Apresentação Allen ES


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Apresentação Allen ES

  1. 1. The Anatomy of an Anonymous Carolina Bozza Security Engineer May 2012
  2. 2. Imperva ? Who we are and what we do2
  3. 3. Next Generation Threats Require New Approach Tech. Attack Usage Protection Audit Logic Attack User Rights Protection Management Fraud Access Prevention Control External Internal Customers Employees Staff, Partners Malicious Insiders Hackers Compromised Insiders Data Center Systems and Admins Imperva’s Mission is to Provide a Complete Solution © Copyright 2012 Imperva, Inc. All rights reserved. 3
  4. 4. Hacktivism From Wikipedia: HACK + ACTIVISM - the use of computers and computer networks as a means of protest; (…) hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These toolsinclude web site defacements, denial-of- service attacks, information theft, (…) Acts of hacktivism are carried out in the belief that proper use of code will be able to produce similar results to those produced by regular activism or civil disobedience. 4
  5. 5. What is Anonymous? Reality What they claim to be: “Anonymous is an umbrella for Anonymous is an Internet meme (…), anyone to hack anything for any representing the concept of many reason.” online and offline community users —New York Times, 27 Feb 2012 simultaneously existing as an anarchic, digitized global brain. Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement , Hacktivists fighting for moral causes. airline, São Paulo’s Mayor and Vladimir Putin. Anyone can be a target. 5
  6. 6. The Plot - The anatomy of an Anonymous Attack Attack took place in 2011 over a 25 day period. Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism. 10-15 skilled hackers or “geniuses.” Several hundred to a thousand supporters. 6
  7. 7. On the Offense Skilled hackers—This group, around 10 to 15 individuals per campaign, have genuine hacking experience and are quite savvy. Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic. 7
  8. 8. On the Defense Deployment line was network firewall, WAF, web servers and anti-virus. Imperva WAF + SecureSphere WAF version 8.5 inline, high availability + ThreatRadar reputation + SSL wasn’t used, the whole website was in HTTP Unnamed network firewall and IDS Unnamed anti-virus 8
  9. 9. Phase #1 Recruiting and Communications9
  10. 10. An “Inspirational” Videos 10
  11. 11. Social Media Helps Recruit 11
  12. 12. Phase #2 Recon and Application Attack “Avoid strength, attack weakness: Striking where the enemy is most vulnerable.” —Sun Tzu12
  13. 13. Finding Vulnerabilities Tool #1: Vulnerability Scanners Purpose: Rapidly find application vulnerabilities. Cost: $0-$1000 per license. The specific tools: + Acunetix (named a “Visionary” in a Gartner 2011 MQ) + Nikto (open source) 13
  14. 14. Hacking Tools Tool #2: Havij Purpose: + Automated SQL injection and data harvesting tool. + Solely developed to take data transacted by applications Developed in Iran 14
  15. 15. Phase #3 DDoS15
  16. 16. Hacking Tools Low-Orbit Ion Canon (LOIC) Purpose: + DDoS + Mobile and Javascript variations + Can create 200 requests per second per browser window 16
  17. 17. Anonymous and LOIC in Action 700000 600000 LOIC in Action Transactions per Second 500000 400000 300000 200000 Average Site Traffic 100000 0 Day 19 Day 20 Day 21 Day 22 Day 23 Day 24 Day 25 Day 26 Day 27 Day 28 17
  18. 18. LOIC Facts LOIC downloads + 2011: 381,976 + 2012 (through March 19): 318,340 + Jan 2012=83% of 2011’s downloads! Javascript LOIC: + Easy to create + Iterates up to 200 requests per minute + Can be used via mobile device. 18
  19. 19. Anybody can be an anonymous! Let’s Demo!! 19
  20. 20. I’ve spent a lot of money… And why I’m not Safe Yet?20
  21. 21. I have IPS and NGFW, am I safe? IPS and NGFWs do not prevent web application attacks. + Don’t confuse “application aware marketing” with Web Application Security. WAFs at a minimum must include the following to protect web applications: • Web-App Profile • Web-App Signatures • Web-App Protocol Security • Web-App DDOS Security Security Policy Correlation • Web-App Cookie Protection • Anonymous Proxy/TOR IP Security • HTTPS (SSL) visibility 21
  22. 22. I have IPS and NGFW, am I safe? IPS and NGFWs do not prevent web application attacks. + Don’t confuse “application aware marketing” with Web Application Security. However, IPS and NGFWs at best only partially support the items in Red: • Web-App Profile • Web-App Signatures • Web-App Protocol Security • Web-App DDOS Security Security Policy Correlation • Web-App Cookie Protection • Anonymous Proxy/TOR IP Security • HTTPS (SSL) visibility 22
  23. 23. I have IPS and NGFW, am I safe? • IPS & NGFW Marketing – They have at least one web-app feature so they market themselves as a solution. • IPS & NGFW gaps to WAF – WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security. • False Sense of Security - IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones we have previously mentioned susceptible to web application penetration. 23
  24. 24. Anonymous targets that we know of, so far… US Department of Justice Polish Prime Minister Muslim Brotherhood US Copyright Office Polish Ministry of Foreign Affairs UMG FBI Polish Internal Security Agency PayPal MPAA French Presidential Site Mastercard Warner Brothers Austria Ministry of Justice Visa RIAA Austria Ministry of Internal Affairs US Senate HADOPI Austria Ministry of Economy CIA BMI Austria Federal Chancellor Citibank Sony Slovenia NLB Itau Amazon Mexican Interior Ministry Banco do Brazil Church of Scientology Mexican Senate Caixa Econômica Federal SOHH Mexican Chamber of Deputies Tim Celular Brasil Office of the AU Prime Minister Irish Department of Justice Presidência da República AU House of Parliament Irish Department of Finance Petrobrás AU Department of Communications Greek Department of Justice Receita Federal Swiss bank PostFinance Egyptian National Democratic Party Ministério dos Esportes Fine Gael HBGary Federal Rede Globo de Televisão New Zealand Parliament Spanish Police Cielo (Visa) Tunisia Government Orlando Chamber of Commerce Banco Central Zimbabwe Government Catholic Diocese of Orlando HSBC Brasil Egyptian Government Rotary Club or Orlando Bradesco Malaysian Government Bay Area Rapid Transit Itau (Brasil) Polish Government Syrian Defense Ministry Dilma (President) Polish Police Syrian Central Bank Kassab (São Paulo Mayor) Polish President Syrian Ministry of Presidential Affairs Polish Ministry of Culture Various Pornography sites 24
  25. 25. 5 Mitigations25
  26. 26. First, some interesting facts No bots; No Malwave; No Phishing; Public Recruitment. 26
  27. 27. Mitigation Monitor social media Twitter, Facebook, YouTube, blogspot, pastebin etc. Use Google alerts Protect applications Web application firewalls, VA and code reviews Analyze the alert messages generated by your security devices The DDoS attack was preceded by a few-days-long phase of reconnaissance. Daily analysis of alert information may help better prepare for tomorrow’s attack. IP reputation is very valuable Most of the reconnaissance traffic could have been blocked Threat Radar 27
  28. 28. Anonymous Attack on Customer Site Web Application Protection Use Case PHASE ISecureSphere stopped allphases of attack Technical Attack Scanners such as Nikto Phase IIIBusiness Logic PHASE II Attack Technical Attack Havij SQL injection tool LOIC application © Copyright 2012 Imperva, Inc. All rights reserved. 28
  29. 29. Web Application Security Use Cases Compliance Web Application Protection and Legal IT Application Virtual Patching Operations DDoS Protection Site Scraping Prevention Line of Fraud Prevention Business Legacy Application Security Hosted Application Protection © Copyright 2012 Imperva, Inc. All rights reserved. 29
  30. 30. The Defenses Required to Protect Web Apps Dynamic Profiling Attack Signatures Correlated Attack Validation Technical Attack HTTP Protocol Validation Protection Cookie Protection IP Reputation Anti-Scraping Policies Business Logic Attack Protection Bot Mitigation Policies IP Geolocation Fraud Prevention Malware Fraud Detection © Copyright 2012 Imperva, Inc. All rights reserved.30
  31. 31. IPS & NG Firewall Web Security Features Dynamic Profiling Correlation (Web Profile Correlation) Attack Signatures Technical Attack HTTP Protocol Validation Protection High rate of false positives and negatives Cookie Protection because of lack of app awareness IP Reputation Easy for hackers to evade via encoding, Anti-Scraping Policies Business Logic custom app vulnerabilities Attack Protection Bot Mitigation Policies IP Geolocation Fraud Prevention Malware Fraud Detection © Copyright 2012 Imperva, Inc. All rights reserved.31
  32. 32. Virtual Patching Use Case Vulnerabilities Challenges for payment imported into WAF processor: Costly, time-consuming vulnerability fix cycles Target of Web attacks SecureSphere: Reduces window of exposure, cost of manual app fixes Offers visibility for developers Company scans site with app scanner © Copyright 2012 Imperva, Inc. All rights reserved. 32
  33. 33. Virtual Patching Through Scanner Integration SecureSphere can import scan results and instantly create mitigation policies Eliminated payment processors’ emergency fix and test cycles Scanner finds vulnerabilities Customer Site SecureSphere imports Web applications scan results are protected © Copyright 2012 Imperva, Inc. All rights reserved.33
  34. 34. Improve Application Development Processes Software Development Lifecycle DESIGN TEST DEPLOY & CODE Test for Block attacks vulnerabilities Architect and Monitor and report implement code exploits Virtually patch Fix errors and Detect leaks, errors vulnerabilities vulnerabilities Imperva SecureSphere Manual processes or third party tools © Copyright 2012 Imperva, Inc. All rights reserved.34
  35. 35. Legacy Application Security Use Case A bank inherited a treasury app App had 50+ vulnerabilities, would cost $ millions to fix Wouldn’ t allow vulnerable app into new data center Paying $1M a month to keep legacy app in old data center Imperva SecureSphere WAF: Mitigated vulnerabilities Periodic scans confirm app is secure Vulnerable Legacy Application © Copyright 2012 Imperva, Inc. All rights reserved.35
  36. 36. Fraud Prevention Use Case A bank needed to: Stop Man-in-the-Browser attacks SecureSphere tracks Address FFIEC compliance fraud details SecureSphere Client SecureSphere & ThreatRadar Fraud: Devices Detects devices with fraud malware Requires no changes to apps for initial rollout or policy changes © Copyright 2012 Imperva, Inc. All rights reserved.36
  37. 37. ThreatRadar Fraud Prevention SecureSphere integrates with Trusteer to detect users infected with malware like SpyEye, Zeus, Gozi, & Silon 1. User accesses Website 2. SecureSphere redirects browser to Trusteer 3. Browser downloads, runs malware check 4. Result sent to WAF Is this endpoint safe? Pass / Block © Copyright 2012 Imperva, Inc. All rights reserved.37
  38. 38. DDoS Protection Use Case RV Manufacturer: Websites Received DDoS that took down Website for 3 days Websites DDoS attack traffic is blocked 20 Mbps Cloud DDoS Protection: Stopped SYN Flood in less 2 Gbps than 2 hours from phone call Stopped follow-on attack © Copyright 2012 Imperva, Inc. All rights reserved.38
  39. 39. Full Web-based DDoS Protection Stops all DDoS threats + Application & network attacks Attacker Malicious Search Bot Engine + Proprietary technology differentiates humans from bots – Analyzes HTTP redirect, cookie, and JavaScript execution capabilities Scales beyond your Internet connection limit + Support DDoS attacks that burst to 2 Gbps or 4 Gbps Cloud DDoS Protection dashboard © Copyright 2012 Imperva, Inc. All rights reserved.39
  40. 40. Hosted Application Protection Use Case Retailer: Hackers Had upcoming PCI audit Bots Needed to protect Website & meet PCI 6.6 Legitimate Hosted apps in the cloud Users Scrapers Company’s Website Comment Spammers Imperva Cloud WAF: Helped retailer meet PCI Fast, easy deployment Imperva Cloud WAF Dashboard © Copyright 2012 Imperva, Inc. All rights reserved.40
  41. 41. Web Application Firewall in the Cloud Full, PCI-Certified Web application firewall + Leverages years of Imperva security expertise Stops SQL injection, XSS, OWASP Top 10, bots Protects both on-premise and hosted Websites Cost-effective managed WAF service Satisfies PCI DSS #6.6 Globally Distributed, High-Performance Proxy Network 360° Global Threat Detection: Early detection of threats based on attacks to other protected sites © Copyright 2012 Imperva, Inc. All rights reserved.41
  42. 42. Complete Protection Against Web Threats Bots Scrapers Web Attacks SecureSphere App DDoS Known Attackers Web Apps Phishing Sites Undesirable Countries Comment Spammers Vulnerabilities Malware-based Fraud © Copyright 2012 Imperva, Inc. All rights reserved.42
  43. 43. The Anatomy of an Anonymous Operation Carolina Bozza Security Engineer May 2012