Researchers Warn of Newly Discovered Cyber-Threat

Researchers find that ‘advanced evasion techniques’ are a new class of cyber-threat that can break through most intrusion prevention systems.

by Hilton Collins / October 25, 2010

A newly discovered Internet threat can compromise networks by combining attacks into something that’s too advanced for most intrusion prevention systems (IPS) to prepare for.

Researchers at Stonesoft, a network security vendor, have proclaimed that these advanced evasion techniques (AETs) can bypass most of today’s products — 99 percent of them, according to one news source.

“We discovered that there’s a whole new set of techniques that can also be used in addition to the dozen or so well-known ones that have been cited in previous research,” said Mark Boltz, a senior solutions architect at Stonesoft. “If you then combine different techniques together — either any of the new ones [alone] or any of the new ones with any of the old ones — you make all of them more effective at bypassing just about any kind of IPS technology.”

The researchers discovered that such techniques could exist during research at a lab in Helsinki. Stonesoft reported the discovery and sent samples to Finland’s Computer Emergency Readiness Team (CERT-FI). The discovery was validated by ICSA Labs, a security product testing and certification lab in the U.S. According to Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, his organization was contacted at the end of August, which began the demonstration and verification process between Stonesoft and ICSA. Stonesoft issued an announcement about the AETs last week.

Boltz and Walsh said they’ve found no evidence of AETs being used in real-world cyber-attacks. “We don’t have any direct evidence that these techniques are being used actively in the wild, so to speak,” Boltz said.

With the warning out, they hope that organizations will observe and audit their systems more diligently.

“I would just say that enterprises should ask their vendors: their firewall vendors, IPS vendors, IDS [intrusion detection system] vendors or endpoint protection security vendors,” Walsh said. “I would ask them, ‘We heard about these new evasions. What are you doing to make sure that you are looking into it?’ and ‘Are you going to get this stuff remediated?’ and ‘How long will it be before this is taken care of?’”

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.
