Organised ‘hacktivist’ attacks from groups like Anonymous can be mitigated and defended against, Tal Be’ery of Imperva has told delegates to AusCERT. However, companies that might be targets for such attacks need to understand that hacktivists are no longer primarily concerned at launching a DDoS against their target site.
Be’ery said while the threat of an “Internet blackout” by Anonymous earlier this year reinforces the stereotype that denial-of-service is the hactivists’ purpose, if they are able to successfully penetrate their target’s security, they have the ability to create much more lasting damage (for example, by deleting files or publishing business secrets).
A successful exploit, he said, “damages data availability, privacy and integrity” while DDoS merely makes a site unavailable while the attack lasts.
Hence, potential targets should consider the risk of a successful intrusion “first and foremost”, because even a successful DDoS attack is still the “last refuge” of the hacktivist.
The attack Be’ery described was launched using the “mobile LOIC” (Low Orbit Ion Cannon), with attack traffic spiking on the last two days of the attack – however, prior to the attack, Imperva had already seen precursors, both in the form of scanning traffic, but also simply by seeing itself discussed in social media feeds attributed to Anonymous.
“[Social media]can be used to set up an early warning system,” Be’era pointed out: “and it doesn’t have to be sophisticated. Even a very simple Google alert will tell you if they’re talking about you the wrong way.”
Be’ery said the company found itself, in the lead-up to the attack, seeing recoinnasance-style traffic that identified the tool being used as the Iranian Havij tool, which provides automated SQL injection and data harvesting.
“This part of the attack was conducted by a small, dedicated technical group,” Be’ery said – a common pattern, with a larger crew of DDoS volunteers being drawn in as supporters only when the first attack failed.
When the attack was escalated to DDoS, he said, it came from the “mobile” LOIC (Low Orbit Ion Cannon), which is designed to overload the target not just by flooding it with low-layer packets, but by crafting URLs designed to overload the application. This, he said, isn’t blocked by strategies that focus on TCP/IP-level denial-of-service.
The key mitigation/protection strategies Be’ery highlighted include “checking yourselves and your application vulnerabilities on Google; create blacklists; deploy a Web application firewall; and block automated traffic.”