Evasion is the set of techniques by which malware, or the attacker behind it, bypasses security controls without being detected and goes on to exploit the target successfully. The term derives from the Latin "evadere", meaning to escape or to get away undetected.
Incident responders and detection engineers can study the techniques used for evasion and use that knowledge to find and close the gaps in their own security controls.
Classification of Evasion techniques
We often see different types of files and methods that bypass or evade detection, most commonly the detections of EDR (Endpoint Detection and Response) tools. The classification below describes the different ways that evasion happens.
Detections are usually built on a particular strategy or methodology for identifying malware, and they look at specific parameters such as the command line, the execution path, the binary itself and a few more. No detection is bulletproof: there are many strategies an attacker can use against a target, and every detection has gaps in what it covers. Attackers look for those uncovered gaps and use them. Evasion that exploits the gaps in the detection logic is called logical evasion.
Logical evasion occurs in two scenarios:
Intentional logical evasion – the adversary deliberately finds and exploits the gaps in the detection logic.
Unintentional logical evasion – the attacker's activity slips past the control not by design but because the detection engineer implemented it with gaps that were never noticed.
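As an added example (not part of the original post), the following Python shows the kind of logic gap described above: a rule that matches a literal command-line string, the trivial variants that slip past it, and a hardened rewrite that normalises the image name and command line before matching. The process-creation events, the service name and the paths are constructed for illustration and are not real telemetry.

```python
import ntpath
import re

# Constructed process-creation events, shaped like an EDR would record them:
# the image path plus the full command line. IDs are for the examples below.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create evilsvc binPath= C:\temp\x.exe"},            # textbook form
    {"id": 2, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"SC CREATE evilsvc binPath= C:\temp\x.exe"},                # different casing
    {"id": 3, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc   create evilsvc binPath= C:\temp\x.exe"},              # no .exe, extra spaces
    {"id": 4, "image": r"C:\Users\bob\sc.exe",
     "cmdline": r'"C:\Users\bob\sc.exe" create evilsvc binPath= C:\temp\x.exe'},  # quoted full path
    {"id": 5, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query evilsvc"},                                    # benign query
    {"id": 6, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo sc.exe create"},                           # literal inside echo
]


def naive_rule(event):
    """Detection with a logical gap: an exact, case-sensitive substring match.

    It fires on event 1 and on the harmless echo in event 6, and misses
    events 2, 3 and 4 even though all of them create the same service.
    """
    return "sc.exe create" in event["cmdline"]


# Leading token (quoted path or bare word) followed by the 'create' verb.
CREATE_RE = re.compile(r'^(?:"[^"]*"|\S+) create\b', re.IGNORECASE)


def hardened_rule(event):
    """Same intent, with the gaps closed.

    Key on the basename of the image rather than on command-line text, fold
    case, and collapse whitespace before matching the verb.
    """
    image = ntpath.basename(event["image"]).lower()
    if image != "sc.exe":
        return False
    cmdline = " ".join(event["cmdline"].split())
    return CREATE_RE.search(cmdline) is not None


def evaluate(rule, events):
    """Return the sorted IDs of the events a rule fires on."""
    return sorted(e["id"] for e in events if rule(e))


if __name__ == "__main__":
    print("naive rule fires on:   ", evaluate(naive_rule, EVENTS))
    print("hardened rule fires on:", evaluate(hardened_rule, EVENTS))
```

The hardened rule is still not bulletproof, which is the point of the paragraph above: an attacker who copies sc.exe under another name, or who calls the service-creation API directly from their own code, never produces an image named sc.exe. Keying on the PE's original file name (Sysmon records it as OriginalFileName) closes the rename gap; the API case needs a different data source, such as service-installation events from the host.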
A second type of evasion arises when the context needed to classify a dataset cannot be applied, or when the activity is hard to tell apart from "normal" behaviour. This is called classification evasion.
Here the detection is unable to gather the information it needs to classify the activity and raise the alert.
For example: you are waiting to see whether a particular service was created remotely, but no network data has been collected. The activity blends in with normal behaviour and the alert is closed as a false positive.
When an analyst triages the available data and must decide, on that data alone, whether to escalate or close an alert, the time this takes can be exploited. This is called temporal evasion.
Because alert volumes are high, the attacker has time to finish the activity, clear its traces and move on to the next step before anyone responds; the attacker completes a task faster than the defenders can remediate the alerts it triggered.
For example: the security controls raised an alert on the attack, but the analysts did not have enough time to stop and remediate it before it succeeded.
When the analyst lacks the knowledge or skill to investigate an alert properly, the attacker uses that opportunity to extend the attack across the target network. Closing this gap requires both investigation and response knowledge, so this is called technical evasion.
For example: an alert reports a suspicious binary on an infected host, but the analyst lacks the knowledge and skill to determine whether it is actually malware and to stop its execution if it is.
When the methodology itself gives the attacker further opportunities to evade, because some part of the process (alert logic, investigation or response, triage, criticality assessment or data collection) is broken, a control has failed, an infected host is offline, and so on, the alert is never identified. This is called procedural evasion.
For example: a sensor fails while parsing logs, or the transfer of logs from a critical device to the central system (the SIEM) that would trigger the alert stops working. The detection process fails and the attacker evades the control.
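As an added example (not part of the original post), the following Python implements the check a detection engineer would want against the failure mode just described: it flags expected log sources that have gone quiet, or that never reported at all, so that a broken sensor or a stalled log transfer raises its own alert instead of silently blinding the SIEM. The source names, arrival timestamps and threshold are constructed for the example.

```python
from datetime import datetime

# Log sources the SIEM is supposed to receive events from.
# Constructed names, not taken from any real environment.
EXPECTED_SOURCES = {"dc01-security", "fw-edge", "edr-agents", "proxy"}

# Constructed event arrivals: (source, ISO timestamp when the SIEM received it).
# "edr-agents" stopped forwarding at 09:20 and "proxy" never reported at all.
ARRIVALS = [
    ("dc01-security", "2024-03-01T10:00:05"),
    ("fw-edge",       "2024-03-01T10:00:10"),
    ("edr-agents",    "2024-03-01T09:20:00"),
    ("dc01-security", "2024-03-01T10:04:30"),
    ("fw-edge",       "2024-03-01T10:04:50"),
]


def last_seen_per_source(arrivals):
    """Return {source: latest arrival time} from the raw arrival list."""
    seen = {}
    for source, ts in arrivals:
        t = datetime.fromisoformat(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(arrivals, expected, now_iso, max_gap_minutes):
    """Flag expected sources that are silent at time `now_iso`.

    Returns {source: minutes_silent} for sources quiet longer than
    max_gap_minutes, with None for a source that has never sent anything.
    Sources that reported within the window are not returned.
    """
    now = datetime.fromisoformat(now_iso)
    seen = last_seen_per_source(arrivals)
    silent = {}
    for source in sorted(expected):
        if source not in seen:
            silent[source] = None
            continue
        minutes = int((now - seen[source]).total_seconds() // 60)
        if minutes > max_gap_minutes:
            silent[source] = minutes
    return silent


if __name__ == "__main__":
    # Run the check as if it fired on a 15-minute schedule at 10:05.
    result = silent_sources(ARRIVALS, EXPECTED_SOURCES, "2024-03-01T10:05:00", 15)
    for source, minutes in result.items():
        state = "never reported" if minutes is None else f"silent for {minutes} min"
        print(f"ALERT log source {source}: {state}")
```

The threshold has to be chosen per source: a domain controller's security log is never quiet for fifteen minutes, while a proxy in a small office might legitimately be. A source that goes silent exactly when an incident starts is worth treating as part of the incident, not as an operational nuisance.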
If all the evasion types described above are considered and correlated together when looking for an intrusion, the organisation can identify the activity as a true positive despite the evasion attempts, take the necessary actions and mitigate the incident.
It is important to share this common terminology so that the SOC, threat hunting, the red team and the blue team can detect and mitigate malware, intrusions and alerts consistently.