Automated Hacking Tools: The New Rock Stars in the Cyber Underground © 2012 Imperva, Inc. All rights reserved.

Page 1: Automated Hacking Tools: The New Rock Stars in the Cyber Underground

Page 2: Agenda

+ Context for HII Reports
+ Introducing Automated Hacking
  – Quantifying Automation
  – Hacking Automation Use Cases
  – Sample Tools
+ Analyzing Real World Data
+ Detection and Mitigation
+ Questions and Answers

Page 3: Presenter: Amichai Shulman – CTO Imperva

+ Speaker at Industry Events
  – RSA, Sybase Techwave, Info Security UK, Black Hat
+ Lecturer on Info Security
  – Technion - Israel Institute of Technology
+ Former Security Consultant to Banks and Financial Services Firms
+ Leads the Application Defense Center (ADC)
  – Discovered over 20 commercial application vulnerabilities
  – Credited by Oracle, MS-SQL, IBM and others
+ Named one of InfoWorld's "Top 25 CTOs"

Page 4: HII Report Context

+ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
  – A different approach from vulnerability research
+ Data set composition
  – ~50 real world applications
  – Anonymous proxies
+ More than 18 months of data
+ Powerful analysis system
  – Combines analytic tools with drill down capabilities

Page 5: Introducing Automated Hacking

Page 6: Quantifying Automation

Page 7: Quantifying Automation

Share of observed attack traffic that is manual vs. automated, by attack type:

Attack type   Manual   Automatic
RFI           2%       98%
SQLi          12%      88%

Page 8: Hacking Automation Use Cases

+ Automation affects the magnitude of the threat posed by hacking

Source: Honeypot.org: The Social Dynamics of Hacking

Page 9: Hacking Automation Use Cases

+ Skilled Hackers
  – Create more powerful tools
  – Focus not only on finding vulnerabilities but also on robust automation of their exploit (an engineering challenge)
+ Professional Hackers (Semi-skilled)
  – Can increase their business faster and more effectively using automation
  – Puts more organizations at risk as potential targets
+ Unskilled Hackers
  – Increased potential of incidental damages

Page 10: Hacking Automation Use Cases

+ Botnets
  – A step further in the evolution of automated hacking
  – Rather than automating a single task, a botnet automates the entire operation
+ Includes all steps of the operation
  – Target selection
  – Probing
  – Exploit

Page 11: Automated Hacking Tools

+ Search engine hacking
  – Discovery phase
  – Mostly botnet based today
+ General scanners
  – Probing of chosen targets
+ Focused on attack type / Focused on individual vulnerability
  – Exist as standalone tools and botnet modules

Page 12: Automated Hacking Tools

+ High-end
  – Slick GUI (point and click)
  – Evasion techniques
  – State of the art attack vectors
+ Havij
  – Focused on SQL Injection attacks
  – Used in attacks by Lulzsec and Anonymous

Page 13: Automated Hacking Tools

Page 14: Automated Hacking Tools

+ Professional
  – Command line
  – Ready for instrumentation
+ SQLmap
  – Focused on SQL Injection
+ FIMAP
  – Focused on Remote File Include

Page 15: Automated Hacking Tools

Page 16: Automated Hacking Tools

+ WhiteHat flipping sides
  – Tools aimed at vulnerability scanning
  – Automation is essential for continuous testing of large and complex web applications
  – Inherently easier to operate
+ Nikto
  – Public domain, low end
+ Nessus
  – Public domain (some versions), very friendly GUI
+ Acunetix
  – Powerful commercial tool; stolen licenses are shared among hackers

Page 17: Analyzing Real World Data

Page 18: Type of Automation

+ The type of automation is tightly related to the nature of the vulnerability to be exploited
+ SQL Injection
  – Tools that focus on an individual application at a time
  – High volume, high rate traffic generated against a single application
+ RFI
  – Tools that try to cover as many applications as possible
  – Low volume traffic when watching a single application
+ Search Engine Hacking
  – Need to bypass search engine restrictions
  – Highly distributed botnets

Page 19: Type of Automation

Page 20: Type of Automation

+ RFI Attacks: many sources attack more than one target

Page 21: Persistence of Sources

+ A fair amount of attack sources are persistent over time
  – Persistent source = more than 3 days of activity
  – 30% of SQLi attacks
  – 60% of RFI attacks

Chart: SQLi attacks (log scale, 1 to 10000) by activity days (0 to 100)

Page 22: Persistence of Sources

+ RFI Attacks: many consistent attackers

Page 23: Persistence of Attack Vectors

+ RFI Attacks: collect URLs that host the infection script
  – Some URLs are being used consistently over time

Page 24: Persistence of Attack Vectors

+ Many shell URLs are used against more than one target

Page 25: Country of Origin

SQLi

Country              Hosts   % of Hosts
USA                  3994    80
China                355     7
United Kingdom       75      2
Russian Federation   49      1
Canada               40      1
Republic of Korea    33      1
Germany              31      1
Brazil               29      1
India                28      1
France               24      1

SQLi

Country              Hosts   % of Hosts
China                98      30
USA                  78      24
Netherlands          9       3
Morocco              8       2
Egypt                7       2
Luxemburg            7       2
Brazil               7       2
France               7       2
Indonesia            6       2
Russian Federation   6       2

+ Most attack sources are in the US
+ Most high rate automation sources are in China!

Page 26: Detection and Mitigation

Page 27: General

+ Motivation
  – Automated hacking accounts for a large portion of attack traffic
  – Being able to detect malicious automation dramatically reduces the stress on other mechanisms designed to detect specific attacks
+ Challenge
  – Hard to implement WITHIN applications, as automation can be applied against each and every part of the application or the underlying application server

Page 28: Detecting Automated Hacking - Passive

+ Passive Methods
  – Watch network traffic "as-is"
  – Non intrusive, do not affect user experience
+ Traffic Shape Indicators
  – We measure suspicious requests (rather than ALL requests)
  – Measured attributes: rate, rate change (ramp-up speed), volume
  – Difficult to measure in an inherently noisy source (NAT)
+ Request Shape Indicators
  – Missing headers
  – Mismatch between headers and location
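An added example, not code from the deck or from Imperva, of the passive indicators above computed per source over constructed access-log lines: only requests matching a suspicious-pattern filter are counted, and from those the volume, peak per-second rate, ramp-up and any headers a mainstream browser always sends but the client omitted. The log format, the pattern list and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: "<second> <src_ip> <path> hdrs=<header names sent>"
SAMPLE_LOG = """\
0 10.0.0.5 /login hdrs=Host,User-Agent,Accept,Accept-Language
3 10.0.0.5 /search?q=shoes hdrs=Host,User-Agent,Accept,Accept-Language
4 10.0.0.5 /search?q=o'neil hdrs=Host,User-Agent,Accept,Accept-Language
0 10.0.0.9 /item?id=1' hdrs=Host,User-Agent
0 10.0.0.9 /item?id=1 UNION SELECT 1 hdrs=Host,User-Agent
1 10.0.0.9 /item?id=1'' hdrs=Host,User-Agent
1 10.0.0.9 /item?id=1 UNION SELECT 1,2 hdrs=Host,User-Agent
1 10.0.0.9 /item?id=1 UNION SELECT 1,2,3 hdrs=Host,User-Agent
1 10.0.0.9 /item?id=1 UNION SELECT 1,2,3,4 hdrs=Host,User-Agent
2 10.0.0.9 /item?id=1 UNION SELECT 1,2,3,4,5 hdrs=Host,User-Agent
2 10.0.0.9 /item?id=1 UNION SELECT 1,2,3,4,5,6 hdrs=Host,User-Agent
"""
LINE = re.compile(r"^(\d+) (\S+) (.*?) hdrs=(\S*)$")
# Assumed "suspicious request" filter: SQLi-looking quotes/UNION or an RFI-style URL parameter.
SUSPICIOUS = re.compile(r"('|union\s+select|=https?://)", re.IGNORECASE)
EXPECTED_HEADERS = {"Host", "User-Agent", "Accept", "Accept-Language"}

def profile_sources(log_text, window=5):
    """Traffic-shape and request-shape indicators per source, measured over
    suspicious requests only, for seconds 0..window-1 of the sample."""
    per_sec = defaultdict(lambda: defaultdict(int))   # src -> second -> count
    missing = defaultdict(set)                        # src -> headers never sent
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sec, src, path, hdrs = int(m[1]), m[2], m[3], set(m[4].split(","))
        if not SUSPICIOUS.search(path):
            continue                                  # benign traffic is not measured
        per_sec[src][sec] += 1
        missing[src] |= EXPECTED_HEADERS - hdrs
    out = {}
    for src, secs in per_sec.items():
        counts = [secs.get(s, 0) for s in range(window)]
        out[src] = {"volume": sum(counts), "peak_rate": max(counts),
                    "ramp_up": max(counts[i + 1] - counts[i] for i in range(window - 1)),
                    "missing_headers": sorted(missing[src])}
    return out

def is_automated(m, max_rate=3, max_volume=5):
    """Flag a source whose suspicious traffic exceeds human-plausible rate or volume,
    or whose requests lack browser headers. Thresholds must be raised for known NAT
    sources, which aggregate many users and are inherently noisy."""
    return m["peak_rate"] >= max_rate or m["volume"] >= max_volume or bool(m["missing_headers"])
```

The single quote in `o'neil` shows why the volume and rate thresholds matter: one suspicious request from an otherwise normal client is noise, not automation.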

Page 29: Detecting Automated Hacking - Passive

Page 30: Detecting Automated Hacking - Active

+ Introduce changes into the server response
  – Test client's reaction to changes
  – May affect user experience – use with care
  – Verify type of user agent
+ Browsers support JavaScript and an appropriate DOM
  – Client is expected to complete some computation
  – Application / GW can validate the computed value
+ Browsers comply with HTML tags (IMG, IFRAME)
  – Client is expected to access the resource referenced by embedded tags
  – Failure to access the resources implies that the client is an automated script

Page 31: Mitigation - Wisdom of the Crowds

+ Detected automation feeds into building fingerprints of tools and reputation data for sources
+ Leveraged when data is collected within a community
+ Recent regulatory changes endorse the concept of community
+ Drop requests matching fingerprints or coming from ill-reputed sources

Page 32: Mitigation – Challenges and Metering

+ Introduce changes to the response that require a true browser user-agent before letting any further requests within a session
  – Application / GW keeps sending the test for any request not in a validated session
  – A session is validated only if the user-agent responds properly
+ Introduce changes to the response that (based on the previous enforcement) introduce client side latency
  – Challenge the client to solve a mathematical riddle
  – Partial hash collisions are a good example
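An added example, not code from the deck or from Imperva, of the gateway logic behind the active computation check on page 30 and the session validation and partial-hash-collision riddle on this page: the gateway signs a per-session challenge, keeps answering with the challenge for any request whose session is not yet validated, and validates the session only after checking the signature, freshness and the proof of work. The secret, the in-memory session set and the difficulty are assumptions for the example; the solver stands in for the JavaScript a real browser would run.

```python
import hashlib, hmac, os, time

SECRET = b"constructed-gateway-secret"   # assumed gateway key, constructed for the example
VALIDATED = set()                        # assumed session store: sessions that answered properly

def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (the partial collision being demanded)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(session_id, bits=16, now=None, nonce=None):
    """Gateway: a challenge bound to the session and HMAC-tagged, so a client can neither
    lower the difficulty nor replay an old answer. `bits` sets the client-side latency."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex() if nonce is None else nonce
    msg = f"{session_id}:{nonce}:{bits}:{now}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return {"session": session_id, "nonce": nonce, "bits": bits, "issued": now, "tag": tag}

def solve_challenge(ch):
    """Client: the work a browser's script would do - find a counter whose SHA-256
    together with the nonce starts with `bits` zero bits."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()) < ch["bits"]:
        counter += 1
    return counter

def verify_answer(ch, counter, now=None, max_age=60):
    """Gateway: recompute the tag, check freshness, then check the proof of work.
    The session is validated only if every check passes."""
    now = int(time.time()) if now is None else now
    msg = f"{ch['session']}:{ch['nonce']}:{ch['bits']}:{ch['issued']}".encode()
    if not hmac.compare_digest(hmac.new(SECRET, msg, hashlib.sha256).hexdigest(), ch["tag"]):
        return False                       # challenge was altered (e.g. difficulty lowered)
    if not 0 <= now - ch["issued"] <= max_age:
        return False                       # stale answer, possibly precomputed
    digest = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < ch["bits"]:
        return False
    VALIDATED.add(ch["session"])
    return True

def gate(session_id, bits=16):
    """Per request: serve the application only for a validated session; otherwise
    keep sending the test instead of the real response."""
    if session_id in VALIDATED:
        return ("serve", None)
    return ("challenge", issue_challenge(session_id, bits))
```

Raising `bits` by one doubles the expected client work, which is the metering knob: a human's browser pays it once per session, a script pays it on every session it opens.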

Page 33: Mitigation (cont.)

+ Introduce CAPTCHA or other test to tell apart a human operator from a script

Page 34: Summary

+ Automation is ruling the threat landscape
  – It accounts for the lion's share of attack traffic
+ Automation is used in various forms
  – In depth scanning / attack of a single target
  – Wide breadth scanning / attack of multiple applications
  – Distributed scanning / attack of single / multiple applications

Page 35: Summary (cont.)

+ Detection and mitigation are essential for reducing noise and focusing resources on the most complex attacks
+ Detection and mitigation are most effectively deployed outside of the application
+ Detection and mitigation must include a combination of passive and active measures
+ Detection and mitigation are best utilized within a community that can generate reputation data

Page 36: Webinar Materials

+ Post-Webinar Discussions
+ Answers to Attendee Questions
+ Webinar Recording Link
+ Webinar Slides
+ Join Our LinkedIn Group, Imperva Data Security Direct for…

Page 37: www.imperva.com

- CONFIDENTIAL -