Anatomy of a Web Application Attack (June 2012), Terry Ray – VP WW Security Engineering


Anatomy of a Web Application Attack

June 2012

Terry Ray – VP WW Security Engineering

- CONFIDENTIAL -

Imperva protects data and Internet transactions from malicious insiders and external threats.

About Imperva

Founded 2002 by Shlomo Kramer

More than 1700 Enterprise customers across:

+ Federal, state, and local government agencies

+ Hundreds of small and medium sized businesses

+ Non-profits and academic institutions.

More than 25,500 organizations across 40 countries protected by Imperva.

“Imperva is helping us protect the security and privacy of customer data, and gain unprecedented visibility into who is accessing this critical operational system.”

About Imperva – The Leader in Data Security


Database Security

Audit database access and deliver real-time protection against database attacks

File Security

Auditing, protection and rights management for unstructured data

Web Application Security

Protection against large scale Web attacks with reputation controls, automated management and drop-in deployment

The Plot

Attack took place in 2011 over a 25 day period.

Anonymous was on a deadline to breach and disrupt a website; a proactive attempt at hacktivism.

10-15 skilled hackers, with several hundred to thousands of supporters.


On the Defense

The in-line deployment consisted of a network firewall, IDS, WAF, web servers, network anti-DoS and anti-virus.

Imperva WAF:

+ SecureSphere WAF version 8.5 inline, high availability

+ ThreatRadar reputation (IP Reputation)

+ SSL wasn’t used; the whole website was in HTTP


1. Recruiting and Communications


An “Inspirational” Video & Social Communication


Setting Up An Early Warning System


2. Recon and Application Attack


“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.”

—Sun Tzu

Step 1A: Finding Vulnerabilities

Tool #1: Vulnerability Scanners

Purpose: Rapidly find application vulnerabilities.

Cost: $0-$1000 per license.

The specific tools:

+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)

+ Nikto (open source)


Hacking Tools

Tool #2: Havij

Purpose:

+ Automated SQL injection and data harvesting tool.

+ Solely developed to take data transacted by applications.

Developed in Iran


Vulnerabilities of Interest


[Chart: number of alerts per day, Day 19 through Day 23 (y-axis: # alerts, 0 to 4000); series: Directory Traversal (DT), SQL injection (SQLi), DDoS recon, XSS]

US is the ‘visible’ source of most attacks

Share of attack traffic by apparent source country:

+ United States: 61.3%

+ Other: 19.2%

+ China: 9.4%

+ Sweden: 4.4%

+ France: 2.1%

+ Undefined: 2.1%

+ United Kingdom: 1.1%

+ Netherlands: (share not given in the source)

During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
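The IP-reputation figure above, together with the per-category alert chart before it, describes the two checks a WAF applies to every request: does the request carry a known attack pattern, and does it come from an address the reputation feed flags. The following is an added example, not code from the deck or from Imperva. It parses a handful of constructed access-log lines, tags each request as SQL injection, directory traversal or XSS using small signatures, and reports what share of the attack requests came from ranges on a constructed anonymizer list standing in for a reputation feed such as ThreatRadar. The log lines, the signatures and the 203.0.113.0/24 and 198.51.100.0/25 ranges are all assumptions made for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). Addresses come
# from documentation ranges (TEST-NET) and are not real attacker sources.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2012:10:00:01 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jun/2012:10:00:02 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Jun/2012:10:00:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jun/2012:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.8 - - [20/Jun/2012:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.200 - - [20/Jun/2012:10:00:06 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed stand-in for an IP reputation feed of anonymizing-proxy ranges.
ANONYMIZER_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Toy signatures for the three attack classes in the alert chart, applied to
# the URL-decoded request target. Order matters: the first match wins.
SIGNATURES = [
    ("SQLi", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select", re.I)),
    ("DT", re.compile(r"\.\./|\.\.\\")),
    ("XSS", re.compile(r"<\s*script|javascript:", re.I)),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Map a request target to an attack class, or None if nothing matches."""
    decoded = unquote(target)  # one decoding pass; double-encoding is a known gap
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def is_anonymizer(ip_text):
    """True if the client address falls inside a listed anonymizer range."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ANONYMIZER_RANGES)


def analyze(log_text):
    """Count alerts per class and the share of attack requests from anonymizers."""
    by_category = Counter()
    attacks = 0
    attacks_from_anonymizers = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not counted
        category = classify(rec["target"])
        if category is None:
            continue  # benign request, even if it came through an anonymizer
        by_category[category] += 1
        attacks += 1
        if is_anonymizer(rec["ip"]):
            attacks_from_anonymizers += 1
    share = attacks_from_anonymizers / attacks if attacks else 0.0
    return {
        "by_category": dict(by_category),
        "attack_requests": attacks,
        "attacks_from_anonymizers": attacks_from_anonymizers,
        "anonymizer_share": share,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for cat, n in report["by_category"].items():
        print(f"{cat}: {n} alert(s)")
    print(f"{report['anonymizer_share']:.0%} of attack requests came from anonymizer ranges")
```

The target is decoded once before matching, so double-encoded payloads, and attacks carried in a POST body or a header rather than the URL, fall outside what this signature set sees. That blind spot is why a WAF layers signatures with a learned application profile and reputation data rather than relying on any one of them.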

Comparing to Lulzsec Activity

• Lulzsec was/is a team of hackers focused on breaking applications and databases.

• ‘New’ Lulzsec is taking credit for recent attacks, e.g. Militarysingles.com.

• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.

• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).

[Figure residue: RFI, index.php]

Lulzsec Activity Samples

1 infected server ≈ 3000 bot-infected PCs of power

8000 infected servers ≈ 24 million bot-infected PCs of power

Automation is Prevailing

In one hacker forum, one hacker claimed to have found 5012 websites vulnerable to SQLi through automation tools.

Note:

• Due to automation, hackers can be effective in small groups, e.g. Lulzsec, Anti-Sec, OpIndia, etc.

• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites or agencies.

• They don’t need ‘skillz’ to steal data or DDOS.

Mitigation: AppSec 101

Code Fixing

Dork Yourself

Blacklist + IP Rep

WAF + Mitb

WAF + VA

Stop Automated Attacks
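The first item in this list, fixing the code, is what removes the SQL injection that a harvesting tool like Havij relies on. As an added example (not code from the deck or from Imperva), the Python below puts a vulnerable lookup that concatenates a request parameter into the query text next to the fixed version, which validates the parameter's type and binds it so the driver never treats it as SQL. The users table, its two rows and the lookup functions are constructed for this example.

```python
import sqlite3


def build_db():
    """Constructed in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, user_id):
    """The 'before' code: the request parameter is pasted into the SQL text.

    Whatever the client sends is parsed as SQL, which is precisely what an
    automated injection tool probes for.
    """
    query = "SELECT name, email FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn, user_id):
    """The 'after' code: check the type, then bind the value as a parameter.

    A bound parameter is passed to the engine as data, so it cannot change
    the structure of the statement no matter what it contains.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer") from None
    return conn.execute("SELECT name, email FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    tautology = "1 OR 1=1"  # the textbook probe every injection scanner sends first
    print("vulnerable, hostile input:", lookup_user_vulnerable(conn, tautology))  # every row
    print("fixed, normal input:", lookup_user_fixed(conn, "1"))
    try:
        lookup_user_fixed(conn, tautology)
    except ValueError as exc:
        print("fixed, hostile input rejected:", exc)
```

Binding alone is enough to stop the injection; the integer check in front of it is a second layer that turns a malformed value into a clean error at the edge of the application instead of a query the database has to reason about.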

3. Application DDoS


LOIC Facts

Low Orbit Ion Cannon (LOIC) Purpose:

+ DDoS

+ Mobile and Javascript variations

Other variations – HOIC, GOIC, RefRef

LOIC downloads:

+ 2011: 381,976

+ 2012 (through May 10): 374,340, which as of June 2012 is already ~98% of 2011’s downloads!


Anonymous and LOIC in Action


[Chart: transactions per second, Day 19 through Day 28 (y-axis: 0 to 700,000); series: Average Site Traffic vs. LOIC in Action]

Application DDoS


“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.”

—The Hacker News, July 30, 2011

4. Non-Mitigations


I have IPS and NGFW, am I safe?

IPS and NGFWs do not prevent web application attacks.

+ Don’t confuse “application aware marketing” with Web Application Security.

WAFs at a minimum must include the following to protect web applications:


• Web-App Profile

• Web-App Signatures

• Web-App Protocol Security

• Web-App DDOS Security

• Web-App Cookie Protection

• Anonymous Proxy/TOR IP Security

• HTTPS (SSL) visibility

• Security Policy Correlation


However, IPS and NGFWs at best only partially support the items highlighted in red on the original slide.


Recent attacker targets…

Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa

US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa

How many of these organizations have AV, IPS and Next Generation Firewalls?

Why are the attacks successful when these technologies claim to prevent them?

5. Demo