Policy Evasion: Evasive Techniques You Need to Understand to Prevent Breaches and Attacks

Evasive techniques are regularly used by cyber attackers to avoid detection and hide malicious activity, and they are quite effective too. In our Mandiant Security Effectiveness Report 2020, we found that 65% of the time evasive techniques used to bypass policies were not able to be detected or prevented within a security environment. Add to that, only 15% were alerted and 25% were detected—and 31% were missed altogether.

What this really means is that organizations are performing below their predicted levels of effectiveness, and for obvious reasons that is quite alarming. In today’s world, security must be top of mind for everyone within an organization, and that means setting and adhering to cyber security policies are essential to preventing breaches and attacks.

Part of preventing attacks means thinking like a threat actor. We go into this concept further in our video blog post, “Security Effectiveness Report: Policy Evasion,” where we discuss the importance of understanding the various techniques used by attackers. Only then can countermeasures be implemented that are the most effective and relevant to each environment—anti-evasion countermeasures, in our case.

When looking at the threat landscape, we see attackers using many different types of evasion techniques, but the three most common are:

  • Encryption and tunneling: IPS sensors monitor the network and capture packets as they go through the network, but these network-based sensors rely on data being transmitted in plain text. An example of this type of method is a secure shell connection to a secure shell host server.
  • Timing of attacks: Attackers can evade detection by performing their actions slower than normal. This type of evasion attack can be mounted against any correlating engine that uses a fixed window and a threshold to classify them.
  • Protocol level misinterpretation: The attacker is able to make a sensor ignore or not ignore traffic, resulting in an organization seeing that traffic differently from the target.

As shared in our report, we found that the three most common causes that lead to poor prevention and detection are:

  • Outdated classification categories
  • Limited network monitoring on expected protocols
  • Inadequate tracking and communication of changes for one-off exceptions

For instance, a perfect example of protocol level misinterpretation was found when working with one of our customers, a Fortune 500 company. The company leveraged security validation to continuously monitor for changes causing environmental drift, and the investigating team discovered that data was not being delivered to the SIEM. After analyzing test results, they discovered that syslogs were being sent over UDP instead of TCP, and a misconfigured load balancer was dropping all UDP traffic. As a result, events were not being sent to the SIEM and correlation rules did not trigger alerts to initiate the incident response process. The ability to test this with real attack actions exposed this scenario and allowed the company’s security team to remove the risk.

As evidenced by this example and the findings in our report, organizations are at much greater risk than they realize. It’s imperative that they validate security effectiveness in order to strengthen cyber hygiene and minimize risk. Only then can organizations better protect business-critical assets, brand reputation and economic value.

Interested in learning how you can expose and uncover evasive techniques by validating your controls against current and actual attacks? Download a full copy of the Mandiant Security Effectiveness Report 2020, including a list of the 10 fundamentals for successful cyber security effectiveness validation.

This post was first first published on

FireEye Stories

‘s website by Earl Matthews. You can view it by clicking here