How to use Trellix IPS to combat Advanced Evasion Techniques
Last Modified: 2024-01-17 14:07:49 Etc/GMT
Technical Articles ID: KB87308
Environment
Trellix Intrusion Prevention System (Trellix IPS)
Problem
In recent years, security analysts have reported a significant increase in attackers using advanced evasion techniques (AETs) to gain unauthorized entry into enterprise networks. AETs use concealed methods to penetrate target networks undetected and deliver malicious payloads. Using AETs, an attacker can split an exploit into multiple segments and bypass a traditional network security device. Once inside the network, the attacker can reassemble the code to launch malware and start advanced persistent threats (APTs) from a remote location.
Cause
Each AET is designed to use inherent features of a protocol to pass through the IPS undetected. An AET combines several known evasion methods into a new technique that is delivered over multiple network layers simultaneously. A few examples of such advanced evasions are as follows:
Solution
Trellix IPS products provide several mechanisms to perform advanced inspection on such traffic.
For example, chunked transfer encoding is an HTTP data transfer mechanism signalled by the Transfer-Encoding HTTP response header. This header is used in place of the Content-Length header that the protocol would otherwise require. Chunked transfer encoding supports sending dynamically generated content to clients without having to buffer it first. Because the payload is delivered in chunks, it can evade network inspection devices that examine each chunk on its own. To enable inspection of this traffic in your network, configure the Inspection Options in your Manager.
NOTE: Advanced Traffic Inspection is disabled by default and inspects traffic per interface or sub-interface.
You can also configure your IPS Sensor for other advanced traffic inspection such as the following:
For more details, see the chapter Advanced Traffic Inspection in the IPS Administration Guide for your version. See the "Related Information" section below for links.
We also recommend that you read article KB92003 - Combating Advanced Evasion Techniques.
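To illustrate the chunked transfer encoding evasion described above, the following Python example (added here; it is not Trellix code and not part of this article) parses a constructed chunked HTTP response and compares matching a signature against each chunk in isolation with matching after the chunks are reassembled. The response, the chunk contents and the signature string are all constructed for the example.

```python
import re

# Constructed sample: a chunked HTTP response whose reassembled body reads
# "<b>EVIL-PAYLOAD</b>", but no single chunk contains "EVIL-PAYLOAD".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\n<b>E\r\n"
    b"4;ext=1\r\nVIL-\r\n"   # chunk-size line carrying a chunk extension
    b"4\r\nPAYL\r\n"
    b"7\r\nOAD</b>\r\n"
    b"0\r\n\r\n"             # last-chunk followed by an empty trailer section
)

# Constructed pattern standing in for an IPS content signature.
SIGNATURE = re.compile(rb"EVIL-PAYLOAD")


def dechunk(raw: bytes) -> list:
    """Split an HTTP message into its chunks, validating every chunk-size line."""
    _, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    chunks, pos = [], 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop extensions
        pos = eol + 2
        if size == 0:
            return chunks            # trailers, if present, are not inspected here
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match the declared size")
        chunks.append(data)
        pos += size + 2


def seen_per_chunk(raw: bytes, pattern=SIGNATURE) -> bool:
    """Naive inspection: match the signature against each chunk in isolation."""
    return any(pattern.search(c) for c in dechunk(raw))


def seen_reassembled(raw: bytes, pattern=SIGNATURE) -> bool:
    """Reassemble the body first, then match: what chunked inspection must do."""
    return pattern.search(b"".join(dechunk(raw))) is not None
```

Per-chunk matching misses the signature while matching on the reassembled body finds it, which is why inspection of chunked traffic has to reassemble before it scans.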
That article documents AETs and the mechanisms that Trellix IPS uses to handle these evasions.
Workaround
Regularly patching the systems in your network provides protection against most attacks, including those that use AETs. An evasion only helps the attacker bypass the network security device; it does not make an attack succeed against a system that has been patched against the underlying vulnerability.
Related Information