Report Examines the Role and Cost of Advanced Evasion Techniques in Recent High Profile Data Breaches
A new report released by McAfee aims to address the controversy and confusion surrounding Advanced Evasion Techniques (AETs), and the role that they play in Advanced Persistent Threats (APTs).
AETs are methods of disguise used to discreetly penetrate networks and deliver malicious payloads, McAfee explains, noting that with AETs, an attacker can split apart an exploit into pieces, bypass a firewall or IPS appliance, and once inside the network, reassemble the code to unleash malware and continue an APT attack.
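The mechanism described above, a payload split across several packets so that no single packet matches an inspection rule, can be illustrated from the defender's side. The following Python is an added example and is not code from the McAfee report or from SecurityWeek: it contrasts stateless per-segment signature matching with a minimal TCP stream reassembler, and shows that only the reassembled view sees the pattern. The signature, the segment contents and the sequence numbers are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for an IPS content signature; any byte pattern works.
SIGNATURE = b"EVIL-PAYLOAD"


@dataclass
class Segment:
    """One TCP segment as the sensor sees it: starting sequence number and payload bytes."""
    seq: int
    data: bytes


def chunks_to_segments(chunks, base_seq):
    """Assign consecutive sequence numbers to a list of payload chunks (test-data helper)."""
    segments, seq = [], base_seq
    for chunk in chunks:
        segments.append(Segment(seq, chunk))
        seq += len(chunk)
    return segments


# Constructed stream: the signature is split across three segments so that no single
# segment contains it, and the segments are then delivered out of order.
BASE_SEQ = 1000
CONSTRUCTED_SEGMENTS = chunks_to_segments(
    [b"GET /index.html HTTP/1.1\r\nX-Note: EV", b"IL-PAY", b"LOAD\r\n\r\n"], BASE_SEQ
)
OUT_OF_ORDER = [CONSTRUCTED_SEGMENTS[2], CONSTRUCTED_SEGMENTS[0], CONSTRUCTED_SEGMENTS[1]]


def per_segment_match(segments, signature=SIGNATURE):
    """Stateless inspection: each segment is checked on its own. A split payload defeats this."""
    return any(signature in s.data for s in segments)


@dataclass
class StreamReassembler:
    """Minimal TCP stream reassembly: order bytes by sequence number, expose the contiguous prefix."""
    base_seq: int
    buffer: dict = field(default_factory=dict)

    def add(self, seg):
        for offset, byte in enumerate(seg.data):
            # First copy wins on overlap. A production IPS must mirror the receiving host's
            # overlap policy, since a mismatch there is itself an evasion opportunity.
            self.buffer.setdefault(seg.seq + offset, byte)

    def contiguous(self):
        """Return the bytes from base_seq up to the first gap; bytes after a gap are not yet visible."""
        out, seq = bytearray(), self.base_seq
        while seq in self.buffer:
            out.append(self.buffer[seq])
            seq += 1
        return bytes(out)


def reassembled_match(segments, base_seq, signature=SIGNATURE):
    """Stateful inspection: reassemble first, then match against the contiguous stream."""
    reassembler = StreamReassembler(base_seq)
    for seg in segments:
        reassembler.add(seg)
    return signature in reassembler.contiguous()


if __name__ == "__main__":
    print("per-segment match :", per_segment_match(OUT_OF_ORDER))           # False
    print("reassembled match :", reassembled_match(OUT_OF_ORDER, BASE_SEQ))  # True
    # With the middle segment missing there is a gap, so the reassembler has no verdict yet.
    with_gap = [CONSTRUCTED_SEGMENTS[0], CONSTRUCTED_SEGMENTS[2]]
    print("with gap          :", reassembled_match(with_gap, BASE_SEQ))       # False
```

The gap case is the practical caveat: a sensor that cannot hold state across a missing or delayed segment has nothing to match against, so reassembly buffers, timeouts and the handling of overlapping retransmissions all have to agree with the endpoint's TCP stack before the reassembled view can be trusted.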
McAfee and research firm Vanson Bourne surveyed 800 CIOs and security managers from around the world to better understand how hackers are using AETs in advanced attacks.
“While AETs are not a secret among the hacking community—where they are well known and have been in widespread use for several years—there are misunderstandings, misinterpretation, and ineffective safeguards in use by the security experts charged with blocking AETs,” McAfee said in its report.
According to McAfee, there are an estimated 800 million known AETs, and the prevalence of these techniques has spiked since 2010, with millions of combinations and modifications of network-based AETs having been identified to date.
In the survey, more than one in five CIOs admitted that their network was breached (22 percent), and nearly 40 percent of those breached believe that AETs played a key role.
According to the report, nearly 40 percent of survey respondents said they do not believe their organization has methods to detect and track AETs. Furthermore, nearly two-thirds said that the biggest challenge when trying to implement technology against AETs is convincing the board that they are a real and serious threat.
Finnish firewall maker Stonesoft, which McAfee acquired in May 2013 for $389 million in cash, has been beating the drum about AETs for years.
“Because of the debate about the very existence of AETs, hackers continue to use these techniques successfully to exfiltrate information,” the report said. “This confusion allows hackers to further invest in increasingly sophisticated attacks, while staying ‘under the radar’ even longer, resulting in damaging and costly data breaches. The longer the industry continues to debate the existence of AETs, the longer businesses will be vulnerable to them.”
“Many organizations are so intent on identifying new malware that they are falling asleep at the wheel toward advanced evasion techniques that can enable malware to circumvent their security defenses,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group. “AETs pose a great threat because most security solutions can’t detect or stop them. Security professionals and executive managers need to wake up, as this is a real and growing threat.”
According to McAfee, AETs are under-reported and not well understood because in some paid tests, vendors are given the chance to correct for them. As such, McAfee says, only the specific techniques identified are corrected for, and not the broader techniques that are rapidly updated and adapted by criminal organizations.
“Hackers already know about advanced evasion techniques and are using them on a daily basis,” said Pat Calhoun, general manager of network security at McAfee. “What we’re hoping to do is educate businesses so they can know what to look for, and understand what’s needed to defend against them.”
Knowing the role that AETs play in an APT attack is critical to protecting an organization, McAfee said.
“Understanding the difference between APTs and AETs, and being able to visualize the threat landscape, will help mitigate the risk to the network and the company,” the report concluded.
A full copy of the report in PDF format is available online.