Cybersecurity

CyberThreat Assessments with Real World Hacker Behavior - Evasion Techniques

Author: Reza Saadat

By disguising the exploits at the point of delivery, malicious attackers can avoid detection, making security platforms and policies ineffective. Stay one step ahead of hackers with CyberFlood and CyberThreat Assessment.

Malicious attackers do not all need to be experts in malware manipulation, PowerShell, or other tools, constantly coming up with new and innovative ways of exploiting vulnerabilities in enterprise infrastructures and applications. A very powerful way to maneuver around security controls is to quickly leverage existing exploits while disguising them, rendering security platforms and policies ineffective. Why reinvent the wheel when a wide range of evasion techniques lets malicious attackers create variations of existing attacks quickly and with little effort?

The overarching approach of these malicious actors is to disguise exploits at the point of delivery so that enterprise security controls neither detect nor prevent them. Encryption or evasion techniques can be applied to existing exploits, attacks and other malicious traffic, hindering a security platform’s ability to recognize the attack and enforce its mitigating policies.

An attacker can use encryption or any number of well-known evasion techniques to avoid detection by the platform that is assumed to enforce the protection policy. A few categories of evasion techniques are listed below:

  • Encryption

  • FTP Obfuscation

  • HTML Obfuscation

  • HTTP Obfuscation

  • SMTP Obfuscation

  • TLS Obfuscation

  • IP Fragmentation

  • TCP Segmentation

  • URL Obfuscation

  • JavaScript Obfuscation

  • Binary Obfuscation

  • Timing (delay)

Each of these categories may include a number of techniques. For example, the following methods can be considered part of the URL Obfuscation category:

  1. Escape encoding

  2. Microsoft encoding

  3. Premature URL encoding

  4. Long URLs

  5. Fake parameters

  6. Tab separation

  7. Casing

  8. Windows delimiter

  9. Path character transformation and expansions

Failure to recognize any one of these specific evasion techniques leaves the entire class of attacks exploitable against devices that were presumed to provide protection. Furthermore, relevant evasion techniques can be combined within or across categories, which is very simple to do and offers significant rewards for malicious attackers. For example, a known Chrome cross-site scripting attack can be disguised with a time delay and URL obfuscation (escape encoding). While the exploit may be mitigated without evasion applied, with the combined evasions it may get past security countermeasures.
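As an added example (not code from this article or from Spirent's CyberFlood), the normalizer below shows the defender-side counterpart of the URL Obfuscation techniques listed above: an inspection engine canonicalizes the request target before matching a signature, so escape encoding, double encoding, Microsoft %u encoding, casing, fake parameters, Windows delimiters, tab separation and path expansions all collapse to one canonical path, and a single signature still fires when several of them are combined. The signature path `/cgi-bin/vulnerable.cgi`, the request lines and the `%uXXXX` decoding rule are constructed assumptions for the illustration, and the helper names are hypothetical.

```python
"""Canonicalize HTTP request targets before signature matching.

Illustrative example only; the signature path, request lines and helper
names are constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# Constructed sample signature: the path a detection rule is written against.
SIGNATURE_PATH = "/cgi-bin/vulnerable.cgi"


def _decode_microsoft_u(path: str) -> str:
    """Decode the legacy IIS-style %uXXXX form (assumed here: %u0041 -> 'A')."""
    return re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), path)


def canonicalize_path(raw_target: str, max_decode_rounds: int = 3) -> str:
    """Return the canonical path for a request target, undoing common obfuscations."""
    # Fake parameters: anything after '?' or '#' does not select the resource.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    # Windows delimiter: a backslash is treated as a path separator.
    path = path.replace("\\", "/")
    # Escape / double / %u encoding: decode repeatedly, but bound the rounds
    # so a pathological input cannot keep the engine busy forever.
    for _ in range(max_decode_rounds):
        decoded = unquote(_decode_microsoft_u(path))
        if decoded == path:
            break
        path = decoded
    # Decoding may have revealed new backslashes (e.g. %5C); normalize again.
    path = path.replace("\\", "/")
    # Path character transformation and expansion: drop '.', collapse '//',
    # and resolve '..' (this also defeats long padded paths that back out again).
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    # Casing: fold to lower case, as a case-insensitive target (e.g. IIS) would.
    return "/" + "/".join(segments).lower()


def parse_request_line(line: str) -> tuple:
    """Split a request line into (method, target, version).

    Tab separation: tolerate tabs as well as spaces between the three tokens,
    since a lenient server may accept them and a strict matcher would miss them.
    """
    parts = re.split(r"[ \t]+", line.strip(), maxsplit=2)
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def request_matches(line: str, signature_path: str = SIGNATURE_PATH) -> bool:
    """True when the request's canonical path equals the signature's canonical path."""
    _, target, _ = parse_request_line(line)
    return canonicalize_path(target) == canonicalize_path(signature_path)


# Constructed request lines: each applies one (or several) of the listed
# URL Obfuscation techniques to the same resource; the last is a control.
CONSTRUCTED_REQUESTS = [
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1",                 # undisguised
    "GET /CGI-BIN/Vulnerable.CGI HTTP/1.1",                 # casing
    "GET /cgi-bin/%76ulnerable.cgi HTTP/1.1",               # escape encoding
    "GET /cgi-bin/%2576ulnerable.cgi HTTP/1.1",             # double encoding
    "GET /cgi-bin/%u0076ulnerable.cgi HTTP/1.1",            # Microsoft encoding
    "GET /cgi-bin/vulnerable.cgi?fake=1&x=y HTTP/1.1",      # fake parameters
    "GET /cgi-bin\\vulnerable.cgi HTTP/1.1",                # Windows delimiter
    "GET /cgi-bin/./pad/../vulnerable.cgi HTTP/1.1",        # path expansion
    "GET\t/cgi-bin/%76ulnerable.cgi\tHTTP/1.1",             # tab + escape combined
    "GET /cgi-bin/other.cgi HTTP/1.1",                      # different resource
]


def classify_requests(lines=CONSTRUCTED_REQUESTS, signature_path=SIGNATURE_PATH) -> list:
    """Run the signature over each request line and return the match verdicts."""
    return [request_matches(line, signature_path) for line in lines]


if __name__ == "__main__":
    for line, hit in zip(CONSTRUCTED_REQUESTS, classify_requests()):
        print("%-5s %s" % ("MATCH" if hit else "pass", line.replace("\t", "\\t")))
```

The point of the bounded decode loop and the second delimiter pass is that each obfuscation can hide another one underneath it; a matcher that decodes once, or that splits on `/` before decoding `%5C`, is exactly the kind of partial normalization the article warns makes a whole class of attacks exploitable again.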

CyberFlood CyberThreat Assessment (CF CTA) Evasion Techniques

CyberFlood is an emulation-based solution that proactively provides in-depth assessment of network performance, scalability, and cyber security. Its CyberThreat Assessment (CTA) includes real-world attacks, malware, applications, and evasion techniques, as well as industry security frameworks and sensitive-data exfiltration scenarios, with a complete logical network topology in lab and sandbox settings. It includes continuously updated threat intelligence feeds to generate realistic traffic for the latest attacks and exploits. It provides near zero-day malware threats as well as real-world application traffic (business and non-business types), allowing thorough assessment of an organization’s security posture.

CyberFlood emulates a wide range of hyper-realistic hacker behavior, including encrypted attacks and evasion techniques. Exploits and attacks configured in CyberFlood can be augmented with various evasion techniques at the global level or on a per-attack-vector basis. Evasions challenge systems under test with added pressure for validation compared to undisguised attacks and content.

Evasion techniques are powerful tools hackers use to break through security barriers. By adding assessment strategies that use the same evasion techniques as hackers, you can stay one step ahead of the bad guys.

Learn how Spirent CyberFlood CyberThreat Assessment can help in assessing the strength of your organization’s pre-production security posture.


Tags: Cybersecurity

Reza Saadat

Senior Technical Marketing Engineer, Applications & Security Group

Reza Saadat is a Senior Technical Marketing Engineer in Spirent's Applications & Security Group, with more than 25 years of experience in computer and data communications technology. At Spirent, Reza works with the product management, engineering and sales teams to launch the latest cutting-edge application and security test solutions for network equipment manufacturers, enterprises and service providers. His comprehensive and in-depth knowledge of the industry, the market and software development, together with his collaborative design and development skills, have led to numerous hardware and software solutions that have been successfully released at major companies including IBM and Cisco.