Hide and Seek: Stopping Encrypted Attacks and Advanced Evasion Techniques
The cybercriminals that attack your network are a clever and crafty bunch. That’s why they continue to add new methods to their arsenal, and in some cases, they use the same tools as the good guys.
One such instance is encryption. It is estimated that nearly 70 percent of all Internet traffic will be encrypted this year. While the increased use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) has improved privacy and enabled online business operations, it is a double-edged sword. The same encryption you use when banking online can be leveraged by cybercriminals to hide their attacks from your network security defenses and encrypt communications with command-and-control centers.
Advanced evasion techniques (AETs) also help attackers escape detection. Basic evasion techniques that bypass security devices have been around for decades, and in many cases security vendors have been able to update their products to detect the more common and basic ones.
AETs up the ante by combining several types of workarounds — such as packet fragmentation or protocol ambiguities — to obfuscate attacks. By creating new, unique evasion techniques, often delivered over multiple network layers at the same time, attackers can easily bypass conventional security defenses. It’s like using a stealth fighter to launch an attack: The bad actor flies in unnoticed and delivers the payload.
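To make the packet-fragmentation point above concrete, here is a small added illustration (not code from the original article or from IBM) of why a sensor that matches signatures on individual packets misses a pattern spread across TCP segments, and why stream reassembly must also settle the overlap ambiguity the same way the protected host does. The signature string, the segments and the `Segment` helper are all constructed sample data.

```python
"""
Added illustration, not from the original article: per-packet signature
matching versus stream reassembly, including the overlap ambiguity that
AETs exploit. All data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed stand-in for an exploit pattern a sensor would look for.
SIGNATURE = b"ATTACK-MARKER"


@dataclass(frozen=True)
class Segment:
    """One TCP segment: offset relative to the stream start, plus payload."""
    seq: int
    payload: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Naive sensor: inspects each segment's payload in isolation."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from segments in any arrival order.

    When two segments carry different data for the same byte offset,
    'first' keeps the data that arrived first and 'last' keeps the most
    recent. Real TCP stacks differ here, which is the protocol ambiguity
    an evasion can hide behind: the sensor must resolve overlaps the
    same way the destination host does, or it sees a different stream.
    """
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            offset = seg.seq + i
            if offset not in stream or policy == "last":
                stream[offset] = byte
    if not stream:
        return b""
    # Gaps (bytes never received) are filled with zero for illustration.
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def reassembled_match(segments, policy="first", signature=SIGNATURE):
    """Sensor that matches against the reassembled stream instead."""
    return signature in reassemble(segments, policy)


# Constructed sample 1: the pattern is split across two segments.
SPLIT = [
    Segment(0, b"GET /index.html ATTA"),
    Segment(20, b"CK-MARKER HTTP/1.0\r\n"),
]

# Constructed sample 2: a later segment overlaps the first and rewrites
# the bytes the pattern depends on. Which version the host keeps decides
# whether the signature is really present on that host.
OVERLAP = [
    Segment(0, b"ATTACK-MARKER"),
    Segment(7, b"XXXXXX"),
]

if __name__ == "__main__":
    print("per-packet, split:      ", per_packet_match(SPLIT))
    print("reassembled, split:     ", reassembled_match(SPLIT))
    print("reassembled, reordered: ", reassembled_match(list(reversed(SPLIT))))
    print("overlap, first-wins:    ", reassembled_match(OVERLAP, "first"))
    print("overlap, last-wins:     ", reassembled_match(OVERLAP, "last"))
```

The split sample shows the basic failure of per-packet matching; the overlap sample shows why reassembly alone is not enough and the sensor's reassembly policy has to mirror the protected endpoint's, which is exactly the kind of multi-layer ambiguity an evasion test suite probes.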
Preventing the Attacks You Can’t See
Many network security products claim to be able to protect against attacks that use encryption and AETs, but it is important to evaluate and confirm such capabilities when selecting your network security solutions.
That’s why IBM commissioned The Tolly Group, a leading provider of third-party validation services, to conduct an independent test of the IBM QRadar Network Security (XGS) 7100 appliance, a next-generation intrusion prevention system (IPS). Tolly evaluated both the security effectiveness of the XGS and its throughput performance.
Highlights from the report include:
- Blocked 100 percent of encrypted attacks: A corpus of 104 publicly disclosed exploits, both encrypted and unencrypted, was tested. The QRadar XGS onboard SSL/TLS inspection stopped them all.
- Blocked 100 percent of McAfee Evader test suite attacks: Using the Evader tool, nearly 4 million AETs were launched against the XGS over the course of 11 hours. All were stopped.
- High throughput: QRadar XGS delivered 26 Gbps of multiprotocol throughput without SSL/TLS inspection and 17 Gbps with SSL/TLS Inspected Inbound turned on.
Why QRadar XGS?
QRadar XGS has been recognized as a leading next-generation IPS, having recently been included in the Leaders quadrant of the Gartner 2015 IPS Magic Quadrant. One of the reasons the XGS receives high marks is its market-leading Protocol Analysis Module (PAM).
Developed by IBM X-Force, PAM is the core IPS engine that delivers high-performance intrusion prevention. Instead of relying solely on pattern matching, PAM uses heuristics and behavior-based analysis to better protect against unknown and emerging threats — sometimes months or even years before an exploit is disclosed. It helps detect advanced evasion techniques and inspects the encrypted traffic flowing across your network.
To learn more about the results of the Tolly evaluation and about the QRadar XGS, watch the on-demand webinar “Tolly Report: Stopping Attacks You Can’t See.”