Because advanced evasion techniques can evade the detection capabilities of many firewalls, they are an especially dangerous weapon in the attackers' arsenal.
The nefarious types looking to compromise network security are getting craftier, employing tools such as advanced evasion techniques (AETs), which obfuscate malicious code by slicing and dicing it into bits and pieces that arrive by different paths. Ultimately, the code re-assembles on an endpoint, where it can wreck havoc.
AETs are quite successful for the most part, evading the technologies deployed by next generation firewalls (NGFWs) that are used to detect malware. What’s more, AETs are often the first shot fired in a battle that supports the spread of advanced persistent threats (APTs), which ultimately target intellectual property and financial resources. In other words, AETs enable drive-by attacks that can go unnoticed until long after the damage is done.
Defending against AETs is no simple task because their obfuscation techniques are sophisticated enough to bypass the detection capabilities of many firewalls. Given this, the first question that comes to mind becomes: "How can I tell if my firewall can withstand an AET attack."
Security vendor McAfee (now a part of Intel Security) offers a free tool that testa for AET resistance. The company claims that most firewalls are only capable of blocking less than 10 percent of known AETs and the majority of malicious code delivered using AETs slips by unnoticed. (See my review of McAfee’s NGFW in Enterprise Networking Planet.)
The free tool, referred to as Evader, allows administrators to build numerous test scenarios that simulate AETs and then see how those attacks can bypass a firewall. Naturally, Evader is designed to help McAfee sell their NGFWs and demonstrates that the company’s own NGFWs are resistant to AETs.
Nevertheless, despite this self-promoting aspect, Evader is a powerful tool for educating security administrators about the danger of AETs and what they need to know to block those threats. Evader should be part of any security administrator's bandoleer of security testing products and it comes with a price -- free -- that is always agreeable.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including ComputerWorld, TechTarget, PCWorld, ExtremeTech and Tom's Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise's eWeek and the former director of the CRN Test Center.