Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
DESCRIPTION
In 2011, Imperva witnessed an assault by the hacktivist group Anonymous, observing both its use of social media for communications and, most importantly, its attack methods. Since Anonymous’ targets vary, it is important for security professionals to learn how to prepare their organization for a potential attack. These presentation slides walk through the key stages of an Anonymous attack campaign, including recruitment and communication, application attack methods, and mitigation strategies.
TRANSCRIPT
Amichai Shulman, CTO
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
© 2012 Imperva, Inc. All rights reserved.
Agenda
Anonymous Overview and Background
How They Attack: Anatomy of an Anonymous Attack
+ Recruiting and Communications
+ Reconnaissance and Application Attack
+ DDoS
Non-Mitigation Tools
Mitigation Tools
Today’s Presenter: Amichai Shulman – CTO, Imperva
Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities – credited by Oracle, MS-SQL, IBM and others
Amichai Shulman: one of InfoWorld’s “Top 25 CTOs”
What/Who is Anonymous?
“…the first Internet-based superconsciousness.”
—Chris Landers, Baltimore City Paper, April 2, 2008
“Anonymous is an umbrella for anyone to hack anything for any reason.”
—New York Times, 27 Feb 2012
“Anonymous is a handful of geniuses surrounded by a legion of idiots.”
—Cole Stryker, New York Times, 27 Feb 2012
The Plot
The attack took place in 2011 over a 25-day period.
Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
The website was mostly informational but contained data and enabled some commerce.
The attack did not succeed.
On the Offense
Skilled hackers - This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.
Nontechnical - This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks, either by downloading and using special software or by visiting websites designed to flood victims with excessive traffic.
On the Defense
The deployment line was: network firewall, web application firewall (WAF), web servers and anti-virus.
Imperva WAF
+ SecureSphere WAF version 8.5, inline, high availability
+ ThreatRadar
+ SSL wasn’t used; the whole website was served over plain HTTP
Unnamed network firewall and IDS
Unnamed anti-virus
How They Attack: The Anonymous Attack Anatomy
1 -----------------------------------
Recruiting and Communications
Step 1A: An “Inspirational” Video
Step 1B: Social Media Helps Recruit
Setting Up An Early Warning System
Example
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.”
—Sun Tzu
2 -----------------------------------
Recon and Application Attack
Anonymous’ Attacks Mimic For-Profit Hackers
Hacker Forum Discussion Topics
+ dos/ddos: 22%
+ SQL injection: 19%
+ spam: 16%
+ shell code: 12%
+ brute-force: 12%
+ zero-day: 10%
+ HTML injection: 9%
Source: Imperva. Covers July 2010 - July 2011 across 600,000 discussions
Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
Developed in Iran
Vulnerabilities of Interest
Chart: WAF alerts per day (y-axis: # alerts, 0 to 4000) for Day 19 through Day 23, broken down by attack type: Directory Traversal, SQL injection, DDoS recon and XSS.
Mitigation: AppSec 101
+ Code Fixing
+ Dork Yourself
+ Blacklisting
+ WAF
+ WAF + VA
+ Stop Automated Attacks
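As an added illustration of the “Code Fixing” item (example code written for this page, not from the webinar or from Imperva), the Python snippet below shows the string-built query that a tool like Havij harvests data through, next to a parameterized and type-checked version that shuts the same payloads down. The product and user tables, their rows and the two payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'sha256$c0ffee'), (2, 'alice', 'sha256$deadbeef');
    """)
    return conn


def lookup_vulnerable(conn, product_id):
    """Injectable: the request parameter is spliced straight into SQL text.

    A tautology such as "1 OR 1=1" dumps the whole table, and a UNION payload
    with a matching column count pulls rows out of any other table, which is
    exactly the automated harvesting an SQL injection tool performs.
    """
    sql = "SELECT name, price FROM products WHERE id = " + str(product_id)
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, product_id):
    """Hardened: validate the type, then bind the value as a parameter.

    The driver sends the bound value separately from the statement, so even
    if the integer check were skipped the input could never be parsed as SQL.
    """
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (pid,)
    ).fetchall()


# Two constructed payloads of the kind an automated SQL injection tool sends.
TAUTOLOGY = "1 OR 1=1"
UNION_HARVEST = "1 UNION ALL SELECT username, password_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", lookup_vulnerable(db, UNION_HARVEST))
    print("fixed, union:         ", lookup_fixed(db, UNION_HARVEST))
    print("fixed, normal id:     ", lookup_fixed(db, "1"))
```

Parameter binding is the fix; the integer check is defense in depth and is also the kind of per-parameter expectation a WAF profile learns for an application, which is why the Havij attempts later in this deck fail with errors once the WAF is in the path.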
3 -----------------------------------
DDoS
Hacking Tools
Low Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and Javascript variations
+ Can create 200 requests per second per browser window
Anonymous and LOIC in Action
Chart: transactions per day (y-axis: 0 to 700,000) for Day 19 through Day 28, comparing average site traffic against mobile LOIC in action.
LOIC Facts
LOIC downloads
+ 2011: 381,976
+ 2012 (through March 19): 318,340
+ 2012 to date is already 83% of 2011’s total downloads!
Javascript LOIC:
+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used via mobile device.
BUT: DDoS Is Moving Up the Stack
Decreasing costs. Traditional DDoS attacks require a large investment on the attacker’s side, which includes distributing the attack between multiple sources.
The DoS security gap. Traditionally, the defense against DDoS was based on dedicated devices operating at lower layers (TCP/IP). These devices are incapable of detecting higher-layer attacks due to their inherent shortcomings: they don’t decrypt SSL, they do not understand the HTTP protocol, and they are generally not aware of the web application.
For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool’s creators don’t expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don’t believe organizations will rush to patch this flaw en masse before being hit.”
—The Hacker News, July 30, 2011
But That Much Sophistication Isn’t Always Required
Meet your target URL
Mitigation
WAF: It can decrypt SSL, understand HTTP and also understand the application business logic to analyze the traffic, sifting out the DoS traffic.
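To make the “understands HTTP” point concrete, here is an added example (written for this page; not Imperva code and not a description of how SecureSphere works internally) of the two counters an application-aware filter would keep over the access log: requests per client per second, which catches a single LOIC instance, and requests per URL per second across all clients, which catches a distributed JS-LOIC run where each volunteer alone stays under the per-client limit. The simplified log format, the traffic it contains and the thresholds (50 per IP, 200 per URL, one-second window) are all constructed for the demonstration; real limits come from the site’s own traffic baseline.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified access-log format: "<epoch> <client_ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def build_sample_log():
    """Constructed traffic for the demonstration (not captured data)."""
    lines = []
    # Ordinary visitors: five clients, six page views each, spread over ~8 s.
    for i in range(5):
        for k in range(6):
            lines.append(f"{1000 + k * 1.5 + i * 0.1:.2f} 203.0.113.{i + 1} GET /products/{k} 200")
    # One desktop LOIC instance: 120 requests to / inside a single second.
    for k in range(120):
        lines.append(f"{1003 + k / 120:.4f} 198.51.100.7 GET / 200")
    # Distributed JS-LOIC run: 30 volunteers, 8 requests each to the same
    # search URL inside one second; each client alone stays under 50/s.
    for v in range(30):
        for k in range(8):
            lines.append(f"{1005 + (v * 8 + k) / 240:.4f} 192.0.2.{v + 1} GET /search?q=a 200")
    return sorted(lines, key=lambda line: float(line.split()[0]))


def parse_log(lines):
    """Yield parsed events in file order; silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = float(ev["ts"])
            yield ev


def detect_floods(events, window_s=1.0, per_ip_limit=50, per_path_limit=200):
    """Sliding-window counters per client IP and per request path.

    Returns the set of IPs and the set of paths whose request count exceeded
    its limit within any window of `window_s` seconds. Events must be
    ordered by timestamp.
    """
    ip_windows = defaultdict(deque)
    path_windows = defaultdict(deque)
    flagged_ips, flagged_paths = set(), set()
    for ev in events:
        for key, windows, limit, flagged in (
            (ev["ip"], ip_windows, per_ip_limit, flagged_ips),
            (ev["path"], path_windows, per_path_limit, flagged_paths),
        ):
            q = windows[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window_s:  # drop timestamps older than the window
                q.popleft()
            if len(q) > limit:
                flagged.add(key)
    return {"ips": flagged_ips, "paths": flagged_paths}


if __name__ == "__main__":
    result = detect_floods(parse_log(build_sample_log()))
    print("flood sources:", sorted(result["ips"]))
    print("flooded URLs: ", sorted(result["paths"]))
```

A layer-3/4 device sees only the LOIC client’s packet rate; the per-URL counter is the signal it cannot produce, because it needs the parsed request line. In practice the per-URL limit should be weighted by how expensive each URL is to serve, since a handful of requests to a heavy page can do what thousands of requests to a static one cannot.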
4 -----------------------------------
Non-Mitigations
Anti-Virus is Irrelevant: Malware is NOT the MO
McAfee mea culpa
“The security industry may need to reconsider some of its fundamental assumptions, including ‘Are we really protecting users and companies?’”
—McAfee, September 2011
Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
Anti-Virus Recommendation (From A Hacker!)
“Use your existing anti virus or download a free one such as SpyBot Search And Destroy (Some AV is better than none and at least it keeps basic viruses out, don't pay for it though because your just funding the companies that make this problem worse).” (Sic)
—Source: http://adamonsecurity.com/ , creator of RankMyHack.com
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
WAFs at a minimum must include the following to protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDoS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
However, IPS and NGFWs at best only partially support the items marked in red on the slide:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDoS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
I have IPS and NGFW, am I safe?
• IPS & NGFW Marketing – They have at least one web-app feature, so they market themselves as a solution.
• IPS & NGFW gaps vs. WAF – WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security.
• False Sense of Security – IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones we have previously mentioned susceptible to web application penetration.
Anonymous targets that we know of, so far…
Polish Internal Security Agency, French Presidential Site, Austria Ministry of Justice, Austria Ministry of Internal Affairs, Austria Ministry of Economy, Austria Federal Chancellor, Slovenia NLB, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, HBGary Federal, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Rotary Club of Orlando, Bay Area Rapid Transit, Syrian Defense Ministry, Syrian Central Bank, Syrian Ministry of Presidential Affairs, various pornography sites, Muslim Brotherhood, UMG
US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, Sony, Amazon, Church of Scientology, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Malaysian Government, Polish Government, Polish Police, Polish President, Polish Ministry of Culture, Polish Prime Minister, Polish Ministry of Foreign Affairs
PayPal, Mastercard, Visa, Itau, Banco de Brazil, US Senate, CIA, Citibank, Caixa
How many of these organizations have AV, IPS and Next Generation Firewalls?
Why are the attacks successful when these technologies claim to prevent them?
5 -----------------------------------
Mitigations
Automated Scanning Tools
Automated SQL Tool
Havij SQL attack attempt fails with errors due to WAF mitigation.
Blocking Traffic Based on Reputation
Real-time alerts and ability to block based on IP reputation.
DDoS Traffic
~4000 hits take the website offline.
Note: 25x the number of hits blocked, with no web outage in this example.