August 9, 2017

One Place Where Evasions Couldn’t Hide – Evader at Black Hat 2017

Olli-Pekka Niemi
Jim Fulton

July in Las Vegas isn’t the best time to be outside, but it is a good time to hear about the latest offensive and defensive moves in the security industry. So once again, we headed into the desert for Black Hat 2017 where Opi spent time in sessions and then joined Jim presenting in Forcepoint’s exhibit booth. One of the big trends that Opi noticed was the move towards security fabrics, with more emphasis on holistic solutions rather than point products. We think this will be crucial; it’s part of how Forcepoint will be “protecting the human point” (but more on that another time).

Forcepoint did presentations every 15 minutes or so on a variety of topics, including two pertaining to network security: “Why Evasions Are More Dangerous Than Ever” and “Top 3 Myths about Modern Firewalls – Debunked.” Almost all of the presentations in our booth had standing room only (representing several dozen people), including ours.

Advanced evasion techniques seemed to be of particular interest to our attendees. These are the ways that attackers manipulate the traffic they send to hide exploits and malware from network defenses. For example, a payload that is destined for a known vulnerability on a Windows laptop could be broken into pieces and sent out of order:

If the firewall in the middle isn’t designed to defeat evasions, it won’t see the exploit or the malware payload that would get delivered. (Of course, one of the key design elements of Forcepoint’s NGFW is its ability to block millions of types of evasions.)
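As an added illustration (not code from this post, from Evader or from Forcepoint), the constructed Python below splits a marker string across out-of-order TCP-style segments, retransmits one of them, and shows that a matcher inspecting each packet on its own never sees the marker while a matcher that reassembles the stream first does. The marker, the segment layout and the first-received overlap policy are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed marker standing in for the byte pattern an IPS signature would match.
SIGNATURE = b"EXAMPLE-SIGNATURE-MARKER"
# Constructed request carrying that marker (stands in for an exploit payload).
SAMPLE_PAYLOAD = b"GET /x?q=" + SIGNATURE + b" HTTP/1.0\r\n"

@dataclass(frozen=True)
class Segment:
    seq: int     # sequence number of the first data byte (TCP-style)
    data: bytes

def split_out_of_order(payload: bytes, base_seq: int = 1000) -> List[Segment]:
    """Constructed evasion: cut the payload so the marker straddles segment
    boundaries, deliver the pieces out of order, and retransmit one of them."""
    cuts = [0, 7, 15, 20, len(payload)]
    segs = [Segment(base_seq + a, payload[a:b]) for a, b in zip(cuts, cuts[1:])]
    return [segs[2], segs[0], segs[3], segs[1], segs[1]]

def naive_match(segments: List[Segment]) -> bool:
    """Per-packet inspection: looks for the signature inside each segment alone."""
    return any(SIGNATURE in s.data for s in segments)

def reassemble(segments: List[Segment]) -> bytes:
    """Minimal stream reassembly: order by sequence number and keep only bytes
    not already delivered (first-received wins, one common overlap policy).
    A real engine buffers holes until the missing segment arrives; here a
    hole is treated as an error to keep the example short."""
    stream = bytearray()
    next_seq = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > next_seq:
            raise ValueError(f"hole in stream at seq {next_seq}")
        fresh = s.data[next_seq - s.seq:]   # empty if fully retransmitted
        stream += fresh
        next_seq += len(fresh)
    return bytes(stream)

def stream_match(segments: List[Segment]) -> bool:
    """Inspection after reassembly: sees the marker regardless of segmentation."""
    return SIGNATURE in reassemble(segments)

if __name__ == "__main__":
    segs = split_out_of_order(SAMPLE_PAYLOAD)
    print("per-packet match:", naive_match(segs))    # False: marker is split up
    print("reassembled match:", stream_match(segs))  # True
```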

Why Evasions are Suddenly Even More Relevant

Evasions have become more important than ever. Recent attacks like WannaCry and Petya reflect a new approach being taken by cybercriminals. Rather than relying only on social engineering such as phishing emails or drive-by downloads from compromised websites, modern attackers are resurrecting older vulnerability-based ways of getting into networks and propagating (such as the SMB bug that became infamous this spring). In addition, they’re combining multiple techniques. Evasions, which are now part of common exploit toolkits, boost the effectiveness of attacks and can help keep them undetected longer, protecting the “investment” the cybercriminals have made in developing their attacks.


That’s Where Evader by Forcepoint Comes In

To help people understand whether their network security devices are solid or full of evasive holes, we used Black Hat 2017 to begin demonstrating our latest version of Evader. This technology (it’s not a product and we don’t charge for it) provides a ready-made test lab for subjecting network devices to a wide variety of evasion techniques.

Evader’s not for pentesting or launching arbitrary attacks, but it makes it immediately clear when attacks get through. You simply select which vendor’s device you wish to test (we have a variety of them set up in a lab, with their security settings turned up to the maximum level of protection):

Then select the type of evasions and attack you want to use:

Finally, click “Execute” and watch the target screen (which is running in a virtual machine). Depending upon the attack that was selected, within seconds a successful evasion will cause a window (like a calculator or shell) to appear on the target or the target to blue-screen.

Evasions are what caused so many vendors in this year’s NSS Labs NGFW Test to fall out of the RECOMMENDED quadrant. NSS has begun ramping up their use of evasions to provide visibility to an issue that many vendors seem to otherwise sweep under the rug. We’re glad to see them doing it – with attackers combining techniques and using vulnerabilities to spread, evasions leave a huge gap that has to be filled.

For more information about Evader, or to get your own live demonstration, please visit the Evader website.

Jim Fulton

Jim Fulton serves as VP Product Marketing & Analyst Relations, focused on SASE, SSE and Zero Trust data security. He has been delivering enterprise access and security products for more than 20 years and holds a degree in Computer Science from MIT.

