Dissecting a Hacktivist Attack
Step-By-Step Breakdown of a DDOS Assault
Security firm Imperva had the opportunity to watch a hacktivist attack play out and work to mitigate the threat as it happened in real-time.
The repelled attack Imperva monitored and prevented was Anonymous going against the Vatican, according to published reports, but Rob Rachwald, the IT security provider's director of security, neither confirms nor denies that's the case.
Over a 25-day period, Imperva watched the attack as it played out, and was able to break it down into three phrases, which were:
- Recruiting and Communications: "During this phase somebody decided that a target needed to be attacked," Rachwald says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. What Anonymous did was post a video on YouTube which was then promoted on Twitter and Facebook, attracting thousands of viewers.
- Reconnaissance and Application Attack: In this second phase, which took place from days 19-22, Anonymous used vulnerability scanners to find weaknesses to possibly exploit. "We saw on the first day of this there were roughly 3,000 SQL injection attempts to see if they can steal some data," Rachwald says. Ultimately, a web-application firewall was able to block the injection attempts, he says.
- Distributed Denial of Service Attacks: In this final phase, Anonymous probed the website to see where they could consume the most resources. Eventually, a search page feature and particular search term proved that the most computation activity would occur. "Anonymous created a URL that would repeatedly ask the site to search for this term, and that was what they used with the broader group of volunteers," Rachwald explains. On a typical day of traffic for this site, there would be 15,000-17,000 visitors, but through these DDoS attacks, the second day of exploitation saw 600,000 visits.
The website was able to repel this attack because its administrators had the foresight to think about data protection, Rachwald says. "In this case they put a web-app firewall in place which was very good in terms of blocking SQL injection, also in terms of blocking some of the application DDoS attempts that were under way."
The main takeaway from viewing this case was that hacktivists aren't that difficult to stop, but it raises the question of: are you prepared? "The key thing is, are you prepared for it? Do you have the right application defense and DDoS defense in place," Rachwald says.
In the interview, Rachwald also discusses the:
- Hierarchy of Anonymous;
- Difficulty attributing attacks to specific hackers. Attribution, he says, "is a hard nut to crack;"
- Cybersecurity awareness Anonymous attacks help bring to the public. "It's giving it a Bonnie-and-Clyde type of aura that the general population can get," he says.
With a dozen-plus years as an IT professional, Rachwald manages security strategy for Imperva. He previously managed product marketing and communications for Fortify, Commerce One, Intel and Coverity.
ERIC CHABROW: Last year, the Vatican repelled an attack from Anonymous. They admitted that this occurred. I know that your company has done an analysis of a type of an attack by Anonymous. You're not saying whether or not it was to the Vatican, but can you tell us a little bit about what you've learned about Anonymous and the methods that it uses to conduct its attacks?
ROB RACHWALD: Again, we neither confirm nor deny that this was the Vatican or any other company for that matter, but we managed to watch and repel an attack during a 25-day period. What we did is we broke down the attack into basically three phases. Phase one was what we call recruiting and communications phase, so during this phase somebody decided that a target needed to be attacked. What they did is they produced the videos and those videos were placed on YouTube, and Twitter and Facebook were used to promote that. After a period of a couple of days, there were thousands and thousands of views of this specific video, and so eventually there's a critical mass where enough hackers came together and volunteered and said, "Yes, we will conduct an attack."
That takes us into second phase, which we call the reconnaissance and application attack phase. This by the way was days 19-22 and of course the recruiting and communications phase was day 1-18. During this application attack phase, essentially what they did is they used vulnerability scanners - specifically they used Acunetix and an open-source vulnerability scanner called Nikto - and what they were trying to do is find vulnerabilities to possibly exploit. We saw on the first day of this there were roughly 3,000 SQL injection attempts to see if they can steal some data. Then they used a third tool called Havij. Havij was something that was developed in Iran. It's designed to exploit SQL injection vulnerabilities. So where vulnerability scanners will find a vulnerability, Havij will actually exploit it and perform the actual data harvesting.
This is important if you take a step back and look at it from a higher level. This is important because what this tells you is hacktivists start by trying to steal data, because they recognize the lesson from Sony which is, if you managed to take data, what's going to happen is you're going to really, really hurt that company. Now in this case, from day 19-22 the application attack failed, and this particular instance, the Imperva web app firewall actually managed to block all of this stuff. So, they had zero success in terms of trying to take data.
Now that takes us to our last phase, which is the most prominent and well-known aspect of Anonymous which is DDoS. In this case, what happened was they were trying to probe the website to see where you could consume the most resources. There was a search page actually and certain terms caused a lot more computation intensity on the side of the site that was being attacked. So what Anonymous did is they created a URL that would repeatedly ask the site to search for this term, and that was what they used with the broader group of volunteers along with the Low Orbit Ion Cannon - or LOIC - to try to exploit this site. Normal traffic was roughly 15,000-17,000 visitors per day. During the two days of the DDoS attempt, they had half a million and then on the second day of DDoS it was 600,000, so roughly 28-34 times more traffic then they normally would expect. Those are the three phases and those are a couple of things that we observed.
CHABROW: Okay, so you say the site was not taken down. And that's because of?
RACHWALD: Well, I think in this case there was a security consulting organization that wasn't quite sure what to expect so they had the foresight to think about data protection. In this case they put a web app firewall in place which was very good in terms of blocking SQL injection, also in terms of blocking some of the application DDoS attempts that were under way.
CHABROW: I speak to a lot of people here at the RSA Conference and they're talking about protecting the data. It seems to be less of an emphasis on perimeter defense. How is that as a strategy?
RACHWALD: That's an excellent question because unfortunately perimeter defense would have been absolutely useless. Let's take a step back here and look at what the methods were. First of all, they were doing SQL injections so that antivirus by definition doesn't help with that. These hackers were using the exact same methods that private hackers are using with some key exceptions. Number one being there was no malware, or number two being there was no spear phishing. Take antivirus completely off the table because it's not going to do much.
Second, in terms of a network firewall or intrusion prevention system, these tools simply would not have recognized that this attack was going on. On the contrary, they would have seen perhaps a spike in traffic and that's about it. In order to understand and repel an application attack, you have to understand how that application works. What is the normal way that application behaves, and when you see an aberration in that behavior then you know that something is fishy and you want to at least inspect it and possibly even block it as well.
The Impact of Anonymous
CHABROW: The kind of damage that Anonymous does, how crucial is that in the whole scope of IT security?
RACHWALD: What we learned here is that they had a couple of sophisticated hackers, but in general this is not terribly difficult to stop. It's just a matter of: are you prepared? The question a lot of people should be asking themselves is how many other incidents like this are there where Anonymous was stopped? That doesn't make for a very sexy headline, "Oh, Anonymous blocked at a particular location." It doesn't fly all the time. So when they're successful, that makes headlines. The key thing is, are you prepared for it? Do you have the right application defense and DDoS defense in place, because we've learned here this is their typical way of approaching it. It's not a terribly difficult thing to do, so at most they should be a nuisance.
The Anonymous Hierarchy
CHABROW: What have you learned about the structure of the Anonymous hierarchy?
RACHWALD: What we learned is that there are essentially two groups of people involved in the hacking. You had a skilled group which is approximately 10-15 individuals who were fairly savvy. They followed very much the same application attack that processed that a lot of private hackers do when they try to steal data. Then there's a second group which was mostly volunteers who were not very technically savvy at all. In fact, the New York Times had a great quote from somebody who has been following Anonymous and he said, "It's a handful of geniuses with a legion of idiots." This is somewhat consistent with what we saw. In this case, there were a handful of fairly savvy hackers who also managed to recruit a couple of hundred, up to a thousand or so maybe, volunteers who helped perform the DDoS. But aside from that, they didn't really fill out any personality survey so we really can't say anything about them personally.
CHABROW: Do you suspect that the leaders of this organization know one another?
RACHWALD: They behave in a very similar fashion so I can't say conclusively, but I think it's a fairly safe bet that they have worked together in some other fashion, at least some subset have worked together and possibly know each other personally.
CHABROW: There have been a series of arrests and periodically you hear arrests of so-called Anonymous members. Are these the troops and not the leaders, do you know?
RACHWALD: I don't know. I hope it's the leaders, but I can't say at this point.
CHABROW: A perplexing problem in IT security is attribution, understanding who's attacking you. Is that still a very hard nut to crack?
RACHWALD: It is. In fact, in this case, one of the things that characterize some of the more advanced hackers is a very careful and methodical use of onion routers to cover up their tracks.
CHABROW: What was that term you used?
RACHWALD: Onion router.
CHABROW: I'm not familiar with that.
RACHWALD: An onion router, also know as TOR - The Onion Router - is on the Internet and basically if you route your traffic through an onion router it will scramble your IP address so that when you visit a site, you don't have an IP address. So about a third of the traffic was coming from onion routers and in fact it was the fact that onion routers were used that helped us repel a lot of the attacks because we knew that by default most of the traffic coming from an onion router was probably malicious traffic. So right off the bat, we just stopped the barbarians at the gate knowing where they're coming from.
CHABROW: You could argue that some of the damage that Anonymous has created for people and organizations - especially when personally identifiable information and other kinds of sensitive information is exposed - for the most part, a lot of experts consider them more of a thorn in the neck. Is there a certain awareness that Anonymous is bringing to the general public that may help IT security?
RACHWALD: I actually think that Anonymous is helping security in many ways, because it's highlighting the issue and its giving it sort of a Bonnie-and-Clyde type aura that the general population can get. But the question is will security organizations react well? Will security vendors react in an effective fashion? What I think this episode proved is that, to your point, Anonymous is a thorn, but thorns can be painful if you're not ready.