
Amichai Shulman, CTO

Staring At The Beast

© 2012 Imperva, Inc. All rights reserved.


Today’s Presenter

Amichai Shulman – CTO Imperva

Information Security Professional for the past 20 years

Speaker at Industry Events

+ RSA, Info Security UK, Black Hat, OWASP AppSec

Lecturer on Info Security

+ Technion - Israel Institute of Technology

Former security consultant to banks & financial services firms

Leads the Application Defense Center (ADC)

+ Discovered over 20 commercial application vulnerabilities

– Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”


Agenda


Overview of HII

Basic Methodology

High Level Figures

Drill Down Examples

Specific Incident


Hacker Intelligence Initiative


Hacker Intelligence Initiative is focused on understanding how attackers are operating in practice

+ A different approach from vulnerability research

Data set composition

+ ~50 real world applications

+ Anonymous Proxies

+ Sporadic incident traffic

More than 18 months of data

Powerful analysis system

+ Combines analytic tools with drill down capabilities


HII - Hacker Intelligence Initiative


HII - Motivation

Focus on actual threats

+ Focus on what hackers want, helping good guys prioritize

+ Technical insight into hacker activity

+ Business trends of hacker activity

+ Future directions of hacker activity

Eliminate uncertainties

+ Active attack sources

+ Explicit attack vectors

+ Spam content

Devise new defenses based on real data

+ Reduce guess work

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, The Art of War


HII Reports

Monthly reports based on data collection and analysis

Drill down into specific incidents or attack types

2011 / 2012 reports

+ Remote File Inclusion

+ Search Engine Poisoning

+ The Convergence of Google and Bots

+ Anatomy of a SQLi Attack

+ Hacker Forums Statistics

+ Automated Hacking

+ Password Worst Practices

+ Dissecting Hacktivist Attacks

+ CAPTCHA Analysis


WAAR – Web Application Attack Report

Semi annual

Based on aggregated analysis of 6 / 12 months of data

Motivation

+ Pick-up trends

+ High level take outs

+ Create comparative measurements over time


Creating a Hack-O-Scope


How to Create a “hack-o-scope” (Hacker Tracker)

Threat centers are an established practice for AV companies

+ Collect potential threat vectors and detection data from actual deployments

Honeypot projects of various types

+ Workstations

+ Network layer attacks

+ Spam and Phishing

Focus on web application attacks

+ Hard to create a compelling decoy application

+ Enterprise customers are not inclined to share attack data


The Good

Approach

+ Tap into actual application traffic

+ Single out attacks

Pros

+ Real target PoV

+ Compare malicious traffic to benign traffic

Cons

+ Mostly focused on attacks we can predict

+ Bad data-to-noise ratio

Our implementation

+ Use Imperva SOC and Imperva’s own IT systems

+ Rely on our WAF to single out attacks


The Bad

Approach

+ Tap into malicious traffic

Pros

+ 100% hacker guaranteed

Cons

+ Delicate handling

Our implementation

+ Anonymous Proxies


“To know your Enemy, you must become your Enemy.” – misattributed to Sun Tzu, The Art of War


The Ugly

Approach

+ Participate in hacker discussions on the web

Pros

+ Insight into “softer” evidence

Cons

+ Manual process

+ Resource consuming

Our implementation

+ Tap into some forums

+ Lookup specific “honey tokens” on Google – Find discussions around them


Analyzing Hacker’s Chit Chat


Hacker Chit-Chat

Tap into the “neighborhood’s pub”

+ Did not follow on into IM conversations

+ Does not require personal recommendation

Analysis activity

+ Quantitative analysis of topics

+ Qualitative analysis of information being disclosed

+ Follow up on specific interesting issues



Topical Analysis by Attack


Topical Analysis by Content


Mobile Hacking Discussion


High Level Figures


Counting Individual Requests

On Average: 27 attacks per hour ≈ 1 attack per 2 min.

Apps under automated attack: 25,000 attacks per hour ≈ 7 per second


Attack Distribution (Individual Requests)


Lesson #2: The “Unfab” Four

Take-away: Protect against these common attacks

These may seem like obvious, common attacks, but RFI and DT do not even appear in OWASP’s Top 10 list.


Retrospective

Assumptions

+ Attack requests are more or less evenly spread over time

+ Applications are more or less similar

Method

+ Count and analyze individual requests

+ Look at average over time / application

Consequence

+ “An application experiences an attack every other minute”


Contemplation

Observations

+ Attack traffic has a bursty nature

+ Applications in our data set show some outliers

Reflections

+ Do organizations really need to handle an alert every two minutes?

+ Do organizations handle a steady stream of attacks of an evenly distributed nature?


Resolution

Abandon individual requests and look at incidents

+ 30 requests (or more) within 5 mins

+ Intensity and durability

Further aggregate incidents into “battle days”

+ A day that includes at least one incident


Resolution (cont.)

“Then there is the man who drowned crossing a stream with an average depth of six inches.” – W.I.E. Gates

+ Distribution of web attacks is asymmetric and includes rare, yet extremely meaningful, outliers

+ Security professionals who would prepare for the “average case” will be overwhelmed by the intensity of incidents when these actually happen

+ We shifted away from average into other measures like median and quartiles

+ Use Box & Whisker charts to display data – Express dispersion and skewness
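Aggregating request-level alerts into incidents and battle days the way the preceding slides describe, as an added example that is not part of the deck or of Imperva's analysis system. The traffic is constructed, and the burst-grouping rule (requests no more than five minutes apart form a burst, and a burst counts only if at least 30 of its requests fall inside one five-minute window) is one reading of the "30 requests within 5 mins" criterion, labelled as such in the code.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW, MIN_REQUESTS = timedelta(minutes=5), 30  # deck's rule: 30 or more requests within 5 minutes

def dense_enough(burst):
    # True if some WINDOW-long span inside the sorted burst holds MIN_REQUESTS requests
    j = 0
    for i, t in enumerate(burst):
        while burst[j] < t - WINDOW:
            j += 1
        if i - j + 1 >= MIN_REQUESTS:
            return True
    return False

def group_incidents(times):
    # Requests no more than WINDOW apart form a burst; only a dense enough burst is an incident
    bursts, current = [], []
    for t in sorted(times):
        if current and t - current[-1] > WINDOW:
            bursts.append(current)
            current = []
        current.append(t)
    bursts.append(current)
    return [{"day": b[0].date(), "requests": len(b),
             "minutes": (b[-1] - b[0]).total_seconds() / 60}
            for b in bursts if b and dense_enough(b)]

def summarize(records):
    # Typical (median) and worst-case (max) per row of the deck's incident table
    by_app = defaultdict(list)
    for app, t in records:
        by_app[app].append(t)
    per_app = [group_incidents(ts) for ts in by_app.values()]
    incidents = [inc for incs in per_app for inc in incs]
    stat = lambda values: (median(values), max(values)) if values else (0, 0)
    return {"battle_days": stat([len({i["day"] for i in incs}) for incs in per_app]),
            "incidents": stat([len(incs) for incs in per_app]),
            "magnitude": stat([i["requests"] for i in incidents]),
            "duration_min": stat([i["minutes"] for i in incidents])}

def burst(app, start, n, spacing_s):  # constructed traffic: n requests spacing_s seconds apart
    return [(app, start + timedelta(seconds=k * spacing_s)) for k in range(n)]

SAMPLE = (burst("app-a", datetime(2012, 3, 1, 10, 0), 40, 5)       # constructed, not HII data
          + burst("app-a", datetime(2012, 3, 1, 14, 0), 10, 20)    # too few requests
          + burst("app-a", datetime(2012, 3, 3, 9, 0), 200, 2)     # second battle day
          + burst("app-b", datetime(2012, 3, 2, 1, 0), 3000, 1)    # ~50-minute outlier
          + burst("app-c", datetime(2012, 3, 1, 12, 0), 30, 600))  # 30 over 5 hours: none
```

Note how app-c's 30 requests spread over five hours never become an incident, while app-b's single burst dominates the worst-case column exactly as the deck's outliers do.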


Counting Incident and Battle Days

                                             Typical (median)   Worst-case (max)
Battle days (over a 6 months period)                       59                141
Incidents (over a 6 months period)                        137               1383
Incident magnitude (requests per incident)                195               8790
Incident duration (minutes)                              7.70                 79


Incidents and Battle Days – Frequency

An incident is expected every 3rd day

Some applications are attacked almost every day

A battle day usually includes more than a single attack

Expected frequency affects the resources an organization needs to allocate on a constant basis for handling attacks


Incidents and Battle Days - Magnitude

Typical case is ~200 requests

Average is 1 every 2 minutes

Worst case is more than 40 times that number

Affects the size of equipment an organization needs for handling attacks

Affects the capabilities required for handling incidents

+ Aggregation and summary

+ Quickly take action based on summary


Incidents and Battle Days - Frequency

[Chart: amount of incidents (0 to 350) per attack type: SQLi, RFI, LFI, DT, XSS, HTTP]


Incidents and Battle Days - Frequency

SQL injection is the most prevailing attack type

+ As opposed to the previous edition, which showed XSS and DT

RFI attacks are much more common than indicated by just looking at the number of requests

Outliers indicate that some applications are heavily targeted by a specific type of attack

– SQLi

– HTTP (malformed requests of various types)

– DT


Predictability - Goals

Try to predict the timing of the next attack / battle day based on the history of attacks / battle days

We’ve shown that if an application faces an incident during a specific day, it is likely to experience more incidents that same day

+ Probably due to being part of a list distributed to attack bots

+ Maybe due to a change that made it pop on the to-do list of attack bots

Being able to predict would affect the ability to effectively allocate resources


Predictability - Method

Looked for linear prediction between battle days

Use Auto Correlation Function (ACF)

We employed Wessa, a freely available online service that performs auto-correlation


Predictability - Results

No apparent correlation over a simple time gap


Predictability - Results

Unreported, periodic, vulnerability scan
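The auto-correlation check described in the predictability slides, as an added example that is not the deck's own analysis and not the Wessa service it used: it computes the sample ACF of a daily battle-day indicator and flags lags outside the usual 2/sqrt(n) white-noise band. Both series are constructed; the periodic one shows how an unreported scanner returning on a fixed schedule stands out at its lag.

```python
from math import sqrt
from statistics import mean

def acf(series, max_lag):
    # Sample autocorrelation r(k) = sum_t (x_t - m)(x_{t+k} - m) / sum_t (x_t - m)^2
    m, n = mean(series), len(series)
    denom = sum((x - m) * (x - m) for x in series)
    if denom == 0:                      # constant series: nothing to correlate
        return [1.0] + [0.0] * max_lag
    return [sum((series[t] - m) * (series[t + k] - m) for t in range(n - k)) / denom
            for k in range(max_lag + 1)]

def significant_lags(series, max_lag):
    # Lags whose |r(k)| leaves the approximate 2/sqrt(n) white-noise band
    bound = 2 / sqrt(len(series))
    r = acf(series, max_lag)
    return [k for k in range(1, max_lag + 1) if abs(r[k]) > bound]

def battle_day_series(n_days, battle_days):
    # Daily indicator: 1 on a battle day (a day with at least one incident), else 0
    return [1 if d in battle_days else 0 for d in range(n_days)]

# Constructed series (not HII data). A scanner that returns every 7th day for
# 12 weeks shows up as strong positive correlation at lags 7 and 14.
PERIODIC_SCAN = battle_day_series(84, set(range(0, 84, 7)))
# Five scattered battle days in 20 days: no lag stands out, matching the deck's
# "no apparent correlation over a simple time gap" result.
SPORADIC = battle_day_series(20, {0, 3, 8, 12, 19})
```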


Drill Down into Details


Cross Site Scripting


Cross Site Scripting – Zoom into Search Engine Poisoning

http://HighRankingWebSite+PopularKeywords+XSS

… http://HighRankingWebSite+PopularKeywords+XSS


Cross Site Scripting – Zoom into Search Engine Poisoning

New Search Engine Indexing Cycle



Attack Automation – High Level View


Attack Automation – Specific Attack Types

RFI: Automatic 98%, Manual 2%

SQLi: Automatic 88%, Manual 12%


Attack Automation – Sample Tool


Skilled Hackers

+ Create more powerful tools

+ Focus not only on finding vulnerabilities but also on robust automation of their exploit (an engineering challenge)

Professional Hackers (Semi skilled)

+ Can increase their business faster and more effectively using automation

+ Puts more organizations at risk as potential targets

Unskilled Hackers

+ Increased potential of incidental damages


Attack Automation - Consequences


Attack Persistence - Sources

A fair amount of attack sources are persistent over time

+ Persistent source = more than 3 days of activity

+ 30% of SQLi attacks

+ 60% of RFI attacks

[Chart: SQLi attacks per source (log scale, 1 to 10,000) against activity days (0 to 100)]


RFI Attacks

Many consistent attackers

Attack Persistence - Sources


RFI Attacks

Collect URLs that host infection script

Some URLs are being used consistently over time

Attack Persistence - Attack Vectors


Many shell URLs are used against more than one target

Attack Persistence - Attack Vectors


Specific Attack Campaign


The Plot


Attack took place in 2011 over a 25 day period.

Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.

The website was mostly informational but contained data and enabled some commerce.

The attack did not succeed.


On the Offense


Skilled hackers - This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.

Nontechnical - This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.


How They Attack: The Anonymous Attack Anatomy


Recruiting and Communications: An “Inspirational” Video


Recruiting and Communications: Social Media Helps Recruit


Recruiting and Communications: An Early Warning System


Recruiting and Communications: Example


Reconnaissance: Finding Vulnerabilities


Tool #1: Vulnerability Scanners

Purpose: Rapidly find application vulnerabilities.

Cost: $0-$1000 per license.

The specific tools:

+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)

+ Nikto (open source)


Application Layer Attacks: Hacking Tools


Tool #2: Havij

Purpose:

+ Automated SQL injection and data harvesting tool.

+ Solely developed to take data transacted by applications

Developed in Iran


Application Layer Attacks: Vulnerabilities of Interest

[Chart: number of alerts per day (0 to 4,000), Day 19 to Day 23, for Directory Traversal, SQL injection, DDoS recon and XSS]


DDoS: Hacking Tools


Low Orbit Ion Cannon (LOIC)

Purpose:

+ DDoS

+ Mobile and Javascript variations

+ Can create 200 requests per second per browser window


DDoS: Anonymous and LOIC in Action

[Chart: transactions per day (0 to 700,000), Day 19 to Day 28, against average site traffic; the spike is labelled “Mobile LOIC in Action”]


DDoS: LOIC Facts


LOIC downloads

+ 2011: 381,976

+ 2012 (through March 19): 318,340

+ Jan 2012 alone = 83% of 2011’s downloads!

Javascript LOIC:

+ Easy to create

+ Iterates up to 200 requests per minute

+ Can be used via mobile device.


DDoS: Learning to Aim


Meet your target URL


DDoS: Mobile LOIC


Questions


Thank You
