Webinar on identifying, preventing and securing against the unidentifiable attacks



In this webinar we look at how the majority of today’s networks are vulnerable to a set of advanced attacks which can go undetected by many security systems. Advanced Evasion Techniques (AETs) can pass through firewalls and intrusion prevention systems, allowing an attacker to deliver a malicious payload to a vulnerable device without being detected.
Stonesoft’s Alan Cottom will demonstrate a live attack on an IPS-protected system using Stonesoft’s Predator tool, and show how this attack can be blocked by the Stonesoft security suite of products.
Intergence will demonstrate its cutting-edge 3D visualisation tool Hyperglance, which integrates with a number of network management and security systems, including the Stonesoft products. Hyperglance will be used to visualise the IT infrastructure, identify where systems are vulnerable and pinpoint real-time attacks, allowing administrators to take immediate action to secure their network.

Published in: Technology
  • Thank you very much ladies and gentlemen for joining us today. My name is Robert Smith from Intergence Systems and I am delighted to welcome Stace Hipperson from Real-Status, who will present later in the webinar. Hyperglance ver 1.3 is the subject of our webinar today.
  • Just some housekeeping to start with:
      • During this webinar, we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughout.
      • To chat to the host, click on the speech bubble in the top right hand corner, then type in the text box.
      • To submit a question, click on the question mark in the top right hand corner and open the Q&A box.
      • If you are experiencing technical difficulties, please email news@intergence.com or speak to us directly through the chat bar.
  • We have a simple agenda today. It is split up into 3 parts:
      • I will be presenting a brief background on Intergence and some background on why Hyperglance was created.
      • I will then hand over to Stace Hipperson, who will be demonstrating ver 1.3 of Hyperglance.
      • And finally there will be an interactive question and answer section.
  • Application Protocol layers (http, SMB, Netbios etc.)
  • IP
      • SMB: It is possible to segment SMB write data (e.g. MSRPC) into arbitrary sized segments. It is also possible to multiplex SMB writes to different named pipes or files within a single TCP connection.
      • Stonesoft approach: SMB protocol decoding and validation performed.
      • MSRPC: MSRPC supports both little and big endian encoding of data. Little endian is normally used, but implementations also accept big endian, which can be used as an evasion in some cases.
      • Stonesoft approach: Fragmented RPC messages can be used as an obfuscation method to hide attacks. Stonesoft IPS defragments fragmented MSRPC requests. To apply the right fingerprints, Stonesoft IPS follows the protocol execution and provides the fingerprinting system with the necessary service information (object UUID, opnum field, endianness) in addition to the request payload data. It also explicitly follows some evasion techniques, like changing the endianness in the middle of a connection.
  • I would now like to pass you over to Stace Hipperson, CTO of Real-Status.
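
The MSRPC note above describes defragmenting requests and handing opnum, endianness and payload to the fingerprinting stage. The following is an added example of that normalisation step, not Stonesoft's code: it assumes the standard connection-oriented DCE/RPC request header, unauthenticated PDUs and a stream already reassembled from TCP/SMB; the function names and sample bytes are constructed for illustration.

```python
import struct

PFC_FIRST, PFC_LAST, PFC_OBJECT_UUID, PTYPE_REQUEST = 0x01, 0x02, 0x80, 0

def iter_requests(stream):
    """Yield (flags, call_id, opnum, endian, stub) for each request PDU."""
    off = 0
    while off + 16 <= len(stream):
        ver, _minor, ptype, flags = stream[off:off + 4]
        # packed_drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
        endian = "<" if stream[off + 4] >> 4 == 1 else ">"
        frag_len, _auth, call_id = struct.unpack_from(endian + "HHI", stream, off + 8)
        if ver != 5 or frag_len < 16 or off + frag_len > len(stream):
            raise ValueError(f"malformed PDU at offset {off}")
        if ptype == PTYPE_REQUEST and frag_len >= 24:
            opnum = struct.unpack_from(endian + "H", stream, off + 22)[0]
            body = off + 24 + (16 if flags & PFC_OBJECT_UUID else 0)
            yield flags, call_id, opnum, endian, stream[body:off + frag_len]
        off += frag_len

def normalize(stream):
    """Defragment requests; return (calls, anomalies) for the fingerprint stage."""
    pending, calls, anomalies, seen = {}, [], [], set()
    for flags, call_id, opnum, endian, stub in iter_requests(stream):
        seen.add(endian)
        if len(seen) == 2 and "endianness changed mid-connection" not in anomalies:
            anomalies.append("endianness changed mid-connection")
        if flags & PFC_FIRST:
            pending[call_id] = [opnum, endian, bytearray()]
        call = pending.get(call_id)
        if call is None:
            anomalies.append(f"call {call_id}: fragment without first fragment")
            continue
        call[2] += stub
        if flags & PFC_LAST:
            calls.append((call[0], call[1], bytes(pending.pop(call_id)[2])))
    return calls, anomalies

def build_pdu(endian, flags, call_id, opnum, stub):
    """Constructed sample request PDU (no auth trailer, no object UUID)."""
    head = bytes([5, 0, PTYPE_REQUEST, flags, 0x10 if endian == "<" else 0, 0, 0, 0])
    head += struct.pack(endian + "HHI", 24 + len(stub), 0, call_id)
    return head + struct.pack(endian + "IHH", len(stub), 0, opnum) + stub

# Constructed stream: call 1 in three little-endian fragments, call 2 big-endian.
SAMPLE = (build_pdu("<", PFC_FIRST, 1, 7, b"AAAA") + build_pdu("<", 0, 1, 7, b"BBBB")
          + build_pdu("<", PFC_LAST, 1, 7, b"CCCC")
          + build_pdu(">", PFC_FIRST | PFC_LAST, 2, 7, b"DDDD"))

if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Signatures are then matched against each reassembled stub rather than against individual fragments, and the anomaly list goes into the alert context alongside the match.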

    1. Identify, prevent and secure against the unidentifiable attacks. Presented by: Dr Steven Turner, VP of Optimisation, Intergence; Alan Cottom, CISSP, Solutions Architect, Stonesoft
    2. Optimising your connected world. Thank you for joining our webinar
       • Please note: During this webinar, we will be using Audio Broadcast. The small box in the right hand corner will need to remain open throughout
       • To chat to the host: click on the speech bubble in the top right hand corner, then type in the text box
       • To submit a question: click on the question mark in the top right hand corner and open the Q&A box
       • Experiencing technical difficulties? Please email news@intergence.com or speak to us directly through the chat bar
    3. Agenda. The webinar has three parts:
       • Alan Cottom: Advanced Evasion Techniques; are you protected?
       • Steve Turner: Hyperglance live demo
       • Q&A section
    4. Advanced Evasion Techniques (AET): Are you protected? Alan Cottom – Solutions Architect, Stonesoft
    5. Physical & Virtual Security Appliances
    6. Evasion (definition): Evasion techniques are a means to disguise and/or modify cyber attacks to avoid detection and blocking by information security systems. Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system without detection, that would normally be detected and stopped. Security systems are rendered ineffective against such evasion techniques. (In the same way a stealth fighter can attack without detection by radar and other defensive systems.)
    7. Evasion timeline
       • 1997-98: First papers appeared detailing attacks against or ways to bypass network intrusion detection.
       • 2004: Possibility to combine evasions suggested
       • 2007: 12 (or so) known “traditional” evasion methods; Stonesoft R&D begin research
    8. Evasion timeline
       • 2010: Stonesoft share findings on new evasion threat; Stonesoft deliver 23 STACKABLE AETs to CERT
       • 2011: February – Stonesoft deliver 124 new AETs; October – Stonesoft deliver further 160 new AETs
       • Today: Approx. 2^300 Advanced Evasion Techniques
    9. Advanced Evasion Techniques (AET)
       • What are they? Any technique used to implement network based attacks in order to evade and bypass security detection
       • What makes them advanced?
           • Combination of evasions working simultaneously on multiple protocol layers
           • Combination of evasions that can change during the attack
           • Carefully designed to evade inspection
       • Typically, AETs are used as part of Advanced Persistent Threats (APT)
           • APT = Motivation, i.e. we want to target you or your organisation
           • AET = Method, i.e. the way in which we will attempt to gain entry
    10. Surely my current IPS/IDS/NGFW can stop them?
       • Stonesoft have run tests against all of the highest ranked security devices from the Gartner Magic Quadrant
       • It is possible to effortlessly evade most market-leading security solutions by using one or more advanced evasion techniques (AETs).
       • All products are running the latest versions and updates.
       • StoneGate products were originally vulnerable but now include comprehensive protection against AETs as standard.
    11. AETs in action. [Figure: AET Test Environment. Untrusted Network: Predator Tool (exploit with AETs, AET attack). Security Device(s): Gartner Magic Quadrant IPS/IDS/NGFW solutions. Protected Network: Target Host (vulnerable).]
    12. AETs in action… AET Demonstration
    13. Protection Against AETs
       • Multi-layer Traffic Normalization
           • StoneGate IPS decodes and normalizes traffic for inspection on all protocol layers.
           • Fingerprints detect exploits in the normalized data stream.
       • Dynamic Protection
           • StoneGate IPS software upgrades update the Layered Normalization on all protocol layers.
           • When new Anti-Evasion updates are available, the StoneGate Management Center can upgrade IPS engines remotely.
    14. Vertical Inspection of the data traffic: packet, segment or pseudo-packet based inspection process. [Figure: data traffic across the IP level (packets), TCP level (segments, pseudo packets) and application protocol layers (streams), with the maximum inspection space marked.]
       • 1. Limited protocol decoding and inspection capability to gain speed.
       • 2. Partial or no evasion removal: majority of the traffic is left without evasion removal and inspected with limited context information available.
       • 3. Detect and block exploits: unreliable or impossible exploit detection when evasions are not removed on all layers.
    15. Horizontal: data stream based, full stack normalization and inspection process. [Figure: data traffic across the IP level (packets), TCP level (segments, pseudo packets) and application protocol level (streams), with a continuous inspection space.]
       • 1. Normalize traffic on all protocol layers as a continuous process.
       • 2. Advanced Evasion removal process makes the traffic evasion free and exploits detectable.
       • 3. Detect exploits from the fully evasion free data stream.
       • 4. Alert and report evasion attacks through management system
    16. Stonesoft AET Differentiators (Stonesoft FW / IPS: Description)
       • Full-stack visibility: Stonesoft decodes and normalizes traffic on all protocol layers
       • Normalization based evasion removal: Normalization process removes the evasions before the data stream inspection
       • Horizontal data stream-based inspection: Vulnerability based fingerprints detect exploits in the normalized data stream
       • Inhouse evasion research and tools: Evasion-proof product quality assured with automated evasion fuzzing tests (PREDATOR)
       • Built-in evasion recognition and logging: Anomaly and evasion information included into threat context
       • Dynamic updates & upgrades: Antievasion technology automatically updated to Next-Generation IPS and Firewall engines
    17. AERT - Advanced Evasion Readiness Test
    18. AETs - Comment
       • “Advanced Evasion Techniques can evade many network security systems. We were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” – Jack Walsh, Program Manager
       • “If the network security system misses any type of evasion it means a hacker can use an entire class of exploits to circumvent security products, rendering them virtually useless. Advanced Evasion Techniques increase the potential of evasion success against the IPS, which creates a serious concern for today’s networks.” – Rick Moy, President
       • “Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.” – Bob Walder, Research Director
    19. alan.cottom@stonesoft.com, www.stonesoft.com
    20. DEMONSTRATION
    21. Q&A: Any Questions?
    22. Thank You for attending! If you require more information or would like to book a one to one demo: contact us at +44 (0)845 226 4167 or drop us an email at contact@intergence.com. Or come along to our Executive Seminars across the UK! Visit our website for more information!