Network Evasion

By N0H4TS

Aug 30, 2022

What is Defense Evasion?

Defense Evasion is a tactic that an adversary applies to try to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Taken from MITRE ATT&CK

Why Evasion is Being Used

Evasion is used when attackers seek to carry out malicious operations while remaining undetected.

From an attacker’s point of view, this is crucial for achieving their objectives. Staying under the radar allows the attacker to potentially access the system at any given time without alerting the defenders.

The Importance of Understanding Evasion

For defenders, understanding how an attacker might use Evasion can be beneficial in helping them spot different evasion strategies when they are used against them.

Through the use of security tools, defenders can increase their chances of detecting Evasion techniques and suspicious activities.

Tools Used for Detection

Intrusion Detection System (IDS)

  • An IDS is a monitoring tool used to detect suspicious traffic and activity on a network.
  • Uses rule-based (signature) matching against the traffic it sees
  • Alerts users about the network activity that was flagged
  • It is usually attached to a switch or router port that mirrors (SPAN/TAP) the traffic into the IDS
  • Some open-source IDS tools include Snort, Suricata and the Security Onion distribution

Intrusion Prevention System (IPS)

  • An IPS has similar functionality to an IDS
  • It can additionally block/drop incoming connections/packets based on the configured rule sets

There are two ways of blocking incoming connections/packets:

  • Immediately when IPS captures the traffic
  • Alert the user and prompt to see if the incoming traffic should be blocked/dropped

Firewall

  • Firewalls are the first line of defence against suspicious network traffic.
  • Firewalls are relevant to both endpoint and network evasion, depending on where the firewall is installed (host-based or network)
  • For network evasion, the relevant firewall is usually placed where traffic enters the network, before it reaches the router/switch
  • Security policies can be configured to limit which network traffic is allowed through
  • Unlike an IDS, a basic firewall enforces policy rather than alerting the user about network activity

Evasion Methods

Packet Fragmentation

Network packets are fragmented during transmission in order to evade the detection mechanisms on the receiving end of the infrastructure. The purpose of packet fragmentation is to hide the malicious payload of the actual packet itself. Depending on the OS version, unpatched versions may not implement security-focused logic to reassemble the fragments and check the reassembled packet.

  • Used to evade both IDS and IPS monitoring tools
  • Most IDS and IPS have a timer for receiving and piecing together the fragmented packets.
  • If the timer is too short, detection by the IDS/IPS can be bypassed by sending the remaining fragments after the timer has expired
  • Instead of sending the whole payload to the target, it is split into smaller portions. Example: payload = “GET /etc/passwd”; fragment one = “GET /et”; fragment two = “c/passwd”

For example, if the IDS timer is only 5 seconds:

  • Send fragment one of the payload
  • Wait 5 seconds, then send fragment two of the payload
  • The IDS captures the first fragment and the second fragment as separate packets. It will not piece the two fragments together, because by the time the second one arrives it has already dropped the first.
  • If the IDS has a longer timer (e.g. 10 seconds), it will be able to piece the payload together and detect the attack.
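The timer scenario above, replayed in code from the detector's side. This is an added example, not code from the N0H4TS post: a toy IDS-style reassembler that buffers fragments per flow, discards a partial payload once its reassembly timeout has elapsed, and matches the article's “GET /etc/passwd” signature against both single fragments and the reassembled payload. The flow key, timestamps and fragment layout are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Signature an IDS would match on, taken from the article's example payload.
SIGNATURES = [b"GET /etc/passwd"]


@dataclass
class Fragment:
    flow: str             # flow key, e.g. "src:port->dst:port" (constructed)
    offset: int           # byte offset of this piece in the original payload
    data: bytes
    ts: float             # arrival time in seconds
    more_fragments: bool  # False on the last piece, like the IP "MF" flag


@dataclass
class PartialPayload:
    first_seen: float
    pieces: dict[int, bytes] = field(default_factory=dict)
    total_len: int | None = None  # known once the final piece has arrived


class FragmentReassembler:
    """Minimal IDS-style reassembler with a per-flow reassembly timeout."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self.partials: dict[str, PartialPayload] = {}
        self.alerts: list[str] = []

    @staticmethod
    def matches(payload: bytes) -> bool:
        return any(sig in payload for sig in SIGNATURES)

    def ingest(self, frag: Fragment) -> bool:
        """Feed one fragment; return True if this fragment produced an alert."""
        partial = self.partials.get(frag.flow)
        # A stale partial reassembly is discarded once the timer has elapsed,
        # so the earlier fragment is already gone when a late one arrives.
        if partial is not None and frag.ts - partial.first_seen >= self.timeout:
            del self.partials[frag.flow]
            partial = None
        if partial is None:
            partial = PartialPayload(first_seen=frag.ts)
            self.partials[frag.flow] = partial
        partial.pieces[frag.offset] = frag.data
        if not frag.more_fragments:
            partial.total_len = frag.offset + len(frag.data)

        # Per-fragment inspection: neither "GET /et" nor "c/passwd" matches alone.
        if self.matches(frag.data):
            self.alerts.append(f"{frag.flow}: signature in single fragment")
            return True

        assembled = self._assemble(partial)
        if assembled is not None:
            del self.partials[frag.flow]
            if self.matches(assembled):
                self.alerts.append(f"{frag.flow}: signature in reassembled payload {assembled!r}")
                return True
        return False

    @staticmethod
    def _assemble(partial: PartialPayload) -> bytes | None:
        """Return the full payload only when every byte up to the final piece is present."""
        if partial.total_len is None:
            return None
        out = b""
        for offset in sorted(partial.pieces):
            if offset != len(out):  # gap or overlap: not complete yet
                return None
            out += partial.pieces[offset]
        return out if len(out) == partial.total_len else None


def run_scenario(ids_timeout: float, wait_seconds: float) -> bool:
    """Replay the article's scenario: 'GET /et' at t=0, 'c/passwd' after wait_seconds.
    Returns whether the IDS alerted on the second fragment."""
    ids = FragmentReassembler(timeout=ids_timeout)
    flow = "10.0.0.5:41000->10.0.0.9:80"  # constructed endpoints
    first = Fragment(flow, 0, b"GET /et", ts=0.0, more_fragments=True)
    second = Fragment(flow, len(first.data), b"c/passwd", ts=wait_seconds, more_fragments=False)
    ids.ingest(first)
    return ids.ingest(second)


if __name__ == "__main__":
    print("5 s timer, 5 s wait :", "alert" if run_scenario(5, 5) else "missed")
    print("10 s timer, 5 s wait:", "alert" if run_scenario(10, 5) else "missed")
```

With a 5-second timer the second fragment arrives after the first has been discarded and nothing matches; with a 10-second timer the payload is reassembled and the signature fires. The practical check for a defender is that the sensor's reassembly timeout (Snort and Suricata both expose one in their fragment-reassembly configuration) is at least as long as the timeout of the hosts it protects, so that the sensor never gives up on a payload the target will still accept.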

Timing Attacks

Timing attacks work by increasing or decreasing the speed of a scan.

For example, when using nmap to scan a network, the attacker can specify the ‘T0’ (paranoid mode) option, which makes the scan slower, but allows evasion of certain network defences. By default, nmap runs using the ‘T3’ speed.
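Seen from the detection side, slowing a scan matters because most scan detectors count how many distinct ports a source touches within a time window. The following is an added example, not code from the post or from nmap: a window-based scan detector run over a constructed connection log. The IP addresses, the log format and the 0.1-second interval standing in for a default-speed scan are assumptions; the 300-second interval corresponds to nmap's documented behaviour of waiting five minutes between probes at ‘T0’.

```python
from collections import defaultdict

# Constructed log format: "<epoch_seconds> <src_ip> <dst_ip>:<dst_port>"
def make_probe_lines(src: str, dst: str, start: float, interval: float, ports: list) -> list:
    """Build one log line per probed port, spaced `interval` seconds apart."""
    return [f"{start + i * interval:.1f} {src} {dst}:{p}" for i, p in enumerate(ports)]


PORTS = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445]

# Hypothetical source/target addresses. 0.1 s stands in for a default-speed scan;
# 300 s matches nmap's documented -T0 wait of five minutes between probes.
FAST_SCAN = make_probe_lines("203.0.113.7", "10.0.0.9", 1000.0, 0.1, PORTS)
SLOW_SCAN = make_probe_lines("198.51.100.3", "10.0.0.9", 1000.0, 300.0, PORTS)


def parse_line(line: str):
    """Return (timestamp, src, dst_host, dst_port) from one constructed log line."""
    ts, src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return float(ts), src, host, int(port)


def scanning_sources(lines: list, window_seconds: float, threshold: int) -> set:
    """Sources that touched >= threshold distinct (host, port) pairs within any window."""
    events = defaultdict(list)
    for line in lines:
        ts, src, host, port = parse_line(line)
        events[src].append((ts, (host, port)))

    flagged = set()
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window_seconds:
                start += 1
            distinct = {target for _, target in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    log = FAST_SCAN + SLOW_SCAN
    print("60 s window  :", scanning_sources(log, 60, 10))    # only the fast scanner
    print("1 h window   :", scanning_sources(log, 3600, 10))  # both scanners
```

With a 60-second window and a threshold of 10 ports, only the fast scanner is flagged; the slow one never has more than one probe inside any window. Widening the window to an hour catches both, at the cost of more false positives from legitimate hosts that contact many ports over a long period, which is why slow-scan detection in practice also relies on longer-term per-source state rather than a single short window.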

Conclusion

The different evasion techniques show us that hackers are constantly developing new, harmful ways to target our networks and systems. Attacks are now primarily carried out by Advanced Persistent Threat (APT) hackers. In the event of an evasion attack, it is crucial to perform damage control. One way to do this is by implementing intent-based network segmentation, which ensures that the damage is contained to a particular network segment.

Here’s a little shoutout to our N0H4TS members:

  1. Gabriel, for writing the blogpost
  2. Josh, for writing the blogpost
  3. Min, for writing the blogpost

References

  1. MITRE ATT&CK Evasion
  2. NordVPN
