Hi and thank you, wherever you may be today. I’d like to welcome you all to this webinar which is part of BrightTALK’s Next Generation Network Security summit. The subject of today’s webinar is hacktivism and insiders, and I’m going to talk about some change in the motivation and different attack vectors between the two groups.
Much of what I’ll be talking about today is sourced from the Symantec Internet Security Threat Reports and their web-focused companion, the Website Security Threat Reports; also, a number of other reports from the Symantec Security Response team; and a variety of other internal results produced by Symantec. And I’ve got some links at the end of the presentation so that you can find out a little bit more, download the various reports and study some of the subjects that I’m going to cover.
Here’s the agenda for today (see right-hand image). I’m going to start off with a brief introduction, moving into hacktivism, then taking a look at some common targets, vectors and methods. I’ll then touch upon remediation and ways to protect your organization before tying up with various information sources, where you need to go next for more information.
So, starting off – what’s a hacktivist? Well, hacktivism involves groups of hackers who deface websites of political parties and the like in order to express their outrage. This outrage is often accompanied with demands for justice for those who have been perceived to be forgotten, mistreated or exploited. The motivation for hacktivism far outstrips cyber espionage and cyber warfare, and it’s a very, very close second to cybercrime. I think one of the best examples of old-school hacktivism was shared with me by a college lecturer who described the blockade of a high street bank (see right-hand image) over their links to apartheid by students in the late 1970s and early 1980s. It was a great example of a denial-of-service attack, whereby the protesters barricaded bank branches and blocked the entrance to the bank. More recently, hacktivism has broken the protests in more ways than one. Hacktivism and its perpetrators, hacktivists, are notoriously difficult to pin down. Are they legitimate hacktivists and protestors, or simply criminal groups or individuals? Are they after money, or are they ideologically motivated?
The simple answer is we don’t really know. More likely, they could be any of these things. There are fairly high-profile groups such as Anonymous, LulzSec and Antisec, which frequently claim responsibility for data breaches. These groups are entirely open, meaning that anyone can claim to act on their behalf, and proving the attribution is therefore relatively difficult. In fact, there was a situation around Anonymous back in 2012, when an individual claiming to be a member of the group stole the records of 10,000 women from an abortion provider shortly after Anonymous took credit for an attack on the Vatican (see left-hand image). This openness makes it almost impossible to assess how extensive such groups are and what threat they actually pose. Hacktivist groups tend to be broadly united by a libertarian distrust of government, a belief in networks and free systems, and a mistrust of intellectual property laws. Their methods are wholly unpredictable.
Well, hacktivism first appeared in the mid to late 90s. It began with the defacement of websites, and it has become, with the establishment of groups such as Anonymous, more politically engaged, more ambitious, and more sinister. 58% of all data theft in 2011 was tied to hacktivist groups, stealing more data than any other actor motivated by everything from greed to ideological aspects. In the latest version of the data breach report, however, the percentage of confirmed data breaches deployed by hacktivists in 2012 is on par, but the amount of data they stole was substantially less, shifting from data theft to other forms of attacks such as distributed denial-of-service attacks.
So, while some hacktivists break into systems to steal data for their own gain, others use brute-force and DDoS attacks to shut down target websites for ideological reasons. The motives and methods of hacktivists can be seen to be in constant flux. The mistake, however, is to think that this lack of consistency and unity makes hacktivism a lesser threat. This very variability makes it harder to detect, harder to predict, and a real challenge to defend against. If anything, hacktivism is a more dangerous threat because of its very unpredictability.
So, let’s take a look at what happens (see right-hand image). The feature of the Internet that makes it such an amazing tool for communicating across the globe with billions and billions of people can also provide a means for disgruntled people to voice their opinions, send messages of unity at great speed, and also coordinate electronic attacks; the development of widespread DDoS toolkits, which we have actually seen being used as a diversionary tactic to distract from discovery of the real threats, and potentially from any attempts to stop them; malware toolkits such as the BlackHole kit; and the re-emergence of the Redkit exploits – a bit more on Redkit in just a few moments.
In fact, an interesting point here is that cyber criminals are even using a business model known as ‘malware as a service’, where exploit kits offer extra services to customers in addition to the exploit kit itself. Combined with the ease of use and the ability to globally distribute them in minutes – this effectively means that an entire country can, in theory, mobilize a group of dedicated attackers, numbering in the millions, in a relatively short space of time.