Post on 18-Dec-2015
transcript
- CONFIDENTIAL -
Imperva protects data and Internet transactions from malicious insiders and external threats.
About Imperva
Founded 2002 by Shlomo Kramer
More than 1700 Enterprise customers across:
+ Federal, state, and local government agencies
+ Hundreds of small and medium sized businesses
+ Non-profits and academic institutions.
More than 25,500 organizations across 40 countries protected by Imperva.
“Imperva is helping us protect the security
and privacy of customer data, and gain unprecedented visibility into who is
accessing this critical operational system.”
About Imperva – The Leader in Data Security
Database Security
Audit database access and deliver real-time protection against database attacks
File Security
Auditing, protection and rights management for unstructured data
Web Application Security
Protection against large scale Web attacks with reputation controls, automated management and drop-in deployment
The Plot
Attack took place in 2011 over a 25 day period.
Anonymous was on a deadline to breach and disrupt a website; a proactive attempt at hacktivism.
10-15 skilled hackers; several hundred to thousands of supporters.
On the Defense
Deployment line was a network firewall, IDS, WAF, web servers, network anti-DOS and anti-virus.
Imperva WAF
+ SecureSphere WAF version 8.5 inline, high availability
+ ThreatRadar reputation (IP Reputation)
+ SSL wasn’t used, the whole website was in HTTP
Recon and Application Attack
“Avoid strength, attack weakness: Striking where the enemy is most vulnerable.”
—Sun Tzu
Step 1A: Finding Vulnerabilities
Tool #1: Vulnerability Scanners
Purpose: Rapidly find application vulnerabilities.
Cost: $0-$1000 per license.
The specific tools:
+ Acunetix (named a “Visionary” in a Gartner 2011 MQ)
+ Nikto (open source)
Hacking Tools
Tool #2: Havij
Purpose:
+ Automated SQL injection and data harvesting tool.
+ Solely developed to take data transacted by applications
Developed in Iran
Vulnerabilities of Interest
[Chart: number of alerts per day, Day 19 through Day 23 (y-axis 0 to 4000), broken down by attack type: Directory Traversal (DT), SQL injection (SQLi), DDoS recon and XSS]
US is the ‘visible’ source of most attacks
[Pie chart: attack source by country]
+ United States 61.3%
+ Other 19.2%
+ China 9.4%
+ Sweden 4.4%
+ France 2.1%
+ Undefined 2.1%
+ United Kingdom 1.1%
+ Netherlands (percentage not recovered from the chart)
During the Anonymous attack 74% of the technical attack traffic originated from anonymizing services and was detected by IP reputation.
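As an added illustration of the alert breakdown and IP-reputation detection described above (example code written for this transcript, not Imperva's or SecureSphere's own logic), the Python below classifies constructed access-log lines into SQLi, directory traversal (DT), XSS and scanner recon alerts, counts them per day, and reports what share of the attack requests came from addresses on a constructed anonymizer list. The log lines, the reputation list, the user-agent patterns and the detection regexes are all assumptions for illustration, not a production rule set.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (simplified Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2011:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Dec/2011:10:00:02 +0000] "GET /news.php?id=1'%20OR%201=1-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Dec/2011:10:00:03 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Dec/2011:11:00:00 +0000] "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2011:11:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [20/Dec/2011:11:00:05 +0000] "GET /news.php?id=2%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 600 "-" "Havij"
203.0.113.9 - - [21/Dec/2011:09:30:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed stand-in for an IP reputation feed of anonymizing-proxy / Tor exit addresses.
ANONYMIZER_IPS = {"192.0.2.10", "203.0.113.9"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Illustrative signatures, mirroring the alert categories on the chart (assumed, deliberately simple).
RULES = [
    ("SQLi", re.compile(r"('|%27).*\b(or|and)\b|union\s+select|--|/\*", re.I)),
    ("DT", re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I)),
    ("XSS", re.compile(r"<script|javascript:|onerror=", re.I)),
]
# Scanner / automation tools named on the slides, recognised by their default user-agent strings.
SCANNER_UA = re.compile(r"nikto|acunetix|havij|sqlmap", re.I)


def classify(line):
    """Return (day, ip, [alert types]) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = m.group("ts").split(":", 1)[0]          # e.g. "19/Dec/2011"
    path = unquote(m.group("path"))               # decode %xx so encoded payloads are inspected
    alerts = [name for name, rx in RULES if rx.search(path)]
    if SCANNER_UA.search(m.group("ua")):
        alerts.append("recon")
    # Reputation is a correlation signal layered on an attack alert, not an alert by itself.
    if alerts and m.group("ip") in ANONYMIZER_IPS:
        alerts.append("anonymizer")
    return day, m.group("ip"), alerts


def summarize(log_text):
    """Alerts per day and per type, plus the share of attack requests that came via anonymizers."""
    per_day = defaultdict(Counter)
    attack_requests = 0
    via_anonymizer = 0
    for line in log_text.splitlines():
        parsed = classify(line)
        if not parsed:
            continue
        day, _ip, alerts = parsed
        attack_types = [a for a in alerts if a != "anonymizer"]
        for a in attack_types:
            per_day[day][a] += 1
        if attack_types:
            attack_requests += 1
            if "anonymizer" in alerts:
                via_anonymizer += 1
    share = via_anonymizer / attack_requests if attack_requests else 0.0
    return {day: dict(c) for day, c in per_day.items()}, share


if __name__ == "__main__":
    per_day, share = summarize(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, per_day[day])
    print("attack requests from anonymizers: %.0f%%" % (share * 100))
```

The per-day table is what the alert chart plots; the share figure is the counterpart of the 74% the deck reports, computed here only over the constructed sample. Decoding the path before matching matters: the second sample line carries its quote and comment marker URL-encoded, and a rule that inspected the raw path would miss it.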
Comparing to Lulzsec Activity
• Lulzsec was/is a team of hackers focused on breaking applications and databases.
• ‘New’ Lulzsec taking credit for recent attacks. Militarysingles.com.
• Our observations have a striking similarity to the attacks employed by Lulzsec during their campaign.
• Lulzsec used: SQL Injection, Cross-site Scripting and Remote File Inclusion (RFI/LFI).
Lulzsec Activity Samples
[Screenshot: RFI sample against index.php; image not reproduced]
1 infected server ≈ 3000 bot infected PC power
8000 infected servers ≈ 24 million bot infected PC power
Automation is Prevailing
In one hacker forum, one hacker claimed to have found 5012 websites vulnerable to SQLi through automation tools.
Note:
• Due to automation, hackers can be effective in small groups – i.e. Lulzsec, Anti-Sec, OpIndia, etc
• Automation also means that attacks are equal opportunity offenders. They don’t discriminate between well-known and unknown sites or agencies.
• They don’t need ‘skillz’ to steal data or DDOS.
Mitigation: AppSec 101
+ Code Fixing
+ Dork Yourself
+ Blacklist + IP Rep
+ WAF + Mitb
+ WAF + VA
+ Stop Automated Attacks
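Code Fixing is the item that actually removes the SQL injection that Havij-style automation harvests with. As an added example (not from the original deck and not Imperva's code), the Python below puts a vulnerable string-concatenated query next to its parameterized form against a constructed in-memory SQLite table, so the difference is visible on one input: a plain id returns one row from both, while a tautology appended to the id returns every row from the vulnerable version and nothing from the hardened one. The table, its rows and the function names are assumptions.

```python
import sqlite3

# Constructed table for the demonstration; nothing here comes from a real application.
SEED_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable form: the untrusted value becomes part of the statement text.

    Whatever the caller passes is parsed as SQL, which is exactly what automated
    injection tools rely on to pull the whole table instead of one row.
    """
    query = "SELECT name, email FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: bind the value as a parameter so it is never parsed as SQL.

    The type check is defence in depth for an integer key; the parameter binding
    is what closes the injection, and it works for string columns too.
    """
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT name, email FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "vulnerable ->", len(lookup_vulnerable(db, value)), "rows,",
              "safe ->", len(lookup_safe(db, value)), "rows")
```

The same pattern applies to every driver that offers placeholders; the point of the example is that the fix is in the application code, which is why a WAF in front of it is a mitigation layer and not a substitute for the first bullet.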
LOIC Facts
Low-Orbit Ion Canon (LOIC)
Purpose:
+ DDoS
+ Mobile and Javascript variations
Other variations – HOIC, GOIC, RefRef
LOIC downloads
+ 2011: 381,976
+ 2012 (through May 10): 374,340
+ June 2012 = ~98% of 2011’s downloads!
Anonymous and LOIC in Action
[Chart: average site traffic in transactions per second, Day 19 through Day 28 (y-axis 0 to 700,000), with the LOIC burst labelled “LOIC in Action”]
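Added example (not from the original deck or from Imperva) of the rate-based view the chart above implies: a LOIC-style flood shows up as transactions per second far above the site's learned baseline, and the sources driving it stand out by per-source rate. The request timeline, the learning window, the thresholds and the addresses are constructed assumptions chosen to make the behaviour visible.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed request timeline as (unix_second, source_ip) tuples.

    Ten seconds of baseline traffic (3 req/s from three users), then five seconds
    in which three constructed sources each send 40 req/s while one user carries on.
    """
    events = []
    for t in range(0, 10):
        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            events.append((t, ip))
    for t in range(10, 15):
        events.extend((t, "10.0.0.1") for _ in range(2))
        events.extend((t, "198.51.100.%d" % k) for k in range(1, 4) for _ in range(40))
    return events


def per_second_counts(events):
    """Total transactions per second, and per-source transactions per second."""
    totals = Counter()
    per_source = defaultdict(Counter)
    for t, ip in events:
        totals[t] += 1
        per_source[t][ip] += 1
    return totals, per_source


def detect(events, learn_seconds=5, baseline_factor=4.0, per_source_limit=20):
    """Return (baseline_rate, flagged_seconds, flagged_sources).

    The baseline is the mean rate over the first learn_seconds seconds (assumed
    clean). A second is flagged when its total exceeds baseline_factor times the
    baseline; a source is flagged when it exceeds per_source_limit requests in
    one flagged second.
    """
    totals, per_source = per_second_counts(events)
    seconds = sorted(totals)
    learn = seconds[:learn_seconds]
    baseline = sum(totals[s] for s in learn) / len(learn)
    threshold = baseline * baseline_factor
    flagged_seconds = [s for s in seconds[learn_seconds:] if totals[s] > threshold]
    flagged_sources = sorted({
        ip
        for s in flagged_seconds
        for ip, n in per_source[s].items()
        if n > per_source_limit
    })
    return baseline, flagged_seconds, flagged_sources


if __name__ == "__main__":
    baseline, secs, srcs = detect(build_sample())
    print("baseline %.1f tps; flagged seconds %s; flagged sources %s" % (baseline, secs, srcs))
```

The aggregate check and the per-source check are kept separate on purpose: with the mobile and JavaScript LOIC variants and several hundred supporters, each participant may stay under any sensible per-source limit, so the site-wide rate against a learned baseline is the signal that survives; the per-source list then says who to throttle first.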
Application DDoS
“The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.”
—The Hacker News, July 30, 2011
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
WAFs at a minimum must include the following to protect web applications:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
I have IPS and NGFW, am I safe?
IPS and NGFWs do not prevent web application attacks.
+ Don’t confuse “application aware marketing” with Web Application Security.
However, IPS and NGFWs at best only partially support the items in Red:
• Web-App Profile
• Web-App Signatures
• Web-App Protocol Security
• Web-App DDOS Security
• Web-App Cookie Protection
• Anonymous Proxy/TOR IP Security
• HTTPS (SSL) visibility
• Security Policy Correlation
Recent attacker targets….
Church of Scientology, Muslim Brotherhood, Zappos.com, MilitarySingles.com, Amazon, Austria Federal Chancellor, HBGary Federal, Mexican Interior Ministry, Mexican Senate, Mexican Chamber of Deputies, Irish Department of Justice, Irish Department of Finance, Greek Department of Justice, Egyptian National Democratic Party, Spanish Police, Orlando Chamber of Commerce, Catholic Diocese of Orlando, Bay Area Rapid Transit, PayPal, Mastercard, Visa
US Department of Justice, US Copyright Office, FBI, MPAA, Warner Brothers, RIAA, HADOPI, BMI, SOHH, Office of the AU Prime Minister, AU House of Parliament, AU Department of Communications, Swiss bank PostFinance, Fine Gael, New Zealand Parliament, Tunisia Government, Zimbabwe Government, Egyptian Government, Itau, Banco de Brazil, US Senate, Caixa
How many of these organizations have AV, IPS and Next Generations Firewalls?
Why are the attacks successful when these technologies claim to prevent them?