Analysis of an anonymous group attack – what to look for!

An Anonymous group attack on an internet based entity is something that needs to be understood so that you can protect yourself. What you do not want is for it to happen to you, whatever the reason. It doesn’t take much for the Anonymous group to turn on you, but when they do you need to be prepared.

An Anonymous group attack has it all: social media, social engineering, black hat attackers, hacker wannabes and plenty of remote attack vectors. So let’s start at the beginning.

First indications

The Anonymous group relies on social media: it needs to gain traction and numbers to reach the critical mass required to create an internet problem for the targeted organisation. Facebook and YouTube are used to generate both interest and direction among the many followers who will take part in the attack. To do this, most of the time, they create a video explaining the reason for the attack (check them out on YouTube). This also sets the timeline and tells everybody when the attack will happen, including your defence team if they are listening.

Prelim and build up

In the lead up to the attack, the social media exposure recruits the required people: the fans. If the subject or target is of little or no interest, fewer people sign up; fewer people means the attack may not reach critical mass and therefore will not have the desired effect.

Over the first 12 – 16 days leading up to the attack day, there is a noticeable increase in scans on the target web presence. These scans look for access not only to the front facing pages but to anywhere else on the internet based system they can exploit. They are looking for information on what type of application you are using, where and what type of database system is in place, who supplied the application and how secure the web based environment is. This information then becomes their plan of attack, which is published using Facebook and Twitter to the major black hats so that they can further coordinate the attack.

While this is going on the “fans” are signing up and downloading the robotic attack applications; these include LOIC (not used that much), HOIC, GSIC, SQL injection tools and other exploit targeting applications. Some are automated, others are semi-professional, but most of them are designed as a set and forget type of attack. The “fans” are required to sign up, download and attack on a certain day and time.

While this is happening the truly bad guys are also probing your defences, recording reactions and testing your perimeter to see what will happen when they do attack.
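As an added example, not part of the original post, here is a small Python script that watches for the scan build-up described above: it parses constructed web access log lines, scores each request as recon-like (error status, probe of an admin path, scanner user-agent) and reports the days on which probe traffic dominates and the sources behind it. The indicator lists and the 50% threshold are assumptions to tune for your own site.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of combined-format web access log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2014:10:00:05 +0000] "GET /products HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2014:03:12:44 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.7 - - [02/Mar/2014:03:12:45 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.7 - - [02/Mar/2014:03:12:46 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "sqlmap/1.0"
198.51.100.7 - - [02/Mar/2014:03:12:47 +0000] "GET /index.php?id=1' HTTP/1.1" 500 0 "-" "sqlmap/1.0"
192.0.2.33 - - [02/Mar/2014:11:30:00 +0000] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Indicators of reconnaissance rather than normal browsing (assumed lists; tune for your site).
PROBE_PATH = re.compile(r"/(phpmyadmin|admin|wp-login\.php|wp-admin|\.git|\.env)\b|['\"]", re.I)
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|acunetix|zgrab", re.I)

def parse_line(line):
    """Return a dict with ip, day (YYYY-MM-DD), path, status, ua; None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return {"ip": m["ip"], "day": day, "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"]}

def records(log_text):
    """All parseable records in the log text, in order."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def is_probe(rec):
    """A request looks like a scan if it errors out, hits a probe path, or uses a scanner UA."""
    return (rec["status"] in (401, 403, 404, 500)
            or bool(PROBE_PATH.search(rec["path"]))
            or bool(SCANNER_UA.search(rec["ua"])))

def daily_probe_counts(log_text):
    """Map each day to (probe_requests, total_requests)."""
    counts = {}
    for rec in records(log_text):
        probes, total = counts.get(rec["day"], (0, 0))
        counts[rec["day"]] = (probes + is_probe(rec), total + 1)
    return counts

def flag_scan_rampup(log_text, ratio=0.5):
    """Days on which probe traffic exceeds the given share of all requests."""
    return [d for d, (p, t) in sorted(daily_probe_counts(log_text).items()) if p / t > ratio]

def top_probe_sources(log_text, n=3):
    """Source IPs responsible for the most probe-like requests."""
    return Counter(r["ip"] for r in records(log_text) if is_probe(r)).most_common(n)
```

Run it over a rolling window of your own access logs and compare each day against the previous weeks' baseline; a sustained rise in flagged days in the fortnight before a published attack date is the warning sign the post describes.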

The main attack

A true DDOS attack is usually aimed at the data and network levels of the internet protocol model (stack), levels 2 and 3 of the OSI model, but the newest DDOS attacks are based at the application level (level 7 of the OSI model) and can be truly devastating. A single 15 second targeted attack, using some of the available attack applications in the hands of a professional black hat, can take down an eCommerce site for 45 minutes. They are very effective and very damaging, so you can understand what a concerted attack by 15,000 or more drones would do.

The drones target and exploit known vulnerabilities within the applications, using the information discovered during the build-up: through application scans, through social media (business Facebook pages, for instance), and through badly designed and insecure applications and supporting operating systems. All that information is “GOLD” to them because from one little piece of information they can gain so much.

The true targeted attack happens at a designated time and date, and the drone attacks are all used to disguise it. It is carried out by the 15 or 20 true black hat attackers who are actually after your critical information: your user information, credit card numbers, intellectual property or anything else they can sell on the black market. These are the most dangerous people, the tiny 0.001% of the attack, the ones who actually know what they are doing and the ones who started the attack for their own benefit.

Do not underestimate this group: they know computers, they know applications, they know operating systems, and they know how the Internet works and how to get around most basic implementations of cyber security.

The aftermath

Did they get in? The final wash up will tell you. If you survived, it is good for reputation and publicity; if you failed, then you are just another stat on the Internet. The attack will fail if you heed some of the warnings. This is the point where you find out how effective your cyber security defences are: did they gain access, did they actually steal anything, and did they slow down or cripple your business during the attack?

How do you prevent an attack?

If you know that you are the target then you need to start thinking about protection. It all comes down to the following:

  • Find out if you are a target – set up Google alerts or their equivalent, and check out some of the Anonymous group videos; the ones with upwards of 100k views are targets that would have had major problems.
  • Always use common sense; this is the basic level of cyber security prevention. Change default passwords, keep important information under good security, segregate your business, implement a need to know environment and keep your eye on your employees.
  • Patch and update – critical for keeping the latest exploits off your system.
  • Policies – implement them across the business, especially for complex passwords, internet use and BYOD.
  • Watch your audit trails and logs. Make sure you are reacting to the correct attack stimulus. Track access to all critical data.
  • Do a penetration test on your system – if you can, get a penetration test done on your business internet presence by a white hat hacker. This will give you a breakdown of what would happen if you were attacked.
  • Invest in some decent application level firewalling – if you can afford it, upgrade your firewall or implement an application level firewall in your infrastructure. Cisco, Fortigate and Juniper all have application firewall systems as a component of their main firewall products.
  • If your system is hosted or cloud based, check not only your SLA but also the security level of your provider.

As a last resort, disconnect the front facing component of your web site from the back end database component, or put the whole thing into maintenance mode; this will buy you some time. The front end is easy to repair; the back end systems and information are critical to your business. Disconnecting the two may take you offline for 2 or 3 hours, but that is far better than trying to recover from a targeted attack.

So before you say that you have nothing that other people want, or that you have never said anything bad about anyone, remember that we are all chance targets just by being on the Internet. Advance warning of an attack is one of your best defences: it is inexpensive, regular, requires no human intervention and, with the correct search parameters, very, very accurate.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.