If 2011 was the year of the advanced persistent threat (APT), then 2012 may be noted as the period in which the advanced evasion technique (AET) gained recognition as a dangerous, multifaceted and disguised threat that can carry any of a variety of payloads. But just what is this thing called an AET, and is it new?
As with any newcomer to the security landscape, professional opinion will differ as to what AETs are. However, comments and observations from reputable bodies including Gartner and NSS Labs corroborate that the AET is a present, live threat that should be taken very seriously. That said, let us also be clear that an AET follows no rigid rules beyond those set by the imagination of its creator. The AET may be defined as:
Mechanisms by which a known attack is given an altered profile that cloaks its recognised signature or condition from external and/or internal protective security devices and applications, in order to circumvent detection.
In other words, a security device loaded with the latest detection signature for a known threat, say Conficker, may still declare the traffic safe even though that very threat is present: the signature describes the attack in its original form, and the altered form never matches it.
This risk is compounded by the fact that perimeter security devices are busy beasts. Under load they may not have the time to perform full, real-time deep inspection (reassembling streams and decoding every layer before matching), and an attacker can deliberately exploit that shortfall.
To some extent, the profile of the AET may have been with us for some years, but never recognised in that guise. Going back to the Virus Bulletin Conference in Amsterdam in 1993, I found myself being nervously thrust in front of an audience to present a paper on encapsulated threats. In a nutshell, the presentation demonstrated how an active known virus could be buried inside multi-layered attachments, which could then bypass deployed perimeter security checks and thus gain access to the softer inside of the enterprise. In some shape, this could be argued to be a simple and early profile of an AET.
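The definition above, and the 1993 multi-layered attachment demonstration, can be made concrete with a small added illustration. The following Python is example code written for this page; it is not code from the original post, from a vendor product or from any real IDS. The signature string, the "attack" string and the evasion transformations are all constructed stand-ins. It shows a signature engine that matches bytes exactly as they arrive on the wire (plus a "busy" variant that inspects only a fixed budget of each segment) missing the same known attack once it is fragmented, buried under gzip/base64 layers or pushed past the inspection budget, and the same signature catching all three once the engine reassembles the stream and peels each encoding layer before matching.

```python
"""Added illustration for this page (not code from the original post or any product):
a signature engine that matches bytes as seen on the wire, versus the same engine
after it reassembles and decodes before matching.

All inputs are constructed: SIGNATURE stands in for a real IDS rule and ATTACK is
harmless text carrying that marker.
"""
import base64
import binascii
import gzip

# Constructed stand-in for the byte pattern a signature rule looks for.
SIGNATURE = b"EVIL_PAYLOAD_MARKER"
# Constructed carrier request with the marker embedded in it.
ATTACK = b"GET /index.html?q=" + SIGNATURE + b" HTTP/1.1\r\n"


def naive_match(segment: bytes) -> bool:
    """Match the signature against one segment exactly as it arrived."""
    return SIGNATURE in segment


def budgeted_match(segment: bytes, budget: int) -> bool:
    """A busy device that only has time to inspect the first `budget` bytes."""
    return SIGNATURE in segment[:budget]


# ---- evasion: give the known attack an altered profile ----

def fragment(data: bytes, size: int) -> list:
    """Split the stream so the marker never sits whole inside one segment."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def encapsulate(data: bytes, layers: int = 2) -> bytes:
    """Bury the payload under alternating gzip and base64 layers."""
    for i in range(layers):
        data = gzip.compress(data) if i % 2 == 0 else base64.b64encode(data)
    return data


# ---- normalising detection: reassemble, then peel layers before matching ----

def peel_layers(data: bytes, max_depth: int = 8) -> list:
    """Return every view of `data` obtained by repeatedly undoing gzip or base64."""
    views = [data]
    for _ in range(max_depth):
        cur = views[-1]
        if cur[:2] == b"\x1f\x8b":  # gzip magic bytes
            try:
                views.append(gzip.decompress(cur))
                continue
            except (OSError, EOFError):
                pass
        try:
            decoded = base64.b64decode(cur, validate=True)
        except (binascii.Error, ValueError):
            break  # not an encoding we recognise; innermost view reached
        if not decoded:
            break
        views.append(decoded)
    return views


def normalising_match(segments: list, max_depth: int = 8) -> bool:
    """Reassemble the segments, then match the signature against every decoded view."""
    stream = b"".join(segments)
    return any(SIGNATURE in view for view in peel_layers(stream, max_depth))


def demo() -> dict:
    """Run each evasion against the naive engine and the normalising engine."""
    results = {}
    # 1. Plain attack: both engines see it.
    results["plain_naive"] = naive_match(ATTACK)
    results["plain_normalising"] = normalising_match([ATTACK])
    # 2. Fragmented into 8-byte segments: the 19-byte marker straddles boundaries.
    frags = fragment(ATTACK, 8)
    results["fragmented_naive"] = any(naive_match(s) for s in frags)
    results["fragmented_normalising"] = normalising_match(frags)
    # 3. Encapsulated: gzip inside base64, so the marker bytes never appear.
    wrapped = encapsulate(ATTACK, layers=2)
    results["encapsulated_naive"] = naive_match(wrapped)
    results["encapsulated_normalising"] = normalising_match([wrapped])
    # 4. Busy device: attacker pads the front so the marker lies past the budget.
    padded = b"X" * 1024 + ATTACK
    results["padded_budgeted"] = budgeted_match(padded, budget=512)
    results["padded_normalising"] = normalising_match([padded])
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} {'DETECTED' if hit else 'missed'}")
```

The peel step is where the cost lives: every layer decoded is extra CPU and memory per stream, which is precisely the budget a busy perimeter device runs out of, and precisely why an attacker adds layers.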
No matter the definition or the individual opinions security professionals may have, I am convinced that the threats posed by the AET are very real. Therefore, in addition to looking for technological solutions that are maintained at the cutting edge of their detection capabilities to attempt to counter and mitigate these threats, we also need to over-indulge in a little more situational awareness, and start to leverage the rich resources offered by our professional association with ISACA, which can provide thought-provoking information to underpin the mission of delivering a secure operational enterprise.
John Walker, CISM, FBCS, CITP, MFSSoc, A.IISP
Chief Technology Officer at Secure-Bastion