Hacktivist group Anonymous has been spreading its unique brand of chaos almost unabated for the past two years, embarrassing high-level opposition with a variety of website disruptions and data leaks. The online security community may have caught an important break, however, when security researchers from Imperva released a report earlier this week detailing its extensive surveillance campaign tracing the anatomy of a failed Anonymous attack.
The Hacker Intelligence Summary Report provides a step-by-step, full-cycle analysis of a 25-day Anonymous plot launched last year. The detailed summary touched upon everything from how the hackers pick their targets and recruit comrades to the order in which attack strategies are phased in and which tools are favored.
"Our observations give insightful information on Anonymous, including a detailed analysis of hacking methods, as well as an examination of how social media provides a communications platform for recruitment and attack coordination," report authors explained. "Hacktivism has grown dramatically in the past year and has become a priority for security organizations worldwide. Understanding Anonymous’ attack methods will help organizations prepare if they are ever a target."
The observation period began after the targeted organization, an Imperva client, was alerted by its network intrusion system. According to the report, the web application firewall was able to not only block, but record the attacks. By analyzing the traffic logs captured during this time, researchers were able to classify the threats by category and identify patterns seen within and between attacks.
While this information is valuable in its own right, Imperva analysts extended the relevance of these data sets by chronologically pairing them with the social media behavior of Anonymous spokesmen. As a result, researchers have proclaimed the report the first "end-to-end record of a full Anonymous attack."
One of the first crucial distinctions made by Imperva analysts addressed some of the prevalent misconceptions that surround the mysterious hacking collective.
"Anonymous hackers are real people with real techniques – but they use conventional black hat methods and technologies," the report stated. "In other words, they are able to take advantage of common application vulnerabilities found in many websites, the same thing that fuels today's black market, data-driven cybercrime economy. The main innovation seen from Anonymous is the creation of many websites that perform denial of service attacks."
As expected, researchers observed a heavy reliance on tools such as Havij, an automated SQL injection utility often seen in the wild. But there were a number of surprising omissions from Anonymous' catalogue of tricks. For instance, analysts asserted that the group makes no use of malware, phishing or spear-phishing in its attacks. There is also only a sporadic reliance on botnets. These characteristics likely reflect the mix of actors involved.
As Imperva analysts explained, Anonymous membership is defined by both skilled hackers and laypeople. In the observed attack, fewer than 15 advanced programmers were likely involved. However, this is often more than enough given their demonstrable skills. The rest of the attack squad is traditionally rounded out by anywhere from a few dozen to a few hundred common volunteers.
"Directed by the skilled hackers, their role is primarily to conduct DDoS (distributed denial of service) attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic," the report stated. "The technical skills required range from very low to modest. In this incident, there was about a 10:1 ratio of laypeople to skilled hackers."
The group's strategy begins to take shape thanks to the ad hoc social media analyses conducted by Imperva. According to the report, the first phase of a typical Anonymous attack involves leveraging online platforms to spread the message behind a plot and recruit like-minded associates. Not surprisingly, Twitter, Facebook and YouTube were the primary hubs of activity in the campaign observed by Imperva researchers, as the group's spokesmen suggested and justified their targets to the public.
Once sufficient momentum is gathered, hackers move on to a brief reconnaissance period followed by an application attack phase. According to the report, common black hat tools like Acunetix are used to scope out any potential points of vulnerability that could facilitate data theft. Once identified, advanced hackers move in to deploy SQL injection tools to begin harvesting the sought-after information.
If these attempts fail, only then will Anonymous' lead hackers begin to recruit the assistance of laypeople for launching DDoS attacks, according to the report. This may be surprising to some, considering DDoS attacks on organizations such as PayPal have generated much of the hacker group's publicity.
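The phase ordering described above (reconnaissance, then application attacks, then a volunteer-driven flood) is the kind of pattern a defender can recover from the web-server or WAF traffic logs the report says were captured. The following Python script is an added illustration, not code from the Imperva report or from the article: it parses constructed combined-format log lines, tags each request with a coarse attack class from simple signatures (scanner User-Agent strings, SQL injection probes, local file inclusion and cross-site scripting payloads), flags source addresses whose request rate looks like a flood, and then reports the order in which each class first appeared. All sample addresses, timestamps and paths are invented; the signature patterns are deliberately minimal and illustrative, not a production rule set.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format, the kind of traffic log a WAF or reverse proxy keeps.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Minimal illustrative signatures (assumption: real deployments use far richer rule sets).
SCANNER_UA = re.compile(r"acunetix|nikto|nessus", re.I)
SQLI = re.compile(r"'\s*(or|and)\s|union\s+select|havij", re.I)
LFI = re.compile(r"\.\./|/etc/passwd|php://", re.I)
XSS = re.compile(r"<script|javascript:|onerror\s*=", re.I)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield entry


def classify(entry):
    """Label a single request by the attack class its signature suggests."""
    path = unquote(entry["path"])  # signatures are matched on the URL-decoded path
    if SCANNER_UA.search(entry["ua"]):
        return "recon"
    if SQLI.search(path) or SQLI.search(entry["ua"]):
        return "sqli"
    if LFI.search(path):
        return "lfi"
    if XSS.search(path):
        return "xss"
    return "benign"


def flood_sources(entries, per_minute=30):
    """Return the set of source IPs that exceeded the per-minute request threshold."""
    buckets = Counter((e["ip"], e["ts"].replace(second=0)) for e in entries)
    return {ip for (ip, _), n in buckets.items() if n > per_minute}


def summarize(log_text):
    """Classify every request and reconstruct the order in which attack phases appeared."""
    entries = list(parse(log_text))
    floods = flood_sources(entries)
    first_seen = {}
    counts = Counter()
    for e in entries:
        cat = classify(e)
        if cat == "benign" and e["ip"] in floods:
            cat = "ddos"  # ordinary-looking requests from a flooding source
        counts[cat] += 1
        if cat != "benign":
            first_seen[cat] = min(first_seen.get(cat, e["ts"]), e["ts"])
    phases = [cat for cat, _ in sorted(first_seen.items(), key=lambda kv: kv[1])]
    return {"counts": dict(counts), "phases": phases}


# Constructed sample traffic (invented, not taken from the Imperva report): a scanner
# sweep, two SQL injection probes, an LFI and an XSS attempt, one ordinary visitor,
# then 40 requests in a few seconds from a single source two days later.
_LINE = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'
_SCANNER = "Mozilla/5.0 (compatible; Acunetix)"
SAMPLE_LOG = "\n".join(
    [
        _LINE.format(ip="203.0.113.10", ts="10/Jan/2012:09:01:12 +0000", path="/robots.txt", status=200, ua=_SCANNER),
        _LINE.format(ip="203.0.113.10", ts="10/Jan/2012:09:01:13 +0000", path="/login.php", status=200, ua=_SCANNER),
        _LINE.format(ip="203.0.113.11", ts="10/Jan/2012:10:15:02 +0000", path="/news.php?id=1%27%20OR%20%271%27%3D%271", status=500, ua="Havij"),
        _LINE.format(ip="203.0.113.11", ts="10/Jan/2012:10:15:05 +0000", path="/news.php?id=1%20UNION%20SELECT%201,2,3", status=500, ua="Havij"),
        _LINE.format(ip="203.0.113.12", ts="10/Jan/2012:10:20:40 +0000", path="/view.php?page=../../../../etc/passwd", status=403, ua="Mozilla/5.0"),
        _LINE.format(ip="203.0.113.13", ts="10/Jan/2012:10:22:01 +0000", path="/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E", status=403, ua="Mozilla/5.0"),
        _LINE.format(ip="192.0.2.7", ts="10/Jan/2012:11:00:00 +0000", path="/index.php", status=200, ua="Mozilla/5.0"),
    ]
    + [
        _LINE.format(ip="198.51.100.5", ts=f"12/Jan/2012:18:00:{i % 4:02d} +0000", path="/", status=200, ua="Mozilla/5.0")
        for i in range(40)
    ]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed input the phases come out as recon, sqli, lfi, xss, ddos, matching the sequence the report describes. The per-source rate threshold is the weak point of any such classifier: a distributed flood spreads requests across many addresses, so in practice the rate is also tracked per target URL and in aggregate, not only per client.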
With a clearer perspective on the traditional sequence of an Anonymous attack – and knowledge of many of the "off the shelf" tools perpetrators seem to rely on – the conversation logically shifts to applying the knowledge obtained to thwart future plots.
"If companies are prepared against application layer attacks and have put in place solid defenses to mitigate SQL injection, cross site scripting, local file inclusion and DDoS, then such enterprises will be well prepped against Anonymous," the report stated.
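Of the defenses the report lists, SQL injection mitigation is the one with the clearest code-level fix, and it is the flaw the automated tools named earlier exist to find. The following Python example is added here and is not from the report or the article: it builds a small in-memory SQLite table with published and unpublished articles, then shows a lookup written the vulnerable way (request parameter pasted into the SQL string) beside the hardened form (input validated and passed as a bound parameter). The table, column names and sample data are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one public article and two that should never be served."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public story", 1), (2, "Draft: unreleased", 0), (3, "Draft: embargoed", 0)],
    )
    return conn


def lookup_vulnerable(conn, article_id):
    """Before: the request parameter becomes part of the SQL text, so the caller
    can rewrite the WHERE clause and the 'published = 1' guard no longer holds."""
    sql = f"SELECT title FROM news WHERE published = 1 AND id = '{article_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, article_id):
    """After: validate the value against the expected type, then bind it as a
    parameter so the database driver never interprets it as SQL."""
    if not str(article_id).isdigit():
        raise ValueError("article id must be a positive integer")
    sql = "SELECT title FROM news WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(article_id),))]


def hardened_rejects(conn, article_id):
    """True if the hardened lookup refuses the supplied value outright."""
    try:
        lookup_hardened(conn, article_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))             # ['Public story']
    print(len(lookup_vulnerable(db, "1' OR '1'='1")))  # 3: the drafts leak
    print(lookup_hardened(db, "1"))               # ['Public story']
    print(hardened_rejects(db, "1' OR '1'='1"))   # True
```

The bound parameter is the actual fix; the `isdigit` check is defense in depth that also gives the WAF and the application log a clean, specific rejection to record. The same two habits, typed validation plus parameterized queries, are what make the injection tooling the report describes come back empty-handed.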
The wide range of organizations and institutions attacked by the group should encourage vigilance from all network administrators. Anonymous' unpredictable and at times convoluted motives could quickly place an unsuspecting candidate in the crosshairs. Emerging reports are already suggesting that the plot chronicled in the Imperva case study was actually a failed Anonymous attack on the Vatican.
The report also suggests a few other points of consideration for potentially vulnerable companies. Social media monitoring, for example, can be a valuable preventative strategy. As Imperva analysts noted, "hacktivism is loud by definition," and the group's brazen nature often leaves a trail of clues for savvy observers to follow.
Finally, it is important to take stock of one's most valuable assets and determine which possessions may merit the attention of hackers. In many cases, according to the report, this will be an organization's intellectual property. As Symantec can attest, losing a company's most sensitive files to the hands of cybercriminals can cause operational and reputational nightmares.
Data Security News from SimplySecurity.com by Trend Micro