same time as this second release, Stonesoft also erected www.antievasion.com, a site full of pretty graphics and hype about AETs.

The mere existence of this site and the issuance of the second release are not, of course, enough to call them out as having moved away from responsible disclosure; it's the messages contained in those publications that do it. In their second press release, Stonesoft included a section titled "Best Defense Against AETs", which suggested the use of "flexible, software-based security systems ... such as the Stonesoft StoneGate network security solution", as opposed to the "static hardware-based solutions" that "most organizations today" use. This clear ploy to drive sales uses an extremely thinly veiled half-truth to sow FUD: while all of the major IDS/IPS vendors (Sourcefire, McAfee, TippingPoint, IBM/ISS, etc.) offer custom hardware platforms as part of their solution, the underlying engines of all of those systems are software-driven and are updated on a regular basis (typically multiple times per week, if you count detection updates). To suggest, as Stonesoft's first release did, that AETs of any sort will require "extensive renewal of [organizations'] security systems" is to skate on very thin factual ice.

Half-truths like this are one thing; the outright lies on their Anti-Evasion web site are another. In the FAQ published there, they claim that "Stonesoft offers the most complete protection against AETs available on the market today". This claim comes despite one of the few well-established facts surrounding the AET mess: Stonesoft failed the evasions portion of the NSS Labs test in 2009. Sorry, you don't get to claim that you're the experts on IDS/IPS evasion if your product isn't up to the task of dealing with well-known, publicly available evasions used in the NSS test.

Just so you don't think we're throwing stones in a glass house, let me take a moment to point out Sourcefire's track record of dealing with IDS/IPS evasion. Not only were we one of three vendors to pass the 2009 NSS Labs evasions test; we have a long track record of publishing expert research in the field. Snort team lead Steve Sturges and (former) VRT senior researcher Judy Novak published an oft-cited paper entitled "Target-Based TCP Timestamp Stream Reassembly" in 2007; Ms. Novak also released "Target-Based Fragmentation Reassembly" in 2005. Brian Caswell, who literally worked in Sourcefire founder Marty Roesch's living room in the original days of Sourcefire, collaborated with H.D. Moore of Metasploit fame on the 2006 paper "Thermoptic Camouflage: Total IDS Evasion". The primary author of Snort's http_inspect module, Dan Roelker, wrote "HTTP IDS Evasions Revisited" way back in 2003. Sourcefire employees and Snort contributors have long been among the world's leading experts in IDS/IPS evasions.

Of course, anyone with a well-developed sense of cynicism - i.e. the entire network security industry - is likely to take anything Sourcefire says about Stonesoft with a grain of salt. After all, why believe one industry player's version of things over another? To that end, I'd like to finish up this post by pointing you to a very interesting article released Wednesday by Bob Walder - founder and former CEO of NSS Labs - about the AET issue. Having reviewed Stonesoft's AETs, he concludes that they are a re-hashing of well-known evasion techniques that have been standard in the IDS/IPS industry for the last 7+ years. While Mr. Walder is also toeing the responsible disclosure line, in that he gives no specifics, his credibility as an independent evaluator of network security products is rock-solid, and should carry a lot more weight than anything Sourcefire says.
