AusCERT 2012 Day 2: “You can survive” a hacktivist attack: Tal Be’ery

Organised ‘hacktivist’ attacks from groups like Anonymous can be mitigated and defended against, Tal Be’ery of Imperva has told delegates to AusCERT. However, companies that might be targets for such attacks need to understand that hacktivists are no longer primarily concerned with launching a DDoS against their target site.

Be’ery said that while the threat of an “Internet blackout” by Anonymous earlier this year reinforces the stereotype that denial-of-service is the hacktivists’ purpose, if they are able to successfully penetrate their target’s security, they have the ability to create much more lasting damage (for example, by deleting files or publishing business secrets).

A successful exploit, he said, “damages data availability, privacy and integrity” while DDoS merely makes a site unavailable while the attack lasts.

Hence, potential targets should consider the risk of a successful intrusion “first and foremost”, because DDoS, even when it succeeds, is only the “last refuge” of the hacktivist.

The attack Be’ery described was launched using the “mobile LOIC” (Low Orbit Ion Cannon), with attack traffic spiking on the last two days of the attack. However, prior to the attack, Imperva had already seen precursors, both in the form of scanning traffic and simply by seeing itself discussed in social media feeds attributed to Anonymous.

“[Social media] can be used to set up an early warning system,” Be’ery pointed out: “and it doesn’t have to be sophisticated. Even a very simple Google alert will tell you if they’re talking about you the wrong way.”

Be’ery said the company found itself, in the lead-up to the attack, seeing reconnaissance-style traffic that identified the tool being used as the Iranian Havij tool, which provides automated SQL injection and data harvesting.

“This part of the attack was conducted by a small, dedicated technical group,” Be’ery said – a common pattern, with a larger crew of DDoS volunteers being drawn in as supporters only when the first attack failed.

When the attack was escalated to DDoS, he said, it came from the “mobile” LOIC (Low Orbit Ion Cannon), which is designed to overload the target not just by flooding it with low-layer packets, but by crafting URLs designed to overload the application. This, he said, isn’t blocked by strategies that focus on TCP/IP-level denial-of-service.

The key mitigation/protection strategies Be’ery highlighted include “checking yourselves and your application vulnerabilities on Google; create blacklists; deploy a Web application firewall; and block automated traffic.”
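The two precursors Be’ery describes, automated SQL-injection reconnaissance and an application-layer flood of crafted URLs, both leave traces in an ordinary web server access log, and the last two of his mitigations (create blacklists; block automated traffic) can be driven from those traces. The script below is an added illustration, not code from the talk, from Imperva or from CSO; it assumes a common/combined-format access log, generic SQL-injection probe patterns that are heuristics rather than any fingerprint of Havij itself, and the assumption that a LOIC-style HTTP flood shows up as one client issuing many requests with constantly varying URLs inside a short window. The thresholds and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic SQL-injection probe heuristics applied to the decoded query string.
# Assumption: these are illustrative patterns, not a signature of any particular tool.
SQLI_RE = re.compile(r"(union\s+select|'\s*(or|and)\s|--\s|/\*|sleep\()", re.IGNORECASE)

# Application-layer flood thresholds (constructed values, tune per site).
FLOOD_WINDOW_S = 10          # sliding window length in seconds
FLOOD_REQUESTS = 25          # requests from one client within the window that trigger an alert
FLOOD_DISTINCT_RATIO = 0.8   # share of distinct URLs in the window (varying URLs defeat caching)
SQLI_MIN_PROBES = 2          # probes from one client before it is listed for blocking


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return (sqli_probes, floods), both keyed by client IP.

    sqli_probes: number of requests whose query string matched SQLI_RE.
    floods: first window in which a client crossed the flood thresholds.
    """
    sqli_probes = defaultdict(int)
    floods = {}
    windows = defaultdict(deque)  # ip -> deque of (time, url) inside the sliding window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, url = rec["ip"], rec["time"], rec["url"]
        query = unquote_plus(urlsplit(url).query)
        if SQLI_RE.search(query):
            sqli_probes[ip] += 1
        w = windows[ip]
        w.append((t, url))
        while (t - w[0][0]).total_seconds() > FLOOD_WINDOW_S:
            w.popleft()
        if len(w) >= FLOOD_REQUESTS and ip not in floods:
            distinct = len({u for _, u in w})
            if distinct / len(w) >= FLOOD_DISTINCT_RATIO:
                floods[ip] = {"requests": len(w), "distinct_urls": distinct}
    return dict(sqli_probes), floods


def block_list(sqli_probes, floods):
    """Clients to add to a blacklist: repeated SQLi probers and flood sources."""
    probers = {ip for ip, n in sqli_probes.items() if n >= SQLI_MIN_PROBES}
    return sorted(probers | set(floods))


def constructed_log():
    """Synthetic access log: normal users, one SQLi prober, one HTTP flood source."""
    lines = [
        '192.0.2.10 - - [20/May/2012:10:00:00 +1000] "GET /news.php?id=7 HTTP/1.1" 200 5120',
        '203.0.113.5 - - [20/May/2012:10:00:01 +1000] "GET /news.php?id=7%27 HTTP/1.1" 500 312',
        '203.0.113.5 - - [20/May/2012:10:00:02 +1000] "GET /news.php?id=7+UNION+SELECT+1,2,3 HTTP/1.1" 200 5300',
        '203.0.113.5 - - [20/May/2012:10:00:03 +1000] "GET /news.php?id=7%27+OR+1=1-- HTTP/1.1" 200 9100',
        '192.0.2.11 - - [20/May/2012:10:00:04 +1000] "GET /about.html HTTP/1.1" 200 2048',
    ]
    # Flood: 30 requests in six seconds, each with a different query string.
    for i in range(30):
        sec = 5 + i // 5
        lines.append(
            f'198.51.100.9 - - [20/May/2012:10:00:{sec:02d} +1000] "GET /index.php?x={i} HTTP/1.1" 200 8100'
        )
    return lines


if __name__ == "__main__":
    probes, flood_hits = analyse(constructed_log())
    print("SQLi probes per client:", probes)
    print("Flood sources:", flood_hits)
    print("Block list:", block_list(probes, flood_hits))
```

The single-quote probe on the first `news.php` request is deliberately not matched: a lone quote is too common in legitimate input, so the heuristic waits for a second indicator such as `UNION SELECT` or `' OR`. Note that the flood check keys on request rate and URL variety rather than packet counts, which is the distinction Be’ery drew between application-layer floods and the TCP/IP-level DDoS that network-level defences already handle.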

Stories by Richard Chirgwin