The Evader story
1. How did it all start?
In 2007, a small group from Stonesoft R&D started collecting information on evasive hacking. The goal was to improve Stonesoft's own products, so they went through academic papers, conference presentations and public hacking tools, and met with knowledgeable individuals.
They learned a lot, but many questions remained open. In 2008, Stonesoft R&D started to experiment with these ideas in practice, using the very same knowledge and tools available to attackers. They were surprised at how well old evasion ideas still worked, easily bypassing Stonesoft's own security devices.
This was a real eye-opener for the Stonesoft engineers, and everyone at the company wanted to dig deeper. By 2009, Stonesoft had been doing evasion research for a while but was only just starting to redesign its own products. The updated products still failed in some public tests.
2. Breakthrough for the dedicated AET team
By late 2009, there was a dedicated team to accelerate testing and research work. Soon it became clear that manual testing was limited and slow. The team then developed comprehensive in-house software to automate testing and expanded the research across new protocols and the whole network stack. And the earliest incarnation of Evader was born.
It was a breakthrough in evasion research, and significant for the whole security industry. We were able to run a huge number of test runs daily and apply several evasions simultaneously on multiple network layers and protocols, creating, modifying, combining and tweaking new evasions, which is what we now call Advanced Evasion Techniques (AETs). This was the discovery of a whole new generation of evasive hacking techniques. The number of working evasion techniques, once combinations were counted, had suddenly risen from dozens to millions and beyond.
3. All leading devices totally blind to AETs
The discovery that you can easily create a new advanced evasion was intriguing from a security technology point of view. Stonesoft R&D thought they could not be the only ones struggling with this, so they acquired all the leading security devices and installed them in the lab for testing. The results were astonishing. Nearly all the devices were not only incapable of detecting and blocking exploits once AETs were used; they were totally blind. A well-known exploit hidden behind a simple evasion went straight through without leaving any trace.
In June 2010, Stonesoft reported this and sent 23 samples through the CERT vulnerability coordination process to all network security vendors. Not one responded satisfactorily. In October 2010, Stonesoft decided to go public with the information about AETs, because the issue needed to be addressed by the wider security community and customers needed to know. There was still no vendor response.
In 2011, we sent more samples (124, then a further 180) to CERT, and AETs started to get more attention in public discussion. Some academic researchers, test labs, analysts and forensic scientists validated AETs as real. But there was still no vendor response.
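To make the two observations above concrete (a single simple evasion hiding a well-known exploit from a device, and the number of working evasions multiplying once evasions are combined), here is a small added illustration. It is not Evader code and not Stonesoft's method; the exploit request, the signature, the evasion names and the two toy detectors are all constructed for this example. It models only transport-layer re-segmentation and reordering and assumes segments never overlap; real AETs also exploit overlap and host-specific reassembly ambiguities, which a matcher has to resolve the same way the target host does.

```python
"""Added illustration: a per-packet signature matcher versus a stream-reassembling
one, run against chains of simple TCP-level evasions.  All data is constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed stand-in for a well-known exploit request and the byte
# signature an IPS would match on.  Hypothetical names, not a real CVE.
EXPLOIT = b"GET /cgi-bin/vuln.cgi?cmd=EXPLOIT_PAYLOAD HTTP/1.0\r\n\r\n"
SIGNATURE = b"cmd=EXPLOIT_PAYLOAD"


@dataclass
class Segment:
    """One TCP segment: sequence offset relative to stream start, plus payload."""
    seq: int
    data: bytes


def send_plain(payload: bytes) -> List[Segment]:
    """No evasion: the whole request in a single segment."""
    return [Segment(0, payload)]


def evasion_split(segments: Sequence[Segment], chunk: int) -> List[Segment]:
    """Transport-layer evasion: re-segment so no segment holds the whole signature."""
    out: List[Segment] = []
    for s in segments:
        for off in range(0, len(s.data), chunk):
            out.append(Segment(s.seq + off, s.data[off:off + chunk]))
    return out


def evasion_reverse(segments: Sequence[Segment]) -> List[Segment]:
    """Transport-layer evasion: deliver segments out of order (here, reversed)."""
    return list(reversed(segments))


# Evasion menu (hypothetical names).  Real tools offer far more options, e.g.
# IP fragmentation, overlapping segments and application-layer encodings;
# three are enough to show how chains multiply.
EVASIONS: Dict[str, Callable[[Sequence[Segment]], List[Segment]]] = {
    "split8": lambda segs: evasion_split(segs, 8),
    "split1": lambda segs: evasion_split(segs, 1),
    "reverse": evasion_reverse,
}


def apply_chain(payload: bytes, chain: Tuple[str, ...]) -> List[Segment]:
    """Apply the named evasions in order, producing the segments seen on the wire."""
    segs = send_plain(payload)
    for name in chain:
        segs = EVASIONS[name](segs)
    return segs


def detect_per_packet(segments: Sequence[Segment], sig: bytes = SIGNATURE) -> bool:
    """Naive IPS: matches each segment independently, with no stream reassembly."""
    return any(sig in s.data for s in segments)


def detect_reassembled(segments: Sequence[Segment], sig: bytes = SIGNATURE) -> bool:
    """Stream-aware IPS: rebuild the byte stream the host will see, then match.
    Assumes non-overlapping segments; gaps are zero-filled."""
    buf = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[s.seq:end] = s.data
    return sig in bytes(buf)


def all_chains(names: Sequence[str], max_len: int) -> List[Tuple[str, ...]]:
    """Every ordered chain of up to max_len evasions, the empty chain included."""
    chains: List[Tuple[str, ...]] = [()]
    for n in range(1, max_len + 1):
        chains.extend(product(names, repeat=n))
    return chains


def blind_chains(detector: Callable[[Sequence[Segment]], bool],
                 chains: Sequence[Tuple[str, ...]]) -> List[Tuple[str, ...]]:
    """Chains for which the detector never fires, i.e. successful evasions."""
    return [c for c in chains if not detector(apply_chain(EXPLOIT, c))]


if __name__ == "__main__":
    chains = all_chains(list(EVASIONS), 2)
    for name, det in (("per-packet", detect_per_packet),
                      ("reassembled", detect_reassembled)):
        blind = blind_chains(det, chains)
        print(f"{name}: blind to {len(blind)} of {len(chains)} chains: {blind}")
```

With three evasions and chains of length up to two there are 13 chains; the per-packet matcher fires only on the empty chain and on reorder-only chains, so it is blind to 10 of the 13, while the reassembling matcher catches all of them. Adding evasion options or allowing longer chains grows the count of working combinations multiplicatively, which is the "dozens to millions" effect described above; the hard part in a real product is the reassembly policy, since a detector must reconstruct the stream exactly as the target host will.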
4. Evader signifies the time for action against AETs
Today we have reached a situation where the pressure in our field is simply too great. News of recent major breaches and cyber criminals' successes has us all seriously concerned. Meanwhile, our industry is not telling the whole story: 35% of recent cyber attacks against large organizations are reported to involve an unknown attack vector.
For Stonesoft, it is a matter of responsibility and integrity to make Evader, the ready-made AET test lab – and our knowledge of Advanced Evasion Techniques – available for everyone in cyber defense.