Malware doesn’t play by the rules, so today’s IT infrastructure needs to provide several layers of defense for end-users. Some of the more common devices used to protect modern networks are Intrusion Prevention Systems (IPS) and firewalls. In recent years, there has been a lot of research on how evasion techniques bypass IPS and firewall protections. It is important to understand the effect these evasion techniques have on the security posture of an organization and the layers required to continuously protect against them.

One common evasion technique succeeds when firewalls do not correctly extract the payload from HTTP connections before inspecting it. When this occurs, malware goes undetected and passes directly to the end-user, leaving no trace and making it difficult for security staff to detect. This is a dangerous situation and has been demonstrated by Steffen Ullrich's HTTP-Evader research – http://noxxi.de/research/http-evader.html.

Motivated attackers also use evasion techniques such as splitting malicious payloads into smaller packets or hiding them within legitimate applications. After the fragmented traffic bypasses the security detection system, the malware is reassembled and may begin sending sensitive data out of the network. These are often referred to as fragmentation and obfuscation techniques; they may bypass firewall and IPS devices by delivering the payload across multiple or obscure protocols.
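The two preceding paragraphs describe the same inspection gap from two angles: a body that is compressed and split into pieces on the wire never contains the bytes a signature engine is looking for unless the engine reassembles and decodes it first. The following is an added defender-side example, not code from the original post or from HTTP-Evader; the signature marker, sample payload and HTTP response are all constructed here for illustration.

```python
import gzip
import zlib

# Constructed marker standing in for a content signature (not a real IoC).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"
SAMPLE_PAYLOAD = b"benign padding text " * 20 + MARKER + b"\n"

def _dechunk(body: bytes) -> bytes:
    # Reassemble a Transfer-Encoding: chunked body into its original bytes.
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break  # last chunk; trailer headers are not part of the body
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)

def normalize_response(raw: bytes) -> bytes:
    # Undo chunking and content encoding so the body is inspected as the client will see it.
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = _dechunk(body)
    encoding = headers.get(b"content-encoding", b"")
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding == b"deflate":
        body = zlib.decompress(body)
    return body

def naive_scan(raw: bytes) -> bool:
    # Matches only against the raw wire bytes; misses encoded or chunked bodies.
    return MARKER in raw

def normalized_scan(raw: bytes) -> bool:
    # Matches against the decoded body, which is what reaches the end-user.
    return MARKER in normalize_response(raw)

def build_sample_response() -> bytes:
    # Constructed response: gzip-compressed body delivered in two chunks.
    compressed = gzip.compress(SAMPLE_PAYLOAD)
    mid = len(compressed) // 2
    chunked = b"".join(f"{len(p):x}\r\n".encode() + p + b"\r\n" for p in (compressed[:mid], compressed[mid:]))
    chunked += b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Transfer-Encoding: chunked\r\nContent-Encoding: gzip\r\n\r\n" + chunked)
```

Running `naive_scan` and `normalized_scan` over `build_sample_response()` shows the gap directly: the raw-bytes scan reports nothing while the normalized scan finds the marker.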

As malware defense measures evolve, so will malware circumvention. Malware detection techniques need constant attention to control and mitigate potential attacks. A multi-layered security infrastructure is the best approach to guard against such attacks. Security control programs that evolve, learn and adapt to new attacks and techniques will be essential to remain ahead of these cyber-security threats. One such offering is the Cisco Advanced Malware Protection solution: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/advanced-malware-protection/solution-overview-c22-734228.html

Cisco PSIRT continuously works with product teams and the wider industry to analyze the impact security threats have on our entire suite of security products, and we release security information in accordance with our Security Vulnerability Policy, available at: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html


John Klimarchuk

PSIRT Incident Manager

Security Research and Operations