Stonesoft researchers evade enterprise IPS network protection

Finnish security firm Stonesoft claims to have developed 163 new attack methods that can evade network intrusion detection and prevention systems (IPS) over multiple communication protocols including IPv4, IPv6, TCP and HTTP.

The company calls these methods advanced evasion techniques (AETs), a term it coined last year when it released a similar set of samples.

Stonesoft's new AETs consist of 54 unique evasions and 109 combinations that have been confirmed to bypass the signatures of multiple IPS products currently available on the market.

Intrusion detection and prevention systems consist of software applications commonly running on dedicated hardware, that monitor network traffic with the purpose of detecting malicious activity and blocking it. Similar to antivirus products which use malware definitions to block threats, IPS solutions use attack signatures to detect network intrusion attempts.

It's been known for a long time that signature-based implementations can be defeated by determined attackers, which is the why modern antivirus products provide multiple layers of protection.

However, intrusion prevention systems are less flexible and cannot compensate for detection evasion as easily as anti-malware solutions. In fact, Stonesoft claims that many vendors haven't even addressed the AETs its researchers identified last year.

"Network security vendors have now had more than a year to provide their customers protection against AETs, but unfortunately we still have not seen much success in this area," said Stonesoft's founder and CEO, Ilkka Hiidenheimo.

"Very few vendors have truly understood the magnitude of the problem, while some are struggling to provide some kind of protection. Most of the vendors who acknowledge the problem are incapable of building a working solution, instead they are keeping themselves busy doing temporary and inflexible fixes. The rest just ignore the issue and do nothing," he added.

A basic detection evasion technique is to modify an attack to work over a different protocol or to implement it using a different programming language. Most IPS products are smart enough to catch onto such rudimentary attempts. However, Stonesoft's AETs combine multiple techniques into new attack vectors that look completely unknown to existing solutions.

The company submitted its new set of AET samples to the Finnish national computer security incident response team (CERT-FI) in order to coordinate patching processes with the affected vendors. Whether this effort will have better results than last year's remains to be seen.

However, it's worth keeping in mind that AETs are about delivering payloads and nothing stops the payload itself from being blocked by a security solution running at the system level.