Sony, News Corp and NATO. What do these organisations have in common? They have all been targeted by the hacktivist super group, Anonymous.
However, these attacks could have been avoided, or at least the impact reduced, with monitoring of social media and installation of Web application firewalls, according to one security expert. Speaking at SecureSydney 2012, Imperva Australia and New Zealand principal security architect, Paul Steen, walked delegates through the timeline of an Anonymous attack on one of its customers which took place in 2011. For security reasons, he did not name the company.
In-depth: Information security 2011 Research Report.
The company’s website was subjected to numerous application attacks followed by an estimated 500,000 to 600,000 distributed denial of service (DDoS) attempts over approximately four days.
According to Steen, Anonymous was unsuccessful in its attempts to crack the website and, fortunately, the organisation knew the attack was coming before it happened.
“They rang us up and said there was evidence on the internet that Anonymous would be targeting us,” he says.
According to Steen, there are four steps organisations can take to avoid appearing on the Anonymous hit list.
Monitor social media
“Follow yourself on Google and set up alerts on Google to notify you when your organisation pops up in communication across the internet on sites such as Twitter,” he says.
“You need to be proactively monitoring so you know when an attack is coming.”
Even though Anonymous has been very successful at attacking numerous organisations, it virtually always announce that it is coming on social networking sites such as Twitter, says Steen.
According to Steen, application security is important. This should include Web application firewalls (WAFs), vulnerability assessment and code reviews.
“Every attack that Anonymous has mounted where data has been stolen is through the Web application," he says.
Prepare for DDoS attacks
“Anonymous typically likes to steal data and then take down the website if they can,” he says.
“Analyse the alert messages generated by your security device and read the logs. We often have plenty of security devices deployed but no one is paying attention to the devices.”
Internet protocol (IP) reputation
According to Imperva’s monitoring of the attack on its customer, a high percentage of the skilled hackers were operating from an unknown IP source.
“They were using anonymous proxies so by having security in place that identifies and can give you information on the IP reputation, you can mitigate this problem before the attack even takes place,” Steen says.
Finally, he adds that Anonymous are “opportunists” and will go after an organisation that is vulnerable. “If it’s interesting, then they attack the organisation and then after the fact make up some cause of why they did it,” he says.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia