Speaking at the ESRM conference in London, Olli-Pekka Niemi, director of research at Forcepoint, said that the conversation around advanced evasion techniques (AET) needs to continue “as they work.”
Revealed as part of research carried out by Stonesoft in 2013, who were acquired to form Forcepoint, Niemi said that as malware has sandboxing evasion techniques and botnets have evasion capabilities and use protocols to avoid detection, these remain “major and real threats, and are deployed with exploits.”
Niemi added: “All things are vulnerable: in the Internet of Things, chips are everywhere. Everything is connected and security is not in the best interest and at cost, and companies are providing security but not for washing machines.” He also said that vulnerabilities exist in client-side software such as browsers and plug-ins, while users rely on security devices to provide protection and server side vulnerabilities.
“Attacks are combined with evasion techniques: the attacker then adds the evasion so that exploits work again”, he said.
He claimed that some evasions can be “noisy and very visible”, but they are still successful, particularly when there is no trace of the attack within your logs.
“Everyone should care about evasions as they still work, and technology is unable to see the attack,” he said.
In a demonstration, Niemi showed how Stonesoft technology was able to detect and block attacks using AETs, mainly as they used the Evader tool which was originally launched in 2012 as a free tool, and he confirmed that it will be relaunched later this year.
He claimed that users should care about this as evasions are used in attacks, and he said that this was particularly bad for hardware-based vendors as they are less flexible than those with software-based products.
Niemi told Infosecurity that AETs had not really changed since 2013 to now, but he argued that evasions are not taken so seriously and still work. “That is the reason why we develop the Evader tool, so that we can do very aggressive testing on our own product, and make sure when we make a change to the product, so the product cannot get worse”, he said.