Harden Security Devices Against Increasingly Sophisticated Evasions
DESCRIPTION
separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer. Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions? Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.
TRANSCRIPT
Harden Security Devices Against Increasingly Sophisticated Evasions
BreakingPoint Webcast Wednesday
December 16, 2009
www.breakingpointlabs.com
Introductions/Agenda
• BreakingPoint speakers:
  – Dennis Cox, CTO
  – Todd Manning, Protocol & Security Researcher
  – Dustin D. Trammell, Protocol & Security Researcher
• Quick Glance Agenda:
  – Evasions Overview
  – Evasions in Layer 3, 4, 5, 7 and more
  – Latest evasion techniques
  – How to validate you are protected
  – BreakingPoint Five Keys
Evasion Technique Introduction
• What Is An Evasion?
  – Legitimate Permutation of Data
    • Data remains valid
    • Data looks different
  – Attempt at bypassing detection or filters
    • Data representation not recognized or understood by the monitoring entity
    • Cause the monitor to revert to a less scrutinizing state
    • Transport of data in a state that is not observable by the monitor
Where are Evasions Used?
• Everywhere!
  – Layer 3: IP
  – Layer 4: TCP
  – Layer 5: DCERPC, SunRPC, SIP
  – Layer 7: HTTP, SMTP, POP3, FTP
  – Content: HTML, OLE, Command-lines (Windows & UNIX), Exploit Shellcode
Layer 3: IP Evasions
• FragEvasion
  – IP Fragmentation
  – Four IP fragmentation methods available:
    • Overlapping end fragments, favoring either old or new data
    • Overlapping all fragments, favoring either old or new data
• FragOrder
  – Change the order in which fragments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order
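The overlap options on this slide matter to a monitor because two hosts can reassemble the same overlapping fragments into different datagrams. The following is an added example, not code from the webcast or the BreakingPoint product: a minimal reassembler that can favor either the old or the new data for overlapping bytes, and a helper that compares the monitor's view with the protected host's view so a tester can spot the ambiguity. The `Fragment` type, the policy names and the sample fragments are this example's own constructions; fragment order is irrelevant to it, which is what makes the FragOrder variants harmless for an offset-based reassembler.

```python
"""Added example: IP fragment reassembly under a "favor old" or "favor new"
overlap policy, and a monitor-versus-host comparison. Not from the slides."""

from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int  # byte offset of this fragment within the original datagram
    data: bytes  # payload carried by this fragment


def reassemble(fragments, policy="old"):
    """Rebuild a datagram from fragments in arrival order.

    policy="old": bytes already present are kept (first fragment wins).
    policy="new": later fragments overwrite earlier ones (last fragment wins).
    Raises ValueError if the fragments leave a hole.
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    buf = {}  # byte offset -> byte value
    for frag in fragments:
        for i, b in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "new" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        # A real stack would wait for the missing fragment or time out.
        raise ValueError("incomplete datagram: missing bytes")
    return bytes(buf[i] for i in range(length))


def monitor_vs_host(fragments, monitor_policy, host_policy):
    """Return (monitor_view, host_view, agree) for the given policy pair."""
    m = reassemble(fragments, monitor_policy)
    h = reassemble(fragments, host_policy)
    return m, h, m == h


# Constructed sample: the second fragment overlaps the last two bytes of the
# first with different content ("overlapping end fragments" on the slide).
SAMPLE = [
    Fragment(0, b"GET /index"),  # bytes 0..9
    Fragment(8, b"ab.html"),     # bytes 8..14, overlaps bytes 8 and 9
]

if __name__ == "__main__":
    m, h, agree = monitor_vs_host(SAMPLE, "old", "new")
    print("monitor sees:", m)
    print("host sees:   ", h)
    print("consistent:  ", agree)
```

With the monitor favoring old data and the host favoring new data, the monitor inspects `GET /index.html` while the host processes `GET /indab.html`; the evasion-resistance check is that the two views agree for every overlap style the slide lists.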
Layer 4: TCP Evasions
• SegmentOrder
  – Change the order in which segments are sent
  – Three behavior options:
    • Normal order
    • Reverse order
    • Randomize order
• SkipHandShake
  – Skip the three-way handshake for all connections
Layer 5: SIP Evasions
• CompactHeaders
  – Use compact header names instead of full-length header names
  – Example: “From: <user>” -> “f: <user>”
• PadHeadersLineBreak
  – Pad headers with line breaks
  – Example: ‘Authorization: Digest username=“user”, realm=“home”’ -> ‘Authorization: Digest \r\nusername=“user”, \r\nrealm=“home”’
• PadHeadersWhitespace
  – Pad headers with whitespace elements
  – Example: “From: <user>” -> “From:\t\t<user> ”
• RandomizeCase
  – Randomize the case of data which is case insensitive
  – Example: “From: <user>” -> “fROm: <UsEr>”
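All four SIP variations on this slide leave the message valid, so the defensive answer is to canonicalize the header block before any rule is applied. The following is an added example, not code from the webcast or the BreakingPoint product: a small SIP header canonicalizer that expands the compact names from RFC 3261 section 20, unfolds continuation lines (a line that begins with a space or tab continues the previous header), collapses whitespace padding and restores a canonical spelling for header names. The two INVITE messages are constructed; the folded form uses leading whitespace on the continuation lines, which is how RFC 3261 permits a header to be broken across lines.

```python
"""Added example: canonicalize a SIP header block so compact names, folded
lines, whitespace padding and randomized case all inspect the same. Not from
the slides; sample messages are constructed."""

import re

# RFC 3261 section 20 compact header forms.
COMPACT = {
    "c": "Content-Type", "e": "Content-Encoding", "f": "From",
    "i": "Call-ID", "k": "Supported", "l": "Content-Length",
    "m": "Contact", "s": "Subject", "t": "To", "v": "Via",
}
# Canonical spelling of full-length names, keyed by lower-case name.
CANON = {v.lower(): v for v in COMPACT.values()}
CANON.update({"authorization": "Authorization", "cseq": "CSeq",
              "max-forwards": "Max-Forwards"})


def unfold(lines):
    """Join continuation lines (leading SP/HTAB) onto the previous header."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def canonical_name(raw):
    """Expand a compact name, then restore the canonical spelling."""
    key = raw.strip().lower()
    key = COMPACT.get(key, key).lower()
    return CANON.get(key, key.title())  # unknown names fall back to Title-Case


def canonical_headers(message):
    """Return an ordered list of (Name, value) pairs with padding removed."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request/status line
    headers = []
    for line in unfold(lines):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        value = re.sub(r"\s+", " ", value).strip()
        headers.append((canonical_name(name), value))
    return headers


def same_after_canonicalization(a, b):
    """True when two messages carry the same headers once normalized."""
    return canonical_headers(a) == canonical_headers(b)


# Constructed: the same INVITE, once plain and once with the slide's variations.
PLAIN = ("INVITE sip:bob@example.com SIP/2.0\r\n"
         "From: <sip:alice@example.com>\r\n"
         "To: <sip:bob@example.com>\r\n"
         "Authorization: Digest username=\"user\", realm=\"home\"\r\n"
         "\r\n")
EVADED = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "f:\t\t<sip:alice@example.com> \r\n"            # compact name, padding
          "tO: <sip:bob@example.com>\r\n"                 # randomized case
          "AUTHORIZATION: Digest\r\n username=\"user\","  # folded onto
          "\r\n\trealm=\"home\"\r\n"                      # continuation lines
          "\r\n")

if __name__ == "__main__":
    for name, value in canonical_headers(EVADED):
        print(f"{name}: {value}")
    print("equivalent:", same_after_canonicalization(PLAIN, EVADED))
```

A monitor that matches on the canonical `(Name, value)` pairs rather than on raw bytes sees the two messages as identical, which is the property the slide's evasions are designed to test.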
Layer 7: Common Evasions
• PadCommandWhiteSpace
  – SMTP, POP3, FTP, Commands (Windows, UNIX)
  – Inserts arbitrary whitespace between commands and their arguments
  – Examples:
    • SMTP: “HELO example.com” -> “HELO\t\t \t example.com”
    • FTP: “USER username” -> “USER \t \t\t username”
    • Commands: “rm -rf /” -> “rm\t \t -rf\t \t\t/”
• PadPathSlashes
  – Commands (Windows, UNIX)
  – Uses slashes to pad command path names
  – Examples:
    • Commands: “/bin/cat /etc/passwd” -> “/////bin///cat /etc////passwd”
Layer 7: HTTP Evasions
• Too many to list them all here…
• DirectorySelfReference
  – Convert all directories to self-referenced relative directories
  – Example: “GET /path/to/myfile.txt” -> “GET /./path/./to/./myfile.txt”
• EncodeHexRandom
  – Encode random parts of the URI in hex
  – Example: “GET /index.html” -> “GET /ind%65x.%68tml”
• ServerChunkedTransfer
  – Use “chunked” transfer-encoding to split up the server response
• ServerCompression
  – Use gzip to encode the server response
• EncodeUnicodeRandom
  – Encode random parts of the URI in wide Unicode (UTF-16)
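The command-line evasions on the previous slide and the HTTP evasions on this one share one defensive remedy: reduce each protocol element to a canonical form before inspection, and decode server responses the way the client will. The following is an added example, not code from the webcast or the BreakingPoint product, covering whitespace padding between a command and its arguments, slash padding in paths, `/./` self-references and percent-encoded URI characters, plus chunked and gzip-encoded response bodies. It does not handle the wide-Unicode URI form from the last bullet. All function names and sample inputs are this example's own; `..` segments are deliberately left untouched because resolving them is not among the evasions the slides describe.

```python
"""Added example: canonicalize command lines and HTTP request targets, and
undo chunked/gzip response encodings, before applying detection rules.
Not from the slides; sample inputs are constructed."""

import gzip
import re
from urllib.parse import unquote


def canonical_path(path):
    """Collapse runs of '/' and drop '.' segments; '..' is left as-is."""
    absolute = path.startswith("/")
    parts = [seg for seg in path.split("/") if seg not in ("", ".")]
    return ("/" if absolute else "") + "/".join(parts)


def canonical_uri(request_target):
    """Percent-decode the path, then canonicalize it; the query is kept verbatim."""
    path, sep, query = request_target.partition("?")
    return canonical_path(unquote(path)) + sep + query


def canonical_request_line(line):
    """Normalize a request line such as 'GET /./ind%65x.html HTTP/1.1'."""
    method, target, version = re.split(r"[ \t]+", line.strip())
    return f"{method} {canonical_uri(target)} {version}"


def canonical_command(line):
    """Collapse whitespace padding and canonicalize every path-like token."""
    tokens = re.split(r"[ \t]+", line.strip())
    return " ".join(canonical_path(t) if "/" in t else t for t in tokens)


def dechunk(body):
    """Decode an HTTP/1.1 chunked body into the raw payload."""
    out, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)  # drop chunk extensions
        if size == 0:
            break
        out += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    return out


def decode_response_body(body, headers):
    """Undo chunked transfer-encoding and gzip content-encoding, in that order."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def build_evaded_response(payload):
    """Constructed server response: gzip the payload, then send it as one chunk."""
    gz = gzip.compress(payload)
    body = f"{len(gz):x}".encode() + b"\r\n" + gz + b"\r\n0\r\n\r\n"
    return body, {"transfer-encoding": "chunked", "content-encoding": "gzip"}


if __name__ == "__main__":
    print(canonical_command("HELO\t\t \t example.com"))
    print(canonical_command("/////bin///cat /etc////passwd"))
    print(canonical_request_line("GET /./path/./to/./ind%65x.%68tml HTTP/1.1"))
    body, headers = build_evaded_response(b"<html>hello</html>")
    print(decode_response_body(body, headers))
```

The order of the response decoding matters: the transfer encoding is removed first, then the content encoding, which mirrors how a browser reconstructs the body and is the only view worth matching against.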
Content Evasions
• HTML Evasions: HTMLUnicodeEncoding
  – Encodes HTML in the selected flavor of Unicode:
    • UTF_7: 7-bit
    • UTF_8: 8-bit
    • UTF_16BE: 16-bit big-endian
    • UTF_16LE: 16-bit little-endian
    • UTF_32BE: 32-bit big-endian
    • UTF_32LE: 32-bit little-endian
• Shellcode Evasions: RandomNops
  – Uses random nop-equivalent sequences instead of actual No-Op instructions
  – Example (ia32):
    • “\x90\x90\x90\x90\x90\x90\x90\x90”
    • becomes
    • “\x16\x2f\x5d\x55\x91\x06\x44\x0e”
The Latest Evasion Techniques
• Latest and greatest
• 2010 Forecast?
Do Evasions Cause Damage?
How To Validate You Are Protected
• Forward Thinking
• Test, Test, Test
• Be Realistic
• Be Random
• Be Consistent
Properly Testing Using Evasions
Enabling Evasions for BreakingPoint
• BreakingPoint Methods
  – Attack Manager:
    • Attack Group Options - Affects only the attack group selected
  – Security Test Component:
    • Parameters Tab, Attack Profile setting - Affects the entire test
    • Overrides Tab - Affects the entire test
• Order of precedence
  – Overrides
  – Group Options
  – Attack Profile
The Five Keys BreakingPoint Provides
1. 80+ evasion techniques
2. Dedicated security team
3. New evasion techniques
4. Apply across 4,300+ attacks
5. Multi-layered evasions
Q&A
Thank You!