
Blended network attacks evade defences, says firm

Written by Tom Espiner, Contributor

Attacks that blend techniques to evade detection are slipping past network defences, according to security company Stonesoft.

Individual evasion techniques such as packet fragmentation and IP header spoofing are currently detected by network defence tools, Stonesoft chief executive Ilkka Hiidenheimo told ZDNet UK on Monday.

When these evasion techniques are combined, attackers can execute code on unprotected target systems, said Hiidenheimo.
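As an added illustration of the point above, here is a small Python model of why a single evasion technique such as fragmentation is caught by a sensor that reassembles traffic, while a combination of techniques can still slip past it. This is constructed example code, not Stonesoft's work or any vendor's detection engine: the byte pattern used as a "signature", the payload, and the reassembly policies (the sensor keeps the first-received copy of an overlapping byte, the target host keeps the last-received copy) are all assumptions made for the demonstration.

```python
"""Toy model: signature inspection versus IP-style fragmentation.

Constructed illustration only. The signature, payload bytes and the
first-wins / last-wins reassembly policies are assumptions for the example,
not a description of any real product or host.
"""
from dataclasses import dataclass

SIGNATURE = b"/bin/sh"          # assumed byte pattern the sensor alerts on
PAYLOAD = b"cmd=/bin/sh&x=1"    # constructed attack payload (15 bytes)


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment within the original payload
    data: bytes


def fragment(payload: bytes, size: int) -> list[Fragment]:
    """Split a payload into in-order, non-overlapping fragments of `size` bytes."""
    return [Fragment(off, payload[off:off + size])
            for off in range(0, len(payload), size)]


def detect_per_fragment(frags: list[Fragment]) -> bool:
    """Naive sensor: looks for the signature inside each fragment on its own."""
    return any(SIGNATURE in f.data for f in frags)


def reassemble(frags: list[Fragment], policy: str) -> bytes:
    """Rebuild the payload. On overlapping bytes, 'first' keeps the data that
    arrived first and 'last' keeps the data that arrived last."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = bytearray()
    seen = bytearray()                      # 1 where a byte has been written
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):                  # grow buffers to cover this fragment
            buf.extend(b"\x00" * (end - len(buf)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    return bytes(buf)


def detect_reassembled(frags: list[Fragment], policy: str = "first") -> bool:
    """Smarter sensor: reassembles before matching, using the given policy."""
    return SIGNATURE in reassemble(frags, policy)


def demo_single_technique() -> tuple[bool, bool]:
    """Fragmentation alone. The signature is split across fragments, so the
    per-fragment sensor misses it, but the reassembling sensor catches it."""
    frags = fragment(PAYLOAD, 4)            # "cmd=" "/bin" "/sh&" "x=1"
    return detect_per_fragment(frags), detect_reassembled(frags, "first")


def demo_combined_techniques() -> tuple[bool, bool]:
    """Fragmentation combined with an overlapping decoy fragment. A sensor that
    keeps first-received data reconstructs the harmless decoy; a host that keeps
    last-received data reconstructs the real payload (both policies assumed)."""
    frags = [
        Fragment(0, b"cmd="),
        Fragment(4, b"/bin/XX"),            # decoy, arrives first
        Fragment(4, b"/bin/sh"),            # real bytes, same offsets, arrive second
        Fragment(11, b"&x=1"),
    ]
    sensor_alerts = detect_reassembled(frags, "first")
    host_sees_signature = detect_reassembled(frags, "last")
    return sensor_alerts, host_sees_signature


if __name__ == "__main__":
    print("fragmentation only  (per-fragment, reassembling):", demo_single_technique())
    print("fragmentation+overlap (sensor view, host view):   ", demo_combined_techniques())
```

The first demo shows why a lone technique is "currently detected": once the sensor reassembles, the split signature is whole again. The second shows the mechanism behind a combination slipping through: each technique is handled individually, but the sensor's reassembly result differs from the target's, so what the sensor inspects is not what the host executes. Real sensors and hosts implement many more policies than the two modelled here, which is where the large space of combinations the article describes comes from.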

"A simple combination can pass by major security appliances," said Hiidenheimo.

The large number of possible combinations of evasion techniques makes it difficult for vendors to counteract this form of attack, said the Stonesoft chief.

The attack has been verified by the US Computer Emergency Response Team (CERT), the Finnish CERT, and security testing company ICSA, said Stonesoft UK general manager Ash Patel.

ICSA Labs, an independent security testing division of Verizon Business, told ZDNet UK on Tuesday that organisations that did not have security defences beyond intrusion prevention and detection systems could be compromised.

"In terms of layered security, evasion techniques aim to bypass network-based security devices," said Jack Walsh, ICSA Labs' network IPS and anti-spam program manager. "A criminal or other bad actor knows that they have to get past these network protection devices -- including intrusion prevention systems, firewalls, et cetera."

"Naturally in a layered security environment, the organisation would hopefully also have protection on the end point systems and servers that are the targets of criminals' attacks," said Walsh. "Also, hopefully, those end systems have been patched because the organisation has an effective patch management system in place. However, not all organisations do. Other organisations may be unable to patch vulnerable systems because software running on those systems may then be incompatible with other systems' software. And of course there continues to be unprotected yet published vulnerabilities which could be exploited as well. In such cases even a great patch management system is of little value. In that case one hopes that they have effective endpoint protection. But if the new evasions are coupled with relatively new exploits or attacks that are difficult for endpoint systems to detect then even endpoint protection may be insufficient. So, depending on what sorts of layered protection an organisation has in place, the new crop of evasions that Stonesoft found may very well be an issue; therefore organisations need to be concerned and take notice."

Sophos senior technology consultant Graham Cluley told ZDNet UK on Monday that organisations with fully patched endpoint security should not be overly concerned about penetration of network defences.

"It's not time to run to the bunkers and hide if you've got solid security in place on the laptop and desktop," said Cluley. "There have always been ways to evade intrusion detection systems."
