Comment: Security Research Goes Proactive – The Hacker Intelligence Initiative

Insights gained by the proactive security approach are invaluable to understanding the cybercriminal enemy, says Shulman
Amichai Shulman, Imperva

Bruce Ames, a professor of biochemistry and molecular biology at the University of California at Berkeley once wrote:

Natural pesticide carcinogens have been shown to be present in the following foods: anise, apples, bananas, basil, broccoli, Brussels sprouts, cabbage, cantaloupe, carrots, cauliflower, celery, cinnamon, cloves, cocoa, coffee, comfrey tea, fennel, grapefruit juice, honeydew melon, horseradish, kale, mushrooms, mustard, nutmeg, orange juice, parsley, parsnips, peaches, black pepper, pineapples, radishes, raspberries, tarragon, and turnips. Thus, it is probable that almost every plant product in the supermarket contains natural carcinogens. The levels of the known natural carcinogens in the above plants are almost always much higher than the levels of man-made pesticides, and many are in the range of thousands to millions of parts per billion.

Ames’ point was simple: we should not focus the discussion around the existence of carcinogens – the vast majority of foods contain carcinogens. Rather, we need to concentrate on understanding what really is harmful for the consumer in order to tackle those materials known to have negative effects.

Learning a lesson from nature, security researchers are taking on a proactive approach to security. Researchers are going into the cyber underground and are studying hackers. With the insights gained from this activity, researchers can focus on what hackers want and the methods they use to carry out attacks. This knowledge provides the benefit of helping the good guys prioritize. Because security teams operate within limited budgets, keeping an eye on the opponent – rather than on the theoretical threats – allows for an effective risk assessment process.

Imperva’s research arm, the Application Defense Center (ADC), through our Hacker Intelligence Initiative (HII), is focused on tracking the latest trends in attacks, web application security and cyber-crime business models. This knowledge provides the benefit of identifying the hackers before they attack. This, in turn, allows the enhancement of security controls by blocking current attacks – before they even enter the application – and updating defenses before the next attack.

The HII gathers its data in three ways:

  1. Analyzing Imperva’s own honeypots: Similar to weather balloons that report on climate conditions, our honeypots report on the various attacks hackers perform.
  2. Monitoring discussions on hacker forums: Conducting a periodic analysis, much like tapping into the neighborhood pub, gives us an idea of a hacker’s agenda. It further allows us to perform a quantitative study of trending topics.
  3. Analyzing attacker kits: Examining the kits used to build hacking campaigns, and the source code of hacking software, allows us to understand how hacker activity is changing.

Through the HII, security researchers are able to pinpoint some important trends taking shape in the hacker community.

1. Hackers know the value of data better than the good guys

By tapping into hacker forums, researchers can quantify that data is the #1 commodity exchanged in hacker circles. Investigating the types of data being exchanged shows interesting trends: while the price of credit cards decreases, the price of user credentials to banking applications, social networks and webmail accounts is increasing. Website access itself is also up for sale. Recently, a list of hacked US and European .gov and .mil sites was uncovered by security researchers. The list contained the details gleaned from these sites (full control or user credentials) and the asking price of each hacked website (between $55 and $499), and it allowed the researchers to obtain an in-depth look at the hacker’s attack methods and tools.

2. SQL injection is still the most widely used attack technique

As data is hacker currency, SQL injection remains the most popular topic discussed. Analysis of attack traffic shows that exploits of SQL injection vulnerabilities comprise the bulk of malicious traffic. Other web vulnerabilities aimed at obtaining data and gaining site control – for example XSS and RFI – account for a major share of hacker discussions.

3. Hackers, by definition, are early adopters

Hackers are using the most recent technologies to conduct their attacks. Analyzing hacker toolkits shows how hackers are adopting cloud technologies in order to process and store fraudulently obtained data. Their backend data collection is thus ‘out-sourced’, allowing them to cut costs while investing in the development of new versions of attack tools. Social networks are used as vehicles for malware distribution, with command-and-control instructions sent to zombie machines through Facebook status updates and Twitter tweets. More interestingly, as the number of smartphone sales surpassed the number of laptop sales this past year, this was reflected in hacker chit-chat: mobile discussions in these forums showed a 10-fold increase in this past year alone.

4. Old threats do not die out

Familiar threats remain part of the threat landscape. As security controls scurry to keep up with the latest attack strain, hackers revive old techniques that are known to succeed and easy to carry out. Take, for example, the malware strain Imperva dubbed “Boy in the Browser” (BitB). This simple malware modifies a configuration file on the victim’s computer so that the victim’s communication with a particular target is re-routed through a hacker-controlled server. This was not a new technique, but researchers witnessed an increase in BitB distribution because it went undetected by most anti-malware products.
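As an added illustration of the kind of check a defender could run for the local redirection the article describes (this is not Imperva’s code; it assumes the tampered configuration file is the system hosts file, and the domains and addresses below are constructed):

```python
import ipaddress

# Constructed sample of a hosts file in which a banking domain has been
# pointed at a routable, attacker-controlled address (the BitB-style
# tampering described above). Domains and addresses are made up.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Entries injected by malware (constructed example)
203.0.113.45  online.examplebank.test www.examplebank.test
0.0.0.0       ads.tracker.test
"""

# Domains whose resolution the defender wants to protect (assumed list).
WATCHED_DOMAINS = ("examplebank.test",)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_overrides(text):
    """Return entries that map a watched domain to a routable address.

    Loopback and unspecified addresses (127/8, ::1, 0.0.0.0) are normal
    uses of the hosts file (blocklists, local development); a watched
    domain mapped to anything else is the tell-tale sign of redirection.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if _is_watched(name):
            findings.append((ip, name, "watched domain redirected"))
    return findings
```

Running the check against the live hosts file (e.g. `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) and alerting on any finding is a cheap complement to anti-malware signatures, since it catches the effect rather than the sample.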

5. Automation as the pillar of the hacker industry

Automated tools are increasingly used by hackers to run more successful campaigns. Mass SQL injection attacks are performed using Google as the platform for infection and distribution. Phishing and botnet kits are set up with the click of a button, and their variety and number rise in step with current events, such as tax season, natural disasters or famous actors.

As the aforementioned points demonstrate, the insights gained by the proactive security approach are invaluable to understanding the cybercriminal enemy. These findings could not have been obtained through a traditional security approach alone, which relies on reactive defenses and vulnerability research. It is time for security practitioners to introduce proactive detection into their security environment. This will allow practitioners to enhance their current controls with safeguards that stop attacks before they even enter the application.

Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial web application and database products.
