Stealth Attacks: Why Hackers Love Networks That Are ‘Crunchy on the Outside and Chewy on the Inside’

By on Jan 10, 2014

The advertising slogan “crunchy on the outside and chewy on the inside” has been used by companies to market candy, cookies, and even tacos. The slogan is particularly relevant given some of the predictions in the McAfee Labs 2014 Predictions Report.

Specifically, the crunchy/chewy model illuminates the prediction that deals with the expectations of McAfee Labs regarding stealth attacks. One class of stealth attack that we believe will prove extremely popular in 2014 is based on advanced evasion techniques (AETs). In an AET attack the perpetrator spends at least as much time designing and building the threat transport mechanism as the threat itself or payload. The goal of an AET-based attack is to fool the target’s network perimeter defenses into believing that a seemingly unrelated set of data transmissions contains benign data rather than what they actually contain—a malicious virus, data-stealing Trojan, or a program designed specifically to cause a physical malfunction of the target device.

A second class of stealth attack that targets endpoint devices is known as return-oriented programming (ROP), in which an exploit inserts itself into a known good application’s execution stack. From there it does its dirty work. Being that it’s “hidden” in a trusted application, the malware can work completely undetected by the operating system and most application-layer security defenses. The payload may sit dormant in memory for weeks or months until one day awakening to chew on the most valuable data it can find. I’ll cover ROP attacks in another blog, but today I’m going to focus on AETs that target network infrastructure and security measures.

In a classic AET-based attack, the payload or exploit comes wrapped in a “shell” of evasion logic that causes it to look completely benign to firewalls, intrusion detection systems, and even modern executable sandboxing technologies. The AET shell is specifically designed to subvert the crunchy outside of an enterprise network, where much of the security heavy lifting is done. If a network has been targeted by earlier reconnaissance attacks, it might be designed solely to penetrate that specific network.

The goal of all this effort to breach the network is to take up residence in the chewy “inside” of the enterprise, where all the really good stuff (data and devices) live. Once inside the network, an AET will continue to cover its tracks to make itself as undetectable as possible. Common techniques include self-erasing malware that installs itself in a corner of memory and then deletes all traces of itself on the system’s storage subsystem.

From the cybercriminal’s perspective, the AET approach has a few distinct advantages. First, by investing in penetration technology, the odds of creating a successful exploit increase dramatically. McAfee Labs has identified more than 450 distinct evasion techniques as of December 2013.

The second advantage the AET approach provides is that individual evasions may be combined to create entirely new ones for which there is no available detection technique. Individual evasions can’t be combined arbitrarily, but if perpetrators know enough about the target network and how it’s defended, they can create a new combined evasion “wrapper” designed specifically to defeat the target’s defenses.

Finally, the AET approach allows the perpetrators to invest less in the exploit payload, because once inside, old exploits can work very well against unprotected or unpatched systems. Yes, I know, you don’t have any unpatched systems in your network. Or do you? What about all of those industrial control systems that are running operating systems that can be patched only during a maintenance cycle or can’t be patched at all due to their age?

So, what is a savvy and responsible security practitioner to do in the face of the expected onslaught of stealth attacks predicted by McAfee Labs?

First, start thinking like the perpetrators of these advanced attacks. If you wanted to hack your own network, where would you start? If you can identify three to four known weaknesses in your current security posture, it’s likely the bad guys can as well. If you aren’t running regular “red team” drills to identify new vulnerabilities and attack surfaces, start now.

Second, recognize that protecting your infrastructure and protecting your data are sometimes different activities that require different security policies, procedures, and technologies. For example, the policies, practices, and technologies used to protect your company’s core intellectual property might involve very robust access and authentication  combined with state-of-the-art encryption, while protecting the smart devices on your manufacturing floor might involve very strict application control and a separate internal network that is “air gapped” from the rest of the enterprise network.

Finally, I’d be remiss if I didn’t mention the McAfee products designed specifically to identify and isolate AET-based attacks. McAfee Next Generation Firewall is the only next-generation firewall solution to unite anti-evasion security with enterprise-scale availability, and a modular security engine that allows you to add features as your security posture evolves. McAfee Network Security Platform is capable of scanning up to 60 gigabytes of data traffic per second to identify incoming stealth attacks. McAfee Network Threat Response captures, deconstructs, and analyzes malware that does make it past perimeter defenses and identifies malware targeting the “soft and chewy” inside of an enterprise network.

(To learn more about AETs, download McAfee Evader, an automated evasion testing tool, and read the report that SANS did with the Evader.)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>