Copyright © 2017 Forcepoint. All rights reserved.
Why Evasions Are More
Dangerous Than Ever
Tijl Vermant
SE BENELUX - NETWORK SECURITY
ALL TECHNOLOGY IS VULNERABLE (IF YOU TRY HARD ENOUGH)
▸ Browsers
▸ PDF readers
▸ Office
▸ Web servers
▸ Name servers
▸ File servers
EVASIONS GET EXPLOITS & MALWARE
THROUGH SECURITY DEFENSES
WITHOUT EVASIONS, EXPLOITS & MALWARE
ARE EASY TO DETECT AND BLOCK
EVASIONS HIDE EXPLOITS & MALWARE
FROM DEFENSES
ROOT CAUSES OF EVASIONS
▸ Throughput often prioritized over security
▸ Not analyzing full protocols
▸ Design flaws or missing features
Application
Presentation
Session
Transport
Network
Data
Physical
TEST YOUR SECURITY DEVICES WITH FORCEPOINT
EVADER BY FORCEPOINT
Ready-Made
Evasion Test Lab
EVADER IN ACTION
[Diagram labels: EVASION GENERATOR (Evader by Forcepoint, Ready-Made Evasion Test Lab); DEVICE BEING TESTED (VARIETY OF VENDORS); TARGET SYSTEM (CLIENTS AND SERVERS); EXPLOIT]
2013: FORCEPOINT PUBLISHED EVADER
Vendor / Test           0  1  2  3  4  5  6  7  8  9  10 11 12
Forcepoint (Stonesoft)  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓
Juniper                 ✓  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✓  ✗  ✗  ✗  ✗
Palo Alto               ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✓  ✗  ✗  ✗  ✗
Cisco (SourceFire)      ✓  ✓  ✗  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✗  ✓  ✗
McAfee                  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✓  ✗  ✗  ✗  ✗
Fortinet                ✓  ✓  ✗  ✓  ✓  ✓  ✗  ✗  ✓  ✓  ✗  ✗  ✗

Tests:
0: payload obfuscation
1: tcp_paws
2: tcp_synretranswithpayload
3: ipv4_opt
4: tcp_urgent
5: tcp_recv_window
6: tcp_seg, tcp_order
7: tcp_seg, tcp_order, tcp_paws
8: tcp_seg, tcp_order, tcp_synretranswithpayload
9: tcp_seg, tcp_order, ipv4_opt
10: tcp_seg, tcp_order, tcp_urgent
11: tcp_seg, tcp_order, tcp_recv_window
12: Random combination of 1-11
2017: FORCEPOINT CONTINUES TO LEAD
Vendor / Test           0  1  2  3  4  5  6  7  8  9  10 11 12
Forcepoint (Stonesoft)  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓
Juniper                 ✓  ✗  ✓  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✗  ✗
Palo Alto               ✗  ✗  ✓  ✓  ✓  ✓  ✗  ✗  ✓  ✗  ✓  ✗  ✗
Cisco (SourceFire)      ✗  ✗  ✓  ✗  ✗  ✗  ✗  ✗  ✓  ✗  ✗  ✗  ✗
McAfee                  ✗  ✗  ✓  ✗  ✗  ✗  ✗  ✗  ✓  ✗  ✗  ✗  ✗
Fortinet                ✗  ✗  ✓  ✓  ✓  ✓  ✓  ✗  ✗  ✓  ✗  ✓  ✗

Tests:
0: payload obfuscation
1: tcp_paws
2: tcp_synretranswithpayload
3: ipv4_opt
4: tcp_urgent
5: tcp_recv_window
6: tcp_seg, tcp_order
7: tcp_seg, tcp_order, tcp_paws
8: tcp_seg, tcp_order, tcp_synretranswithpayload
9: tcp_seg, tcp_order, ipv4_opt
10: tcp_seg, tcp_order, tcp_urgent
11: tcp_seg, tcp_order, tcp_recv_window
12: Random combination of 1-11
EVASIONS IN
NSS LABS
NGFW TEST
[Chart: legend "Forcepoint NSS Test Average"; horizontal axis 2012, 2013, 2014, 2016, 2017; vertical axis 60 to 100; data labels 94.00, 96.00, 96.50, 97.50, 99.95]
THE “EVASION GAP” –
FORCEPOINT CLOSES THE
DOOR ON ATTACKERS
TAKEAWAYS
▸ Evasions give attackers free access to
your network … and they know it
▸ Forcepoint is the pioneer – and leader –
in anti-evasion defense
▸ See Evader for yourself at
forcepoint.com/evader