Industry Trends

Evasion Techniques: How Cyber Criminals Go Unnoticed

By Derek Manky | November 08, 2019

Cybercriminals and security teams have a long adversarial history, each working to outsmart the other. As security software has improved its ability to detect and quash common threats, cyber criminals have developed a different approach: evading detection in the first place.

What Are Evasion Techniques, and How Do Cyber Criminals Use Them?

As security solutions have become more advanced, so too have cybercriminals’ evasion techniques. In simple terms, evasion techniques are practiced by cybercriminals to help avoid detection. Two of these techniques are obfuscation and anti-analysis practices, and they have recently become more sophisticated than ever.

Obfuscation and Anti-Analysis Practices

Based on information uncovered in Fortinet’s Q2 2019 Threat Landscape Report, there are several examples of how cyber criminals use evasion tactics to minimize detection.    

Anti-analysis techniques were used in a recent campaign in Japan, in which a phishing email was circulated with a weaponized Excel document attachment containing a malicious macro. This macro disabled security tools and executed commands using an undocumented infiltration technique, which meant standard threat detection was useless against it.

Another example of an anti-analysis technique was seen in a variant of the Dridex banking Trojan. This Trojan changed file names and hashes each time someone in the affected system logged in, making it virtually impossible to spot the malware with traditional threat detection measures. Researchers also discovered an attack focused on the financial space, known as AndroMut. AndroMut used sandboxing and emulator verification, as well as debuggers to target employees at financial institutions. 

In addition to anti-analysis techniques, cyber criminals are achieving their goals by developing increasingly stealthy infostealers to gather data from connected devices. One particularly impressive infostealer was Zegost. Zegost’s creators designed it to be low-observable, with functions that enable evasion - this includes the clearing of application, security, and system event logs.

These few examples are grim reminders that systems need multi-layered defenses and behavior-based threat detection in order to stay on top of cyber criminals’ latest evasion techniques.

Five Ways to Stay Ahead of Advanced Evasion Techniques

As IT and security teams adapt their security strategies to keep pace with these new sophisticated attack strategies, they must keep these five best practices in mind.

  1. Take inventory of everything across your network. Pinpoint vulnerable systems, patch or replace older ones that no longer have support, add proximity controls for systems that can’t be upgraded, and upgrade your security tools to include asset tracking and monitoring.
  2. Stay abreast of anti-analysis and other trends. IT must maintain a current risk analysis strategy that covers redundant systems, includes off-site storage of backups, and the ability to cordon off segments of the system once an attack is detected.
  3. Practice segmentation. Segmenting your networks, especially IoT systems, is sound security practice. Managers should use device authentication and network access control to automatically separate devices from the production network until they are secured. Create checkpoints that assess for anomalous behavior as traffic passes between network segments.
  4. Automatically correlate threat data. Automation is key for evaluating threat intelligence and conducting event correlation in order to stop an attack before it makes a full impact – such as stealing data or delivering a payload.
  5. Perform deep inspection of encrypted traffic. Encrypted data and unstructured data (like that collected from IoT devices) require more processing power in order to inspect the information. Many security tools aren’t powerful enough to inspect encrypted data without significantly impacting performance. These systems should be upgraded to ensure malware does not sneak through as encrypted traffic.

Final Thoughts

Cyberattacks are evolving due to the development of advanced evasion techniques designed to help cyber criminals fly under the radar. To protect critical data assets and services, security teams must start by working to understand these new types of anti-evasion risks. They must then implement best practices and solutions to not only defend against these recent attacks, but also select adaptable technologies that can address those that have yet to be discovered.

Learn about how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.