The Game of Security Evasion
Evasion techniques have existed for as long as attacks have; that is no secret. Put simply, attackers know which security products are deployed and try to evade them. We see this most often on endpoint desktops: malware that drops a rootkit and kills host-based security processes. Real security means looking at the whole picture rather than at one point, and that is precisely Fortinet's position in the UTM and NGFW field. In the endpoint example, gateway AV has a large advantage against threats engineered for endpoint evasion, because the file is inspected on the wire before it ever executes on the host, where its rootkit and process-killing tricks would apply. There is no silver bullet in any standalone control, though: for exactly these reasons, one should not rely solely on AV, on IPS, or on any other single service. True security involves multiple layers of defense working together, from the vendor through the administrator and SOC team to the human element. This is our expertise.
AV bypass is another example: we frequently see malware authors build bypass measures against practically every vendor's engine. What matters is how you handle it. We have a dedicated in-house research team that studies the latest attack trends and builds the corresponding technology (in the case of AV, our antivirus engine) to defend against them. A dynamic team of this kind is essential to combat today's threat landscape, and we are fortunate to have one in-house across all of our services.
There have been recent claims that some vendors' IPS engines can be bypassed by making the attack payload larger than the amount of data the engine actually inspects. We thought about this long ago. Our default IPS scan limit is roughly 200KB, but it is configurable: setting the value to 0 makes the IPS inspect traffic of every length, so no bypass by payload size can be achieved. We believe the 200KB default is reasonable because, in our experience, the vast majority of IPS-based attacks (even file-based ones) fall within that limit. NSS testing is a good example: we achieve high detection rates using the default 200KB value. As noted, if you need a different limit, it is easily configurable.
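The following toy model is an added illustration, not Fortinet's engine or configuration syntax. It shows concretely what a scan-size cap means: a capped engine searches only the first N bytes of a stream, so an attacker who pushes the malicious bytes past N (or even straddles the boundary) is missed, while a limit of 0 inspects everything. The signatures, the 200KB constant and the padded payloads are constructed for the demo.

```python
"""Toy model of a size-capped inspection engine (added illustration, not
Fortinet's IPS engine or its CLI). A capped engine inspects only the first
`scan_limit` bytes of each stream; a limit of 0 means inspect everything."""

DEFAULT_SCAN_LIMIT = 200 * 1024  # ~200KB, mirroring the default discussed above

# Constructed signatures for the demo; real IPS rules are far richer than
# fixed byte strings.
SIGNATURES = {
    "demo.cmd_injection": b"; rm -rf /",
    "demo.webshell_marker": b"<?php eval($_POST[",
}


def scan(payload: bytes, scan_limit: int = DEFAULT_SCAN_LIMIT) -> list[str]:
    """Return the names of signatures found inside the inspected window.

    scan_limit == 0 disables the cap, so the whole payload is searched.
    """
    if scan_limit < 0:
        raise ValueError("scan_limit must be 0 (unlimited) or a positive byte count")
    window = payload if scan_limit == 0 else payload[:scan_limit]
    return sorted(name for name, sig in SIGNATURES.items() if sig in window)


def padded_attack(padding_len: int, sig_name: str = "demo.cmd_injection") -> bytes:
    """Constructed attacker payload: harmless filler followed by the malicious bytes.

    Placing the signature beyond the inspection window is exactly the
    size-based evasion the text describes.
    """
    return b"A" * padding_len + SIGNATURES[sig_name] + b"\n"


def compare_limits(payload: bytes) -> dict[str, list[str]]:
    """What each configuration sees for the same payload."""
    return {
        "default_200KB": scan(payload, DEFAULT_SCAN_LIMIT),
        "unlimited": scan(payload, 0),
    }


if __name__ == "__main__":
    small = padded_attack(1024)                        # well inside the window
    oversized = padded_attack(DEFAULT_SCAN_LIMIT + 1)  # entirely past the window
    # Signature straddling the boundary: its first 3 bytes are inside the window,
    # the rest outside, so a naive capped scanner still misses it.
    straddling = padded_attack(DEFAULT_SCAN_LIMIT - 3)
    for label, p in (("small", small), ("oversized", oversized), ("straddling", straddling)):
        print(label, compare_limits(p))
```

The straddling case is the one worth remembering when reasoning about any buffer-capped inspection: a cap is only safe if the attack content, not just its start, fits inside the window. Setting the cap to 0 removes the problem at the cost of inspecting every byte of every stream, which is the performance trade-off discussed next.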
In security there is always a trade-off between performance and how thorough inspection is; the choice between flow-based and proxy-based AV is a good example. We meet this performance challenge with ASIC acceleration, engine and signature optimization, and default configuration values that are reasonable for real-world traffic. For an attack that does bypass IPS, think about which other layers you have in place for visibility and mitigation: AV to catch the malicious code being planted, and application control and botnet detection to catch the outbound traffic that follows. Likewise, if a phishing email evades spam detection, is web filtering in place to block the malicious link once it is clicked? This is what defense in depth is all about.
Our goal is to fix vulnerabilities when they exist. We have a full-time security research team that has itself discovered over 150 vulnerabilities. The aim is to close holes responsibly, so that the vendor can provide a patch before an attacker even learns of the flaw; this is known as responsible disclosure. We ask everyone to do the same: if you have something you think may be a security concern, please report it to firstname.lastname@example.org, encrypted with our Fortinet PSIRT PGP key.