With command-and-control servers out in the open and key players in the hacking industry behind bars, are the tables beginning to turn on the underground world of cybercrime? Today's security practitioners are taking an aggressive approach to data security and applying defenses that stop hackers in their tracks. This proactive approach to security has uncovered ground-breaking hacker activities, including: full-fledged attack campaigns (XSS and server-generated DDoS), data collections that contain millions of consumer passwords, and cloud-based technologies used by hackers. This webinar featuring Imperva Director of Security Strategy, Rob Rachwald, provides insight into the following: 1) techniques utilized by the security community to tap into hacker activity, 2) research on hacking campaigns, such as the recent Lulzsec attacks 3) technologies, methods, and models driving the business of cybercrime 4) recommendations for effective security controls to protect against next generation attacks.

1. Cyber Vigilantes:
Turning the Tables on Hackers
Rob Rachwald, Director of Security Strategy, Imperva
July 27, 2011

2. Agenda
 The state of cyber security
+ Reality check #1: Hackers know the value of data
+ Reality check #2: Hackers, by definition, are early adopters
+ Reality check #3: Organizations have more vulnerabilities than
time or resources can manage
 Four ways to catch the predator
+ Monitor communications
+ Understand the business model
+ Conduct technical attack analysis
+ Analyze traffic via honeypots
 About Imperva
 Q&A session
2

3. Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
 Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
 Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and
Australia
 Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
 Graduated from University of California, Berkeley
3

4. Cyber Vigilantes:
4

5. Cyber security today
Hacking has become industrialized.
Attack techniques and vectors are
changing at an ever rapid pace.
Attack tools and platforms are
evolving.
5

6. Reality Check #1:
Hackers know the value of data better
than the good guys
6

7. Data is hacker currency

8. Website access up for sale
8

9. Website access up for sale
9 - CONFIDENTIAL -

10. Reality Check #2:
Hackers, by definition, are early adopters
10

11. Mobile (in)security
Hacker Forum Discussion  Hacker interest in
Analysis
mobile has increased
 Consider 4000+
1800
1600 272
mentions in the past
1400
1200 233
245
year versus only 400
1000 901
nokia
800
511 iphone
from 12+ months ago
600 815
android
400 257
522
200 408
171 126
40
0
Last 3 3 to 6 6 to 9 a year ago
months months months and older
ago ago
Source: Imperva Application Defense Center Research
11

12. Reality Check #3:
The good guys have more vulnerabilities than
time or resources can manage
12

13. WhiteHat Security Top 10 for 2010
Percentage likelihood of a Web site having at least
one vulnerability sorted by class
13

14. Studying hackers – Why this helps
 Focus on what hackers want helps the good guys
prioritize
+ Technical insight into hacker activity
+ Business trends in hacker activity
+ Future directions of hacker activity
 Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
 Focus on actual threats
 Devise new defenses based on real data reducing guess
work

15. Approach #1:
Monitoring communications
15

16. Method: Hacker forums
 Tap into the neighborhood pub
 Analyze activity
+ Quantitative analysis of topics
+ Qualitative analysis of information being disclosed
+ Follow up on interesting issues
16

17. SQL injection = Most popular topic
Source: Imperva Application Defense Center Research

18. Non-SQL injection exploits
Exploits (non-SQL injection)
Anonymity 6% Other
8%
Shellcode LFI / RFI
26% 9%
Day 0
17% Hacked Sites
XSS 17%
17%

19. I believe in…
19

20. Approach #2:
Understanding hacker business models
20

21. Example: Rustock
21

22. Lessons from the RSA Breach
“…according to interviews with several
security experts who keep a close eye on
these domains, the Web sites in question
weren’t merely one-time attack staging
grounds: They had earned a reputation
as launch pads for the same kind of
attacks over at least a 12 month period
prior to the RSA breach disclosure.”
Source: http://krebsonsecurity.com/2011/05/rsa-among-dozens-of-firms-breached-by-zero-day-attacks
22

23. Spy Eye vs. Zeus
 When installing SpyEye
there is a “Kill Zeus”
capability…
+ If chosen, it checks for the
installation of the Zeus
Trojan and uninstalls before
installing SpyEye
 Towards the end of
October, the bot code
developers of SpyEye and
Zeus bots were showing
signs of a merger
23

24. Approach #3:
Technical attack analysis
24

25. Getting into command-and-control servers

26. No honor among thieves

27. Automated attacks
 Botnets
 Mass SQL injection
attacks
 Google dorks

28. And you can monitor trendy attacks

29. Approach #4:
Traffic analysis via honeypots
29

30. Example: DDoS 2.0
30

31. HTTP request caught a ToR honeypot
+ POST /.dos/function.php HTTP/1.1
+ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.9.2.3) Gecko/20100409 Gentoo Firefox/3.6.3
+ Parameters
– ip=82.98.255.161&time=100&port=80
31

32. Scale – probably thousands
 Google shows
hundreds
 Probably only the tip
of the iceberg
32

33. Impact: Who was brought down?
 Only saw it launched against one server
+ IP was Dutch hosting provider
 But there is likely more
+ We only see a fraction of the general traffic on our honeypot
+ This is only one implementation of DoS
 Impact?
+ Depends on the hosting Web server bandwidth
+ A cable modem user typically has a 384Kbs upstream
+ Web host in data center can have 1Gbps pipe
 1 server = 3000 bots
33

34. Conclusions
34

35. Conclusions
 Time to get proactive
+ Scan Google for Dorks with respect to your application
– Dorks and tools are available on the net
+ Search Google for Honey Tokens
– Distinguishable credentials or credential sets
– Specific distinguishable character strings
+ Watch out for name popping in the wrong forums…
 Deploy reputation-based services
 Fight automation
+ CAPTCHA
+ Adaptive authentication
+ Access rate control
+ Click rate control
35

36. Conclusions
 Application security meets proactive security
+ Quickly identify and block source of recent malicious activity
+ Enhance attack signatures with content from recent attacks
+ Identify sustainable attack platforms
– Anonymous proxies
– TOR relays
– Active bots
+ Identify references from compromised servers
+ Introduce reputation based controls
36

37. Imperva
Protecting the data that drives business
37

38. Imperva background
Imperva’s mission is simple:
Protect the data that drives business
The leader in a new category:
Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses

39. Imperva: Our story in 60 seconds
Attack Usage
Protection Audit
Virtual Rights
Patching Management
Reputation Access
Controls Control

40. Webinar materials
Get LinkedIn to
Imperva Data Security Direct for…
Answers to
Post-Webinar
Attendee
Discussions
Questions
Webinar
Much more…
Recording Link
40

41. Questions
41