In 2011, Imperva witnessed an assault by the hacktivist group, Anonymous, which included the use of social media for communications and, most importantly, their attack methods. Since Anonymous’ targets vary, it is important for security professionals to learn how to prepare their organization for a potential attack. These presentation slides will walk-through the key stages of an Anonymous attack campaign, including recruitment and communication, application attack methods, and mitigation strategies.

1. Unmasking Anonymous:
An Eyewitness Account of a Hacktivist Attack
Amichai Shulman, CTO
© 2012 Imperva, Inc. All rights reserved.

2. Agenda
 Anonymous Overview and Background
 How They Attack: Anatomy of an Anonymous Attack
+ Recruiting and Communications
+ Reconnaissance and Application Attack
+ DDoS
 Non-Mitigations Tools
 Mitigation Tools
2 © 2012 Imperva, Inc. All rights reserved.

3. Today’s Presenter
Amichai Shulman – CTO Imperva
 Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
 Lecturer on Info Security
+ Technion - Israel Institute of Technology
 Former security consultant to banks & financial services firms
 Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
© 2012 Imperva, Inc. All rights reserved.

4. What/Who is Anonymous?
“…the first Internet-based superconsciousness.”
—Chris Landers. Baltimore City Paper, April 2, 2008
“Anonymous is an umbrella for anyone to hack anything for
any reason.”
—New York Times, 27 Feb 2012
“Anonymous is a handful of geniuses surrounded by a legion
of idiots.”—Cole Stryker, New York Times, 27 Feb 2012
4 © 2012 Imperva, Inc. All rights reserved.

5. The Plot
 Attack took place in 2011
over a 25 day period.
 Anonymous was on a
deadline to breach and
disrupt a website, a
proactive attempt at
hacktivism.
 The website was mostly
informational but contained
data and enabled some
commerce.
 The attack did not succeed.
5 © 2012 Imperva, Inc. All rights reserved.

6. On the Offense
Skilled hackers - This group, around 10 to 15
individuals per campaign, have genuine hacking
experience and are quite savvy.
Nontechnical - This group can be quite large, ranging
from a few dozen to a few hundred volunteers.
Directed by the skilled hackers, their role is primarily to
conduct DDoS attacks by either downloading and using
special software or visiting websites designed to flood
victims with excessive traffic.
6 © 2012 Imperva, Inc. All rights reserved.

7. On the Defense
 Deployment line was network firewall, web application firewall
(WAF), web servers and anti-virus.
 Imperva WAF
+ SecureSphere WAF version 8.5 inline, high availability
+ ThreatRadar
+ SSL wasn’t used, the whole website was in HTTP
 Unnamed network firewall and IDS
 Unnamed anti-virus
7 © 2012 Imperva, Inc. All rights reserved.

8. How They Attack: The Anonymous Attack
Anatomy
8 © 2012 Imperva, Inc. All rights reserved.

9. 1
-----------------------------------
Recruiting and Communications
9 © 2012 Imperva, Inc. All rights reserved.

10. Step 1A: An “Inspirational” Video
10 © 2012 Imperva, Inc. All rights reserved.

11. Step 1B: Social Media Helps Recruit
11 © 2012 Imperva, Inc. All rights reserved.

12. Setting Up An Early Warning System
12 © 2012 Imperva, Inc. All rights reserved.

13. Example
13 © 2012 Imperva, Inc. All rights reserved.

14. 2
-----------------------------------
Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is
most vulnerable.”
—Sun Tzu
14 © 2012 Imperva, Inc. All rights reserved.

15. Anonymous’ Attacks Mimic For-Profit Hackers
Hacker Forum Discussion Topics
9% 16%
12% spam
dos/ddos
12% 22% SQL Injection
zero-day
10% shell code
19% brute-force
HTML Injection
Source: Imperva. Covers July 2010 -July 2011 across 600,000 discussions
15 © 2012 Imperva, Inc. All rights reserved.

16. Step 1A: Finding Vulnerabilities
 Tool #1: Vulnerability Scanners
 Purpose: Rapidly find application vulnerabilities.
 Cost: $0-$1000 per license.
 The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
16 © 2012 Imperva, Inc. All rights reserved.

17. Hacking Tools
 Tool #2: Havij
 Purpose:
+ Automated SQL injection
and data harvesting
tool.
+ Solely developed to take
data transacted by
applications
 Developed in Iran
17 © 2012 Imperva, Inc. All rights reserved.

18. Vulnerabilities of Interest
4000
3500
3000
2500
#alerts
Directory Traversal
2000
SQL injection
DDoS recon
1500 XSS
1000
500
0
Day 19 Day 20 Day 21 Day 22 Day 23
Date
18 © 2012 Imperva, Inc. All rights reserved.

19. Mitigation: AppSec 101
Dork Yourself
Blacklisting
WAF
WAF + VA
Stop Automated
Attacks
Code Fixing
19 © 2012 Imperva, Inc. All rights reserved.

20. 3
-----------------------------------
DDoS
20 © 2012 Imperva, Inc. All rights reserved.

21. Hacking Tools
 Low-Orbit Ion Canon (LOIC)
 Purpose:
+ DDoS
+ Mobile and Javascript variations
+ Can create 200 requests per second per browser window
21 © 2012 Imperva, Inc. All rights reserved.

22. Anonymous and LOIC in Action
700000
600000
Mobile LOIC in
500000
Action
Transactions per Day
400000
300000
200000
Average Site Traffic
100000
0
Day 19 Day 20 Day 21 Day 22 Day 23 Day 24 Day 25 Day 26 Day 27 Day 28
22 © 2012 Imperva, Inc. All rights reserved.

23. LOIC Facts
 LOIC downloads
+ 2011: 381,976
+ 2012 (through March 19): 318,340
+ Jan 2012=83% of 2011’s downloads!
 Javascript LOIC:
+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used via mobile device.
23 © 2012 Imperva, Inc. All rights reserved.

24. BUT: DDoS Is Moving Up the Stack
 Decreasing costs. Traditional DDoS attacks require a large
investment on the attacker’s side, which include distributing the
attack between multiples sources.
 The DoS security gap. Traditionally, the defense against DDoS
was based on dedicated devices operating at lower layers (TCP/IP).
These devices are incapable of detecting higher layers attacks due
to their inherent shortcomings: they don't decrypt SSL, they do not
understand the HTTP protocol, and generally are not aware of the
web application.
For more: http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-7.html
24 © 2012 Imperva, Inc. All rights reserved.

25. Application DDoS
The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a
widespread SQL service. The flaw is apparently known but not widely patched
yet. The tool's creators don't expect their attacks to work on a high-profile target
more than a couple of times before being blocked, but they don't believe
organizations will rush to patch this flaw en masse before being hit.
—The Hacker News, July 30, 2011
25 © 2012 Imperva, Inc. All rights reserved.

26. But That Much Sophistication Isn’t Always
Required
26 © 2012 Imperva, Inc. All rights reserved.

27. But That Much Sophistication Isn’t Always
Required
Meet your target URL
27 © 2012 Imperva, Inc. All rights reserved.

28. Mitigation
WAF: It can decrypt SSL, understand
HTTP and also understand the application
business logic to analyze the traffic, sifting
out the DoS traffic.
28 © 2012 Imperva, Inc. All rights reserved.

29. 4
-----------------------------------
Non-Mitigations
29 © 2012 Imperva, Inc. All rights reserved.

30. Anti-Virus is Irrelevant: Malware is NOT the MO
McAfee mea culpa
“The security industry
may need to reconsider
some of its fundamental
assumptions, including
'Are we really protecting
users and companies?’”
--McAfee, September 2011
Source: http://www.nytimes.com/external/readwriteweb/2011/08/23/23readwriteweb-mcafee-to-security-industry-are-we-really-p-70470.html?partner=rss&emc=rss
30 © 2012 Imperva, Inc. All rights reserved.

31. Anti-Virus Recommendation (From A Hacker!)
Use your existing anti virus or download a free one
such as SpyBot Search And Destroy (Some AV is
better than none and at least it keeps basic
viruses out, don't pay for it though because your
just funding the companies that make this
problem worse). (Sic)
—Source: http://adamonsecurity.com/ , creator of RankMyHack.com
31 © 2012 Imperva, Inc. All rights reserved.

32. I have IPS and NGFW, am I safe?
 IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application
Security.
 WAFs at a minimum must include the following to
protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security Security Policy Correlation
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
32 © 2012 Imperva, Inc. All rights reserved.

33. I have IPS and NGFW, am I safe?
 IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application
Security.
 However, IPS and NGFWs at best only partially support
the items in Red:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security Security Policy Correlation
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
33 © 2012 Imperva, Inc. All rights reserved.

34. I have IPS and NGFW, am I safe?
• IPS & NGFW Marketing – They have at least one web-app
feature so they market themselves as a solution.
• IPS & NGFW gaps to WAF – WAFs provide far more web-app
features than IPS and NGFWs. IPS and NGFWs do not even meet the
most minimal requirements of web application security.
• False Sense of Security - IPS and NGFWs are creating a false
sense of security with their claims and are leaving organizations like the
ones we have previously mentioned susceptible to web application
penetration.
34 © 2012 Imperva, Inc. All rights reserved.

35. Anonymous targets that we know of, so far…
US Department of Justice Polish Internal Security Agency PayPal
US Copyright Office French Presidential Site Mastercard
FBI Austria Ministry of Justice Visa
MPAA Austria Ministry of Internal Affairs Itau
Warner Brothers Austria Ministry of Economy Banco de Brazil
RIAA Austria Federal Chancellor US Senate
HADOPI Slovenia NLB CIA
BMI Mexican Interior Ministry Citibank
Sony Mexican Senate Caixa
AmazonHow many of these organizations have AV, IPS and Next Generations
Mexican Chamber of Deputies
Church of Scientology Firewalls?
Irish Department of Justice
SOHH Irish Department of Finance
Office of the AU Prime Minister Greek Department of Justice
Why are the attacks successfulNational Democratic Party
AU House of Parliament Egyptian when these technologies claim to prevent
AU Department of Communications HBGary Federal
Swiss bank PostFinance Spanish Police them?
Fine Gael Orlando Chamber of Commerce
New Zealand Parliament Catholic Diocese of Orlando
Tunisia Government Rotary Club or Orlando
Zimbabwe Government Bay Area Rapid Transit
Egyptian Government Syrian Defense Ministry
Malaysian Government Syrian Central Bank
Polish Government Syrian Ministry of Presidential Affairs
Polish Police Various Pornography sites
Polish President Muslim Brotherhood
Polish Ministry of Culture UMG
Polish Prime Minister
35 © 2012 Imperva, Inc. All rights reserved.
Polish Ministry of Foreign Affairs

36. 5
-----------------------------------
Mitigations
36 © 2012 Imperva, Inc. All rights reserved.

37. Automated Scanning Tools
37 © 2012 Imperva, Inc. All rights reserved.

38. Automated Scanning Tools
38 © 2012 Imperva, Inc. All rights reserved.

39. Automated Scanning Tools
39 © 2012 Imperva, Inc. All rights reserved.

40. Automated SQL Tool
40 © 2012 Imperva, Inc. All rights reserved.

41. Automated SQL Tool
41 © 2012 Imperva, Inc. All rights reserved.

42. Automated SQL Tool
Havij SQL attack
attempt fails with
errors due to WAF
mitigation.
42 © 2012 Imperva, Inc. All rights reserved.

43. Blocking Traffic Based on Reputation
43 © 2012 Imperva, Inc. All rights reserved.

44. Blocking Traffic Based on Reputation
Real-time alerts and ability to block
based on IP Reputation.
44 © 2012 Imperva, Inc. All rights reserved.

45. Blocking Traffic Based on Reputation
Real-time alerts and ability to block
based on IP Reputation.
45 © 2012 Imperva, Inc. All rights reserved.

46. DDoS Traffic
~4000 hits take the website offline.
46 © 2012 Imperva, Inc. All rights reserved.

47. DDoS Traffic
47 © 2012 Imperva, Inc. All rights reserved.

48. DDoS Traffic
~4000 hits take the website offline.
48 © 2012 Imperva, Inc. All rights reserved.

49. DDoS Traffic
** Note 25x the amount of hits blocked, with
no web outage in this example.
49 © 2012 Imperva, Inc. All rights reserved.

50. Webinar Materials
Get LinkedIn to
Imperva Data Security Direct for…
Answers to
Post-Webinar
Attendee
Discussions
Questions
Webinar
Webinar Slides
Recording Link
http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609
© 2012 Imperva, Inc. All rights reserved.

51. www.imperva.com
- CONFIDENTIAL -