Researchers at the University of South Wales recently demonstrated that intrusion prevention systems (IPSes) do a poor job of detecting attacks that utilize advanced evasion techniques. What was your reaction to their research? How should enterprises sniff out such attacks if they can't rely on IPSes?
Ask the Expert
Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
After reading the research conducted by the University of South Wales, I must admit that I am unimpressed. According to the executive summary, the tests conducted against some of the more mainstream IPSes involved exploiting known vulnerabilities for which patches, updates or other mitigations currently exist, and, to be frank, I fail to see how this relates to the advanced evasion techniques that currently exist. If you run an exploit against an unpatched system, all you're really proving is that the system is unpatched.
With regard to how enterprise networks should respond to potential advanced persistent threats (APTs), oftentimes attacks consist of dividing malicious code over the course of several packets. An IPS is typically configured to examine each packet individually, so each packet carrying the divided code is considered benign in and of itself. Yet when the totality of the malicious code successfully traverses the IPS, it reconstructs itself and, depending on the sophistication of the host-based malware detection system in place, proceeds to execute. That said, in many cases the next step in an APT-style attack may involve additional network activity that the IPS would detect, particularly data exfiltration, so the IPS still serves an important function in the "cyber kill chain."
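As an added illustration of the per-packet inspection gap described above (example code written for this page, not from the column or any IPS product), the following compares a signature check run on each TCP segment in isolation with the same check run on the reassembled stream; the segments and the signature are constructed for the example.

```python
# Added example: per-packet matching vs. stream reassembly.
# Segments and signature below are constructed, not captured traffic.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

# Constructed signature a hypothetical IPS rule looks for.
SIGNATURE = b"cmd.exe /c"

# Constructed segments: the signature is split across three segments and
# delivered out of order. Each segment on its own looks benign.
SEGMENTS = [
    Segment(1000, b"GET /index.html HTTP/1.1\r\nX-Data: cm"),  # 36 bytes
    Segment(1041, b" /c whoami\r\n\r\n"),
    Segment(1036, b"d.exe"),
]

def per_packet_match(segments, signature=SIGNATURE):
    """Inspect every segment individually, as the column describes."""
    return any(signature in s.payload for s in segments)

def reassemble(segments):
    """Order segments by sequence number and join them into one stream.
    Retransmitted or overlapping bytes are dropped, and a gap (missing
    segment) stops reassembly, so the result is what the host would see."""
    stream = bytearray()
    expected = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq + len(s.payload) <= expected:
            continue                        # pure retransmission, nothing new
        if s.seq > expected:
            break                           # hole in the stream; wait for it
        stream += s.payload[expected - s.seq:]   # trim any overlap
        expected = s.seq + len(s.payload)
    return bytes(stream)

def stream_match(segments, signature=SIGNATURE):
    """Match the signature against the reassembled stream instead."""
    return signature in reassemble(segments)

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS))   # False
    print("stream match:    ", stream_match(SEGMENTS))       # True
```

The same reassembly step is what lets a network sensor see the payload the endpoint will execute, which is why stream-aware inspection (or the host-based vetting the column recommends) is needed to close this gap.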
For now, the best APT mitigation strategy centers on host-based defenses. This is primarily because, in the case of APTs, the malicious code is not understood until it is reconstructed. Therefore, any host-based malware detection system must be configured to not allow any new application to execute until it has been properly vetted by the malware detection system. Fortunately, most existing antivirus applications on the market operate this way.
This was first published in October 2013