Lessons learned from Anonymous and Operation Last Resort

Activists linked to Anonymous gained access to U.S. government computers through a flaw in outdated Adobe ColdFusion installations. The weakness left many agencies open to penetration, and the attackers went undetected for almost 12 months.

The motive behind Operation Last Resort was fueled in part by the suicide of Aaron Swartz, co-founder of Reddit and Internet activist. Swartz faced multiple federal charges for what prosecutors said was the illegal bulk downloading of academic articles from the digital library JSTOR (Journal Storage). He took his own life shortly after learning that the prosecution had rejected his lawyer's plea offer.

According to the National Vulnerability Database (NVD), which catalogs Common Vulnerabilities and Exposures (CVE) entries, Adobe ColdFusion had 66 known vulnerabilities at the time of writing, each of which needs to be mitigated by patching or by compensating controls. Several of them allow an attacker to obtain administrator-console access via unspecified vectors, allow remote attackers to hijack web sessions via unspecified vectors, or allow remote attackers to cause a denial of service by sending a large number of crafted parameters.

Sixty-six is a high count for a single product. Eight distinct ColdFusion flaws were reportedly used during Operation Last Resort, so it is safe to assume that at least one of the catalogued vulnerabilities was in play. The practical point is that the compromised systems were, as reported, running outdated versions: the exposure came from known and catalogued weaknesses, not novel ones.
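Two of the CVE classes above (administrator-console exposure and parameter-flood denial of service) translate directly into checks that can be run over web server logs. The following is an added example, not code from the article or from Adobe: it flags administrator-console requests from outside an allowlisted management network and requests carrying an abnormal number of parameters. The path /CFIDE/administrator/ is ColdFusion's real default console location; the allowlisted network, the 100-parameter cap and the log lines are assumptions constructed for illustration.

```python
"""Request-level checks motivated by the ColdFusion CVE classes discussed above.

Added example, not from the original article. The allowlist, the parameter
cap and the sample log lines are assumptions constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# ColdFusion's administrator console lives under /CFIDE/administrator/.
ADMIN_PREFIX = "/cfide/administrator/"
# Assumption: only this management network may reach the console.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: no legitimate form on this application sends anywhere near
# 100 parameters, so a request with more is treated as abuse.
MAX_PARAMS = 100

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def flag_request(entry):
    """Return the list of reasons this request should be alerted on (empty if none)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(entry["ip"])
        allowed = any(ip in net for net in ADMIN_ALLOWLIST)
    except ValueError:  # unparsable source address: never treat as allowlisted
        allowed = False
    parts = urlsplit(entry["target"])
    if parts.path.lower().startswith(ADMIN_PREFIX) and not allowed:
        reasons.append("admin console request from non-allowlisted source")
    nparams = len(parse_qsl(parts.query, keep_blank_values=True))
    if nparams > MAX_PARAMS:
        reasons.append(f"excessive parameter count ({nparams} > {MAX_PARAMS})")
    return reasons


def scan(lines):
    """Map each flagged line index to its reasons and count findings per source IP."""
    findings = {}
    per_ip = Counter()
    for i, line in enumerate(lines):
        entry = parse_log_line(line)
        if entry is None:
            continue
        reasons = flag_request(entry)
        if reasons:
            findings[i] = reasons
            per_ip[entry["ip"]] += 1
    return findings, per_ip


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Jan/2013:09:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2013:09:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jan/2013:09:00:03 +0000] "GET /index.cfm?'
    + "&".join(f"p{i}=x" for i in range(500))
    + ' HTTP/1.1" 200 310',
    '198.51.100.9 - - [10/Jan/2013:09:00:04 +0000] "GET /products.cfm?id=7 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    found, by_ip = scan(SAMPLE_LOG)
    for idx, why in found.items():
        print(idx, why)
    print(dict(by_ip))
```

The console check is a detective control; the preventive equivalent is to block the path at the reverse proxy or firewall for everything but the management network. The parameter cap is the same idea as the request-size and field-count limits that web servers and WAFs expose, applied here so the reader can see the decision logic.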

Organizations need to be aware that the risk profile of their applications and security perimeter devices has changed substantially for the worse. Significant changes need to be made now, and revisited regularly, to bring these risks in line with adequate controls. The two major considerations, or pieces of work, that need to be incorporated are as follows:

Consideration #1 – Architecting the Perimeter for Attack Mitigation
Traditional network border devices are no longer sufficient to provide protection. Organizations must assess their security posture and adopt a defense-in-depth approach in order to be fully prepared for attacks. Part of this is an anti-DDoS strategy that alerts on and mitigates attack traffic at the very edge of the organizational network. Note that Operation Last Resort itself was an intrusion through an application flaw rather than a volumetric flood, so edge DDoS controls complement, but do not replace, patching and application-layer protection.

The solution should incorporate:

  • Notification and alerting mechanism
  • Sufficient network perimeter defenses to absorb network-based DDoS attacks
  • Ability to discriminate between legitimate and illegitimate traffic
  • Ability to quickly identify known threats and risks
  • Ability to gain a “bird’s eye view” – a logging/correlation system to collect detailed attack data and produce reports on the fly.

Consideration #2 – The Need for Complementary Security Technologies
As was widely reported during Operation Payback, the Anonymous campaign launched in support of WikiLeaks, MasterCard and Visa both suffered debilitating outages of their public websites. It was also reported that they had intrusion prevention tools and firewalls in place, which alone were not adequate. A few organizations, however, fared remarkably better, and lessons can be drawn from the contrast in the technologies they deployed.

We have learned that successfully mitigating these types of attacks requires deploying multiple security tools. The following technologies have proven invaluable in repelling such attacks and need to be resident in the perimeter of any business network:

  • Anti-DoS and DDoS attack tools (at the network and application layers)
  • Network behavioral analysis tools with real-time signature writing capabilities
  • Intrusion prevention systems
  • Application-level active defense mechanisms such as challenge and response
  • Active emergency counter-attack strategies (Smart Hands/Man-in-the-Loop Capability).

Most of the severely affected organizations appeared to have had inadequate protections against Internet-borne attacks, most notably DoS and DDoS protection. Many organizations are not using DoS protection at all and somehow subscribe to the notion that, in today's always-on and interconnected economy, "availability" isn't that important.

The second key technology ingredient is behavior analysis, which is geared toward finding "anomalous" activity: it distinguishes legitimate from illegitimate traffic and mitigates the latter. Today's threats arrive masquerading as legitimate users, and your defenses need to see past these masks.

The lesson of Operation Last Resort is that a well-coordinated cyber attack poses a serious threat to the federal agencies that were targeted, and that it undermined the integrity of the network security put in place to protect them. We can also conclude that traditional network border devices no longer suffice to protect an organization against the rise of application-level threats.

Part of a new security strategy is employing attack detection and mitigation systems which include, among other things, anti-DDoS capability to keep applications up and resilient. These are not the technologies we all think of as tried-and-true. The firewall is no longer the key vanguard protector, and the IPS is no longer adequate to find masquerading actors hidden behind "legitimate" signatures. Today's attack mitigation systems require technology that can unmask automated digital armies cloaked as legitimate connections and unearth the "slow" attacks (slow-header and slow-POST floods) that hold connections open while staying under simple rate thresholds.
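Two of the behavioral checks described in the last two paragraphs, a per-source request-rate outlier test against a population baseline and a detector for "slow" attacks that hold connections open with incomplete requests, as an added example that is not code from the article or from any product it alludes to. The thresholds, the connection records and the event stream are assumptions constructed for illustration; a real deployment would feed them from the load balancer or proxy's connection table and access log.

```python
"""Behavioural checks for two attack shapes discussed above: a source whose
request rate is far above the population baseline, and "slow" attacks that
hold connections open while trickling an incomplete request.

Added example, not from the original article. Thresholds and sample data
are assumptions constructed for illustration.
"""
import statistics
from collections import Counter

# Assumption: a source is anomalous when its request count in the window
# exceeds the median per-source count by this factor (with a floor so that a
# quiet site does not flag a normal burst). The median is used rather than the
# mean because a single flooding source drags the mean up and hides itself.
RATE_FACTOR = 10
RATE_FLOOR = 50
# Assumption: a connection open this long without a complete request (no
# terminating blank line in the headers) is treated as a slow-header attack.
SLOW_SECONDS = 30
# Assumption: one stalled connection may be a slow client; many from one
# source is an attack.
SLOW_CONN_PER_SOURCE = 5


def rate_outliers(events):
    """events: iterable of (timestamp, source_ip) in one window.
    Returns {ip: count} for sources whose count exceeds the baseline threshold."""
    counts = Counter(ip for _, ip in events)
    if not counts:
        return {}
    baseline = statistics.median(counts.values())
    threshold = max(RATE_FLOOR, baseline * RATE_FACTOR)
    return {ip: n for ip, n in counts.items() if n > threshold}


def stalled_sources(connections, now):
    """connections: list of dicts with keys ip, opened (epoch seconds) and
    headers_complete (bool). Returns {ip: stalled_count} for sources holding
    more than SLOW_CONN_PER_SOURCE long-lived incomplete requests."""
    stalled = Counter()
    for c in connections:
        if not c["headers_complete"] and now - c["opened"] > SLOW_SECONDS:
            stalled[c["ip"]] += 1
    return {ip: n for ip, n in stalled.items() if n > SLOW_CONN_PER_SOURCE}


def report(events, connections, now):
    """Combine both checks into one finding dict."""
    return {"rate": rate_outliers(events), "slow": stalled_sources(connections, now)}


# Constructed sample data (not real traffic).
EVENTS = []
for i in range(40):  # 40 ordinary clients, 3 requests each in the window
    for k in range(3):
        EVENTS.append((k, f"192.0.2.{i}"))
EVENTS += [(k % 60, "203.0.113.5") for k in range(600)]  # one bot: 600 requests

NOW = 1000.0
CONNECTIONS = (
    # 20 incomplete requests from one source, all open for two minutes
    [{"ip": "198.51.100.2", "opened": NOW - 120, "headers_complete": False} for _ in range(20)]
    # one genuinely slow client: a single stalled connection, not flagged
    + [{"ip": "192.0.2.1", "opened": NOW - 120, "headers_complete": False}]
    # a healthy, completed request
    + [{"ip": "192.0.2.2", "opened": NOW - 2, "headers_complete": True}]
)

if __name__ == "__main__":
    print(report(EVENTS, CONNECTIONS, NOW))
```

The design choice worth noting is the median baseline: a flooding source that makes up most of the traffic inflates a mean-based baseline and can hide behind it, whereas the median stays at the ordinary-client level. The slow-attack check deliberately needs several stalled connections from one source before alerting, because a single stalled connection is exactly what a user on a poor mobile link looks like.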

Because other breaches have not been made public and the exact number of compromised systems is not yet known, the FBI stated in a memo that this is a "widespread problem that should be addressed."

Given the severity of this breach of the government's networks, it can safely be assumed that legislators will continue to drive prescriptive steps to bolster network security and impose greater sentences to deter hackers. After all, if these heavily fortified U.S. government computers fell victim, how can less prepared industries such as healthcare providers, educational institutions, energy and manufacturing be ready without dramatic and rapid change to their security programs? Who is next? Every organization has to ask whether it is ready for such attacks, and if not, when it will be.