Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

IDS Evasion Techniques

Since the introduction of intrusion detection systems they became very popular amongst network administrators because it provided a way to detect if any attacks took place. At them days (1990s) these systems were very simple devises that monitor the network traffic, match it to a database of signatures and if there is a match an alert is produced that informs the administrator of the event
(Bruneau, 2001,
History and Evolution of Intrusion Detection, p. 3). Throughout the years attackers, security professionals, researchers and developers have always played a cat and mouse game. Every time developers, security professionals and researchers find or develop new ways to counteract attacks, attackers seem to develop new ways to attack security devises such as IDSs or even bypass them altogether. This is because of the complexities in capturing, analysing and understanding network traffic (Timm, 2002, IDS Evasion Techniques and Tactics, p. 1). These complexities meant the existence of many techniques that can be used to take advantage of the weaknesses in IDSs. These methods were very simple such as pattern matching, denial of service (DOS) and false positives. However overtime more advanced techniques such as fragmentation, session splicing and polymorphic shell-code techniques began to appear.

As mentioned by (Roberts, 2010)
that stonesoft’s disclosure of a new way to evade IDSs and IPSs (IDPSs) raises some doubts about the effectiveness of many security products already used by many organisations worldwide. However stonesoft’s discovery was not new; anyone has an interest in information security knows that these techniques have been around for a very long time and was first mentioned in 1998 by (Newsham, 1998).

As quoted by (Roberts, 2010):

“Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.”

He further quoted:

“”In the process of doing so, we basically discovered that it’s possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,” he said.”

However, I respectfully disagrees with what Mr. Matt McKinley had said; this is because these techniques as will be discussed in the following sections have been around for a very long time and all are based on the techniques mentioned in
(Newsham, 1998)

In this section the author presents an overview of some of these techniques by dividing them into two categories Basic techniques and Complex techniques.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 2

A look at IDSs in more details

As described by Karen Scarfone and Peter Mell (2007, page 15):

“Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized.”

They also mentioned that an IDS is a software that automates the process of intrusion detection and an IPS has the same functionality of an IDS but with an extra option that can stop incidents. An IPS can work as an IDS by deactivating the IPS option, which is why the term IDPS is used to mean both (IDS and IPS).

This post provides solid foundations to setup the seen for the understanding the upcoming posts in this series when we delve into different methods used to defeat these systems.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 2

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 1


Computers have advanced to become part of our daily life, everywhere you go there is a computer network that’s been installed to perform a certain number of jobs; and the effectiveness of organisation’s business performance has become greatly dependent on the availability, reliability and security of these networks and the systems connected to it. This has resulted to the unfortunate fact that many systems connected to the internet is a target of a range of attacks especially organisations with hundreds of hosts, services and sensitive data. It is also equally true for small offices and isolated home users with no data to protect. This is because criminals would benefit greatly from the data they steal from big organisations; and in the case of small offices and home users, criminals would benefit from them by using them as a stepping stone so they can launch their attack without being caught.

From the beginning of 2003, the (SANS Internet Storm Centre ISC 2003) started to monitor the average survival time of un-patched machines and found that the time it takes to download patches is greater than the time to install the software. This means that before a system is fully patched attacks have already spread across the network at incredible speed. In many cases the speed of these attacks and the speed they spread across the network exceed the possibility of human intervention. Therefore the development of the components (hardware and software) that detects these attacks becomes extremely important.

As it has been mentioned by (Bruneau 2001); the rule-based method developed by Dorothy Dinning and Peter Neumann between 1984 and 1986 was used by the first IDS system. This work was influenced by a report published by James P Anderson in 1980 titled “How to use accounting audit files to detect unauthorised access”. This model was improved to create what is recognised today as the Next-Generation Intrusion Detection Expert System (Bruneau 2001, p.3).

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 1

Secure Messaging Applications


Discussing End-To-End Encryption Protocols used by messaging applications such as WhatsApp

Due to the highly interconnected world we live in today and the increased dependency on technology in almost every aspect of our lives, the rise of crimes for which technology added another vector that not only makes our lives easier, it has also been utilized by criminals in many ways including the ease of communication. At the same time governments are forced and on occasions takes advantage of this to tap into every aspect of our privacy.

This paper investigates several secure messaging applications and how end-to-end encryption used to secure our communications, not only in transit but also from the moment we initiate this communication from our handset or computer. 

Continue reading Secure Messaging Applications

Cyber Threats – How effective is your Cyber Security Operations?

The advancement in the technology of the world we live in today made it very easy for every business regardless of its size to reach out to places that would otherwise be very challenging to communicate with, let alone have a full business presence in.

In the past, very large organisations experienced many different types of difficulties in maintaining their businesses in different cities or keeping up with the demands of their customers who may be located in different regions.

Today we have small home-based businesses or businesses that may not even have a physical presence in their own region trade very successfully and easily across the globe.

A few years ago an organisation’s security operations analysts were not expected to have great level of knowledge in the different areas of information security to be able to learn the trade and analyse what they see on their screens. This was because abnormal behavior in most cases can easily be identified.

However the advancements we are experiencing brings with it a wide range of different applications and services that are built into the overall infrastructure. We have a wide range of different cloud services that are interconnected to internet facing applications that distribute their content on multiple different locations in the cloud.

These services in one transaction can generate many different signatures that a couple of years ago security analyst would consider them as a clear sign of an intrusion attempt, however today these signatures are not enough to determine the maliciousness of the activity. This means malicious activity can easily hide in plain sight of what is now considered as normal traffic in many environments.

These rapid developments aided in the spike in cyber threats, their complexity and continuous changes of the adversary’s Tactics, Techniques and Procedures (TTPs).

The information security community are observing on a daily basis, news of many different types of organisations being breached with a variety of attack methods that ranges in their complexity, delivery mechanisms AND motives.

Many organisations such as SANS institute, EC-Counsil, ISC2 and many more are working extremely hard to raise the level of expertise and research new methods to detect, collect and investigate breaches.

The GOOD news is that we are also observing many if not all organisations are starting to recognize how important it is to have a solid infrastructure that is built with security in mind.

Many developers are now being encouraged and educated in the methods of secure application development. Network administrators are also starting to take a security stance and work to harden their network and create that balance between Accessibility, Security and Usability.

Organisations are indeed stepping in the correct direction and have dedicated a large amount of money to secure their infrastructure and implement a wide range of security controls from IDPSs, SIEMs up to deception controls, however many organisations in their efforts to improve their security resilience neglect dedicating enough time to perfect their processes and forget that cyber security is made of three important components (People, Technology and Processes) that are part of a successful ISMS.

Having a well thought out processes can compensate for technological gaps or failures and neglecting your processes can render your state of the art devices very useless and break communications between your teams.

Your processes can save you in moments when everything else fails.

So, what makes a perfect or a well thought out processes?

2- Basic Malware Analysis – Static – Part 2

OK continuing from Part 1, today’s tutorial’s will involve the following:

  1. We will look at the strings of the program using strings.exe.

  2. We will check if the program is packed?

Examining the Program’s Strings

A string in an application is a set of characters such as “hello”, it is stored in either ASCII or Unicode format. The cases where a program may contain strings are as follows:

  1. I f the program prints a message.

  2. If it accesses a URL.

  3. Or if it copies a file to a certain location.

ASCII and Unicode uses NULL characters to indicate the string is complete.

The reason looking at the strings is important is that the string of a program would give us important information about the program or the codes functionality.

Strings.exe scans the program for any sequence or characters that are 3 characters or more in length, which is why it can produce results that don’t make sense. Therefore when reading the results from the strings.exe always make note of strings the make sense as shown below:

Continue reading 2- Basic Malware Analysis – Static – Part 2

2- Basic Malware Analysis – Static – Part 1

To perform Basic Static Analysis we need to complete several steps, which will allow us to answer some of the following questions:

  1. What the suspicious file is?

  2. What does it do?

  3. When was it made?

  4. Does it depend on other files?

  5. Does it download other files?

  6. How does it work?

  7. What type of Malware is it?

Each of the Malware Analysis stages (Basic and Advanced) will provide us answers to some of the above questions and to be able to answer them all we need to exhaust each of the stages we mentioned in the first tutorial (1- Practical Malware Analysis – Introduction).

In today’s tutorial’s case we will be performing the following:

  1. We will run the suspicious file through multiple Anti Virus scanners such as to see if the file is already known and have been flagged previously.

  2. We will create an MD5 signature of the file, that we can use to share with our colleagues and we can also use it to search online for a file with the same MD5 hash.

  3. We will look at the strings of the program using strings.exe.

  4. We will check if the program is packed?

  5. Also we will check the Portable Executable File Format (PE) header, which will provide us with valuable information about the code, the type of application, required library functions and space requirements.

  6. To end this we will examine Linked libraries and functions.

Continue reading 2- Basic Malware Analysis – Static – Part 1