00:00:06,290 --> 00:01:12,513
- [Instructor] There are many types of evasion techniques used by attackers nowadays that they use to avoid being detected by technologies and security products. Here I'm going to cover some of the most popular ones. So starting, the first one is the use of encryption. There are many use cases where an attacker will breach a network and then launch some form of VPN session to encrypt the data, or encrypt the data that he is stealing, not only in transit but also at rest, so that it will avoid being inspected or detected by any security device like an IPS or other types of data loss prevention systems and so on. They also use encryption for encrypting the communication from a compromised system to a command and control system, so that he or she can use that connection to manipulate and send instructions to that compromised system.

00:01:13,425 --> 00:02:05,820
Another type of evasion technique is the use of resource exhaustion attacks, so denial of service attacks, that can be used to evade detection and simply distract the administrator, and then, of course, launch a more sophisticated attack to potentially steal data and exfiltrate information. A simple definition of resource exhaustion is consuming the resources necessary to perform an action. And in some cases it can be launched against a security technology or a security product like an IPS device. So if you can consume the resources of that device, perhaps you can launch a successful attack, other than just a denial of service attack, of course.

00:02:05,820 --> 00:04:17,570
Now, another evasion technique is traffic fragmentation. Network technologies expect traffic to move in a certain way, known as the TCP/IP suite. So understanding how this works can help identify when something is operating in an unusual way. Fragmenting traffic is a method to avoid detection by breaking up a single Internet Protocol, or IP, datagram into multiple smaller packets. And the goal is to abuse the fragmentation protocol within IP, creating a situation where the attacker's intended traffic is ignored, or let through as trusted traffic, by a firewall or an IPS device or any other security product. The good news is that most modern intrusion detection and intrusion prevention systems are aware of this type of attack and can prevent it fairly easily. IPS products should be able to properly reassemble packets to evaluate them and see whether they're malicious or not. This includes understanding the proper order of these packets. Unfortunately, attackers have various techniques that they can use to confuse an IPS solution during the reassembly process. An example of this is using a TCP segmentation and reordering attack designed to confuse the detection tool. They do that by sending traffic in a non-inspected method, where the hope is that it can properly reassemble the traffic and identify it as malicious in some cases. Security devices that cannot perform traffic reassembly will automatically fail to prevent this type of attack. So some security devices will fail when the attacker reorders or fragments the traffic with enough tweaks to accomplish this bypass.

00:04:17,570 --> 00:05:53,503
Now, another type of evasion technique is protocol-level misinterpretation. A protocol, as you know, is a set of rules or data structures that governs how computers or network devices exchange information over a network. So a protocol can be manipulated to confuse security devices and keep them from properly evaluating traffic. This is done because many devices and applications expect network communications to follow the industry-defined rules when the protocol is used. So the key is understanding how the protocols should work and attempting to see if the developer of the receiving system defined defenses such as limitations on what is accepted, a method to validate what is received, and many others. Now, the second key piece is identifying what happens when a receiving system encounters something that it doesn't understand when seeing or inspecting it. And that, of course, can cause a failure, and failures will cause traffic to be ignored, dropped, or delayed, which can all be used to an attacker's advantage to evade being detected and also allow him or her to steal information from the corporate network.

00:05:53,503 --> 00:07:43,053
Another type of attack that is used for evasion is timing attacks. In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem. He does that by analyzing the time that is taken to execute the cryptographic algorithms. And they're very opportunistic attacks. Every logical operation in a computer takes time to execute, and the time can be different based on the input, different types of measurements, or different types of environmental factors. So if an attacker can work backwards to the input and predict, and is able to take, just like the word says, very timely measurements, it can cause an evasion in a lot of situations. How much such information can help attackers depends on the many variables that are present. That includes the cryptosystem design, the CPU running the system, the algorithms used, assorted implementation details, other types of countermeasures that may be in place, and also the accuracy of the timing measurements, and so on. So timing attacks are often overlooked in the design phase because they're so dependent on the actual implementation. So again, timing attacks are yet another form of evasion technique used by attackers to avoid being detected.