
Cyber Vigilantes: Turning the Tables on Hackers


With command-and-control servers out in the open and key players in the hacking industry behind bars, are the tables beginning to turn on the underground world of cybercrime?

Today's security practitioners are taking an aggressive approach to data security and applying defenses that stop hackers in their tracks. This proactive approach to security has uncovered ground-breaking hacker activities, including: full-fledged attack campaigns (XSS and server-generated DDoS), data collections that contain millions of consumer passwords, and cloud-based technologies used by hackers.

This webinar, featuring Imperva Director of Security Strategy Rob Rachwald, provides insight into the following: 1) techniques the security community uses to tap into hacker activity, 2) research on hacking campaigns, such as the recent LulzSec attacks, 3) technologies, methods, and models driving the business of cybercrime, and 4) recommendations for effective security controls to protect against next-generation attacks.

Published in: Technology, News & Politics

  1. Cyber Vigilantes: Turning the Tables on Hackers
     Rob Rachwald, Director of Security Strategy, Imperva
     July 27, 2011
  2. Agenda
     - The state of cyber security
       + Reality check #1: Hackers know the value of data
       + Reality check #2: Hackers, by definition, are early adopters
       + Reality check #3: Organizations have more vulnerabilities than time or resources can manage
     - Four ways to catch the predator
       + Monitor communications
       + Understand the business model
       + Conduct technical attack analysis
       + Analyze traffic via honeypots
     - About Imperva
     - Q&A session
  3. Today's Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
     - Research
       + Directs security strategy
       + Works with the Imperva Application Defense Center
     - Security experience
       + Fortify Software and Coverity
       + Helped secure Intel's supply chain software
       + Extensive international experience in Japan, China, France, and Australia
     - Thought leadership
       + Presented at RSA, InfoSec, OWASP, ISACA
       + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
     - Graduated from University of California, Berkeley
  4. Cyber Vigilantes
  5. Cyber security today
     - Hacking has become industrialized.
     - Attack techniques and vectors are changing at an ever more rapid pace.
     - Attack tools and platforms are evolving.
  6. Reality Check #1: Hackers know the value of data better than the good guys
  7. Data is hacker currency
  8. Website access up for sale
  9. Website access up for sale (continued)
  10. Reality Check #2: Hackers, by definition, are early adopters
  11. Mobile (in)security: Hacker Forum Discussion Analysis
     - Hacker interest in mobile has increased
     - Consider 4000+ mentions in the past year versus only 400 from 12+ months ago
     [Bar chart: forum mentions of nokia, iphone and android, grouped by period (last 3 months; 3 to 6 months ago; 6 to 9 months ago; a year ago and older); individual bar values not recoverable from the transcript]
     Source: Imperva Application Defense Center Research
  12. Reality Check #3: The good guys have more vulnerabilities than time or resources can manage
  13. WhiteHat Security Top 10 for 2010: Percentage likelihood of a Web site having at least one vulnerability, sorted by class
  14. Studying hackers – why this helps
     - Focus on what hackers want helps the good guys prioritize
       + Technical insight into hacker activity
       + Business trends in hacker activity
       + Future directions of hacker activity
     - Eliminate uncertainties
       + Active attack sources
       + Explicit attack vectors
       + Spam content
     - Focus on actual threats
     - Devise new defenses based on real data, reducing guesswork
  15. Approach #1: Monitoring communications
  16. Method: Hacker forums
     - Tap into the neighborhood pub
     - Analyze activity
       + Quantitative analysis of topics
       + Qualitative analysis of information being disclosed
       + Follow up on interesting issues
  17. SQL injection = most popular topic
     Source: Imperva Application Defense Center Research
  18. Non-SQL injection exploits
     [Pie chart: share of forum discussion by exploit type (non-SQL injection)]
     - Anonymity: 6%
     - Other: 8%
     - Day 0: 17%
     - Hacked Sites: 17%
     - XSS: 17%
     - Shellcode and LFI / RFI: 26% and 9% (the transcript does not preserve which value belongs to which label)
  19. I believe in…
  20. Approach #2: Understanding hacker business models
  21. Example: Rustock
  22. Lessons from the RSA Breach
     "…according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren't merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure."
     Source:
  23. SpyEye vs. Zeus
     - When installing SpyEye there is a "Kill Zeus" capability…
       + If chosen, it checks for the installation of the Zeus Trojan and uninstalls it before installing SpyEye
     - Towards the end of October, the bot code developers of SpyEye and Zeus were showing signs of a merger
  24. Approach #3: Technical attack analysis
  25. Getting into command-and-control servers
  26. No honor among thieves
  27. Automated attacks
     - Botnets
     - Mass SQL injection attacks
     - Google dorks
  28. And you can monitor trendy attacks
  29. Approach #4: Traffic analysis via honeypots
  30. Example: DDoS 2.0
  31. HTTP request caught by a ToR honeypot
     + POST /.dos/function.php HTTP/1.1
     + User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100409 Gentoo Firefox/3.6.3
     + Parameters – ip=
  32. Scale – probably thousands
     - Google shows hundreds
     - Probably only the tip of the iceberg
  33. Impact: Who was brought down?
     - Only saw it launched against one server
       + IP was a Dutch hosting provider
     - But there is likely more
       + We only see a fraction of the general traffic on our honeypot
       + This is only one implementation of DoS
     - Impact?
       + Depends on the hosting Web server bandwidth
       + A cable modem user typically has a 384 Kbps upstream
       + A Web host in a data center can have a 1 Gbps pipe
     - 1 server = 3000 bots
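As an added example (not part of the webinar or Imperva's tooling), slides 31 and 33 turned into defender-side logic: scan web server access logs for the honeypot signature (a POST to the DoS script carrying an `ip=` parameter naming the flood target) and compute the server-versus-cable-modem bandwidth ratio behind the "1 server = 3000 bots" claim. The log lines are constructed, and the trailing `body=` field is an assumed custom log format, not a standard Apache field.

```python
import re
from urllib.parse import parse_qs

# Script path from slide 31; the parameter name "ip" is also from the slide.
DOS_SCRIPT_RE = re.compile(r"/\.dos/function\.php")

# Constructed combined-format access log lines with the request body appended
# after "body=" (assumed custom LogFormat for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2011:10:01:02 +0000] "POST /.dos/function.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) Gecko/20100409 Gentoo Firefox/3.6.3" body=ip=198.51.100.20&time=600
203.0.113.7 - - [27/Jul/2011:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" body=
198.51.100.9 - - [27/Jul/2011:10:02:30 +0000] "POST /.dos/function.php HTTP/1.1" 200 17 "-" "curl/7.21.0" body=ip=192.0.2.55
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" body=(?P<body>.*)$'
)


def find_dos_commands(log_text):
    """Return (controller_ip, target_ip, user_agent) for every request matching the signature.

    A hit means someone is instructing this server to flood target_ip, i.e. the
    server is being used as one of the "bots" described on slide 33.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not DOS_SCRIPT_RE.search(m.group("path")):
            continue
        target = parse_qs(m.group("body")).get("ip", [None])[0]
        if target:  # only count requests that actually name a victim
            hits.append((m.group("src"), target, m.group("ua")))
    return hits


def bot_equivalents(server_upstream_bps, bot_upstream_bps):
    """Consumer bots needed to match one server's upstream (slide 33's comparison)."""
    return server_upstream_bps // bot_upstream_bps


if __name__ == "__main__":
    for src, target, ua in find_dos_commands(SAMPLE_LOG):
        print(f"DoS command from {src}: flood {target} (UA: {ua})")
    print("one 1 Gbps server ~", bot_equivalents(1_000_000_000, 384_000), "cable-modem bots")
```

The 1 Gbps / 384 Kbps ratio comes out near 2600, which is the rough "3000 bots" figure the slide rounds to.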
  34. Conclusions
  35. Conclusions: Time to get proactive
     + Scan Google for dorks with respect to your application
       – Dorks and tools are available on the net
     + Search Google for honey tokens
       – Distinguishable credentials or credential sets
       – Specific distinguishable character strings
     + Watch out for your name popping up in the wrong forums…
     - Deploy reputation-based services
     - Fight automation
       + CAPTCHA
       + Adaptive authentication
       + Access rate control
       + Click rate control
  36. Conclusions: Application security meets proactive security
     + Quickly identify and block sources of recent malicious activity
     + Enhance attack signatures with content from recent attacks
     + Identify sustainable attack platforms
       – Anonymous proxies
       – TOR relays
       – Active bots
     + Identify references from compromised servers
     + Introduce reputation-based controls
  37. Imperva: Protecting the data that drives business
  38. Imperva background
     - Imperva's mission is simple: Protect the data that drives business
     - The leader in a new category: Data Security
     - HQ in Redwood Shores CA; global presence
       + Installed in 50+ countries
     - 1,200+ direct customers; 25,000+ cloud users
       + 3 of the top 5 US banks
       + 3 of the top 10 financial services firms
       + 3 of the top 5 telecoms
       + 2 of the top 5 food & drug stores
       + 3 of the top 5 specialty retailers
       + Hundreds of small and medium businesses
  39. Imperva: Our story in 60 seconds
     Attack Protection | Usage Audit | Virtual Patching | Rights Management | Reputation Controls | Access Control
  40. Webinar materials
     - Get LinkedIn to Imperva Data Security Direct for…
     - Answers to post-webinar questions
     - Attendee discussions
     - Webinar recording link
     - Much more…
  41. Questions