ICSA Labs’ Role in the Stonesoft-Discovered Advanced Evasion Techniques
October 18, 2010
By Jack Walsh

CERT-FI recently announced that Stonesoft found new evasion techniques in its research and development facilities in Helsinki, Finland (statement available here).  The researchers there found the Advanced Evasion Techniques (AETs), as Stonesoft calls them, while they were investigating ways to improve their StoneGate IPS and its ability to protect against the well-known set of evasion techniques made popular in the 1998 paper written by Thomas Ptacek and Timothy Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.”

It strikes me how so many discoveries occur while not really trying to find them. 

Of course, once the Stonesoft researchers found some new tricks in the realm of evasions and evasion techniques, it got them thinking about what else was possible. And pretty soon they had uncovered a whole slew of new AETs. In its press release issued today about the discoveries, Stonesoft’s COO, Juha Kivikoski, referred to the AET discoveries as the “tip of the iceberg.” Time will tell if that is true. It certainly wouldn’t surprise me if these discoveries were just the beginning of something larger.

In a white paper due out soon that I recently co-authored with Stonesoft’s CTO, Mika Jalava, on the same subject (mine was just a small role in the paper), Mika concludes that the reason there aren’t more known AETs is that folks really haven’t been looking very hard. Security researchers from network security vendors have been spending more time just trying to protect against the unending stream of attacks aimed at the ever-growing number of remotely exploitable enterprise vulnerabilities.

The primary reason we wrote the white paper together is that ICSA Labs was given an opportunity to play a role in the Stonesoft evasions discovery. As an independent, unbiased third-party testing organization with more than 20 years of experience in the testing business, we sometimes get calls asking us to confirm the findings of organizations. And so it was with the Stonesoft AET discoveries. David Koconis, who leads our vulnerability research team here at ICSA Labs, was among those able to confirm that the AETs, when coupled with attacks, really do evade many well-known commercial IPS systems.

Stonesoft did not make the evasion code available to anyone to reproduce the attacks.  Even we had to set up a VPN tunnel back to Stonesoft headquarters to launch attacks veiled with the discovered evasions through IPS systems and aimed at vulnerable systems at our end.  In that way we were able to ultimately verify and confirm that these evasions really work as Stonesoft said. Kudos to Stonesoft on an exciting discovery, as well as for the responsible way in which it was handled.

 
