
CyberFlood Data Breach Assessment: Evasion Techniques - Validating Enterprise Security with Real World Hacker Behavior


Malicious attackers are not necessarily experts in malware manipulation, PowerShell, or other tools, constantly inventing new ways of exploiting enterprise infrastructures. From their point of view, one of the most effective approaches is simply brute force, or quickly reusing existing exploits while disguising them so that security platforms and policies no longer recognize them. Why reinvent the wheel when a wide range of evasion techniques lets an attacker reuse existing attacks quickly and with little effort? The overarching approach is to disguise the exploit at the point of delivery so that the enterprise security solution neither detects nor prevents it. Encryption or evasion techniques applied to existing exploits, attacks and other malicious traffic hinder the security platform's ability to recognize the attack and enforce its mitigating policies.

Attack Evasion

An attacker can use encryption or any number of well-known evasion techniques to avoid detection by the platform that is assumed to enforce the protection policy. A few categories of evasion techniques are listed below:

  • FTP Obfuscation

  • HTML Obfuscation

  • HTTP Obfuscation

  • IP Fragmentation

  • TCP Segmentation

  • URL Obfuscation

  • Javascript Obfuscation

  • Binary Obfuscation

  • Timing (delay)
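The IP Fragmentation and TCP Segmentation categories above work the same way: the malicious payload is spread across several packets so that no single packet contains the pattern an inspection engine is looking for. A detector that matches each segment in isolation misses the pattern, while one that reassembles the stream first catches it. The following Python example is added here to illustrate that point; it is not code from Spirent or from CyberFlood. The HTTP request, the signature, the initial sequence number, the chunk size and the "first-received byte wins" overlap policy are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed signature for this example: a very plain script-tag pattern.
SIGNATURE = b"<script>"


@dataclass
class Segment:
    """One TCP segment: absolute sequence number plus payload bytes."""
    seq: int
    payload: bytes


def segment(data: bytes, isn: int, size: int, reverse: bool = True) -> List[Segment]:
    """Split a stream into fixed-size segments (constructed sender behaviour).

    reverse=True delivers them in reverse order to model out-of-order arrival.
    """
    segs = [Segment(isn + off, data[off:off + size]) for off in range(0, len(data), size)]
    return segs[::-1] if reverse else segs


def reassemble(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Rebuild the byte stream from out-of-order segments.

    Overlap policy (assumption): the first byte received for an offset wins.
    Real TCP stacks differ in this policy, which is itself an evasion vector,
    so a detector must mirror the policy of the host it protects.
    Returns None while the stream still has a gap (a segment is missing).
    """
    stream = {}
    for seg in segments:  # iterate in arrival order
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq - isn + i, byte)
    if not stream:
        return b""
    end = max(stream) + 1
    if any(off not in stream for off in range(end)):
        return None  # hold until the missing segment arrives
    return bytes(stream[off] for off in range(end))


def per_segment_match(segments: List[Segment]) -> bool:
    """Naive inspection: look for the signature inside each segment separately."""
    return any(SIGNATURE in seg.payload for seg in segments)


def stream_match(segments: List[Segment], isn: int) -> bool:
    """Stream-aware inspection: reassemble first, then match."""
    data = reassemble(segments, isn)
    return data is not None and SIGNATURE in data


# Constructed request, not traffic from the post.
REQUEST = b"GET /?q=<script>alert(1)</script> HTTP/1.0\r\n"
ISN = 1000

if __name__ == "__main__":
    segs = segment(REQUEST, ISN, size=5)  # 5-byte chunks can never hold the 8-byte signature
    print("per-segment match:", per_segment_match(segs))   # False
    print("reassembled match:", stream_match(segs, ISN))    # True
```

The same reassembly-before-inspection rule applies to IP fragments at layer 3; the only difference is that the offsets come from the fragment offset field rather than from TCP sequence numbers.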

Each of these categories may include several techniques. For example, the URL Obfuscation category covers methods such as:

  1. Escape encoding

  2. Microsoft encoding

  3. Premature URL encoding

  4. Long URLs

  5. Fake parameters

  6. Tab separation

  7. Casing

  8. Windows delimiter

  9. Path character transformation and expansions

Failure to recognize any one of these specific evasion techniques makes the entire class of attacks exploitable against devices that were presumed to provide protection. Furthermore, evasion techniques can be combined within a category or across categories, which is trivial for an attacker to do and carries significant rewards. For example, a known Chrome Cross Site Scripting attack can be disguised with a time delay and URL obfuscation (escape encoding). While this exploit may be mitigated when no evasion is applied, with the combined evasion it may get past security countermeasures.
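The practical consequence of the URL Obfuscation list and of the combined-evasion point above is that a detection platform must canonicalize the request target before it compares anything against a signature: undo escape and Microsoft %uXXXX encoding (including nested encoding), treat tabs as request-line separators, separate fake query parameters from the path, normalize case and Windows delimiters, and collapse `/./`, `//` and `/../` expansions. The Python example below is added here to show that canonicalization and to contrast naive matching with matching on the canonical form; it is not code from Spirent or from CyberFlood. The signatures, the sample request lines, the three-round limit on nested decoding and the assumption that the protected server treats paths case-insensitively are all constructed for the demonstration.

```python
import re
from typing import List
from urllib.parse import unquote

# Microsoft %uXXXX encoding, e.g. %u002e is '.'
_MS_ENCODED = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructed signatures: plain substrings checked against the canonical path.
SIGNATURES = ("/etc/passwd", "/cgi-bin/phf")


def decode_escapes(text: str, max_rounds: int = 3) -> str:
    """Undo escape encoding (%XX), Microsoft %uXXXX encoding and nested
    encoding (%252e -> %2e -> .), stopping after max_rounds or when stable."""
    for _ in range(max_rounds):
        decoded = _MS_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), text)
        decoded = unquote(decoded)
        if decoded == text:
            break
        text = decoded
    return text


def canonicalize(request_line: str) -> str:
    """Reduce the target of a raw HTTP request line to one canonical path."""
    # Tab separation: any run of whitespace separates method, target and version.
    fields = request_line.split()
    target = fields[1] if len(fields) >= 2 else fields[0]
    # Fake parameters: the query string cannot change which path is requested,
    # so it is split off before the path is decoded.
    path = target.split("?", 1)[0]
    path = decode_escapes(path)
    path = path.replace("\\", "/")   # Windows delimiter
    path = path.lower()              # casing (assumes a case-insensitive target)
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):         # '//' and '/./' add nothing
            continue
        if seg == "..":              # '/x/../' removes the previous segment
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_match(request_line: str) -> List[str]:
    """Signature check on the raw request line, with no canonicalization."""
    return [s for s in SIGNATURES if s in request_line]


def canonical_match(request_line: str) -> List[str]:
    """Signature check after canonicalization."""
    canon = canonicalize(request_line)
    return [s for s in SIGNATURES if s in canon]


# Constructed request lines, not traffic from the post. The last one combines
# several techniques: path expansion, double encoding, escape encoding, fake
# parameters and a long URL.
SAMPLES = [
    "GET /etc/passwd HTTP/1.0",
    "GET /%65tc/passwd HTTP/1.0",
    "GET\t/%u002e%u002e/ETC\\PASSWD HTTP/1.0",
    "GET /images/./../%252e%252e/%65tc/passwd?junk=1&pad=" + "a" * 400 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line[:48]), "naive:", naive_match(line), "canonical:", canonical_match(line))
```

Only the first sample is caught by the naive check; all four reduce to the same canonical path. The bound on nested decoding matters: decoding without a limit both costs CPU and can diverge from what the protected server actually does, so the detector should decode exactly as many rounds as the server behind it.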

[Figure: Cross Site Scripting]

CyberFlood Data Breach Assessment (CF DBA) Evasion Techniques

CyberFlood Data Breach Assessment (CF DBA) is an emulation-based solution that proactively provides in-depth, continuous and automated assessment of an enterprise's security posture. It expands on proven CyberFlood capabilities with continuously updated threat intelligence feeds to generate realistic traffic for the latest attacks and exploits. It provides near zero-day malware threats as well as real-world application traffic (business and non-business types), allowing thorough assessment of enterprise security postures. CF DBA emulates a wide range of hyper-realistic hacker behavior, including encrypted attacks and evasion techniques. Exploits and attacks configured in CF DBA can be augmented with various evasion techniques at the global level or on a per-attack-vector basis. Compared to undisguised attacks and content, evasions put added pressure on the systems under test and so give a stronger validation.

[Figure: CyberFlood Data Breach Assessment evasion techniques]

Evasion techniques are a powerful set of methodologies hackers use to break through security barriers. By adding assessment strategies inclusive of using the same evasion techniques as hackers, you can stay one step ahead of the bad guys.

Learn more about how Spirent CyberFlood Data Breach Assessment can help in validating enterprise network infrastructure security postures.

Reza Saadat

senior technical marketing engineer, application and security group

Reza Saadat is a Senior Technical Marketing Engineer at Spirent in the Applications and Security group, with over 25 years of experience in computers and data communication technologies. At Spirent, Reza works with the Product Management, Engineering and Sales teams to bring to market new, cutting-edge applications and security testing solutions for network equipment manufacturers, enterprises, and service providers. His in-depth industry, market and software development knowledge as well as collaborative design and development skills have resulted in the creation of numerous hardware and software solutions, which have been successfully released at companies such as IBM Corp, Cisco Systems and many more.