Post on 31-Mar-2018
© 2012 Imperva, Inc. All rights reserved.
Today’s Presenter
Amichai Shulman – CTO Imperva
Information Security Professional for the past 20 years
Speaker at Industry Events
+ RSA, Info Security UK, Black Hat, OWASP AppSec
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Named one of InfoWorld’s “Top 25 CTOs”
Agenda
Overview of HII
Basic Methodology
High Level Figures
Drill Down Examples
Specific Incident
HII - Hacker Intelligence Initiative
Hacker Intelligence Initiative is focused on understanding how attackers are operating in practice
+ A different approach from vulnerability research
Data set composition
+ ~50 real world applications
+ Anonymous Proxies
+ Sporadic incident traffic
More than 18 months of data
Powerful analysis system
+ Combines analytic tools with drill down capabilities
HII - Motivation
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, The Art of War
HII Reports
Monthly reports based on data collection and analysis
Drill down into specific incidents or attack types
2011 / 2012 reports
+ Remote File Inclusion
+ Search Engine Poisoning
+ The Convergence of Google and Bots
+ Anatomy of a SQLi Attack
+ Hacker Forums Statistics
+ Automated Hacking
+ Password Worst Practices
+ Dissecting Hacktivist Attacks
+ CAPTCHA Analysis
WAAR – Web Application Attack Report
Semi-annual
Based on aggregated analysis of 6 / 12 months of data
Motivation
+ Pick up trends
+ High-level take-aways
+ Create comparative measurements over time
How to Create a “hack-o-scope” (Hacker Tracker)
Threat centers are an established practice for AV companies
+ Collect potential threat vectors and detection data from actual deployments
Honeypot projects of various types
+ Workstations
+ Network layer attacks
+ Spam and Phishing
Focus on web application attacks
+ Hard to create a compelling decoy application
+ Enterprise customers are not inclined to share attack data
The Good
Approach
+ Tap into actual application traffic
+ Single out attacks
Pros
+ Real target PoV
+ Compare malicious traffic to benign traffic
Cons
+ Mostly focused on attacks we can predict
+ Bad data-to-noise ratio
Our implementation
+ Use Imperva SOC and Imperva’s own IT systems
+ Rely on our WAF to single out attacks
The Bad
Approach
+ Tap into malicious traffic
Pros
+ 100% hacker guaranteed
Cons
+ Delicate handling
Our implementation
+ Anonymous Proxies
“To know your Enemy, you must become your Enemy.” – misattributed to Sun Tzu, The Art of War
The Ugly
Approach
+ Participate in hacker discussions on the web
Pros
+ Insight into “softer” evidence
Cons
+ Manual process
+ Resource consuming
Our implementation
+ Tap into some forums
+ Look up specific “honey tokens” on Google to find discussions around them
Analyzing Hacker’s Chit Chat
Hacker Chit-Chat
Tap into the “neighborhood’s pub”
+ Did not follow the discussions into IM conversations
+ Does not require personal recommendation
Analysis activity
+ Quantitative analysis of topics
+ Qualitative analysis of information being disclosed
+ Follow up on specific interesting issues
Topical Analysis by Attack
Topical Analysis by Content
Mobile Hacking Discussion
Counting Individual Requests
On Average: 27 attacks per hour ≈ 1 attack per 2 min.
Apps under automated attack: 25,000 attacks per hour ≈ 7 per second
Attack Distribution (Individual Requests)
Lesson #2: The “Unfab” Four
Take-away: Protect against these common attacks
These may seem like obvious, common attacks, but RFI and DT do not even appear in OWASP’s Top 10 list.
Retrospective
Assumptions
+ Attack requests are more or less evenly spread over time
+ Applications are more or less similar
Method
+ Count and analyze individual requests
+ Look at average over time / application
Consequence
+ “An application experiences an attack every other minute”
Contemplation
Observations
+ Attack traffic has a bursty nature
+ Applications in our data set show some outliers
Reflections
+ Do organizations really need to handle an alert every two minutes?
+ Do organizations handle a steady stream of attacks of an evenly distributed nature?
Resolution
Abandon individual requests and look at incidents
+ 30 requests (or more) within 5 mins
+ Intensity and durability
Further aggregate incidents into “battle days”
+ A day that includes at least one incident
Resolution (cont.)
“Then there is the man who drowned crossing a stream with an average depth of six inches.” – W.I.E. Gates
+ The distribution of web attacks is asymmetric and includes rare, yet extremely meaningful, outliers
+ Security professionals who prepare for the “average case” will be overwhelmed by the intensity of incidents when these actually happen
+ We shifted away from the average to other measures such as the median and quartiles
+ We use box-and-whisker charts to display the data, since they express dispersion and skewness
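An added example, not part of the presentation, that implements the incident and battle-day aggregation described above (30 or more requests within 5 minutes, grouped into incidents, then into days with at least one incident) and reports the median and worst case rather than the average; the request timestamps are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed request timestamps for one application (not HII data).
def _burst(start, count, spacing_s):
    return [start + timedelta(seconds=i * spacing_s) for i in range(count)]

REQUESTS = sorted(
    _burst(datetime(2012, 3, 5, 10, 0), 200, 2)   # 200 requests in ~6.6 min
    + _burst(datetime(2012, 3, 5, 14, 0), 45, 5)  # 45 requests in ~3.7 min
    + _burst(datetime(2012, 3, 8, 9, 30), 60, 3)  # 60 requests in ~3 min
    + _burst(datetime(2012, 3, 9, 1, 0), 12, 20)  # 12 requests: below threshold
    + [datetime(2012, 3, 7, 8, 0), datetime(2012, 3, 11, 23, 0)]  # stray hits
)

WINDOW = timedelta(minutes=5)
THRESHOLD = 30  # "30 requests (or more) within 5 mins" opens an incident

def find_incidents(times, window=WINDOW, threshold=THRESHOLD):
    """Group sorted timestamps into incidents: `threshold` requests within `window`
    open one, and it keeps growing while consecutive gaps stay within `window`."""
    incidents, i, n = [], 0, len(times)
    while i < n:
        last = i + threshold - 1
        if last < n and times[last] - times[i] <= window:
            while last + 1 < n and times[last + 1] - times[last] <= window:
                last += 1
            incidents.append({"start": times[i], "end": times[last],
                              "requests": last - i + 1,
                              "minutes": (times[last] - times[i]).total_seconds() / 60})
            i = last + 1
        else:
            i += 1
    return incidents

def battle_days(incidents):
    """ISO dates with at least one incident (the constructed bursts never cross midnight)."""
    return sorted({inc["start"].date().isoformat() for inc in incidents})

def summarize(incidents):
    """Typical (median) and worst case (max), as the report does, instead of the mean."""
    sizes = [inc["requests"] for inc in incidents]
    minutes = [inc["minutes"] for inc in incidents]
    return {"incidents": len(incidents), "battle_days": len(battle_days(incidents)),
            "magnitude_median": median(sizes), "magnitude_max": max(sizes),
            "duration_median": median(minutes), "duration_max": max(minutes)}
```

The sparse 12-request probe never becomes an incident at the 30-request threshold, which is exactly the noise the per-request count on the earlier slides would have included.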
Counting Incidents and Battle Days
                                             Typical (median)   Worst case (max)
Battle days (over a 6-month period)                 59                141
Incidents (over a 6-month period)                  137               1383
Incident magnitude (requests per incident)         195               8790
Incident duration (minutes)                       7.70                 79
Incidents and Battle Days – Frequency
An incident is expected every 3rd day
Some applications are attacked almost every day
A battle day usually includes more than a single attack
Expected frequency affects the resources an organization needs to allocate on a constant basis for handling attacks
Incidents and Battle Days - Magnitude
Typical case is ~200 requests
Average is 1 every 2 minutes
Worst case is more than 40 times that number
Affects the size of equipment an organization needs for handling attacks
Affects the capabilities required for handling incidents
+ Aggregation and summary
+ Quickly take action based on summary
Incidents and Battle Days - Frequency
[Chart: amount of incidents (0 to 350) per attack type: SQLi, RFI, LFI, DT, XSS, HTTP]
Incidents and Battle Days - Frequency
SQL injection is the most prevalent attack type
+ As opposed to the previous edition, which showed XSS and DT
RFI attacks are much more common than the raw request count suggests
Outliers indicate that some applications are heavily targeted by a specific type of attack
– SQLi
– HTTP (malformed requests of various types)
– DT
Predictability - Goals
Try to predict the timing of next attack / battle day based on history of attacks / battle days
We’ve shown that if an application faces an incident during a specific day, it is likely to experience more incidents that same day
+ Probably due to being part of a list distributed to attack bots
+ Maybe due to a change that made it pop up on the to-do list of attack bots
Being able to predict would affect the ability to effectively allocate resources
Predictability - Method
Looked for linear predictability between battle days
Used the autocorrelation function (ACF)
We employed Wessa, a freely available online service that performs auto-correlation
Predictability - Results
No apparent correlation over a simple time gap
Predictability - Results
Predictability - Results
Unreported, periodic vulnerability scan
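An added example, not the presentation’s own analysis (which used the Wessa service), of the ACF method from the Predictability slides: it computes the autocorrelation of a daily battle-day series in pure Python and flags a repeating gap of the kind an unreported periodic scan produces. Both battle-day histories are constructed.

```python
def indicator_series(battle_days, n_days):
    """Daily 0/1 series: 1 on each battle day (given as day offsets 0..n_days-1)."""
    days = set(battle_days)
    return [1 if d in days else 0 for d in range(n_days)]

def autocorrelation(series, max_lag):
    """Sample autocorrelation for lags 1..max_lag (no numpy needed):
    acf[k-1] = sum_t (x_t - m)(x_{t+k} - m) / sum_t (x_t - m)^2, m = mean."""
    n, mean = len(series), sum(series) / len(series)
    var = sum((x - mean) ** 2 for x in series)
    if var == 0:  # constant series: every day or no day is a battle day
        return [0.0] * max_lag
    return [sum((series[t] - mean) * (series[t + k] - mean) for t in range(n - k)) / var
            for k in range(1, max_lag + 1)]

def strongest_lag(acf):
    """1-based lag with the highest autocorrelation."""
    return max(range(len(acf)), key=acf.__getitem__) + 1

# Constructed battle-day histories over a 70-day window (not HII data).
# A scanner that hits the application every 7th day, plus five unrelated days:
PERIODIC = indicator_series([d for d in range(0, 70, 7)] + [3, 24, 40, 55, 66], 70)
# Irregular attack days with no repeating gap:
IRREGULAR = indicator_series([2, 5, 11, 19, 23, 31, 44, 47, 53, 60], 70)

def periodic_component(series, max_lag=30, min_acf=0.4):
    """(lag, acf) of the strongest lag if it clears `min_acf`, else None."""
    acf = autocorrelation(series, max_lag)
    lag = strongest_lag(acf)
    return (lag, acf[lag - 1]) if acf[lag - 1] >= min_acf else None
```

For the periodic series the strongest lag is 7 days (ACF about 0.54, with multiples of 7 next); the irregular series never clears the cut-off, which is the "no apparent correlation over a simple time gap" result.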
Cross Site Scripting
Cross Site Scripting – Zoom into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
… http://HighRankingWebSite+PopularKeywords+XSS
Cross Site Scripting – Zoom into Search Engine Poisoning
New Search Engine Indexing Cycle
Attack Automation – High Level View
Attack Automation – Specific Attack Types
RFI: Automatic 98%, Manual 2%
SQLi: Automatic 88%, Manual 12%
Attack Automation – Sample Tool
Attack Automation - Consequences
Skilled Hackers
+ Create more powerful tools
+ Focus not only on finding vulnerabilities but also on robust automation of their exploit (an engineering challenge)
Professional Hackers (Semi-skilled)
+ Can increase their business faster and more effectively using automation
+ Puts more organizations at risk as potential targets
Unskilled Hackers
+ Increased potential of incidental damages
Attack Persistence - Sources
A fair amount of attack sources are persistent over time
+ Persistent source = more than 3 days of activity
+ 30% of SQLi attacks
+ 60% of RFI attacks
[Chart: SQLi attacks (log scale, 1 to 10,000) against activity days (0 to 100)]
Attack Persistence - Sources (cont.)
RFI attacks: many consistent attackers
Attack Persistence - Attack Vectors
RFI attacks
+ Collect URLs that host the infection script
+ Some URLs are being used consistently over time
Attack Persistence - Attack Vectors (cont.)
+ Many shell URLs are used against more than one target
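An added example, not from the presentation, for the two persistence measures above: sources active on more than 3 days, and RFI shell URLs reused over time and against more than one target. The alert lines and their format are constructed (they are not Imperva’s log format), and the shell hosts use documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed WAF-style alert lines (not Imperva's format): day, attacking source,
# targeted application and the request. Hosts are RFC 5737 / .example placeholders.
ALERTS = """\
2011-09-01 src=198.51.100.7 app=shop GET /index.php?page=http://198.51.100.9/id.txt?
2011-09-01 src=198.51.100.7 app=blog GET /index.php?page=http://198.51.100.9/id.txt?
2011-09-03 src=203.0.113.4 app=shop GET /view.php?file=http://host.example/shell.txt
2011-09-05 src=198.51.100.7 app=shop GET /index.php?page=http://198.51.100.9/id.txt?
2011-09-08 src=198.51.100.7 app=wiki GET /index.php?page=http://198.51.100.9/id.txt?
2011-09-09 src=203.0.113.4 app=shop GET /view.php?file=http://host.example/shell.txt
2011-09-12 src=192.0.2.55 app=wiki GET /page.php?id=42
2011-09-14 src=198.51.100.7 app=shop GET /index.php?page=http://198.51.100.9/id.txt?
"""

LINE = re.compile(r"^(\S+) src=(\S+) app=(\S+) \S+ (\S+)$")

def shell_url(request):
    """Remote URL carried in a query parameter (the RFI vector), or None."""
    _, _, query = request.partition("?")
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v.rstrip("?")  # drop a trailing '?' so one host/path aggregates once
    return None

def parse_alerts(text):
    """(day, source, app, shell URL or None) per matching line; others are skipped."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        day, src, app, req = m.groups()
        yield day, src, app, shell_url(req)

def persistent_sources(records, min_days=4):
    """Sources active on more than 3 distinct days (the report's persistence cut-off)."""
    days = defaultdict(set)
    for day, src, _, _ in records:
        days[src].add(day)
    return {src: len(d) for src, d in days.items() if len(d) >= min_days}

def shell_url_reuse(records):
    """Per shell URL: number of days it was seen and the applications it was used against."""
    seen = defaultdict(lambda: {"days": set(), "targets": set()})
    for day, _, app, url in records:
        if url:
            seen[url]["days"].add(day)
            seen[url]["targets"].add(app)
    return {u: (len(s["days"]), sorted(s["targets"])) for u, s in seen.items()}
```

Because `parse_alerts` yields a generator, materialize it once (`list(...)`) before feeding both aggregations.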
The Plot
Attack took place in 2011 over a 25 day period.
Anonymous was on a deadline to breach and disrupt a website, a proactive attempt at hacktivism.
The website was mostly informational but contained data and enabled some commerce.
The attack did not succeed.
On the Offense
Skilled hackers - This group, around 10 to 15 individuals per campaign, has genuine hacking experience and is quite savvy.
Nontechnical - This group can be quite large, ranging from a few dozen to a few hundred volunteers. Directed by the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic.
Recruiting and Communications: An “Inspirational” Video
Recruiting and Communications: Social Media Helps Recruit
Reconnaissance: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Application Layer Attacks: Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications
Developed in Iran
Application Layer Attacks: Vulnerabilities of Interest
[Chart: number of alerts per day (0 to 4000), Day 19 to Day 23, by attack type: Directory Traversal, SQL injection, DDoS recon, XSS]
DDoS: Hacking Tools
Low-Orbit Ion Cannon (LOIC)
Purpose:
+ DDoS
+ Mobile and JavaScript variations
+ Can create 200 requests per second per browser window
DDoS: Anonymous and LOIC in Action
[Chart: transactions per day (0 to 700,000), Day 19 to Day 28; average site traffic compared with Mobile LOIC in action]
DDoS: LOIC Facts
LOIC downloads
+ 2011: 381,976
+ 2012 (through March 19): 318,340
+ Jan 2012 = 83% of 2011’s downloads!
JavaScript LOIC:
+ Easy to create
+ Iterates up to 200 requests per minute
+ Can be used via mobile device.
DDoS: Mobile LOIC