The Anatomy of an Anonymous
May 2012
Carolina Bozza
Security Engineer
Imperva
Who we are and what we do
Next Generation Threats Require New Approach
[Diagram: Imperva's Mission is to Provide a Complete Solution. Users: External (Customers, Staff, Partners, Hackers), Internal (Employees, Malicious Insiders, Compromised Insiders), Data Center (Systems and Admins). Protections: Technical Attack Protection, Logic Attack Protection, Fraud Prevention, Access Control, Usage Audit, User Rights Management.]
© Copyright 2012 Imperva, Inc. All rights reserved.
Hacktivism
From Wikipedia:
HACK + ACTIVISM - the use of computers and computer networks as a means of protest; (…) hacktivism could be defined as "the nonviolent use of legal and/or illegal digital tools in pursuit of political ends". These tools include web site defacements, denial-of-service attacks, information theft, (…) Acts of hacktivism are carried out in the belief that proper use of code will be able to produce similar results to those produced by regular activism or civil disobedience.
What is Anonymous?
What they claim to be:
Anonymous is an Internet meme (…), representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain. Hacktivists fighting for moral causes.
Reality:
“Anonymous is an umbrella for anyone to hack anything for any reason.” —New York Times, 27 Feb 2012
Targets include porn sites, Mexican drug lords, Sony, government agencies, banks, churches, law enforcement, an airline, São Paulo’s Mayor and Vladimir Putin.
Anyone can be a target.
The Plot - The anatomy of an Anonymous Attack
• The attack took place in 2011 over a 25-day period.
• Anonymous was on a deadline to breach and disrupt a website: a proactive attempt at hacktivism.
• 10-15 skilled hackers or “geniuses.”
• Several hundred to a thousand supporters.
On the Offense
Skilled hackers—This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.
Nontechnical—This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.
On the Defense
• The deployment line was network firewall, WAF, web servers and anti-virus.
• Imperva WAF
+ SecureSphere WAF version 8.5, inline, high availability
+ ThreatRadar reputation
+ SSL was not used; the whole website was served over HTTP
• Unnamed network firewall and IDS
• Unnamed anti-virus
Phase #1
Recruiting and Communications
“Inspirational” Videos
Social Media Helps Recruit
Phase #2
Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.”
—Sun Tzu
Finding Vulnerabilities
• Tool #1: Vulnerability Scanners
• Purpose: Rapidly find application vulnerabilities.
• Cost: $0-$1000 per license.
• The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
• Tool #2: Havij
• Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications.
• Developed in Iran
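The bug class that Havij automates, shown as an added example that is not part of the deck and is neither Imperva's nor Havij's code: a product search that splices a request parameter into SQL text, the UNION payload an automated tool emits once it has worked out the column count, and the bound-parameter form of the same query that turns the payload back into an ordinary search string. The schema, rows and hashes are constructed sample data, and the payload is illustrative of the technique rather than a capture of the tool's output.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, category TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'tools'), (2, 'Gadget', 'tools');
        INSERT INTO users VALUES
            (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
            (2, 'alice', 'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """Deliberately vulnerable: the request parameter is spliced into the SQL
    text, so the caller controls the statement's grammar, not just a value."""
    sql = "SELECT name, category FROM products WHERE category = '%s'" % category
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, category: str) -> list:
    """Hardened form: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# Shape of payload an automated tool produces once it knows the SELECT returns
# two columns: close the string literal, UNION the users table onto those two
# columns, and comment out the quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "


def harvest(conn: sqlite3.Connection) -> list:
    """What the attacker receives from the vulnerable endpoint: credential rows."""
    return lookup_vulnerable(conn, UNION_PAYLOAD)


def safe_result(conn: sqlite3.Connection) -> list:
    """The same payload against the bound query: an empty, harmless search."""
    return lookup_safe(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", harvest(db))
    print("safe:      ", safe_result(db))
```

The vulnerable function is the whole of what such a tool needs; the version of SQL Server, MySQL or Oracle behind the page only changes the comment token and the error strings it fingerprints, which is why a scanner finding on any single parameter is worth treating as an emergency.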
Phase #3
DDoS
Hacking Tools
• Low Orbit Ion Cannon (LOIC)
• Purpose:
+ DDoS
+ Mobile and JavaScript variations
+ Can create 200 requests per second per browser window
Anonymous and LOIC in Action
[Chart: “LOIC in Action” versus “Average Site Traffic”, transactions per second (axis ticks 0 to 700,000), Day 19 through Day 28 of the campaign.]
LOIC Facts
• LOIC downloads
+ 2011: 381,976
+ 2012 (through March 19): 318,340
+ Jan 2012 = 83% of 2011’s downloads!
• JavaScript LOIC:
+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used via mobile device.
Anybody can be an Anonymous!
Let’s Demo!!
I’ve spent a lot of money…
And why am I not safe yet?
I have IPS and NGFW, am I safe?
• IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware” marketing with Web Application Security.
• WAFs at a minimum must include the following to protect web applications:
+ Web-App Profile
+ Web-App Signatures
+ Web-App Protocol Security
+ Web-App DDoS Security
+ Web-App Cookie Protection
+ Anonymous Proxy/TOR IP Security
+ HTTPS (SSL) visibility
+ Security Policy Correlation
• However, IPS and NGFWs at best only partially support the items highlighted in red on the slide.
• IPS & NGFW marketing – they have at least one web-app feature, so they market themselves as a solution.
• IPS & NGFW gaps to WAF – WAFs provide far more web-app features than IPS and NGFWs. IPS and NGFWs do not even meet the most minimal requirements of web application security.
• False sense of security – IPS and NGFWs are creating a false sense of security with their claims and are leaving organizations like the ones we have previously mentioned susceptible to web application penetration.
Anonymous targets that we know of, so far…
US Department of Justice
US Copyright Office
FBI
MPAA
Warner Brothers
RIAA
HADOPI
BMI
Sony
Amazon
Church of Scientology
SOHH
Office of the AU Prime Minister
Polish Prime Minister
Polish Ministry of Foreign Affairs
Polish Internal Security Agency
French Presidential Site
Austria Ministry of Justice
Austria Ministry of Internal Affairs
Austria Ministry of Economy
Austria Federal Chancellor
Slovenia NLB
Mexican Interior Ministry
Mexican Senate
Mexican Chamber of Deputies
Irish Department of Justice
Muslim Brotherhood
UMG
PayPal
Mastercard
Visa
US Senate
CIA
Citibank
Itau
Banco do Brasil
Caixa Econômica Federal
Tim Celular Brasil
Presidência da República
AU House of Parliament
AU Department of Communications
Swiss bank PostFinance
Fine Gael
New Zealand Parliament
Tunisia Government
Zimbabwe Government
Egyptian Government
Malaysian Government
Polish Government
Polish Police
Polish President
Polish Ministry of Culture
Irish Department of Finance
Greek Department of Justice
Egyptian National Democratic Party
HBGary Federal
Spanish Police
Orlando Chamber of Commerce
Catholic Diocese of Orlando
Rotary Club of Orlando
Bay Area Rapid Transit
Syrian Defense Ministry
Syrian Central Bank
Syrian Ministry of Presidential Affairs
Various pornography sites
Petrobrás
Receita Federal
Ministério dos Esportes
Rede Globo de Televisão
Cielo (Visa)
Banco Central
HSBC Brasil
Bradesco
Dilma (President)
Kassab (São Paulo Mayor)
Mitigations
First, some interesting facts
• No bots;
• No malware;
• No phishing;
• Public recruitment.
Mitigation
• Monitor social media: Twitter, Facebook, YouTube, blogspot, pastebin etc.
• Use Google alerts
• Protect applications: web application firewalls, VA and code reviews
• Analyze the alert messages generated by your security devices: the DDoS attack was preceded by a few-days-long phase of reconnaissance. Daily analysis of alert information may help better prepare for tomorrow’s attack.
• IP reputation is very valuable: most of the reconnaissance traffic could have been blocked (ThreatRadar).
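The daily alert review and the recon-before-flood observation above, worked through as an added example that is not from the deck and not Imperva's product logic: a digest over Apache-style combined log lines that tags requests carrying the fingerprints of the scanners named in Phase #2, reports per-IP scanner hits per day, flags per-source request bursts of the kind LOIC produces, and lists the addresses that scanned on the days before the flood (the set an IP reputation feed or the daily review could have blocked ahead of time). The User-Agent substrings, the 30 requests-per-second threshold and the log lines generated by `sample_log()` are all assumptions or constructed data, not figures from the deck.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed fingerprints: substrings of the default User-Agent the scanners named in
# the deck send. A deployment should use maintained signatures, not this list.
SCANNER_UA = ("nikto", "acunetix", "havij")
FLOOD_RPS = 30  # assumed per-source threshold; tune to the site's real peak


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_scanner(rec: dict) -> bool:
    return any(tag in rec["ua"].lower() for tag in SCANNER_UA)


def recon_digest(lines) -> dict:
    """{day: {ip: scanner_hits}}: the daily review the deck recommends."""
    digest = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        if is_scanner(rec):
            digest[rec["ts"].date().isoformat()][rec["ip"]] += 1
    return {day: dict(hits) for day, hits in digest.items()}


def flood_sources(lines, threshold: int = FLOOD_RPS) -> dict:
    """{ip: peak requests in any single second} for sources over the threshold.
    LOIC-style floods are many ordinary-looking GETs, so rate is the signal."""
    per_second = Counter()
    for rec in filter(None, map(parse, lines)):
        per_second[(rec["ip"], rec["ts"])] += 1  # log timestamps have 1 s resolution
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > threshold}


def prior_recon_sources(lines, flood_day: str) -> set:
    """Addresses that scanned on days before `flood_day` (ISO date string)."""
    return {ip for day, hits in recon_digest(lines).items() if day < flood_day
            for ip in hits}


# ---- constructed sample log (not real traffic) -------------------------------
def _line(ip: str, ts: datetime, path: str, ua: str) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def sample_log() -> list:
    base = datetime(2011, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"  # assumed form
    lines = []
    for day in range(3):  # days 1-3: one address scanning, 20 probes a day
        for i in range(20):
            lines.append(_line("203.0.113.10", base + timedelta(days=day, seconds=7 * i),
                               f"/cgi-bin/test{i}", nikto_ua))
    for day in range(4):  # background visitors every day
        for i in range(10):
            lines.append(_line(f"192.0.2.{i + 1}", base + timedelta(days=day, minutes=i),
                               "/index.html", "Mozilla/5.0"))
    flood_at = base + timedelta(days=3, hours=2)  # day 4: five sources, 60 req/s each
    for n in range(5):
        lines.extend(_line(f"198.51.100.{n + 1}", flood_at, "/", "Mozilla/5.0")
                     for _ in range(60))
    return lines
```

The flood sources carry a browser User-Agent on purpose: the volunteers' traffic looks like visitors, so only the per-source rate separates it, while the scanning address is identifiable by content days earlier. That asymmetry is the point of the deck's mitigation slide: the recon phase is the cheap place to act.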
Anonymous Attack on Customer Site
Web Application Protection Use Case
Phase I: scanners such as Nikto (Technical Attack)
Phase II: Havij SQL injection tool (Technical Attack)
Phase III: LOIC application (Business Logic Attack)
SecureSphere stopped all phases of the attack.
Web Application Security Use Cases
Compliance and Legal: Web Application Protection
IT Operations: Application Virtual Patching, DDoS Protection
Line of Business: Site Scraping Prevention, Fraud Prevention, Legacy Application Security, Hosted Application Protection
The Defenses Required to Protect Web Apps
[Diagram. Technical Attack Protection: Dynamic Profiling, Attack Signatures, HTTP Protocol Validation, Cookie Protection. Business Logic Attack Protection: IP Geolocation, IP Reputation, Anti-Scraping Policies, Bot Mitigation Policies. Fraud Prevention: Malware Fraud Detection. Correlated Attack Validation spans both groups.]
IPS & NG Firewall Web Security Features
[Same diagram as the previous slide (Technical Attack Protection, Business Logic Attack Protection, Fraud Prevention, Correlation (Web Profile Correlation)), annotated with the IPS and NG firewall gaps:]
• High rate of false positives and negatives because of lack of app awareness
• Easy for hackers to evade via encoding, custom app vulnerabilities
Virtual Patching Use Case
Challenges for payment processor:
• Costly, time-consuming vulnerability fix cycles
• Target of Web attacks
SecureSphere:
• Reduces window of exposure, cost of manual app fixes
• Offers visibility for developers
[Diagram: company scans site with app scanner; vulnerabilities imported into WAF.]
Virtual Patching Through Scanner Integration
• SecureSphere can import scan results and instantly create mitigation policies
• Eliminated payment processors’ emergency fix and test cycles
[Diagram: Customer Site; scanner finds vulnerabilities; SecureSphere imports scan results; web applications are protected.]
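The scanner-to-WAF flow above, as an added example in Python that is not Imperva's import feature and not any real scanner's report format: a constructed findings list (url, param, type) is compiled into virtual patches scoped to exactly the URL and parameter the scanner flagged, and incoming requests are checked against those patches. The finding record layout, the rule naming, and the payload patterns are assumptions for this example; findings of a type with no pattern are reported as skipped rather than silently ignored, since a patch that is never created is the failure mode to watch for in this workflow.

```python
import re
from dataclasses import dataclass

# Assumed payload patterns keyed by the finding type a scanner report would carry.
# They are illustrative and evadable by encoding; a product ships curated signatures.
PATTERNS = {
    "sqli": re.compile(r"(?i)(['\"]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)"),
    "xss": re.compile(r"(?i)(<\s*/?\s*(script|img|svg|iframe)|javascript:|on\w+\s*=)"),
}


@dataclass(frozen=True)
class VirtualPatch:
    path: str      # exact request path the finding was reported on
    param: str     # the parameter the scanner injected into
    vuln: str      # finding type; selects the payload pattern
    rule_id: str


def compile_patches(findings: list) -> tuple:
    """Turn scanner findings into patches. Returns (patches, skipped_findings)."""
    patches, skipped = [], []
    for n, finding in enumerate(findings, 1):
        if finding["type"] not in PATTERNS:
            skipped.append(finding)  # surface it: no coverage was created
            continue
        patches.append(VirtualPatch(finding["url"], finding["param"],
                                    finding["type"], f"vp-{n:03d}"))
    return patches, skipped


def evaluate(patches: list, request: dict) -> tuple:
    """request: {"path": str, "args": {name: value}}.
    Returns ("block", rule_id) on the first matching patch, else ("allow", None)."""
    for patch in patches:
        if patch.path != request["path"]:
            continue
        value = request["args"].get(patch.param)
        if value is not None and PATTERNS[patch.vuln].search(value):
            return "block", patch.rule_id
    return "allow", None


# Constructed scanner output standing in for an imported report.
SAMPLE_FINDINGS = [
    {"url": "/products", "param": "category", "type": "sqli"},
    {"url": "/search", "param": "q", "type": "xss"},
    {"url": "/admin", "param": "", "type": "directory-listing"},
]
```

Scoping the patch to one path and parameter is what keeps the false-positive rate low enough to run in blocking mode on day one, but it is also the caveat: the same bug on a path the scanner never crawled stays open, so the patch buys time for the code fix rather than replacing it.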
Software Development Lifecycle
[Diagram. DESIGN & CODE: architect and implement code; improve application development processes. TEST: test for vulnerabilities; fix errors and vulnerabilities. DEPLOY: block attacks; virtually patch vulnerabilities; monitor and report exploits; detect leaks, errors. Legend: Imperva SecureSphere; manual processes or third party tools.]
Legacy Application Security Use Case
A bank inherited a treasury app:
• App had 50+ vulnerabilities, would cost $ millions to fix
• Wouldn’t allow vulnerable app into new data center
• Paying $1M a month to keep legacy app in old data center
Imperva SecureSphere WAF:
• Mitigated vulnerabilities
• Periodic scans confirm app is secure
[Diagram: Vulnerable Legacy Application]
Fraud Prevention Use Case
A bank needed to:
• Stop Man-in-the-Browser attacks
• Address FFIEC compliance
SecureSphere & ThreatRadar Fraud:
• Detects devices with fraud malware
• Requires no changes to apps for initial rollout or policy changes
[Diagram: Client Devices, SecureSphere; SecureSphere tracks fraud details.]
ThreatRadar Fraud Prevention
• SecureSphere integrates with Trusteer to detect users infected with malware like SpyEye, Zeus, Gozi, & Silon
1. User accesses Website
2. SecureSphere redirects browser to Trusteer
3. Browser downloads, runs malware check (“Is this endpoint safe?”)
4. Result sent to WAF (Pass / Block)
DDoS Protection Use Case
RV Manufacturer:
• Received DDoS that took down Website for 3 days
Cloud DDoS Protection:
• Stopped SYN Flood in less than 2 hours from phone call
• Stopped follow-on attack
[Diagram: DDoS attack traffic is blocked before the Websites; traffic paths labelled 2 Gbps and 20 Mbps.]
Full Web-based DDoS Protection
• Stops all DDoS threats
+ Application & network attacks
+ Proprietary technology differentiates humans from bots
– Analyzes HTTP redirect, cookie, and JavaScript execution capabilities
• Scales beyond your Internet connection limit
+ Supports DDoS attacks that burst to 2 Gbps or 4 Gbps
[Diagram: Attacker, Malicious Bot, Search Engine; Cloud DDoS Protection dashboard]
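The redirect-and-cookie half of the human-versus-bot check described above, as an added example that is not Imperva's technology: an edge handler that answers an unproven client with a 302 carrying an HMAC-signed, address-bound, expiring cookie and only serves origin content once the cookie comes back, beside a browser-like client that passes and a fire-and-forget flood client that never does. The `SECRET` value, the `chal` cookie name, the TTL and the request dictionary standing in for a parsed HTTP request are assumptions; the JavaScript-execution part of the check is not implemented here.

```python
import hashlib
import hmac

SECRET = b"rotate-me-per-deployment"  # assumed; a real edge pulls this from a key store
TTL_SECONDS = 300


def make_token(client_ip: str, now: int, secret: bytes = SECRET) -> str:
    """Cookie value: expiry plus an HMAC binding it to the client address."""
    exp = int(now) + TTL_SECONDS
    mac = hmac.new(secret, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def token_valid(token: str, client_ip: str, now: int, secret: bytes = SECRET) -> bool:
    """Accept only an unexpired token whose MAC matches this client address."""
    try:
        exp_text, mac = token.split(".", 1)
        exp = int(exp_text)
    except ValueError:
        return False
    if exp < int(now):
        return False
    expected = hmac.new(secret, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle(request: dict, now: int) -> tuple:
    """Edge logic in front of the origin. `request` has keys ip, path, cookies
    (a constructed stand-in for a parsed HTTP request). Returns (status, headers, body)."""
    token = request.get("cookies", {}).get("chal")
    if token and token_valid(token, request["ip"], now):
        return 200, {}, "origin content"
    # Unproven client: hand out a cookie and bounce it back to the same URL.
    token = make_token(request["ip"], now)
    headers = {"Location": request["path"],
               "Set-Cookie": f"chal={token}; HttpOnly; Path=/"}
    return 302, headers, ""


class Browser:
    """Client that stores Set-Cookie and follows redirects, as browsers do."""

    def __init__(self, ip: str):
        self.ip = ip
        self.cookies = {}

    def fetch(self, path: str, now: int, max_hops: int = 3) -> tuple:
        status, body = 0, ""
        for _ in range(max_hops):
            status, headers, body = handle(
                {"ip": self.ip, "path": path, "cookies": self.cookies}, now)
            if "Set-Cookie" in headers:
                name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
                self.cookies[name] = value
            if status != 302:
                break
            path = headers["Location"]
        return status, body


def fire_and_forget(ip: str, path: str, now: int, count: int) -> int:
    """A flood tool with no cookie jar that never follows the redirect:
    returns how many of its requests reached the origin."""
    reached = 0
    for _ in range(count):
        status, _headers, _body = handle({"ip": ip, "path": path, "cookies": {}}, now)
        if status == 200:
            reached += 1
    return reached
```

The check is cheap (one HMAC per request) and stops tools that do not keep cookie state, which covers the desktop LOIC HTTP mode the deck describes. It does not stop the JavaScript variant, which runs inside a real browser that keeps cookies and follows redirects, so per-source rate limits still have to sit behind it.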
Hosted Application Protection Use Case
Retailer:
• Had upcoming PCI audit
• Needed to protect Website & meet PCI 6.6
• Hosted apps in the cloud
Imperva Cloud WAF:
• Helped retailer meet PCI
• Fast, easy deployment
[Diagram: Bots, Hackers, Scrapers, Comment Spammers and Legitimate Users in front of the Company’s Website; Imperva Cloud WAF Dashboard]
Web Application Firewall in the Cloud
• Full, PCI-Certified Web application firewall
+ Leverages years of Imperva security expertise
• Stops SQL injection, XSS, OWASP Top 10, bots
• Protects both on-premise and hosted Websites
• Cost-effective managed WAF service
• Satisfies PCI DSS #6.6
• 360° Global Threat Detection: early detection of threats based on attacks to other protected sites
• Globally Distributed, High-Performance Proxy Network
Complete Protection Against Web Threats
[Diagram: SecureSphere in front of Web Apps, screening Bots, Web Attacks, App DDoS, Scrapers, Known Attackers, Undesirable Countries, Malware-based Fraud, Phishing Sites, Comment Spammers, Vulnerabilities.]
The Anatomy of an Anonymous Operation
May 2012
Carolina Bozza
Security Engineer