Getty Images

Tip

7 common intrusion detection system evasion techniques

Malicious attackers use various evasion tactics to infiltrate networks without intrusion detection systems noticing. Learn what these techniques are and how to mitigate them.

Intrusion detection systems help enterprise cybersecurity teams monitor systems and workloads for suspicious activity. However, attackers can still penetrate networks and remain undetected for long periods using evasion techniques.

For more than two decades, IDSes have been a security must-have, helping identify anomalous activity and alerting admins of potential issues. Their later advancements, including automated actions, such as blocking suspicious network traffic, stopping malicious packets, and sending alerts and data to a SIEM or similar centralized platform, fortified their place in the security arsenal.

Yet malicious hackers have devised numerous ways to elude IDSes. Let's examine seven common IDS evasion techniques security teams should know about, as well as how to mitigate them.

1. Compromising trusted applications and infrastructure

End users tend to implicitly trust the applications they use and the infrastructure those applications run on. Attackers have developed techniques, such as fileless malware, to masquerade as trusted apps and services. Fileless malware lacks executable files, which makes it hard to detect. It is designed to take over and control trusted apps and services without the user noticing. The malware then installs keyloggers or Trojans and tries to steal login credentials. Because not all services and apps encrypt communications, attackers can easily insert malicious payloads to steal business-critical data.

2. Obfuscation

Cyberattackers design malware to confuse network security tools and penetrate networks unnoticed. This is known as obfuscation. For example, organizations use encryption obfuscation to protect data from being read by bad actors. Attackers use obfuscation to render a file's data or signature indecipherable, remove identifying metadata, insert useless code or alter file names. Obfuscated, the malware's code might appear innocuous to an IDS or static analysis tool and be allowed to pass through a scan without being revealed as malicious.

The 2019 SolarWinds supply chain attack involved obfuscation. Attackers used it to bypass security measures and insert backdoors into the SolarWinds Orion platform. The obfuscation techniques included faking activity, deleting programs after use and altering audit logs.

3. IP packet fragmentation

Packet fragmentation involves splitting packets into smaller fragments under the network's maximum size and reassembling them at their destination. While not necessarily a malicious process, attackers use packet fragmentation nefariously. For example, attackers know that IDSes often won't scan every network packet fragment because it expends a lot of computing and processing power. Attackers therefore send a slot of fragmented packets in hopes the IDS will not scan them, allowing the malicious code to bypass the security system altogether.

4. Source routing

Source routing enables a sender to specify a packet's route through a network, rather than letting a router determine its path. Attackers use source routing maliciously by providing a specific destination that bypasses the IDS.

5. Source port manipulation

IDSes and firewalls can be tricked into believing a file is going to a specific -- and often benign -- port rather than a legitimate one. Known as source port manipulation, this usually involves a port that is blocked from external traffic. For example, an attacker could make it appear the destination for their malware is port 80 -- primarily used for HTTP -- when the actual target port is normally not open to external traffic.

6. IP address spoofing

IP address spoofing involves attackers altering the headers of their malicious data packets to appear to be from a legitimate host. The target system's IDS and firewall believe the data packets are from a legitimate source and, therefore do not filter the packets containing spoofed IP addresses.

7. Creating specialized packets

Attackers can use packet crafting tools to create their own customized data packets that evade an IDS. The attackers append data to the payload or use Unicode -- special characters designed to represent various languages. The malware's pattern, disguised to trick a signature-based IDS, looks legitimate, which enables malicious payloads to reach the intended server.

How to mitigate intrusion detection system evasion

Organizations should take the following steps to prevent and detect IDS evasion techniques:

  • Regular patch management ensures IDS software and firmware are up to date.
  • A centralized management system enables the IDS to alert security teams of issues in real time, resulting in faster security responses and reduced false positives.
  • A zero-trust framework segments a network into different zones, each with its own security controls and mechanisms, such as MFA. This multilayer strategy helps reduce vulnerabilities and the attack surface.
  • Advanced technologies, such as next-generation firewalls, enable security teams to create more customized and sophisticated data packet filtering rules.
  • Remain vigilant and report suspicious network activity.

Ravi Das is a technical engineering writer for an IT services provider. He is also a cybersecurity consultant at his private practice, ML Tech, Inc., and has the Certified in Cybersecurity (CC) certification from ISC2.

Dig Deeper on Threats and vulnerabilities