Evasive techniques are regularly used by cyber attackers to avoid detection and hide malicious activity, and they are quite effective. In our Mandiant Security Effectiveness Report 2020, we found that 65% of the time, evasive techniques used to bypass policies could not be detected or prevented within a security environment. Of those attempts, only 15% generated an alert and 25% were detected, while 31% were missed altogether.
What this really means is that organizations are performing below their predicted levels of effectiveness, and for obvious reasons that is alarming. In today’s world, security must be top of mind for everyone within an organization, which means that setting and adhering to cyber security policies is essential to preventing breaches and attacks.
When looking at the threat landscape, we see attackers using many
different types of evasion techniques, but the three most common are:
- Encryption and tunneling: IPS sensors monitor the network and
capture packets as they pass through it, but these network-based
sensors rely on the data being transmitted in plain text. An example
of this method is a secure shell connection to a secure shell host
server, where the sensor sees only ciphertext.
- Timing of attacks: Attackers can evade detection by performing
their actions more slowly than normal. This type of evasion works
against any correlation engine that uses a fixed window and a
threshold to classify events.
- Protocol level misinterpretation: The attacker causes a sensor to
ignore (or not ignore) traffic, so that the organization's sensors
see that traffic differently from the target host.
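The timing evasion above is easiest to see against actual detection logic. The following is an added example (not code from the report or from Mandiant): a fixed-window threshold rule and a sliding-window rule, run over constructed failed-login log lines in an assumed `timestamp program event key=value` format. One source spaces its attempts 90 seconds apart, another bursts six attempts in 25 seconds; the fixed window (60 s, threshold 5) only ever sees the burst, while the sliding window (30 min, threshold 5) sees both. The thresholds and window sizes are arbitrary choices for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _build_sample_log():
    """Constructed sample events (not data from the report).

    198.51.100.7 fails one SSH login every 90 seconds, 12 times ("low and slow").
    203.0.113.9 fails 6 logins within 25 seconds (a classic burst).
    """
    start = datetime(2020, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = start + timedelta(seconds=90 * i)
        lines.append(f"{ts.strftime(LOG_TS_FORMAT)} sshd auth-failure src=198.51.100.7 user=admin")
    for i in range(6):
        ts = start + timedelta(minutes=5, seconds=5 * i)
        lines.append(f"{ts.strftime(LOG_TS_FORMAT)} sshd auth-failure src=203.0.113.9 user=root")
    # ISO 8601 timestamps sort lexically, so sorting the lines gives chronological order.
    return sorted(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, source address) from one 'ts program event k=v ...' line."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, fields["src"]


def fixed_window_alerts(lines, window_seconds=60, threshold=5):
    """Tumbling-window rule: count failures per source inside fixed, clock-aligned
    buckets. A source that spreads its attempts so that no single bucket reaches
    the threshold never alerts, which is exactly the evasion described above."""
    counts = defaultdict(int)
    alerted = set()
    for line in lines:
        ts, src = parse_line(line)
        bucket = int(ts.timestamp()) // window_seconds
        counts[(src, bucket)] += 1
        if counts[(src, bucket)] >= threshold:
            alerted.add(src)
    return alerted


def sliding_window_alerts(lines, window_seconds=1800, threshold=5):
    """Sliding-window rule: keep the timestamps of each source's recent failures
    and alert when `threshold` of them fall inside the last `window_seconds`.
    Stretching the window makes the slow source visible; the cost is state per
    source and a higher false-positive risk, so tune both per data source."""
    recent = defaultdict(deque)
    alerted = set()
    for line in lines:
        ts, src = parse_line(line)
        window = recent[src]
        window.append(ts)
        # Drop timestamps older than the window; the entry just appended keeps it non-empty.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerted.add(src)
    return alerted


if __name__ == "__main__":
    print("fixed 60s window, threshold 5   :", sorted(fixed_window_alerts(SAMPLE_LOG)))
    print("sliding 30min window, threshold 5:", sorted(sliding_window_alerts(SAMPLE_LOG)))
```

Neither rule is "right" on its own: the sliding window catches the slow source only because its window is long enough to hold five of the 90-second attempts, so a defender validating a correlation rule should test it with attempt rates on both sides of the window, not only with bursts.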
As shared in our report, we found that the three most common causes
that lead to poor prevention and detection are:
- Outdated classification categories
- Limited network monitoring on expected protocols
- Inadequate tracking and communication of changes for one-off exceptions
A perfect example of protocol level misinterpretation was found while
working with one of our customers, a Fortune 500 company. The company
leveraged security validation to continuously monitor for changes
causing environmental drift, and the investigating team discovered
that data was not being delivered to the SIEM. After analyzing the
test results, they found that syslog messages were being sent over
UDP instead of TCP, and a misconfigured load balancer was dropping all
UDP traffic. As a result, events never reached the SIEM, correlation
rules did not trigger alerts, and the incident response process was
never initiated. Testing with real attack actions exposed this
scenario and allowed the company’s security team to remove the risk.
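The customer's finding hinges on a property of UDP: the sender gets no signal that a datagram was dropped, so the only reliable check is one that asserts on what the collector received. The following is an added example (not the customer's or Mandiant's code) of that kind of end-to-end delivery check. It assumes a local stand-in for the SIEM's TCP syslog collector (the `CanaryReceiver` class, constructed here), sends a uniquely tagged canary event over TCP and confirms it arrived, and then shows that a UDP `sendto()` to a port with no listener returns normally, which is why the sender-side view in the case above looked healthy while everything was being dropped.

```python
import socket
import threading
import uuid
from datetime import datetime, timezone


def build_syslog_message(hostname, app, text):
    """RFC 5424 framing. PRI <14> = facility 1 (user) * 8 + severity 6 (info)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<14>1 {ts} {hostname} {app} - - - {text}"


class CanaryReceiver:
    """Stand-in for the SIEM's TCP syslog collector (constructed for this example).
    It accepts one connection, reads one newline-terminated message and stores it,
    so the validator can assert on what arrived rather than on what was sent."""

    def __init__(self, timeout=5.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.sock.settimeout(timeout)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
        except socket.timeout:
            return
        finally:
            self.sock.close()  # one connection is all this stand-in needs
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        self.received.append(data.decode("utf-8", "replace").rstrip("\n"))


def send_tcp(host, port, message, timeout=2.0):
    """TCP delivery: a refused connection or a reset raises, so the sender notices."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((message + "\n").encode("utf-8"))


def send_udp(host, port, message):
    """UDP delivery: sendto() returns as soon as the datagram leaves the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def validate_tcp_delivery():
    """End-to-end check: emit a uniquely tagged canary and confirm the collector saw it."""
    collector = CanaryReceiver()
    token = "secval-canary-" + uuid.uuid4().hex
    send_tcp("127.0.0.1", collector.port, build_syslog_message("validator", "secval", token))
    collector.thread.join(timeout=5.0)
    return any(token in msg for msg in collector.received)


def udp_send_succeeds_with_no_listener():
    """Reserve a UDP port, release it, then send to it: nothing is listening, the
    datagram is silently discarded, and sendto() still returns normally. A
    sender-side health check therefore cannot detect the drop; only a
    receiver-side check like validate_tcp_delivery() can."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    unused_port = probe.getsockname()[1]
    probe.close()
    try:
        send_udp("127.0.0.1", unused_port, build_syslog_message("validator", "secval", "udp-probe"))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print("TCP canary reached collector:", validate_tcp_delivery())
    print("UDP sendto() with no listener raised no error:", udp_send_succeeds_with_no_listener())
```

In a real environment the canary would be emitted from the log source and searched for in the SIEM itself; the point of the check is that it fails when the load balancer, the transport, or the parser drops the event, which is the kind of environmental drift the customer's validation caught.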
As evidenced by this example and the findings in our report,
organizations are at much greater risk than they realize. It’s
imperative that they validate security effectiveness in order to
strengthen cyber hygiene and minimize risk. Only then can
organizations better protect business-critical assets, brand
reputation and economic value.
Interested in learning how you can expose and uncover evasive
techniques by validating your controls against current and actual
attacks? Download a full copy of the Mandiant
Security Effectiveness Report 2020, including a list of
the 10 fundamentals for successful cyber security effectiveness validation.