Breaking Down a Hacktivist Attack

Learn How a DDoS Assault Went Down, and Was Prevented

By , May 11, 2012.

Security firm Imperva had the opportunity to watch a hacktivist attack play out and work to mitigate the threat as it happened in real-time.


The repelled attack Imperva monitored and prevented was Anonymous going against the Vatican, according to published reports, but Rob Rachwald, the IT security provider's director of security, neither confirms nor denies that's the case.

Over a 25-day period, Imperva watched the attack as it played out, and was able to break it down into three phases, which were:

  • Recruiting and Communications: "During this phase somebody decided that a target needed to be attacked," Rachwald says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. What Anonymous did was post a video on YouTube which was then promoted on Twitter and Facebook, attracting thousands of viewers.
  • Reconnaissance and Application Attack: In this second phase, which took place from days 19-22, Anonymous used vulnerability scanners to find weaknesses to possibly exploit. "We saw on the first day of this there were roughly 3,000 SQL injection attempts to see if they can steal some data," Rachwald says. Ultimately, a web-application firewall was able to block the injection attempts, he says.
  • Distributed Denial of Service Attacks: In this final phase, Anonymous probed the website to find where a single request would consume the most server resources. A search page, combined with one particular search term, turned out to trigger the heaviest computation. "Anonymous created a URL that would repeatedly ask the site to search for this term, and that was what they used with the broader group of volunteers," Rachwald explains. On a typical day this site saw 15,000-17,000 visitors; under the DDoS attack, the second day alone saw 600,000 visits.
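The two technical phases above leave distinct traces in ordinary web-server access logs: a burst of injection-shaped query strings from a scanner, followed by a flood of identical search requests spread across many volunteer addresses. The script below is an added example written for this article, not Imperva's product or any code from ISMG; it assumes a hypothetical search page at /search taking a parameter named q, a constructed per-minute baseline, and constructed log lines in the common "combined" format, and flags both patterns so a defender can see what a WAF or log-monitoring rule is reacting to.

```python
"""Added example (not Imperva's or ISMG's code): detect the two attack phases the
article describes, SQL-injection probing and an application-layer DDoS against a
search page, in web-server access logs. Paths, thresholds and log lines are
constructed for the demonstration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log line: client ip, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Coarse, WAF-style signatures for SQL-injection probes inside query parameters.
SQLI_RE = re.compile(r"'\s*(or|and)\s|union\s+select|--\s*$|;\s*drop\s", re.I)

# Constructed baseline: normal per-minute volume for one search term (assumption).
BASELINE_PER_MINUTE = 10
SPIKE_FACTOR = 20  # flag a term once it exceeds 20x the baseline in one minute

def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    # parse_qs already percent-decodes and turns '+' into spaces.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": ts, "path": parts.path,
            "query": query, "status": int(m.group("status"))}

def find_sqli_probes(events):
    """Return (ip, path, param, value) for every request whose query looks like an injection probe."""
    hits = []
    for e in events:
        for param, value in e["query"].items():
            if SQLI_RE.search(value):
                hits.append((e["ip"], e["path"], param, value))
    return hits

def find_search_floods(events, path="/search", param="q"):
    """Group search requests by (minute, term) and report terms whose volume exceeds the
    baseline by SPIKE_FACTOR, with the distinct source count (many sources points to
    recruited volunteers rather than one scanner)."""
    per_key = Counter()
    sources = defaultdict(set)
    for e in events:
        if e["path"] != path or param not in e["query"]:
            continue
        key = (e["ts"].replace(second=0), e["query"][param].lower())
        per_key[key] += 1
        sources[key].add(e["ip"])
    floods = []
    for (minute, term), n in per_key.items():
        if n > BASELINE_PER_MINUTE * SPIKE_FACTOR:
            floods.append({"minute": minute.isoformat(), "term": term,
                           "requests": n, "sources": len(sources[(minute, term)])})
    return floods

def build_sample_log():
    """Constructed sample (not real traffic): a few normal requests, two injection probes
    from one scanner that the firewall answered with 403, then 250 requests for the same
    search term in one minute from 50 different 'volunteer' addresses."""
    base = datetime(2012, 3, 7, 14, 0, 0, tzinfo=timezone.utc)
    def line(ip, t, target, status=200):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {target} HTTP/1.1" {status} 512'
    lines = [
        line("203.0.113.10", base, "/index.html"),
        line("203.0.113.11", base + timedelta(seconds=5), "/search?q=library+hours"),
        line("198.51.100.7", base + timedelta(seconds=9), "/search?q=x%27+OR+1%3D1--", 403),
        line("198.51.100.7", base + timedelta(seconds=10), "/news?id=1+UNION+SELECT+1,2", 403),
    ]
    for i in range(250):
        ip = f"192.0.2.{i % 50 + 1}"
        lines.append(line(ip, base + timedelta(minutes=5, seconds=i % 60), "/search?q=Expensive+Term"))
    return lines

if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_log()) if e]
    for hit in find_sqli_probes(events):
        print("SQLi probe:", hit)
    for flood in find_search_floods(events):
        print("Search flood:", flood)
```

The two detections are deliberately independent: the signature check fires on request content regardless of volume, while the flood check ignores content and fires on volume and source spread, which is what distinguishes the reconnaissance phase from the volunteer-driven DDoS phase in the article.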

The website was able to repel this attack because its administrators had the foresight to think about data protection, Rachwald says. "In this case they put a web-app firewall in place which was very good in terms of blocking SQL injection, also in terms of blocking some of the application DDoS attempts that were under way."

The main takeaway from this case is that hacktivists are not that difficult to stop, which leaves the question of preparedness. "The key thing is, are you prepared for it? Do you have the right application defense and DDoS defense in place?" Rachwald says.

In the interview, Rachwald also discusses the:

  • Hierarchy of Anonymous;
  • Difficulty attributing attacks to specific hackers. Attribution, he says, "is a hard nut to crack;"
  • Cybersecurity awareness Anonymous attacks help bring to the public. "It's giving it a Bonnie-and-Clyde type of aura that the general population can get," he says.

With a dozen-plus years as an IT professional, Rachwald manages security strategy for Imperva. He previously managed product marketing and communications for Fortify, Commerce One, Intel and Coverity.

Attack Breakdown

ERIC CHABROW: Last year, the Vatican repelled an attack from Anonymous. They admitted that this occurred. I know that your company has done an analysis of a type of an attack by Anonymous. You're not saying whether or not it was to the Vatican, but can you tell us a little bit about what you've learned about Anonymous and the methods that it uses to conduct its attacks?

ROB RACHWALD: Again, we neither confirm nor deny that this was the Vatican or any other company for that matter, but we managed to watch and repel an attack during a 25-day period. What we did is we broke down the attack into basically three phases. Phase one was what we call recruiting and communications phase, so during this phase somebody decided that a target needed to be attacked. What they did is they produced the videos and those videos were placed on YouTube, and Twitter and Facebook were used to promote that. After a period of a couple of days, there were thousands and thousands of views of this specific video, and so eventually there's a critical mass where enough hackers came together and volunteered and said, "Yes, we will conduct an attack."

Follow Jeffrey Roman on Twitter: @gen_sec
