APTs Way: Evading Your EBNIDS

Presented at Black Hat Europe 2014, Oct. 16, 2014, 10:15 a.m. (60 minutes).

APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature-based IDSes are not effective against nation-state-sponsored attackers, who use custom shellcode encoders in their exploits. Emulation-based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. An EBNIDS first flags a suspicious network stream (pre-processing), then converts it into an emulate-able byte sequence and runs it in an instrumented environment (emulation), and finally matches the observed behavior against certain heuristics (heuristic detection). In this talk, we will present novel ways that an APT might use to circumvent the pre-processing, emulation and heuristic-detection steps of EBNIDSes by employing a wide range of evasion techniques.
Presenters:

  • Ali Abbasi - University of Twente, Distributed and Embedded System Security Group
    Ali Abbasi is a PhD candidate in the Distributed and Embedded System Security group at the University of Twente, Netherlands. His research interests involve embedded systems security, mostly related to Industrial Control Systems and Critical Infrastructure Protection. He received his master's degree in Computer Science from Tsinghua University, Beijing, China, in 2013. He worked there on Programmable Logic Controller (PLC) security in the Network Security Lab, Microprocessor and SoC Technology R&D center, with a National 863 High Tech Program grant from the Ministry of Industry and Information Technology of China. He was also involved in various cyber security projects with China CERT. He is currently involved in the CRISALIS European Union project (FP7) on Critical Infrastructure Protection at the University of Twente. At the same time, he is working on project AVATAR for on-the-fly detection and containment of unknown malware and Advanced Persistent Threats. Before that, Ali was Head of the Vulnerability Analysis and Penetration Testing Group at the National Computer Security Incident Response Team at Sharif University of Technology in Tehran, Iran.
  • Jos Wetzels - University of Twente
    Jos Wetzels is a Research Assistant with the Services, Cyber Security and Safety research group at the University of Twente. He currently works on projects aimed at on-the-fly detection and containment of unknown malware and Advanced Persistent Threats, where he focuses on malware analysis, intrusion detection, and evasion techniques. He has assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years.
