Cyber Vigilantes: Turning the Tables on Hackers


With command-and-control servers out in the open and key players in the hacking industry behind bars, are the tables beginning to turn on the underground world of cybercrime?

Today's security practitioners are taking an aggressive approach to data security and applying defenses that stop hackers in their tracks. This proactive approach to security has uncovered ground-breaking hacker activities, including: full-fledged attack campaigns (XSS and server-generated DDoS), data collections that contain millions of consumer passwords, and cloud-based technologies used by hackers.

This webinar, featuring Imperva Director of Security Strategy Rob Rachwald, provides insight into the following: 1) techniques used by the security community to tap into hacker activity; 2) research on hacking campaigns, such as the recent LulzSec attacks; 3) technologies, methods, and models driving the business of cybercrime; and 4) recommendations for effective security controls to protect against next-generation attacks.

Published in: Technology, News & Politics

Transcript

  • 1. Cyber Vigilantes: Turning the Tables on Hackers. Rob Rachwald, Director of Security Strategy, Imperva. July 27, 2011
  • 2. Agenda
    - The state of cyber security
      + Reality check #1: Hackers know the value of data
      + Reality check #2: Hackers, by definition, are early adopters
      + Reality check #3: Organizations have more vulnerabilities than time or resources can manage
    - Four ways to catch the predator
      + Monitor communications
      + Understand the business model
      + Conduct technical attack analysis
      + Analyze traffic via honeypots
    - About Imperva
    - Q&A session
  • 3. Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
    - Research
      + Directs security strategy
      + Works with the Imperva Application Defense Center
    - Security experience
      + Fortify Software and Coverity
      + Helped secure Intel’s supply chain software
      + Extensive international experience in Japan, China, France, and Australia
    - Thought leadership
      + Presented at RSA, InfoSec, OWASP, ISACA
      + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
    - Graduated from University of California, Berkeley
  • 4. Cyber Vigilantes:
  • 5. Cyber security today: Hacking has become industrialized. Attack techniques and vectors are changing at an ever more rapid pace. Attack tools and platforms are evolving.
  • 6. Reality Check #1: Hackers know the value of data better than the good guys
  • 7. Data is hacker currency
  • 8. Website access up for sale
  • 9. Website access up for sale
  • 10. Reality Check #2: Hackers, by definition, are early adopters
  • 11. Mobile (in)security. Hacker forum discussion analysis: hacker interest in mobile has increased. Consider 4000+ mentions in the past year versus only 400 from 12+ months ago. [Bar chart: forum mentions of nokia, iphone and android by period (last 3 months, 3 to 6 months ago, 6 to 9 months ago, a year ago and older).] Source: Imperva Application Defense Center Research
  • 12. Reality Check #3: The good guys have more vulnerabilities than time or resources can manage
  • 13. WhiteHat Security Top 10 for 2010. [Chart: percentage likelihood of a Web site having at least one vulnerability, sorted by class.]
  • 14. Studying hackers – why this helps
    - Focusing on what hackers want helps the good guys prioritize
      + Technical insight into hacker activity
      + Business trends in hacker activity
      + Future directions of hacker activity
    - Eliminate uncertainties
      + Active attack sources
      + Explicit attack vectors
      + Spam content
    - Focus on actual threats
    - Devise new defenses based on real data, reducing guesswork
  • 15. Approach #1: Monitoring communications
  • 16. Method: Hacker forums
    - Tap into the neighborhood pub
    - Analyze activity
      + Quantitative analysis of topics
      + Qualitative analysis of information being disclosed
      + Follow up on interesting issues
  • 17. SQL injection = most popular topic. Source: Imperva Application Defense Center Research
  • 18. Non-SQL injection exploits. [Pie chart of exploit topics other than SQL injection: Anonymity 6%, Other 8%, Day 0 17%, Hacked Sites 17%, XSS 17%, with Shellcode and LFI / RFI accounting for the remaining 26% and 9%.]
  • 19. I believe in…
  • 20. Approach #2: Understanding hacker business models
  • 21. Example: Rustock
  • 22. Lessons from the RSA Breach. “…according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.” Source: http://krebsonsecurity.com/2011/05/rsa-among-dozens-of-firms-breached-by-zero-day-attacks
  • 23. SpyEye vs. Zeus
    - When installing SpyEye there is a “Kill Zeus” capability…
      + If chosen, it checks for an installation of the Zeus Trojan and uninstalls it before installing SpyEye
    - Towards the end of October, the developers of the SpyEye and Zeus bot code were showing signs of a merger
  • 24. Approach #3: Technical attack analysis
  • 25. Getting into command-and-control servers
  • 26. No honor among thieves
  • 27. Automated attacks
    - Botnets
    - Mass SQL injection attacks
    - Google dorks
  • 28. And you can monitor trendy attacks
  • 29. Approach #4: Traffic analysis via honeypots
  • 30. Example: DDoS 2.0
  • 31. HTTP request caught by a Tor honeypot
    + POST /.dos/function.php HTTP/1.1
    + User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3
    + Parameters – ip=82.98.255.161&time=100&port=80
  • 32. Scale – probably thousands
    - Google shows hundreds
    - Probably only the tip of the iceberg
  • 33. Impact: Who was brought down?
    - Only saw it launched against one server
      + IP was a Dutch hosting provider
    - But there is likely more
      + We only see a fraction of the general traffic on our honeypot
      + This is only one implementation of DoS
    - Impact?
      + Depends on the hosting Web server’s bandwidth
      + A cable modem user typically has 384 Kbps upstream
      + A Web host in a data center can have a 1 Gbps pipe
    - 1 server = 3000 bots
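A defender-side check for the flood order shown on slide 31, as an added example that is not part of the Imperva deck: it parses raw requests the way a honeypot might log them and keeps only POSTs whose body carries the ip/time/port triple with sane values. The sample requests and the 198.51.100.23 target are constructed for the example.

```python
"""Flag honeypot-captured requests that look like DDoS-tool flood orders.
Added example, not Imperva code; assumes the slide-31 shape: a POST whose
body carries ip=, time= and port= (whom to flood, for how long, which port)."""
import ipaddress
from urllib.parse import parse_qs

# Constructed raw requests, as a honeypot might log them (target is TEST-NET-2).
CAPTURED = [
    "POST /.dos/function.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) "
    "Gecko/20100409 Gentoo Firefox/3.6.3\r\n\r\n"
    "ip=198.51.100.23&time=100&port=80",
    "GET /index.html HTTP/1.1\r\nHost: honeypot.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: honeypot.example\r\n\r\nuser=bob&pass=x",
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def classify_flood_order(raw):
    """Return a dict describing the flood order, or None if the request is not one."""
    method, path, headers, body = parse_request(raw)
    if method != "POST":
        return None
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not {"ip", "time", "port"}.issubset(params):
        return None
    try:  # reject garbage so a malformed probe cannot raise a false alert
        target = ipaddress.ip_address(params["ip"])
        seconds, port = int(params["time"]), int(params["port"])
    except ValueError:
        return None
    if seconds <= 0 or not 0 < port < 65536:
        return None
    return {"path": path, "target": str(target), "port": port,
            "seconds": seconds, "user_agent": headers.get("user-agent", "")}

def flood_orders(requests):
    """Keep only the captured requests that are flood orders."""
    return [o for o in map(classify_flood_order, requests) if o]
```

Running `flood_orders(CAPTURED)` yields one record, naming the target, port and duration the bot was ordered to flood; the GET and the login POST are discarded.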
  • 34. Conclusions
  • 35. Conclusions
    - Time to get proactive
      + Scan Google for dorks with respect to your application
        – Dorks and tools are available on the net
      + Search Google for honey tokens
        – Distinguishable credentials or credential sets
        – Specific distinguishable character strings
      + Watch out for your name popping up in the wrong forums…
    - Deploy reputation-based services
    - Fight automation
      + CAPTCHA
      + Adaptive authentication
      + Access rate control
      + Click rate control
  • 36. Conclusions
    - Application security meets proactive security
      + Quickly identify and block sources of recent malicious activity
      + Enhance attack signatures with content from recent attacks
      + Identify sustainable attack platforms
        – Anonymous proxies
        – Tor relays
        – Active bots
      + Identify references from compromised servers
      + Introduce reputation-based controls
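One way to make the honey tokens of slide 35 recognisable without keeping a list of them, as an added example (not Imperva tooling): the token suffix is a truncated HMAC over its label under a secret, so a scan of a leaked dump can verify hits and reject look-alikes. The svc- prefix, the label scheme, the secret and the dump lines are all constructed for the example.

```python
"""Mint and recognise honey-token credentials (slide 35).

Added example, not Imperva code. The scheme is an assumption: a planted
username is "svc-<label>-<tag>" where <tag> is a truncated HMAC over the label,
so any of your tokens can be verified against the secret instead of a list.
"""
import hashlib
import hmac
import re

# Constructed secret for the example; a real deployment keeps this out of source.
SECRET = b"constructed-example-secret-rotate-me"
TOKEN_RE = re.compile(r"\bsvc-([a-z0-9]+)-([0-9a-f]{12})\b")

def _tag(secret, label):
    """12 hex chars of HMAC-SHA256(secret, label); enough to defeat guessing."""
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:12]

def mint_honey_token(secret, label):
    """Mint a username to seed somewhere; the label records where it was planted."""
    if not re.fullmatch(r"[a-z0-9]+", label):
        raise ValueError("label must be lowercase alphanumeric")
    return f"svc-{label}-{_tag(secret, label)}"

def is_honey_token(secret, candidate):
    """True only if the tag verifies under our secret (look-alikes fail)."""
    m = TOKEN_RE.fullmatch(candidate)
    return bool(m) and hmac.compare_digest(m.group(2), _tag(secret, m.group(1)))

def scan_dump(secret, lines):
    """Return (line_no, token, label) for each verified token found in a dump."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TOKEN_RE.finditer(line):
            if is_honey_token(secret, m.group(0)):
                hits.append((n, m.group(0), m.group(1)))
    return hits

# Constructed credential dump: one genuine token seeded in "crm", two look-alikes.
DUMP = [
    "admin:hunter2",
    mint_honey_token(SECRET, "crm") + ":Winter2011!",
    "svc-crm-000000000000:Winter2011!",
    "svc-backup-deadbeefcafe:changeme",
]

if __name__ == "__main__":
    for line_no, token, label in scan_dump(SECRET, DUMP):
        print(f"line {line_no}: token planted in {label!r} surfaced: {token}")
```

Because the label travels inside the token, a hit also tells you which seeded location (here the "crm" seed) leaked.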
  • 37. Imperva: Protecting the data that drives business
  • 38. Imperva background
    - Imperva’s mission is simple: Protect the data that drives business
    - The leader in a new category: Data Security
    - HQ in Redwood Shores, CA; global presence
      + Installed in 50+ countries
    - 1,200+ direct customers; 25,000+ cloud users
      + 3 of the top 5 US banks
      + 3 of the top 10 financial services firms
      + 3 of the top 5 telecoms
      + 2 of the top 5 food & drug stores
      + 3 of the top 5 specialty retailers
      + Hundreds of small and medium businesses
  • 39. Imperva: Our story in 60 seconds. [Diagram of capabilities: Attack Protection, Usage Audit, Virtual Patching, Rights Management, Reputation Controls, Access Control.]
  • 40. Webinar materials: Get LinkedIn to Imperva Data Security Direct for answers to attendee questions, post-webinar discussions, the webinar recording link, and much more…
  • 41. Questions