Stonesoft published a press release today (available here) citing another 124 advanced evasion techniques (AETs). The company again delivered the packet captures for each of the AETs that they uncovered to CERT-FI. Additionally, ICSA Labs also has one of our senior technical analysts examining them.
It is interesting that so many vendors quickly dismissed the initial set of 23 evasion techniques. In fact some scoffed at the idea that a less well-known vendor (so far) like Stonesoft could have made such a finding. What a ridiculous position to take. Then security experts and pretenders alike – without even seeing the pcaps – began commenting that there is nothing new here. Some analysts later chimed in and began expressing their own reservations about whether or not these were all new. Focus shifted from “Wake up! Security products are not providing the requisite protection that enterprises expect and need!” to “This is a lot of blah, blah, blah plus good old marketing at work.”
Even so, Stonesoft kept trying to tell folks that there would be more to come and that products really weren’t doing too good a job even with the 20 something vulnerabilities initially sent to CERT-FI. We at ICSA Labs echoed the sentiment. At one point Stonesoft reminded all of us in the security community that the couple dozen pcaps released in late 2010 may be just the “tip of the iceberg.” I can recall that at the time, even I questioned the iceberg metaphor. But now Stonesoft has released another 124 evasion technique packet captures. It appears that perhaps Stonesoft did choose the correct expression for its prediction about what was to come in terms of AETs.
One final thought: You don’t often see the kind of technical depth in a press release, but Stonesoft stated the following in today’s press release, “Many vendors claimed to have ‘fixed’ the product vulnerabilities disclosed in CERT-FI’s initial advisories on the 23 AETs discovered last fall. However, real-life testing in Stonesoft’s research lab confirms that AETs are still able to penetrate many of these systems without detection. In other cases, simple microscopic changes to an AET – such as changing byte size and segmentation offset – allow them to bypass the product’s detection capabilities.”
We have seen the same thing in the sample set of products that ICSA Labs tested with these evasion techniques. I hope that security vendors will continue (or begin in some cases) to take more significant action to combat these and other evasion techniques to better protect the enterprises that depend in part on these devices for network security.