Tuesday, 15 October 2013

Historical Tour Of IDS Evasion

DeepSEC 2013 - Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities – Arron 'f1nux' Finnon


Never let it be said that I don't know how to flog a dead horse! In fact, if flogging a dead horse was an Olympic sport you'd all be calling me 'Sir Finux' by now! The problem is that this dead horse seems to have come straight from the pages of some sort of zombie story. No matter how many times you think NIDS/NIPS, or whatever the vendors' marketing departments call them nowadays, is dead, this dead horse isn't dead; it's alive, well, and worth big money. I'm not talking small sums of money like hip-hop stars are used to, I mean mega bucks, the kind vendors are used to. So maybe in the end I’m not flogging a dead horse after all, maybe I’m flogging a cash cow!

The worrying thing is, I’ve spent years talking about this stuff. I know deep down I’m like a typecast actor, only good for playing the geek roles, in this case the detection geek! What can I say though, I’m one of those geeks that loves detection. It is an interesting challenge that is both rewarding and complex. I've lost count of the number of times I have spoken about network detection and the really sad testament to the NIDS/NIPS industry. In the long and fruitful journey of the NIDS/NIPS industry’s life, I am just the proverbial 5 minutes before midnight on the doomsday clock.

You see, I’ve talked a lot about effective NIDS/NIPS testing, about building methodologies and standards that everyone interested in network defence technology can utilise to make them, well, better. One of the interesting comments I hear regularly about this is: "Don't you think we run the risk that the IDS industry will become like the Anti-Virus industry?" Well, I always answer this question the same way: which industry do you think came first? NIDS/NIPS have been around for a very long time. That's not to say the AV market is new or anything, but people tend to be genuinely surprised to find out NIDS/NIPS is older.

My DeepSEC talk looks at the history of NIDS/NIPS, but more importantly, the history of failing. Now look, yes, of course I’m going to do some vendor bashing, why change a habit of a lifetime! More importantly though, it is about recognising what has gone wrong, how this can be addressed, and what we can expect from the future. Because in the end, I have been told three things every year since I’ve been involved in security: next year will be the year of the Linux Desktop; next year we will run out of IPv4 address space; and NIDS/NIPS will be dead next year. Each year none of those things have played out as expected.

On a personal note, I would like to add this. It is and always will be a great honour to speak at DeepSEC, and this year will mark my third. I intend for this to be a special occasion and invite you all to come and enjoy it!


Arron 'finux' Finnon
You can find out more about Arron's talk here: http://deepsec.net/speaker.html#PSLOT132


If you want to learn more about testing NIDS/NIPS effectiveness, then come join us at DeepSEC in Vienna this year, where Arron Finnon and Gavin Ewan of Alba13 Research Labs will be showing what goes into making an effective and useful NIDS/NIPS assessment. We'll also be showing how enterprise threats can be managed and how you can build better detection. Find out more details here: http://deepsec.net/speaker.html#WSLOT96