IPS virtual patching undermined by new threats, Stonesoft says

IPS virtual patching is undermined by more than 120 new advanced evasion techniques (AETs) that are being used by hackers.

Hackers continue to refine their methods to bypass intrusion prevention systems (IPS) and exploit vulnerabilities within corporate networks. This presents a threat to companies that rely on their IPS to provide protection for unpatched systems.

Finnish IPS company Stonesoft Corp. said that during the last few months it has detected more than 120 new advanced evasion techniques (AETs) being used by hackers to fool IPS and intrusion detection systems (IDS) and get into the networks those systems protect.

The new discoveries are in addition to the 23 AETs Stonesoft identified last October.

The company said that, through research and the use of honeypots, it has detected a growing sophistication in the hacker techniques used to bypass IPS defences, whose main functions are to analyse traffic coming into a network and to filter out anything suspicious. For this reason, IPS is often used as a stopgap measure to help protect systems with known vulnerabilities that have yet to be patched.

Ash Patel, UK country manager for Stonesoft, said the techniques were likely to be used against big companies, government organisations or utilities. "These AETs are not the kind of automated attacks you'd see against small- and medium-sized businesses, they are complex and targeted," he said. "They could be especially dangerous for utilities running SCADA-based systems, which cannot be patched on a regular basis. The only way they can be protected is through a virtual patching system -- in other words, an IPS."

He added that the sophistication of the attacks indicated that they were the work of well-funded criminal elements.

Reaction to the news has been mixed. Jack Walsh, a researcher with ICSA Labs, a division of Verizon, wrote on the company blog that although he had harboured doubts about the initial 23 AETs that Stonesoft discovered, he felt the new discoveries confirmed that this is now a serious problem facing all IPS manufacturers.

"I hope security vendors will continue (or begin in some cases) to take more significant action to combat these and other evasion techniques to better protect enterprises that depend in part on these devices for network security," Walsh wrote.

But Peter Wood, chairman of Brighton-based consultancy First Base Technologies LLP, was more sceptical, saying advanced evasion techniques were generally unnecessary because so few organisations managed their intrusion detection/prevention systems properly.

"My experience with some reasonably large organisations is they really don't have much of a handle on IDS or IPS. They hope they can buy a product that will work straight out of the box, which is never the case because you have to tune it," he said. "An IPS needs maintaining, regular tuning and well-trained people to keep it on target. Most large companies don't allocate enough people."

Stonesoft has submitted samples of the 123 new AETs to CERT-FI, the Finnish national computer emergency response team, for further evaluation.
