The Concept Of “Defense Evasion” And Its Specific Tactical Techniques

In recent times, news articles have been reflecting massive data breaches in some of the world’s largest corporations, leaving people wondering why these massive organizations could have been so vulnerable. Among the reasons for these vulnerabilities is that cyber-network adversaries have developed techniques to either avoid or go around computer network defense computer network defense systems.

Defense evasion is a general word used to define techniques that adversaries use to breach cyber networks in spite of the existence of effective and state of the art CND systems (The MITRE Corporation). The technique might involve misleading the CND system to believe that the intruder is benign, or even a means to avoid the CND altogether. The Gatekeeper Bypass is one of the simplest and most ingenious means of defense evasion and is based on physically avoiding detection and flagging by a CND system (The MITRE Corporation). There is an underlying assumption in cybersecurity that some types of attacks enter the system through the internet. CND systems are thus designed to find, flag, and quarantine that kind of attacks, a system known as the Gatekeeper.

The Gatekeepers bypass entails evading the CND by entering the system in a physical manner, for example by plugging a thumb drive to a device that is already connected to the system. The malignant file is never flagged and can be used to breach the system. Another relatively easy but effective defense evasion technique is file deletion. Most advanced CND systems integrate the post-exploit approach where they remain effective even after a breach has happened. Among the critical mitigation approaches after a data breach has happed is being able to identify the breach in order to run diagnostics and remedy the damage caused. Deleting the files that were interfered with is an effective means of preventing detection of breaches, conducting of diagnostics and remedying the situation. The adversaries will use advanced deletion software to eliminate any traces of the files. If the affected files are not often used, it might take a long time before the system users realize there had been a breach. Further, they might even assume that an authorized person made an erroneous deletion. The longer it takes to detect a breach, the more damage the breach might cause.

Another method that adversaries might use as a defense evasion technique is Disabling Security Tools. Some security tools are very effective but may have internal vulnerabilities within them. For example, a security tool might be designed to record and report everything that happens within the network system that it is designed to protect, but it does not record and report what happens within itself.

As a defense evasion technique, an adversary may first interfere with the security system, so as to prevent it from stopping or recording a breach in the system itself. For example, the adversary can set the CND system to delay for a split second after the cyber system has been switched off, then use the short period to breach the system using advanced malware. The CND will not stop the breach, and most importantly, it will not log it, thus creating a form of impunity for the adversaries.