Business counts cost of cyber attackers’ secret weapon

Businesses are counting the cost of failing to defend against advanced evasion techniques (AETs), a report reveals

Businesses around the world are counting the cost of failing to defend against advanced evasion techniques (AETs), a report reveals.

Nearly 40% of CIOs and security managers whose organisations have been breached by cyber attacks on their networks believe AETs played a key role, according to a survey by Vanson Bourne.

The study polled 800 CIOs and security managers in the UK, US, Germany, France, Australia, Brazil and South Africa.

On average, respondents said breaches in the past 12 months have cost around $931,000, with the financial sector hardest hit. The cost is estimated at more than $2m per breach globally.

Understanding how AETs play a critical role in cyber attacks is vital to protecting any organisation, according to the research report commissioned by McAfee, a division of Intel Security.

The report describes AETs as a “dirty little secret weapon” that attackers use to bypass security systems and penetrate even the most locked-down networks.

But despite being well-known in the cyber criminal community and widely deployed, most information security professionals lack understanding and awareness of AETs, the research revealed.

As a result, 39% of respondents admitted they do not have the ability to detect and track AETs within their organisations.

Almost two-thirds of respondents said the biggest challenge when trying to implement technology against AETs is convincing the board that they are a real and serious threat.

“Hackers already know about advanced evasion techniques and are using them on a daily basis,” said Ashish Patel, regional director, network security UK & Ireland at McAfee.

“What we’re hoping to do is educate businesses so they know what to look for and understand what’s needed to defend against them. Education is absolutely key,” he told Computer Weekly.

This will be in the form of roadshows, reports, security summits and client briefings. “The study has shown the real lack of understanding, knowledge and awareness in the community,” said Patel.

Mixed messages from IT suppliers

One of the biggest challenges, he said, is the mixed messaging in the IT security industry, with some suppliers denying the existence of AETs and others saying they are possible only in theory.

This is despite research by the University of South Wales that has confirmed the existence of at least 800 million AETs.

Another problem, according to McAfee, is that in paid tests, suppliers are given the chance to correct for AETs. This means only the specific techniques identified are corrected for, and not the broader techniques that are rapidly updated and adapted by criminal organisations.

“Unfortunately, third-party security tests and supplier responses are obfuscating the problem, and leading some to conclude that these techniques don’t exist,” said Patel.

The threat is further compounded by the fact that of the security suppliers that claim to protect against AETs, most are capable of detecting only around 1%, according to Patel.

He called on security suppliers to admit if they cannot deal with AETs or can deal with only some AETs rather than making misleading claims that give customers a false sense of security.

What are advanced evasion techniques?

For the uninitiated, AETs are methods of disguise used to penetrate target networks undetected and deliver malicious payloads. They were first discovered in 2010 by Stonesoft, which was acquired by McAfee in May 2013.

Typically, AETs are used to attack networks by combining several known evasion methodologies to create new and dynamically changing techniques that can be delivered over several layers of a network simultaneously.

By splitting attacks across different network layers, attackers are able to make malicious traffic appear harmless to most network security systems.

The result is a new generation of hacking techniques that enable malware, viruses, worms and other security threats to bypass next-generation firewalls and intrusion prevention systems (IPS).

Any business can check the capability of existing systems to detect and track AETs by downloading a free testing tool, said Patel.

The Evader tool was developed by Stonesoft to enable businesses to see for themselves whether or not security suppliers’ claims are supported in reality.

“Do not rely on a supplier or a testing house, test your systems against 800 million AETs using Evader in your environment with your network and protection systems,” said Patel.

Evader launches sets of AETs against next-generation firewall (NGFW), intrusion prevention system (IPS) and unified threat management (UTM) products to help organisations establish the specific threat AETs pose to their network and business-critical digital assets.

Read more on Hackers and cybercrime prevention