Amritam Putatunda
Technical Product Manager

Top 5 Cyber Deceptions You Need to Know—Increase Your Attack Cache With Unique BreakingPoint Evasions

September 20, 2016 by Amritam Putatunda

The art of deception has been practiced by humans and animals for thousands of years, and evolution has only made it more sophisticated. Deception takes many forms, but its purpose is always the same: to make the target believe something that is not true. It has long been a key tool of capable cyber-criminals as well, so security teams need a simple way to validate their network defenses against the class of deceptions known as "evasions".


The octopus is so synonymous with deception that there is a political thriller dedicated to its name, aptly called "Octopus Deception".

The major advantage of an evasion, from the attacker's side, is that a single technique can be applied to many pieces of malware or to whole malware families. A handful of common and highly successful evasions can therefore be reused on new and old malware alike. Popular exploit kits ship with built-in evasion options and guidance on which evasions are most effective for which malware. In the wild, we have come across older, well-known malware delivered with newer evasion techniques specifically to escape detection.

How to run BreakingPoint evasions

The BreakingPoint Security component has an editable evasion profile with more than 100 evasion options. Most of the options are self-explanatory; additional detail on each can be found in your BreakingPoint user guide. Once created, a profile can be saved and re-used with other strike variants.


The BreakingPoint evasion profile is available in the Security and SecurityNP components

Five top evasion types to select from: every evasion matters, but we selected a few that clearly stand out for their popularity and effectiveness.

1. Transport protocol for malware: Attackers try different means of transport. Apart from HTTP and SMTP, the most commonly used, they also employ FTP, POP3, IMAP, or any popular social media or file-transfer application. Many network intrusion prevention systems (IPS) and intrusion detection systems (IDS) are excellent at catching attacks carried over HTTP or SMTP, yet the moment the carrying application changes, the same attack gets through undetected. The usual reason is that the device's signatures are tied to one protocol decoder and it has no equivalent decoder that extracts the payload from the other transport. The TransportProtocol evasion profile lets you change the protocol or application used to deliver the malware.


BreakingPoint options for selecting different transport protocols for malware

2. Encryption: Talk about your own weapons being turned against you. Encryption was designed to protect your data from the bad guys, and, as Ixia CMO Marie Hattar discusses in this blog, the bad guys now use it to hide malware in plain sight. Inspecting encrypted traffic is difficult and processor-intensive, and the resulting performance hit often leads organizations to disable deep packet inspection (DPI) of SSL communications altogether. Attackers exploit this gap by delivering well-known malware over encrypted connections: a signature written against the cleartext payload never gets to see it. BreakingPoint has a whole section dedicated to SSL evasion, where users can test security robustness by sending attacks over encryption. If the device under test does decrypt (for example, through an SSL/TLS proxy), test it with the cipher suites and key sizes your production traffic actually uses, since coverage can differ between them.


Encrypting malware with different ciphers and key sizes

3. Encoding: Encapsulation and encoding serve several legitimate purposes, such as compressing a large file, changing formats, or making binary data safe for a text channel. Most detections, however, are based on signature or hash matches, and anything that changes the bytes on the wire (compression, chunked transfer, base64, URL encoding) changes what the signature sees and can stop it from matching, even though the payload the endpoint finally receives is unchanged. As with SSL, the evasion profile offers several encoding options for malware. Encoding the malware means the security device must implement the matching decoding functions before it can extract and inspect the payload.


Encoding options for malware

4. Fragmentation/segmentation evasions: The good old fragmentation evasion is still relevant because it works against old and new attack types alike. These evasions simply break the attack into multiple smaller packets (IP fragments or TCP segments) and deliver them to the victim in order or out of order, so that no single packet contains the whole signature. If the inspecting device cannot re-order and reassemble the packets the way the victim's network stack will, virtually any malware or exploit can pass through that network. There is a further wrinkle: when fragments overlap, different operating systems resolve the conflict differently, so the device must also reassemble with the same policy as the target host, or it can be shown a different stream than the one the victim receives.


Evasions applied at the Ethernet and IP level to break and re-order packets
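The reassembly problem described in item 4, as an added example in Python (not code from the original post or from BreakingPoint): a stream is modelled as (offset, bytes) chunks standing in for IP fragments or TCP segments, and the signature and request bytes are constructed for the demo. It shows that a per-packet match misses a signature split across out-of-order chunks, that reassembly recovers it, and that two overlapping chunks yield different streams under a "first wins" and a "last wins" policy.

```python
"""Fragmentation/segmentation evasion against per-packet inspection.

Added example (not from the original post or from BreakingPoint). A stream
is modelled as (offset, data) chunks standing in for IP fragments or TCP
segments. The signature and the request are constructed for the demo.
"""

# Constructed stand-in for an IDS content match on a directory-traversal request.
SIGNATURE = b"/etc/passwd"
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"   # constructed attack, 34 bytes


def match_per_packet(chunks):
    """Naive inspection: look for the signature inside each chunk on its own."""
    return any(SIGNATURE in data for _, data in chunks)


def split_out_of_order(payload, cut):
    """Evasion: split the payload at `cut` and deliver the second half first.

    Choosing `cut` inside the signature guarantees no single chunk matches.
    """
    return [(cut, payload[cut:]), (0, payload[:cut])]


def reassemble(chunks, overlap="first"):
    """Rebuild the byte stream from chunks that may arrive in any order.

    `overlap` decides which bytes win when two chunks cover the same offset:
    'first' keeps the bytes that arrived first, 'last' lets later chunks
    overwrite them. Real OS stacks differ in this choice, so an inspecting
    device must use the policy of the host it protects or it reconstructs
    a different stream than the victim does.
    """
    stream = {}
    for offset, data in chunks:            # list order == arrival order
        for i, byte in enumerate(data):
            pos = offset + i
            if overlap == "first" and pos in stream:
                continue
            stream[pos] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    if len(stream) != end:                 # a hole means a chunk is missing
        raise ValueError("incomplete stream: cannot reassemble")
    return bytes(stream[i] for i in range(end))


# Constructed overlap evasion: two chunks both claim offset 10. A 'first'
# policy sees /index.html, a 'last' policy sees /etc/passwd.
OVERLAP_CHUNKS = [
    (0, b"GET /../../"),
    (10, b"/index.html"),
    (10, b"/etc/passwd"),
    (21, b" HTTP/1.0\r\n\r\n"),
]


def demo():
    """Run both evasions through naive and reassembling inspection."""
    chunks = split_out_of_order(REQUEST, 14)   # cut between "/etc" and "/passwd"
    return {
        "per_packet": match_per_packet(chunks),
        "reassembled": SIGNATURE in reassemble(chunks),
        "overlap_first": SIGNATURE in reassemble(OVERLAP_CHUNKS, "first"),
        "overlap_last": SIGNATURE in reassemble(OVERLAP_CHUNKS, "last"),
    }


if __name__ == "__main__":
    for name, detected in demo().items():
        print(f"{name:14s} detected={detected}")
```

The overlap case is the one to watch when reading IPS test results: a device that reassembles with the wrong policy is not "missing" the attack so much as inspecting a stream the victim never receives, and the fix is target-based reassembly rather than a new signature.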

5. Data obfuscation, hiding in plain sight: Most evasions can be categorized as attempts to obfuscate, but I am taking only HTTP for this example, since many HTTP exploits are obfuscated with one or several techniques at once (percent-encoding of the URL, unusual whitespace and header casing, chunked transfer, and so on), each of which the inspecting device must undo before its signatures apply. As with other protocols, BreakingPoint dedicates a long list of evasions to HTTP. A significant share of exploits and malware is delivered over HTTP, and with these evasions you can test and harden the detection and blocking abilities of your security infrastructure.


HTTP evasions that can be applied to both client- and server-side exploits
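Items 3 (encoding) and 5 (HTTP obfuscation) describe the same failure mode: the signature matches the payload the server will process, not the bytes on the wire. The following is an added Python example, not code from the original post or from BreakingPoint. It builds one constructed POST request four ways (plain, with chunked transfer encoding, with gzip content encoding, and with a percent-encoded URI) and compares a raw byte match against a matcher that first decodes the request the way the server does. The HTTP mechanisms are real; the payload and both signatures are constructed for the demo.

```python
"""Encoding and HTTP obfuscation evasions against raw signature matching.

Added example (not from the original post or from BreakingPoint). The same
constructed request is sent plain, with chunked transfer encoding, with gzip
content encoding, and with a percent-encoded URI. The HTTP mechanisms are
real; the payload and the two signatures are constructed for the demo.
"""
import gzip
from urllib.parse import unquote_to_bytes

URI_SIGNATURE = b"/etc/passwd"      # constructed: content match on the URI
BODY_SIGNATURE = b"<script>evil()"  # constructed: content match on the body

URI = b"/upload?file=/etc/passwd"
URI_PCT = b"/upload?file=%2Fetc%2fpasswd"          # mixed-case hex is legal
BODY = b"<html><script>evil()</script></html>"      # 36 bytes


def build(uri, headers, body):
    """Assemble a constructed POST request from its parts."""
    head = b"POST " + uri + b" HTTP/1.1\r\nHost: target.example\r\n"
    for name, value in headers:
        head += name + b": " + value + b"\r\n"
    return head + b"\r\n" + body


def chunk(body, cut):
    """Chunked transfer encoding, split at `cut` so no single chunk holds the signature."""
    parts = [body[:cut], body[cut:]]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


VARIANTS = {
    "plain": build(URI, [(b"Content-Length", b"%d" % len(BODY))], BODY),
    "percent": build(URI_PCT, [(b"Content-Length", b"%d" % len(BODY))], BODY),
    "chunked": build(URI, [(b"Transfer-Encoding", b"chunked")], chunk(BODY, 12)),
    "gzip": build(URI, [(b"Content-Encoding", b"gzip")], gzip.compress(BODY, mtime=0)),
}


def parse_request(raw):
    """Split a request into (uri, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers, body


def dechunk(body):
    """Undo chunked transfer encoding (chunk extensions after ';' are ignored)."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += body[:size]
        body = body[size + 2:]             # skip the data and its trailing CRLF


def normalize(raw):
    """Decode the request the way the server will, then return (uri, body)."""
    uri, headers, body = parse_request(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    # One round of percent-decoding, as a web server does. A double-encoded
    # URI (%252F) only needs a second round if the application decodes again,
    # so the inspector's decode depth must mirror the protected server's.
    uri = unquote_to_bytes(uri)
    return uri, body


def raw_match(raw):
    """Signature match on the bytes as seen on the wire."""
    return URI_SIGNATURE in raw and BODY_SIGNATURE in raw


def normalized_match(raw):
    """Signature match after decoding to what the server actually processes."""
    uri, body = normalize(raw)
    return URI_SIGNATURE in uri and BODY_SIGNATURE in body


def compare():
    """Return {variant: (raw_match, normalized_match)} for every wire form."""
    return {name: (raw_match(raw), normalized_match(raw))
            for name, raw in VARIANTS.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in compare().items():
        print(f"{name:8s} raw={raw_hit!s:5s} normalized={norm_hit}")
```

Only the plain variant trips the raw matcher; the other three reach the server with an identical URI and body and are caught only after normalization. That is the property to verify when re-running strikes with encoding and HTTP evasions enabled: a device that detects the plain strike but not its encoded forms is matching wire bytes rather than the decoded request.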

Every day brings a continuous stream of new attacks, and catching them has become a fundamental task of the security infrastructure. Ensuring your security can also catch the deception techniques that wrap those attacks is a requirement of security best practice. BreakingPoint stands alone among its competition in offering an Evasion feature that gives users a simple way to increase the variety and viciousness of attacks and fully vet their security infrastructure. So what are you waiting for? Re-run your existing Strikepacks with the evasions listed above and see how many your device still detects.