Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack

In 2011, Imperva witnessed an assault by the hacktivist group Anonymous, observing both their use of social media for communication and, most importantly, their attack methods. Since Anonymous' targets vary, it is important for security professionals to learn how to prepare their organization for a potential attack. These presentation slides walk through the key stages of an Anonymous attack campaign, including recruitment and communication, application attack methods, and mitigation strategies.

  1. Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack. Amichai Shulman, CTO. © 2012 Imperva, Inc. All rights reserved.
  2. Agenda
     + Anonymous Overview and Background
     + How They Attack: Anatomy of an Anonymous Attack (Recruiting and Communications; Reconnaissance and Application Attack; DDoS)
     + Non-Mitigations
     + Mitigation Tools
  3. Today's Presenter: Amichai Shulman, CTO, Imperva
     + Speaker at industry events: RSA, Sybase Techwave, Info Security UK, Black Hat
     + Lecturer on information security at the Technion - Israel Institute of Technology
     + Former security consultant to banks and financial services firms
     + Leads the Application Defense Center (ADC), which has discovered over 20 commercial application vulnerabilities, credited by Oracle, MS-SQL, IBM and others
     + Named one of InfoWorld's "Top 25 CTOs"
  4. What/Who is Anonymous?
     "...the first Internet-based superconsciousness." —Chris Landers, Baltimore City Paper, April 2, 2008
     "Anonymous is an umbrella for anyone to hack anything for any reason." —New York Times, 27 Feb 2012
     "Anonymous is a handful of geniuses surrounded by a legion of idiots." —Cole Stryker, New York Times, 27 Feb 2012
  5. The Plot
     + The attack took place in 2011 over a 25-day period.
     + Anonymous was on a deadline to breach and disrupt a website: a proactive attempt at hacktivism.
     + The website was mostly informational but contained data and enabled some commerce.
     + The attack did not succeed.
  6. On the Offense
     + Skilled hackers: around 10 to 15 individuals per campaign, with genuine hacking experience; quite savvy.
     + Nontechnical volunteers: a much larger group, from a few dozen to a few hundred. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks, either by downloading and running special software or by visiting web pages designed to flood the victim with excessive traffic.
  7. On the Defense
     + Deployment line: network firewall, web application firewall (WAF), web servers and anti-virus.
     + Imperva WAF: SecureSphere WAF version 8.5, inline, high availability, with ThreatRadar. SSL wasn't used; the whole website was served over plain HTTP.
     + Unnamed network firewall and IDS.
     + Unnamed anti-virus.
  8. How They Attack: The Anonymous Attack Anatomy
  9. 1. Recruiting and Communications
  10. Step 1A: An "Inspirational" Video
  11. Step 1B: Social Media Helps Recruit
  12. Setting Up An Early Warning System
  13. Example
  14. 2. Recon and Application Attack
     "Avoid strength, attack weakness: Striking where the enemy is most vulnerable." —Sun Tzu
  15. Anonymous' Attacks Mimic For-Profit Hackers
     [Pie chart: hacker forum discussion topics, with slices for spam, DoS/DDoS, SQL injection, zero-day, shell code, brute-force and HTML injection; slice values range from 9% to 22%.] Source: Imperva, covering July 2010 - July 2011 across 600,000 discussions.
  16. Step 1A: Finding Vulnerabilities
     Tool #1: Vulnerability Scanners
     + Purpose: rapidly find application vulnerabilities.
     + Cost: $0-$1000 per license.
     + The specific tools: Acunetix (named a "Visionary" in a Gartner 2011 MQ); Nikto (open source).
  17. Hacking Tools
     Tool #2: Havij
     + Purpose: automated SQL injection and data harvesting tool, developed solely to take data transacted by applications.
     + Developed in Iran.
  18. Vulnerabilities of Interest
     [Bar chart: number of WAF alerts per day, Day 19 through Day 23, by category (Directory Traversal, SQL injection, DDoS recon, XSS); y-axis 0 to 4000 alerts.]
  19. Mitigation: AppSec 101
     + Dork yourself (run the same search-engine queries attackers use to find your exposed files and pages)
     + Blacklisting
     + WAF
     + WAF + VA (vulnerability assessment)
     + Stop automated attacks
     + Code fixing
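As an added example, not code from the Imperva deck: the "code fixing" item above is the one mitigation that removes the bug rather than filtering requests. The block below runs the same lookup in a deliberately vulnerable form (string concatenation) and a fixed form (bound parameter) against an in-memory SQLite table of constructed rows, first with a normal value, then with the single-quote probe and the tautology payload an automated injector such as Havij sends; the table name, columns and sample rows are assumptions.

```python
"""Added example (not from the Imperva deck): why "code fixing" stops a
Havij-style SQL injection where request filtering alone may not.

Two versions of the same lookup run against an in-memory SQLite table with
constructed sample rows. The vulnerable version builds the statement by string
concatenation; the fixed version uses a bound parameter. Table and column
names are illustrative assumptions.
"""
import sqlite3

# Constructed sample data standing in for the "data transacted by applications"
# that a tool like Havij harvests.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the user-controlled value is spliced into SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is passed as a bound parameter and never parsed as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe_reveals_error(conn: sqlite3.Connection, lookup) -> bool:
    """Error-based probe: does a lone quote make the database raise?

    This is the first thing an automated injector checks; a database error on
    "'" tells it the input reaches the SQL parser.
    """
    try:
        lookup(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


# A tautology payload of the kind automated injectors try once a parameter
# is confirmed injectable.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal value and with the payload."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_fixed": lookup_fixed(conn, "alice"),
        "probe_vulnerable": probe_reveals_error(conn, lookup_vulnerable),
        "probe_fixed": probe_reveals_error(conn, lookup_fixed),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),  # dumps every row
        "payload_fixed": lookup_fixed(conn, PAYLOAD),            # matches nothing
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe result is the signal Havij's detection phase relies on: a stray quote that changes the response tells the tool the input reaches the SQL parser. A WAF signature can block the well-known payload strings, which is what the later "Automated SQL Tool" slides show, but only the parameterized query makes the payload inert no matter how it is encoded.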
  20. 3. DDoS
  21. Hacking Tools: Low Orbit Ion Cannon (LOIC)
     Purpose:
     + DDoS
     + Mobile and JavaScript variations
     + Can create 200 requests per second per browser window
  22. Anonymous and LOIC in Action
     [Line chart: transactions per day, Day 19 through Day 28; y-axis 0 to 700,000. A baseline is labelled "Average Site Traffic" and the spike is annotated "Mobile LOIC in Action".]
  23. LOIC Facts
     LOIC downloads:
     + 2011: 381,976
     + 2012 (through March 19): 318,340
     + Jan 2012 alone = 83% of 2011's downloads!
     JavaScript LOIC:
     + Easy to create
     + Iterates up to 200 requests per minute
     + Can be used from a mobile device
  24. BUT: DDoS Is Moving Up the Stack
     + Decreasing costs. Traditional network-layer DDoS attacks require a large investment on the attacker's side, including distributing the attack across multiple sources. An application-layer attack needs far less: on this site, roughly 4,000 hits were enough to take it offline (slide 46).
     + The DoS security gap. Traditionally, the defense against DDoS has been based on dedicated devices operating at the lower layers (TCP/IP). These devices cannot detect higher-layer attacks because of inherent shortcomings: they don't decrypt SSL, they don't understand the HTTP protocol, and they are generally unaware of the web application.
     For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
  25. Application DDoS
     "The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit." —The Hacker News, July 30, 2011
  26. But That Much Sophistication Isn't Always Required
  27. But That Much Sophistication Isn't Always Required: "Meet your target URL"
  28. Mitigation
     WAF: it can decrypt SSL, understand HTTP and understand the application's business logic to analyze the traffic, sifting out the DoS traffic.
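As an added example (not from the deck and not Imperva's product code), the block below implements in Python the two detections the preceding slides describe, over constructed Apache combined-format log lines: scanner and injector traffic from the reconnaissance and application-attack phase (slides 16 to 19), recognised by tool User-Agent banners and by SQL injection, directory traversal and XSS tokens in the request path, and the single-source application-layer flood a LOIC-style JavaScript loop produces (slides 21 to 28), recognised by a per-IP requests-per-second count. The User-Agent substrings, the token patterns, the threshold and the log lines are all assumptions chosen for the demonstration.

```python
"""Added example (not from the Imperva deck): detection logic for the two
traffic patterns the deck describes, run over constructed Apache
combined-format log lines.

  (a) scanner/injector fingerprints: default User-Agent banners of the tools
      named in the deck, plus coarse SQLi / traversal / XSS tokens in the path;
  (b) application-layer flood: one source IP exceeding a requests-per-second
      threshold, as a LOIC-style browser loop against a single URL produces.

All markers, patterns, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings from the out-of-the-box banners of the tools named in the deck.
# Assumption: attackers can and do change these, so this is a weak signal.
SCANNER_UA_MARKERS = ("nikto", "havij", "acunetix")

# Coarse tokens for the alert categories on the "Vulnerabilities of Interest"
# slide. Matching runs on the URL-decoded path; a real WAF normalises far more.
ATTACK_TOKENS = {
    "sql_injection": re.compile(r"'\s*(or|and)\b|union\s+select|sleep\(|benchmark\(", re.I),
    "directory_traversal": re.compile(r"\.\./|/etc/passwd", re.I),
    "xss": re.compile(r"<script|javascript:", re.I),
}

FLOOD_THRESHOLD_PER_SEC = 5  # demo value; derive the real one from the site's baseline


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])
    return rec


def detect(lines) -> list:
    """Return one alert dict per finding: {"type", "ip", "detail"}."""
    alerts = []
    per_ip_second = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            alerts.append({"type": "scanner_ua", "ip": rec["ip"], "detail": rec["ua"]})
        for name, pattern in ATTACK_TOKENS.items():
            if pattern.search(rec["path"]):
                alerts.append({"type": name, "ip": rec["ip"], "detail": rec["path"]})
        per_ip_second[(rec["ip"], rec["ts"].replace(microsecond=0))] += 1
    for (ip, second), n in per_ip_second.items():
        if n > FLOOD_THRESHOLD_PER_SEC:
            alerts.append({"type": "app_layer_flood", "ip": ip,
                           "detail": f"{n} requests in the second starting {second.isoformat()}"})
    return alerts


def _line(ip, ts, path, ua, status="200"):
    """Build a constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"

# Constructed sample log: two ordinary requests, a scanner probe, an injection
# attempt, a traversal attempt, then a one-second burst from a single browser.
SAMPLE_LOG = [
    _line("198.51.100.7", "20/Apr/2011:10:00:01 +0000", "/index.html", NORMAL_UA),
    _line("198.51.100.7", "20/Apr/2011:10:00:04 +0000", "/about.html", NORMAL_UA),
    _line("203.0.113.5", "20/Apr/2011:10:00:09 +0000", "/cgi-bin/test.cgi",
          "Mozilla/5.00 (Nikto/2.1.4)", "404"),
    _line("203.0.113.9", "20/Apr/2011:10:00:12 +0000",
          "/news.php?id=12%27%20OR%20%271%27=%271", "Havij"),
    _line("203.0.113.9", "20/Apr/2011:10:00:13 +0000",
          "/download?file=../../../../etc/passwd", NORMAL_UA),
] + [
    _line("192.0.2.44", "20/Apr/2011:10:00:20 +0000", "/", NORMAL_UA) for _ in range(8)
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['type']:20} {alert['ip']:14} {alert['detail']}")
```

Two caveats a practitioner would add. The banner match only catches tools left at their defaults, which is the deck's own point about signatures on the IPS/NGFW slides; the token match and the per-IP rate are what remain once the User-Agent is spoofed. And the per-second threshold must come from the site's measured baseline rather than a fixed number; the deck's traffic chart shows the LOIC spike standing well above the labelled average, and that gap, not a constant, is what the threshold should sit in.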
  29. 4. Non-Mitigations
  30. Anti-Virus is Irrelevant: Malware is NOT the MO
     McAfee mea culpa: "The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?'" —McAfee, September 2011
     Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
  31. Anti-Virus Recommendation (From A Hacker!)
     "Use your existing anti virus or download a free one such as SpyBot Search And Destroy (Some AV is better than none and at least it keeps basic viruses out, dont pay for it though because your just funding the companies that make this problem worse)." (Sic) —Source: http://adamonsecurity.com/ , creator of RankMyHack.com
  32. I have IPS and NGFW, am I safe?
     IPS and NGFWs do not prevent web application attacks. Don't confuse "application aware" marketing with web application security. At a minimum, a WAF must include the following to protect web applications:
     • Web-App Profile
     • Web-App Signatures
     • Web-App Protocol Security
     • Web-App DDoS Security
     • Security Policy Correlation
     • Web-App Cookie Protection
     • Anonymous Proxy/TOR IP Security
     • HTTPS (SSL) visibility
  33. I have IPS and NGFW, am I safe? (continued)
     IPS and NGFWs do not prevent web application attacks. Don't confuse "application aware" marketing with web application security. Against the same list of minimum WAF capabilities, IPS and NGFWs at best only partially support the items marked in red on the original slide.
  34. I have IPS and NGFW, am I safe?
     • IPS & NGFW marketing: they have at least one web-app feature, so they market themselves as a solution.
     • IPS & NGFW gaps relative to WAF: WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security.
     • False sense of security: IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones previously mentioned susceptible to web application penetration.
  35. Anonymous targets that we know of, so far...
     How many of these organizations have AV, IPS and Next Generation Firewalls? Why are the attacks successful when these technologies claim to prevent them?
     US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, Sony, Amazon, Church of Scientology, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Malaysian Government, Polish Government, Polish Police, Polish President, Polish Ministry of Culture, Polish Prime Minister, Polish Ministry of Foreign Affairs, Polish Internal Security Agency, French Presidential Site, Austria Ministry of Justice, Austria Ministry of Internal Affairs, Austria Ministry of Economy, Austria Federal Chancellor, Slovenia NLB, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, HBGary Federal, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Rotary Club of Orlando, Bay Area Rapid Transit, Syrian Defense Ministry, Syrian Central Bank, Syrian Ministry of Presidential Affairs, various pornography sites, Muslim Brotherhood, UMG, PayPal, Mastercard, Visa, Itau, Banco de Brazil, US Senate, CIA, Citibank, Caixa.
  36. 5. Mitigations
  37. Automated Scanning Tools
  38. Automated Scanning Tools
  39. Automated Scanning Tools
  40. Automated SQL Tool
  41. Automated SQL Tool
  42. Automated SQL Tool: Havij SQL attack attempt fails with errors due to WAF mitigation.
  43. Blocking Traffic Based on Reputation
  44. Blocking Traffic Based on Reputation: real-time alerts and the ability to block based on IP reputation.
  45. Blocking Traffic Based on Reputation: real-time alerts and the ability to block based on IP reputation.
  46. DDoS Traffic: ~4000 hits take the website offline.
  47. DDoS Traffic
  48. DDoS Traffic: ~4000 hits take the website offline.
  49. DDoS Traffic: note 25x the number of hits blocked, with no web outage in this example.
  50. Webinar Materials
     Join the Imperva Data Security Direct LinkedIn group for answers to attendee questions, post-webinar discussions, the webinar slides and the webinar recording link: http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609
  51. www.imperva.com - CONFIDENTIAL -
