cyber vigilantes: turning the tables on hackers
DESCRIPTION
With command-and-control servers out in the open and key players in the hacking industry behind bars, are the tables beginning to turn on the underground world of cybercrime? Today's security practitioners are taking an aggressive approach to data security and applying defenses that stop hackers in their tracks. This proactive approach to security has uncovered ground-breaking hacker activities, including: full-fledged attack campaigns (XSS and server-generated DDoS), data collections that contain millions of consumer passwords, and cloud-based technologies used by hackers. This webinar, featuring Imperva Director of Security Strategy Rob Rachwald, provides insight into the following: 1) techniques utilized by the security community to tap into hacker activity, 2) research on hacking campaigns, such as the recent Lulzsec attacks, 3) technologies, methods, and models driving the business of cybercrime, and 4) recommendations for effective security controls to protect against next generation attacks.
TRANSCRIPT
Cyber Vigilantes: Turning the Tables on Hackers
Rob Rachwald, Director of Security Strategy, Imperva, July 27, 2011
Agenda
The state of cyber security
+ Reality check #1: Hackers know the value of data
+ Reality check #2: Hackers, by definition, are early adopters
+ Reality check #3: Organizations have more vulnerabilities than time or resources can manage
Four ways to catch the predator
+ Monitor communications
+ Understand the business model
+ Conduct technical attack analysis
+ Analyze traffic via honeypots
About Imperva
Q&A session
Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia
Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Cyber Vigilantes:
Cyber security today
Hacking has become industrialized.
Attack techniques and vectors are changing at an ever rapid pace.
Attack tools and platforms are evolving.
Reality Check #1: Hackers know the value of data better than the good guys
Data is hacker currency
Website access up for sale
Reality Check #2: Hackers, by definition, are early adopters
Mobile (in)security
Hacker Forum Discussion Analysis
Hacker interest in mobile has increased
Consider 4000+ mentions in the past year versus only 400 from 12+ months ago
Source: Imperva Application Defense Center Research
[Chart: hacker forum mentions of nokia, iphone and android, bucketed by period (last 3 months; 3 to 6 months ago; 6 to 9 months ago; a year ago and older); the count axis runs from 0 to 1800 mentions]
Reality Check #3: The good guys have more vulnerabilities than time or resources can manage
WhiteHat Security Top 10 for 2010
Percentage likelihood of a Web site having at least one vulnerability sorted by class
Studying hackers – Why this helps
Focus on what hackers want helps the good guys prioritize
+ Technical insight into hacker activity
+ Business trends in hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Focus on actual threats
Devise new defenses based on real data reducing guess work
Approach #1: Monitoring communications
Method: Hacker forums
Tap into the neighborhood pub
Analyze activity
+ Quantitative analysis of topics
+ Qualitative analysis of information being disclosed
+ Follow up on interesting issues
SQL injection = Most popular topic
Source: Imperva Application Defense Center Research
[Pie chart: exploits (non-SQL injection), share of forum discussion by topic]
+ Shellcode 26%
+ XSS 17%
+ 0Day 17%
+ Hacked Sites 17%
+ LFI / RFI 9%
+ Other 8%
+ Anonymity 6%
I believe in…
Approach #2: Understanding hacker business models
Example: Rustock
Lessons from the RSA Breach
“…according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.”
Source: http://krebsonsecurity.com/2011/05/rsa-among-dozens-of-firms-breached-by-zero-day-attacks
SpyEye vs. Zeus
When installing SpyEye there is a “Kill Zeus” capability…
+ If chosen, it checks for an installation of the Zeus Trojan and uninstalls it before installing SpyEye
Towards the end of October, the bot code developers of SpyEye and Zeus bots were showing signs of a merger
Approach #3: Technical attack analysis
Getting into command-and-control servers
No honor among thieves
Automated attacks
Botnets
Mass SQL injection attacks
Google dorks
And you can monitor trendy attacks
Approach #4: Traffic analysis via honeypots
Example: DDoS 2.0
HTTP request caught by a Tor honeypot
+ POST /.dos/function.php HTTP/1.1
+ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3
+ Parameters
– ip=82.98.255.161&time=100&port=80
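The request above is a command sent to a PHP DoS script on a compromised web server: the caller names a target ip, a port and a duration, and the server does the flooding. The detection logic below is an added example (not Imperva's code or the honeypot's), showing how a web-server log or WAF pipeline can parse such a request and turn it into a finding. The sample request is constructed from the captured lines on the slide; the Host header and Content-Length are assumptions added to make it a complete HTTP message.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample: the request shown on the slide, completed with an assumed
# Host header and the Content-Length of the body so it parses as full HTTP/1.1.
SAMPLE_REQUEST = (
    "POST /.dos/function.php HTTP/1.1\r\n"
    "Host: honeypot.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) "
    "Gecko/20100409 Gentoo Firefox/3.6.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "ip=82.98.255.161&time=100&port=80"
)

# A benign POST, constructed, to show the detector does not fire on ordinary forms.
BENIGN_REQUEST = "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&pass=x"

# The parameter set the captured DoS script expects: a target, a duration, a port.
DOS_PARAMS = {"ip", "time", "port"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and form parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs returns lists; keep the first value of each field.
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "headers": headers, "params": params}


def detect_dos_command(req):
    """Return a finding dict if the request looks like a command to a server-side
    DoS script (POST carrying a routable target ip, a port and a duration), else None."""
    params = req["params"]
    if req["method"] != "POST" or not DOS_PARAMS.issubset(params):
        return None
    try:
        target = ipaddress.ip_address(params["ip"])
        port = int(params["port"])
        duration = int(params["time"])
    except ValueError:
        return None  # parameters present but not a usable attack instruction
    if not (0 < port < 65536) or duration <= 0:
        return None
    return {
        "script_path": req["path"],       # where the DoS script lives on the server
        "target_ip": str(target),         # the victim named in the command
        "target_port": port,
        "duration_s": duration,
        "user_agent": req["headers"].get("user-agent", ""),
    }


def analyze(raw):
    """Parse a raw request and classify it; the finding is what you would alert on
    and feed the victim IP/port into a reputation or notification workflow."""
    return detect_dos_command(parse_http_request(raw))


if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST))
    print(analyze(BENIGN_REQUEST))
```

The parameter-name check is deliberately narrow to the script family captured here; in production the same parser would feed a rule set keyed on the path and parameter combinations seen across many honeypot captures, since each DoS script has its own field names.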
Scale – probably thousands
Google shows hundreds
Probably only the tip of the iceberg
Impact: Who was brought down?
Only saw it launched against one server
+ IP was Dutch hosting provider
But there is likely more
+ We only see a fraction of the general traffic on our honeypot
+ This is only one implementation of DoS
Impact?
+ Depends on the hosting Web server bandwidth
+ A cable modem user typically has 384 Kbps upstream
+ Web host in data center can have 1Gbps pipe
1 server = 3000 bots
Conclusions
Time to get proactive
+ Scan Google for dorks with respect to your application
– Dorks and tools are available on the net
+ Search Google for honey tokens
– Distinguishable credentials or credential sets
– Specific distinguishable character strings
+ Watch out for name popping in the wrong forums…
Deploy reputation-based services
Fight automation
+ CAPTCHA
+ Adaptive authentication
+ Access rate control
+ Click rate control
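"Access rate control" and "click rate control" both come down to the same mechanism: count a client's requests over a sliding window and refuse (or challenge) once the count passes what a human could plausibly produce. The following is an added example, not part of the webinar and not Imperva's product logic, of a per-client sliding-window limiter replayed over constructed traffic: one client browsing at human speed and one scripted client firing 100 requests in a second. The IP addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict, deque


class AccessRateControl:
    """Sliding-window limit: at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client key -> timestamps of allowed requests

    def allow(self, key, now):
        """Record a request at time `now` and return True if it is within the limit."""
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller should block or escalate to CAPTCHA / adaptive auth
        q.append(now)
        return True


def replay(events, limit=20, window=1.0):
    """Replay (timestamp, client_ip) events through the limiter.
    Returns {client_ip: (allowed, blocked)} so the blocked share per client is visible."""
    ctl = AccessRateControl(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        counts[ip][0 if ctl.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed traffic: a human issuing one request every 2 s, and a script
# issuing 100 requests 10 ms apart starting at t=5 s. Addresses are documentation
# ranges, not real hosts.
HUMAN = [(i * 2.0, "198.51.100.10") for i in range(10)]
BOT = [(5.0 + i * 0.01, "203.0.113.7") for i in range(100)]


if __name__ == "__main__":
    for ip, (ok, blocked) in replay(HUMAN + BOT).items():
        print(f"{ip}: {ok} allowed, {blocked} blocked")
```

With a limit of 20 requests per second the human client is never touched, while the scripted client gets its first 20 requests through and the remaining 80 refused. In practice the key would be a session or device fingerprint rather than a bare source IP, since the "sustainable attack platforms" listed later (anonymous proxies, Tor relays, bots) spread one actor across many addresses.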
Conclusions
Application security meets proactive security
+ Quickly identify and block source of recent malicious activity
+ Enhance attack signatures with content from recent attacks
+ Identify sustainable attack platforms
– Anonymous proxies
– TOR relays
– Active bots
+ Identify references from compromised servers
+ Introduce reputation-based controls
Imperva: Protecting the data that drives business
Imperva background
Imperva’s mission is simple: Protect the data that drives business
The leader in a new category: Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses
[Diagram: Imperva product capabilities]
+ Usage Audit
+ Access Control
+ Rights Management
+ Attack Protection
+ Reputation Controls
+ Virtual Patching
Imperva: Our story in 60 seconds
Webinar materials
Get LinkedIn to Imperva Data Security Direct for…
+ Post-Webinar Discussions
+ Answers to Attendee Questions
+ Webinar Recording Link
+ Much more…
Questions