Cyber Vigilantes: Turning the Tables on Hackers

Post on 22-Nov-2014


Category:

Technology


DESCRIPTION

With command-and-control servers out in the open and key players in the hacking industry behind bars, are the tables beginning to turn on the underground world of cybercrime? Today's security practitioners are taking an aggressive approach to data security and applying defenses that stop hackers in their tracks. This proactive approach to security has uncovered ground-breaking hacker activities, including full-fledged attack campaigns (XSS and server-generated DDoS), data collections that contain millions of consumer passwords, and cloud-based technologies used by hackers. This webinar, featuring Imperva Director of Security Strategy Rob Rachwald, provides insight into the following: 1) techniques used by the security community to tap into hacker activity, 2) research on hacking campaigns, such as the recent LulzSec attacks, 3) technologies, methods, and models driving the business of cybercrime, and 4) recommendations for effective security controls to protect against next-generation attacks.

TRANSCRIPT

Cyber Vigilantes: Turning the Tables on Hackers

Rob Rachwald, Director of Security Strategy, Imperva

July 27, 2011

Agenda

The state of cyber security

+ Reality check #1: Hackers know the value of data

+ Reality check #2: Hackers, by definition, are early adopters

+ Reality check #3: Organizations have more vulnerabilities than time or resources can manage

Four ways to catch the predator

+ Monitor communications

+ Understand the business model

+ Conduct technical attack analysis

+ Analyze traffic via honeypots

About Imperva

Q&A session


Today’s Presenter

Rob Rachwald, Dir. of Security Strategy, Imperva

Research

+ Directs security strategy

+ Works with the Imperva Application Defense Center

Security experience

+ Fortify Software and Coverity

+ Helped secure Intel’s supply chain software

+ Extensive international experience in Japan, China, France, and Australia

Thought leadership

+ Presented at RSA, InfoSec, OWASP, ISACA

+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley


Cyber Vigilantes:


Cyber security today


Hacking has become industrialized.

Attack techniques and vectors are changing at an ever more rapid pace.

Attack tools and platforms are evolving.

Reality Check #1: Hackers know the value of data better than the good guys

Data is hacker currency

Website access up for sale


Reality Check #2: Hackers, by definition, are early adopters

Mobile (in)security

Hacker Forum Discussion Analysis

Hacker interest in mobile has increased

Consider 4000+ mentions in the past year versus only 400 from 12+ months ago

Source: Imperva Application Defense Center Research

[Chart: hacker forum mentions of nokia, iphone and android across four periods (last 3 months, 3 to 6 months ago, 6 to 9 months ago, a year ago and older); the bar values did not survive extraction]

Reality Check #3: The good guys have more vulnerabilities than time or resources can manage

WhiteHat Security Top 10 for 2010

Percentage likelihood of a Web site having at least one vulnerability sorted by class


Studying hackers – Why this helps

Focus on what hackers want helps the good guys prioritize

+ Technical insight into hacker activity

+ Business trends in hacker activity

+ Future directions of hacker activity

Eliminate uncertainties

+ Active attack sources

+ Explicit attack vectors

+ Spam content

Focus on actual threats

Devise new defenses based on real data, reducing guesswork

Approach #1: Monitoring communications

Method: Hacker forums

Tap into the neighborhood pub

Analyze activity

+ Quantitative analysis of topics

+ Qualitative analysis of information being disclosed

+ Follow up on interesting issues
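The "quantitative analysis of topics" step above is what produces the mobile-mentions chart earlier in the deck. The following is an added example, not code from the webinar or from Imperva: it buckets constructed forum posts by age relative to a reference date and counts which platform topics each post mentions. The post texts, the reference date and the bucket boundaries (90-day steps, with everything older than 270 days folded into one bucket) are my assumptions.

```python
import re
from collections import Counter
from datetime import date

TOPICS = ("nokia", "iphone", "android")

# Age buckets in days, approximating the deck's chart. The last bucket folds
# "9 months and older" together; the chart labels it "a year ago and older".
BUCKETS = (
    ("last 3 months", 90),
    ("3 to 6 months ago", 180),
    ("6 to 9 months ago", 270),
    ("9 months and older", None),
)

# Constructed sample posts (date, text); not real forum data.
POSTS = [
    (date(2011, 7, 1), "anyone got a working iphone jailbreak? mirrors please"),
    (date(2011, 7, 10), "iphone vs android, which one do you code for?"),
    (date(2011, 6, 20), "android apk repack tutorial, see attached"),
    (date(2011, 3, 2), "old nokia s60 trick still works on some carriers"),
    (date(2011, 2, 14), "iphone 4 baseband question"),
    (date(2010, 9, 30), "selling nokia unlock codes"),
    (date(2010, 5, 1), "fake android market apps, anyone tried?"),
]


def bucket_for(post_date, reference):
    """Map a post date to the first bucket whose upper bound it falls under."""
    age = (reference - post_date).days
    for label, limit in BUCKETS:
        if limit is None or age < limit:
            return label


def topics_in(text):
    """Topics mentioned in one post, each counted at most once per post.
    Word boundaries keep 'androids' or 'iphones' from matching."""
    low = text.lower()
    return {t for t in TOPICS if re.search(rf"\b{re.escape(t)}\b", low)}


def count_mentions(posts, reference):
    """Counter keyed by (bucket label, topic)."""
    counts = Counter()
    for post_date, text in posts:
        bucket = bucket_for(post_date, reference)
        for topic in topics_in(text):
            counts[(bucket, topic)] += 1
    return counts


def trend_table(posts, reference):
    """One row per bucket, one column per topic, ready to chart or print."""
    counts = count_mentions(posts, reference)
    return {label: {t: counts[(label, t)] for t in TOPICS} for label, _ in BUCKETS}


if __name__ == "__main__":
    # Reference date taken from the webinar date on the deck.
    for label, row in trend_table(POSTS, date(2011, 7, 27)).items():
        print(f"{label:22} {row}")
```

Swapping the keyword list for other topics (an exploit class, a product name, your own company name) gives the same trend view for the qualitative follow-up the slide recommends.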


SQL injection = Most popular topic

Source: Imperva Application Defense Center Research

Exploits (non-SQL injection), share of forum discussion:

+ Shellcode 26%

+ 0Day 17%

+ XSS 17%

+ Hacked Sites 17%

+ LFI / RFI 9%

+ Other 8%

+ Anonymity 6%

I believe in…


Approach #2: Understanding hacker business models

Example: Rustock


Lessons from the RSA Breach

“…according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.”

Source: http://krebsonsecurity.com/2011/05/rsa-among-dozens-of-firms-breached-by-zero-day-attacks

Spy Eye vs. Zeus

When installing SpyEye there is a “Kill Zeus” capability…

+ If chosen, it checks for the installation of the Zeus Trojan and uninstalls before installing SpyEye

Towards the end of October, the bot code developers of SpyEye and Zeus bots were showing signs of a merger


Approach #3: Technical attack analysis

Getting into command-and-control servers

No honor among thieves

Automated attacks

Botnets

Mass SQL injection attacks

Google dorks

And you can monitor trending attacks

Approach #4: Traffic analysis via honeypots

Example: DDoS 2.0


HTTP request caught by a Tor honeypot

+ POST /.dos/function.php HTTP/1.1

+ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3

+ Parameters

– ip=82.98.255.161&time=100&port=80
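The captured request above is a bot being told which address to flood, for how long, and on which port. As an added example, not code from the webinar or from Imperva, here is a small classifier a honeypot operator could run over captured requests to pull out such launch commands and the targets they name, so the target owner can be warned and the commanding IP blocklisted. The parser, the `DosCommand` record and the second and third sample captures are my constructions; the first capture reproduces the request shown on the slide.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class DosCommand:
    """One attack-launch command seen arriving at the honeypot."""
    path: str
    user_agent: str
    target_ip: str
    duration: int
    port: int


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: str) -> Optional[DosCommand]:
    """Return a DosCommand when the request carries the ip/time/port triplet
    that tells a bot to flood ip:port for `time` seconds; otherwise None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not {"ip", "time", "port"} <= set(params):
        return None
    if not IPV4.match(params["ip"]):
        return None
    try:
        duration, port = int(params["time"]), int(params["port"])
    except ValueError:
        return None
    if not (0 < port < 65536 and duration > 0):
        return None
    return DosCommand(path, headers.get("user-agent", ""), params["ip"], duration, port)


def scan(captures):
    """All launch commands found in a batch of captured requests."""
    return [cmd for cmd in map(classify, captures) if cmd is not None]


def targets(captures):
    """Distinct (ip, port) pairs under attack, for notification or alerting."""
    return sorted({(c.target_ip, c.port) for c in scan(captures)})


# Constructed captures. The first reproduces the request shown on the slide;
# the others are ordinary traffic that must not be flagged.
CAPTURES = [
    "POST /.dos/function.php HTTP/1.1\r\n"
    "Host: honeypot.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ip=82.98.255.161&time=100&port=80",
    "POST /contact.php HTTP/1.1\r\n"
    "Host: honeypot.example\r\n\r\n"
    "name=alice&message=hello",
    "GET /index.html HTTP/1.1\r\nHost: honeypot.example\r\n\r\n",
]

if __name__ == "__main__":
    for cmd in scan(CAPTURES):
        print(f"{cmd.path}: flood {cmd.target_ip}:{cmd.port} for {cmd.duration}s")
```

Counting how many distinct commanding sources name the same target over time is what turns the single sighting on the next slide into the "probably thousands" scale estimate.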


Scale – probably thousands

Google shows hundreds

Probably only the tip of the iceberg


Impact: Who was brought down?

Only saw it launched against one server

+ IP was Dutch hosting provider

But there is likely more

+ We only see a fraction of the general traffic on our honeypot

+ This is only one implementation of DoS

Impact?

+ Depends on the hosting Web server's bandwidth

+ A cable modem user typically has 384 Kbps upstream

+ A Web host in a data center can have a 1 Gbps pipe

+ 1 server = 3000 bots: one data-center host can push roughly what 3000 cable-modem bots would


Conclusions


Time to get proactive

+ Scan Google for dorks with respect to your application

– Dorks and tools are available on the net

+ Search Google for honey tokens

– Distinguishable credentials or credential sets

– Specific distinguishable character strings

+ Watch out for your name popping up in the wrong forums…
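Honey tokens only work if each one is unique enough to be found and traced back to where it was planted. As an added example, not code from the webinar or from Imperva, the following derives distinguishable fake credential pairs from a label and a secret (so a token can be re-derived for matching without storing it in clear), then scans a set of constructed documents, such as search-result snippets or pasted dumps, for any of them. The HMAC derivation, the field names, the secret and the sample documents are all my assumptions.

```python
import hashlib
import hmac

# Constructed secret for this example; generate one per deployment and keep
# it out of the repository.
HONEY_SECRET = b"constructed-secret-for-this-example"


def make_honey_token(label: str, secret: bytes = HONEY_SECRET, domain: str = "example.com"):
    """Derive a unique, unguessable fake credential pair from a label.
    HMAC makes tokens reproducible for matching yet impossible to guess,
    and the label records where the token was planted."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()
    return {
        "label": label,
        "username": f"svc-{digest[:10]}@{domain}",
        "password": digest[10:34],  # 24 hex characters, unlike any real password
    }


def make_token_set(labels):
    return [make_honey_token(lbl) for lbl in labels]


def token_markers(tok):
    """Strings worth searching for: the full username, its local part (in case
    the domain was stripped), and the password."""
    return {
        "username": tok["username"],
        "handle": tok["username"].split("@")[0],
        "password": tok["password"],
    }


def find_leaked_tokens(documents, tokens):
    """Scan named documents for any token marker.
    Returns (document name, token label, matched field) hits."""
    hits = []
    for name, text in documents.items():
        low = text.lower()
        for tok in tokens:
            markers = token_markers(tok)
            matched = [f for f in ("username", "password") if markers[f].lower() in low]
            if "username" not in matched and markers["handle"].lower() in low:
                matched.append("handle")
            for field in matched:
                hits.append((name, tok["label"], field))
    return hits


# Tokens planted in three places, named by where they were seeded.
TOKENS = make_token_set(["wiki-backup", "crm-export", "vpn-notes"])

# Constructed documents: one pasted dump, one forum post, one unrelated page.
DOCS = {
    "paste-1": "dump from some site:\nadmin:hunter2\n"
               f"{TOKENS[1]['username']}:{TOKENS[1]['password']}\n",
    "forum-post": f"got creds for {TOKENS[0]['username'].split('@')[0]} lol",
    "news": "unrelated article about mobile security",
}

if __name__ == "__main__":
    for name, label, field in find_leaked_tokens(DOCS, TOKENS):
        print(f"{name}: token planted in {label!r} leaked ({field})")
```

A hit tells you not just that something leaked but which planted copy it came from, which is the "distinguishable" property the slide asks for.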

Deploy reputation-based services

Fight automation

+ CAPTCHA

+ Adaptive authentication

+ Access rate control

+ Click rate control
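Access and click rate control come down to counting requests per client over a window and escalating the response as the count climbs. As an added example, not code from the webinar or from Imperva, here is a sliding-window controller that lets normal traffic through, answers a burst with a CAPTCHA challenge, and blocks a client that keeps going past a hard limit; it runs over constructed traffic from one scripted client and one person. The window size, the two thresholds and the sample addresses are my assumptions.

```python
from collections import Counter, defaultdict, deque


class RateController:
    """Sliding-window request counter per client with two thresholds:
    above soft_limit the client is served a CAPTCHA challenge, above
    hard_limit it is blocked until its window drains."""

    def __init__(self, window_s=10.0, soft_limit=20, hard_limit=60):
        self.window_s = window_s
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self._events = defaultdict(deque)  # client -> timestamps in window

    def decide(self, client: str, now: float) -> str:
        q = self._events[client]
        q.append(now)
        while q and now - q[0] > self.window_s:  # forget requests outside the window
            q.popleft()
        n = len(q)
        if n > self.hard_limit:
            return "block"
        if n > self.soft_limit:
            return "challenge"
        return "allow"


def simulate(requests, **limits):
    """requests: iterable of (client, timestamp) in arrival order.
    Returns (client, timestamp, decision) for each request."""
    rc = RateController(**limits)
    return [(client, ts, rc.decide(client, ts)) for client, ts in requests]


def summarize(decisions):
    """Per-client count of each decision."""
    out = defaultdict(Counter)
    for client, _, verdict in decisions:
        out[client][verdict] += 1
    return dict(out)


# Constructed traffic: a script firing 100 requests in 5 seconds, interleaved
# with a person clicking every 2 seconds. Addresses are documentation ranges.
BOT = [("203.0.113.5", i * 0.05) for i in range(100)]
HUMAN = [("198.51.100.7", 2.0 * i) for i in range(5)]
TRAFFIC = sorted(BOT + HUMAN, key=lambda r: r[1])

if __name__ == "__main__":
    for client, verdicts in summarize(simulate(TRAFFIC)).items():
        print(client, dict(verdicts))
```

The challenge tier is what keeps a shared NAT or a proxy from being cut off outright: a person behind it still gets through by solving the CAPTCHA, while a script stalls.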


Application security meets proactive security

+ Quickly identify and block source of recent malicious activity

+ Enhance attack signatures with content from recent attacks

+ Identify sustainable attack platforms

– Anonymous proxies

– TOR relays

– Active bots

+ Identify references from compromised servers

+ Introduce reputation based controls


Imperva: Protecting the data that drives business

Imperva background

Imperva’s mission is simple: Protect the data that drives business

The leader in a new category: Data Security

HQ in Redwood Shores CA; Global Presence

+ Installed in 50+ Countries

1,200+ direct customers; 25,000+ cloud users

+ 3 of the top 5 US banks

+ 3 of the top 10 financial services firms

+ 3 of the top 5 Telecoms

+ 2 of the top 5 food & drug stores

+ 3 of the top 5 specialty retailers

+ Hundreds of small and medium businesses

+ Usage Audit

+ Access Control

+ Rights Management

+ Attack Protection

+ Reputation Controls

+ Virtual Patching

Imperva: Our story in 60 seconds

Webinar materials

Get LinkedIn to Imperva Data Security Direct for…

+ Post-Webinar Discussions

+ Answers to Attendee Questions

+ Webinar Recording Link

+ Much more…

Questions
