Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground

Research attributes nearly half of a typical website’s traffic to automated bots. This puts the odds of falling victim to a cyber attack at 100%. Automation tools, such as SQLMap and Havij, open new avenues for amateur and professional hackers to evade security defenses. How will your team prepare for, and stop, malicious, automated site traffic and defend against zero-day attacks? This presentation highlights observed trends in the automation of SQLi and RFI attacks, reveals the warning signs of an automated attack, and suggests identification methods and proven countermeasures to stop attacks.

Published in: Technology, News & Politics

1. Automated Hacking Tools: The New Rock Stars in the Cyber Underground
   © 2012 Imperva, Inc. All rights reserved.

2. Agenda
   - Context for HII Reports
   - Introducing Automated Hacking
     + Quantifying Automation
     + Hacking Automation Use Cases
     + Sample Tools
   - Analyzing Real World Data
   - Detection and Mitigation
   - Questions and Answers

3. Presenter: Amichai Shulman – CTO Imperva
   - Speaker at Industry Events
     + RSA, Sybase Techwave, Info Security UK, Black Hat
   - Lecturer on Info Security
     + Technion - Israel Institute of Technology
   - Former Security Consultant to Banks and Financial Services Firms
   - Leads the Application Defense Center (ADC)
     + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others
   - Amichai Shulman, one of InfoWorld's "Top 25 CTOs"

4. HII Report Context
   - The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
     + A different approach from vulnerability research
   - Data set composition
     + ~50 real world applications
     + Anonymous proxies
   - More than 18 months of data
   - Powerful analysis system
     + Combines analytic tools with drill-down capabilities

5. Introducing Automated Hacking (section title)

6. Quantifying Automation (section title)

7. Quantifying Automation
   [Pie charts] RFI attacks: 98% automatic, 2% manual. SQLi attacks: 88% automatic, 12% manual.

8. Hacking Automation Use Cases
   - Automation affects the magnitude of the threat posed by hacking
   - Source: Honeypot.org, "The Social Dynamics of Hacking"

9. Hacking Automation Use Cases
   - Skilled Hackers
     + Create more powerful tools
     + Focus not only on finding vulnerabilities but also on robust automation of their exploit (an engineering challenge)
   - Professional Hackers (Semi-skilled)
     + Can grow their business faster and more effectively using automation
     + Puts more organizations at risk as potential targets
   - Unskilled Hackers
     + Increased potential of incidental damage

10. Hacking Automation Use Cases
    - Botnets
      + A step further in the evolution of automated hacking
      + Rather than automating a task, it is automation of the entire operation
    - Includes all steps of the operation
      + Target selection
      + Probing
      + Exploit

11. Automated Hacking Tools
    - Search engine hacking
      + Discovery phase
      + Mostly botnet based today
    - General scanners
      + Probing of chosen targets
    - Focused on attack type
    - Focused on individual vulnerability
      + Exist as standalone tools and botnet modules

12. Automated Hacking Tools – High-end
    - Havij
      + Slick GUI (point and click)
      + Evasion techniques
      + State of the art attack vectors
      + Focused on SQL Injection attacks
      + Used in attacks by Lulzsec and Anonymous

13. Automated Hacking Tools (no text on slide)

14. Automated Hacking Tools – Professional
    - SQLmap
      + Command line
      + Ready for instrumentation
      + Focused on SQL Injection
    - FIMAP
      + Focused on Remote File Include

15. Automated Hacking Tools (no text on slide)

16. Automated Hacking Tools – WhiteHat flipping sides
    - Nikto
      + Public domain, low end
    - Nessus
      + Public domain (some versions), very friendly GUI
    - Acunetix
      + Powerful commercial tool; stolen licenses are shared among hackers
    - Tools aimed at vulnerability scanning
      + Automation is essential for continuous testing of large and complex web applications
      + Inherently easier to operate

17. Analyzing Real World Data (section title)

18. Type of Automation
    - The type of automation is tightly related to the nature of the vulnerability to be exploited
    - SQL Injection
      + Tools that focus on an individual application at a time
      + High volume, high rate traffic generated against a single application
    - RFI
      + Tools that try to cover as many applications as possible
      + Low volume traffic when watching a single application
    - Search Engine Hacking
      + Need to bypass search engine restrictions
      + Highly distributed botnets

19. Type of Automation (no text on slide)

20. Type of Automation – RFI Attacks
    - Many sources attack more than one target

21. Persistence of Sources
    - A fair amount of attack sources are persistent over time
      + Persistent source = more than 3 days of activity
      + 30% of SQLi attacks
      + 60% of RFI attacks
    [Chart: SQLi attacks (log scale, 1 to 10,000) against activity days (0 to 100)]

22. Persistence of Sources – RFI Attacks
    - Many consistent attackers

23. Persistence of Attack Vectors – RFI Attacks
    - Collect URLs that host the infection script
    - Some URLs are being used consistently over time

24. Persistence of Attack Vectors
    - Many shell URLs are used against more than one target

25. Country of Origin
    - Most attack sources are in the US
    - Most high rate automation sources are in China!

    SQLi, all attack sources:

    | Country            | Hosts | % of Hosts |
    |--------------------|-------|------------|
    | USA                | 3994  | 80         |
    | China              | 355   | 7          |
    | United Kingdom     | 75    | 2          |
    | Russian Federation | 49    | 1          |
    | Canada             | 40    | 1          |
    | Republic of Korea  | 33    | 1          |
    | Germany            | 31    | 1          |
    | Brazil             | 29    | 1          |
    | India              | 28    | 1          |
    | France             | 24    | 1          |

    SQLi, high rate automation sources:

    | Country            | Hosts | % of Hosts |
    |--------------------|-------|------------|
    | China              | 98    | 30         |
    | USA                | 78    | 24         |
    | Netherlands        | 9     | 3          |
    | Morocco            | 8     | 2          |
    | Egypt              | 7     | 2          |
    | Luxemburg          | 7     | 2          |
    | Brazil             | 7     | 2          |
    | France             | 7     | 2          |
    | Indonesia          | 6     | 2          |
    | Russian Federation | 6     | 2          |

26. Detection and Mitigation (section title)

27. General
    - Motivation
      + Automated hacking accounts for a large portion of attack traffic
      + Being able to detect malicious automation dramatically reduces the stress on other mechanisms designed to detect specific attacks
    - Challenge
      + Hard to implement WITHIN applications, as automation can be applied against each and every part of the application or the underlying application server

28. Detecting Automated Hacking - Passive
    - Passive Methods
      + Watch network traffic "as-is"
      + Non-intrusive, do not affect user experience
    - Traffic Shape Indicators
      + We measure suspicious requests (rather than ALL requests)
      + Measured attributes
        – Rate
        – Rate change (ramp-up speed)
        – Volume
      + Difficult to measure in an inherently noisy source (NAT)
    - Request Shape Indicators
      + Missing headers
      + Mismatch between headers and location
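The passive indicators on this slide (rate, ramp-up and volume of suspicious requests per source, missing browser headers, header/location mismatch) as a small scoring routine. This is an added example and not Imperva's code: the request records, the geo lookup and the thresholds are constructed, and "mismatch between headers and location" is taken here to mean the Accept-Language region versus the source IP's country.

```python
import re
from collections import defaultdict

# Constructed sample: (timestamp_s, src_ip, headers) of requests an upstream signature
# engine already marked as suspicious (e.g. a SQLi pattern in a parameter). Not real traffic.
BOT = "198.51.100.7"
USER = "203.0.113.5"
BOT_HDRS = {"User-Agent": "python-requests/2.6", "Accept-Language": "en-US"}
USER_HDRS = {"User-Agent": "Mozilla/5.0", "Accept": "text/html", "Accept-Language": "en-US"}
SUSPICIOUS = [(t, BOT, BOT_HDRS) for t in (0, 5, 10, 15, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)]
SUSPICIOUS += [(t, USER, USER_HDRS) for t in (0, 40, 80)]   # a human with a few false positives

# Hypothetical geo lookup for the two constructed sources (country code of the source IP).
GEO = {BOT: "cn", USER: "us"}
BROWSER_HEADERS = ("User-Agent", "Accept", "Accept-Language")

def traffic_shape(records):
    """Per source: volume, rate (suspicious req/s) and ramp-up (second-half count / first-half count)."""
    times = defaultdict(list)
    for ts, src, _ in records:
        times[src].append(ts)
    shape = {}
    for src, ts in times.items():
        ts.sort()
        span = max(ts[-1] - ts[0], 1.0)          # avoid division by zero for a single request
        mid = ts[0] + span / 2
        first = sum(1 for t in ts if t < mid)
        shape[src] = {"volume": len(ts), "rate": len(ts) / span,
                      "rampup": (len(ts) - first) / max(first, 1)}
    return shape

def request_shape(src, headers):
    """Request-shape indicators: headers a browser always sends, and Accept-Language region vs. source geo."""
    findings = ["missing " + h for h in BROWSER_HEADERS if h not in headers]
    m = re.match(r"[a-z]{2}-([A-Za-z]{2})", headers.get("Accept-Language", ""))
    if m and src in GEO and m.group(1).lower() != GEO[src]:
        findings.append("Accept-Language region %s vs source geo %s" % (m.group(1), GEO[src]))
    return findings

def classify(records, rate_thresh=0.25, rampup_thresh=3.0):
    """Return {src: (is_automated, reasons)}; thresholds are illustrative and must be tuned per site."""
    verdicts = {}
    headers_by_src = {src: h for _, src, h in records}
    for src, s in traffic_shape(records).items():
        reasons = request_shape(src, headers_by_src[src])
        if s["rate"] >= rate_thresh:
            reasons.append("rate %.2f/s" % s["rate"])
        if s["rampup"] >= rampup_thresh:
            reasons.append("ramp-up x%.1f" % s["rampup"])
        verdicts[src] = (bool(reasons), reasons)
    return verdicts

if __name__ == "__main__":
    for src, (auto, why) in classify(SUSPICIOUS).items():
        print(src, "AUTOMATED" if auto else "ok", why)
```

Scoring only the requests already flagged as suspicious, as the slide recommends, keeps a NAT gateway with many legitimate users from tripping the rate threshold on its own.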
29. Detecting Automated Hacking - Passive (no text on slide)

30. Detecting Automated Hacking - Active
    - Introduce changes into the server response
      + Test the client's reaction to changes
      + May affect user experience – use with care
      + Verify type of user agent
    - Browsers support JavaScript and an appropriate DOM
      + Client is expected to complete some computation
      + Application / GW can validate the computed value
    - Browsers comply with HTML tags (IMG, IFRAME)
      + Client is expected to access resources referenced by embedded tags
      + Failure to access the resources implies that the client is an automated script

31. Mitigation - Wisdom of the Crowds
    - Detected automation feeds into building fingerprints of tools and reputation data for sources
    - Leveraged when data is collected within a community
    - Recent regulatory changes endorse the concept of community
    - Drop requests matching fingerprints or coming from ill-reputed sources

32. Mitigation – Challenges and Metering
    - Introduce changes to the response that require a true browser user-agent before letting any further requests within a session
      + Application / GW keeps sending the test for any request not in a validated session
      + A session is validated only if the user-agent responds properly
    - Introduce changes to the response that (based on the previous enforcement) introduce client-side latency
      + Challenge the client to solve a mathematical riddle
      + Partial hash collisions are a good example
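Slide 30's gateway-validated computation and slide 32's session gating with a partial-hash-collision riddle, as an added example that is not Imperva's implementation: the gateway re-sends the challenge to every request of a session that has not yet answered correctly, the answer costs the client about 2^bits SHA-256 evaluations (the metered latency), and the gateway verifies it with a single hash. The names Gateway, DIFFICULTY_BITS and solve_challenge are this example's own.

```python
import hashlib
import os

# Hypothetical gateway-side challenge flow written for this example.
DIFFICULTY_BITS = 16   # leading zero bits required: ~2^16 hashes of client work, one hash to verify

def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def meets_target(challenge, answer, bits=DIFFICULTY_BITS):
    """Partial hash collision: SHA-256(challenge || answer) must start with `bits` zero bits."""
    digest = hashlib.sha256((challenge + answer).encode()).digest()
    return leading_zero_bits(digest) >= bits

def solve_challenge(challenge, bits=DIFFICULTY_BITS):
    """What the browser's script has to do: brute-force a counter. This is the metered latency."""
    counter = 0
    while not meets_target(challenge, str(counter), bits):
        counter += 1
    return str(counter)

class Gateway:
    """Serves the page only to sessions that have answered their challenge; every other
    request in an unvalidated session gets the challenge again, whatever URL it asked for."""
    def __init__(self, bits=DIFFICULTY_BITS):
        self.bits = bits
        self.validated = set()
        self.pending = {}        # session_id -> outstanding challenge nonce

    def handle(self, session_id, answer=None):
        if session_id in self.validated:
            return "200 page"
        challenge = self.pending.setdefault(session_id, os.urandom(8).hex())
        if answer is not None and meets_target(challenge, answer, self.bits):
            self.validated.add(session_id)
            del self.pending[session_id]
            return "200 page"
        return "challenge " + challenge

if __name__ == "__main__":
    gw = Gateway()
    reply = gw.handle("browser-1")                 # first request: no page, only the challenge
    nonce = reply.split(" ", 1)[1]
    print(gw.handle("browser-1", solve_challenge(nonce)))   # browser pays the hash cost, then gets the page
    print(gw.handle("script-1"))                   # a script that ignores the challenge keeps seeing it
```

Raising DIFFICULTY_BITS multiplies the client's cost without changing the gateway's, which is what makes the riddle a metering control rather than just a browser check.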
33. Mitigation (cont.)
    - Introduce CAPTCHA or another test to tell apart a human operator from a script

34. Summary
    - Automation is ruling the threat landscape
      + It accounts for the lion's share of attack traffic
    - Automation is used in various forms
      + In-depth scanning / attack of a single target
      + Wide-breadth scanning / attack of multiple applications
      + Distributed scanning / attack of single / multiple applications

35. Summary (cont.)
    - Detection and mitigation are essential for reducing noise and focusing resources on the most complex attacks
    - Detection and mitigation are most effectively deployed outside of the application
    - Detection and mitigation must include a combination of passive and active measures
    - Detection and mitigation are best utilized within a community that can generate reputation data

36. Webinar Materials
    Join Our LinkedIn Group, Imperva Data Security Direct, for:
    - Answers to Attendee Questions
    - Post-Webinar Discussions
    - Webinar Slides
    - Webinar Recording Link

37. www.imperva.com - CONFIDENTIAL -