As we shut the door on 2011 and begin the planning efforts for 2012, I can’t help but be astonished on how effective the Group Anonymous attacks have been. Vast majorities of targeted organizations have been left licking their wounds and posthumously responding to numerous queries on what happened and why they weren’t protected.
In fact, so august are the perpetrators of these effective attacks that they have gotten used to just suggesting that they are going to be angry at an organization in order to get their desired behavioral changes. This was most notable recently when they put Sony, GoDaddy and Nintendo on their target lists for supporting the proposed US Privacy Act (SOPA) only to have each of these companies publically change their positions to reduce the risk of attacks.
So, given the efficacy of Group Anonymous and other Hacktivist organizations over the past year, I thought I would take a stab at highlighting the top six key attributes Anonymous looks to exploit in targeted victims and have listed the attributes below:
1. Failure to consider Security-Related Availability Threats. Every certified information security professional understands the principle that ALL security related activities need to be accomplished in pursuit of one or more of the following principles: Confidentiality (e.g. Privacy), Integrity and / or Availability. That is security is DRIVEN by one or more of these principles. It is also no secret that over the past ten years that nearly all security professionals have become intimately engaged with the concepts, theorems and infrastructures required to protect organizations from Privacy and / or Confidentiality leaks, however most of these security professionals have never either thought about or experienced an Availability-based security problem. This Availability-based threat, or what we call “Attacks” is largely a foreign concept as requiring different behavior, infrastructure, reporting and actions. Therein lies the problem and opportunity for Hacktivists! Group Anonymous loves the fact that scores of security professionals fail to realize just how vulnerable their organization is to an outage from simple volumetric threats!
2. Overreliance on Cloud / ISP Scrubbing Capabilities. “Sign up with your telecom provider and done” has been the philosophy for so many organizations for years that the idea of scrubbing enterprise-level data centers has been a remote concept. In fact, so many companies have considered DDoS a check box fulfilled by their Internet Service Providers (ISPs) that they paid very little attention to both the complexity or severity of the threat until recently. Well, instead of technically illustrating how insufficient cloud-based DDoS scrubbing is in today’s world, I will leave with you the illustrations of legions of organizations who were both customers of ISP scrubbers and today have suffered some, at the very least, embarrassing, and the very worst, business debilitating outages and loss of institutional product and service integrity.
3. Never tested internal Availability Protections / Vulnerabilities. “Conduct the Vulnerability Assessment without Causing being Service-Disrupting”…..that’s the verbiage most contracts use when letting a contract being signed with information security consultants. In other words, conduct a vulnerability assessment; however please don’t evaluate our ‘availability’ vulnerabilities. Everyone knows that for years organizations have been testing their control infrastructure in almost every way imaginable. They have been conducting technical assessments such as Penetration Tests, Network and Application Vulnerability Assessments, Code Reviews, Architecture Engineering Assessments, etc. They have also tested compliance against regulations and best practices such as GLBA, HIPAA, SOX, PCI, ISO 27001/2, HIPAA HiTECH, etc. However, what most people don’t realize is that nearly all of the results of these tests were evaluating security programs and models against threats represented by integrity and confidentiality based attacks, not availability attacks. In fact, to prove this point even further, most modern day vulnerability scanners have either removed ‘invasive’ or availability-based scans from their initial scan profiles, or have made the scans very difficult to launch by a lay person. This has resulted in a mass of organizations who are blissfully ignorantly to the vulnerabilities associated with availability attacks (e.g. Malformed UDP floods, Dictionary Attacks, Brute-Force Attacks, HTTP POST attacks, etc) and the probability of success of said attacks.
4. Inability to Triage Attack for effective matching of priority-matched mitigation. As illustrated in the graphic below, attacks come in multiple layers and frequently in complex (e.g. many vulnerabilities packaged into one lengthy attack). Although most ISPs and Service Providers have established models to ‘scrub their pipes’ most enterprise security models do not adhere to this model and instead are set up to address each attack sequentially and without a priority assessment to properly allocate resources. Group Anonymous knows that enterprises suffer from this ‘volumetric’ attack profile and frequently bury numerous vulnerabilities into attacks with the assumptions that normal enterprises cannot distinguish between the attack types (e.g. SYN ACK floods with a SQL injection attack – ref: Sony Attacks)
5. Over reliance on tools – not talent (Static Perimeter Protection Model). We all know that tools will eventually fail us – they don’t quickly evolve to match changed landscape. As with all tools, the assumptions which go into the model are often the first attack vector for a perpetrator. For example, if the enterprise does Data Loss Prevention, well then, just encrypt the traffic and this way you get around the data scrubbing model. When dealing with integrity or confidentiality a company has the luxury of after-action analysis and forensics, however when dealing with ‘Availability-based ‘attacks, organizations don’t have the luxury of long-drawn out forensics analysis. The capability to determine what is going well, and what is not going well needs to be determined in real time which means that the deployed detection and mitigation tool set needs to be closely aligned with expert technicians and engineers who can properly configure and reconfigure the tools to avoid and disrupt emerging and changing threat landscapes. Moreover, as illustrated in the slide below, expert skills in the “availability security” disciplines of Network Behavioral Analysis, DDoS Prevention, and Web Application Firewalls are in serious deficits. Hacktivists around the world understand this concept and bank on companies having no intelligent resources to counteract their advancing and evolving techniques. Organizations require instant access to a team of supremely talented individuals – – something we call our Emergency Response Team (ERT)!
6. Failure to recognize / understand Application-Layer threats. Application-level is Pandora’s box for Hacktivists. Just to give you a quick example of the types of understanding of the complexity of application-layer threats, the following is a list of the questions in which all application-layer security professionals must have on hand AFTER reviewing application vulnerabilities and protection mechanisms about their applications at all times to ensure proper AVAILABILITY of their operations:
- How many web serversweb applications?
- What type of web applications?
- How many active connections?
- What are the current idle time settings for every web application?
- How Many Transactions per Second?
- Is acceleration such as a caching used?
- Does the web sites are public or via CDN?
- What is the required CPS?
- Does the application leverage caching or not?
- Is a response check needed (e.g. Safe Reply filter)?
Group Anonymous understands how difficult it is to not only assess the vulnerabilities to a website, but also to run the website in a secure manner without making the site susceptible to a DDoS attack!