Sucuri Webinar: How Websites Get Hacked

How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
#AskSucuri
How Websites Get Hacked

WEBINAR
TONY PEREZ
@perezbox
Tony Perez | @perezbox

WEBINAR
WHO IS THIS TALK FOR?
• Currently infected
• Have been infected
• Curious how someone hacked their website
• Curious about the various attack vectors

WEBINAR
Quick Review
The Impacts of Compromise

WEBINAR
Malware Distribution Search Engine Poisoning Spam EmailPhishing Lures
Infection Types
Defacement DDoS/Bots/Backdoors Ransomware

WEBINAR
THE IMPACTS OF COMPROMISE
Brand Website Blacklisting
Emotional Distress
Economic
Business
Visitor Compromise
Technical
SEO Impacts

WEBINAR
Website Hacks

WEBINAR
April 2016 – 1.02 Billion Websites
73%33%
CMS Powered Websites CMS Market Share

WEBINAR
The Environment
A complex ecosystem

WEBINAR
Environment
Local Machine Local Network User
Attack Surface

WEBINAR
Domain Threat Landscape
Environment
 Devices (i.e., Desktop, Notebooks, Tablets)
 Networks (i.e., Public Wifi, Insecure Networks)
 End-users (i.e., Poor administration / maintenance)
Application
Server
Infrastructure
 CMS (i.e., WordPress, Joomla!, Magento, Drupal, etc..)
 Non-CMS Applications (i.e,. Plesk, WHCMS, Cpanel, etc..)
 Multi-function environments (i.e., email / file servers, etc…)
 Web Server (i.e., Apache, NGINX, Varnish, IIS, etc…)
 Operating Systems (i.e., Linux, Windows, etc…)
 Languages (i.e., PHP, .NET, Node.js, etc…)
 Server Daemons (i.,e FTP, SFTP, SSH, etc...)
 Hosting companies
 Physical servers
 Hardware peripherals (i.e., Routers, Switches)

WEBINAR
Application Server InfrastructureEnvironment
Security Chain

WEBINAR
Types of Attacks

WEBINAR
Targeted Attacks Attacks of Opportunity
 Occurs .001% of the time
 There is a specific “target”
 How the attack will happen is unknown
 The exploit is unknown, defined by what is found
 There is enough motivation and return
 Automated / Manual
 High-level of skill / expertise
 Personal (i.e., political, competitor, hatred)
 Modus operandi for organizations
 Occurs 99.99% of the time
 Don’t have a specific “target”
 The attack is known
 The exploit is known, low-hanging fruit
 The motivation and return is dependent on mass affect
 Mostly automated
 Low-mid level skill / expertise
 Not-Personal (i.e., wrong place, wrong time)
 Modus operandi for website attacks

WEBINAR
Attack Flow

WEBINAR
Automation
• Key in today’s attacks, making it the most effective way to affect 10’s of
thousands of websites at the same time (i.e., maximum exposure and
increased potential for success)
• Introduces efficiency and effectiveness into the attack sequence, enabling less
skill adversaries (i.e., new breed of script kiddies)
• Allows bad actors to be faster to the draw targeting new software vulnerabilities
• Enabled by the development and expansion of global bot networks (botnets)

WEBINAR
Reconnaissance
Identification
Exploitation
Sustainment
Compromise
Cleanup
AutomatedTargeted

WEBINAR
Phase Targeted
Reconnaissance Scanning a specific environment
Identification
Exploitation
Sustainment
Identify the potential attack vectors
on the network
Exploit a specific weakness
based on services in
environment
Ensure attacker can continue
to get into environment
Compromise
Cleanup
Accomplish the objective
Reduce odds of detection,
cover tracks
Scanning the web for a specific
issue
Occurs in Reconnaissance phase
Exploit known weakness
Ensure attacker can continue
to get into environment
Accomplish the objective
N/A
Opportunity

WEBINAR
Phase Considerations
Reconnaissance
How are you reducing your attack
surface?
Identification
Exploitation
Sustainment
How do you know what
vulnerabilities exist?
How are you mitigating
exploitation attempts?
How do you know there are no
backdoors?
Compromise
Cleanup
How do you know if you’re
currently compromised?
Are you retaining all activity
remotely?
 Disable unused services, ports,
applications
 Vulnerability management program
(i.e., wpscan, joomlascan, etc… )
 Employ cloud-based WAF / IPS
 Employ IDS technology designed to
detect these issues
 Employ IDS technology designed to
report Indicators of Compromise (IoC)
and integrity issues
 Employ an auditing / remote retention
mechanism
Security Controls

WEBINAR
Availability
• Availability describes your websites uptime, or accessibility, to your audience.
• Some hacks don’t intend on compromising the website or it’s resources, instead
they are content with overwhelming resources and disrupting it’s availability
• Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks.
• Attackers are able to overwhelm resources on a network, drastically affects
shard hosts and small web servers, can lead to websites being disabled to save
the network

WEBINAR
Attack Vectors

WEBINAR
How Websites Get Hacked
Access Control Software Vulnerabilities
Cross-site
Contamination
Third-Party
Integrations
Hosting

WEBINAR
Access Control
• Refers to how access is restricted to specific areas, places, or things.
• Websites access control extends to all applications that provide some form of
access to the web environment:
• CMS Administration panel
• Hosting Administration Panel
• Server Access Nodes (i.e., FTP, SFTP, SSH)
• When thinking about access control, think beyond the website. application.
• Attacks to access control come in he form of Brute Force attacks.

WEBINAR
Software Vulnerabilities
• Refers to bugs in code that can be abused to perform nefarious acts. They
include things like:
• SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.…
• Familiarize yourself with the Open Web Application Security Project (OWASP),
specifically the OWASP Top 10.
• CMS applications struggle with vulnerabilities in their extensible parts (i.e.,
plugins, themes, extension, modules, etc…)

WEBINAR
Cross-site Contamination
• Refers to the lateral movement an attacker makes once in the web server.
• This is referred to as an internal attack, not an external one. An attacker is able
to gain entry into the web server via a vulnerable site, then use that to leap frog
into all other websites on the web server.
• It’s often the contributing factor to a number of reinfections, website owners
focus on the website affected and the symptoms, but spend little time looking at
the websites that show no external signs of compromise.
• Rampant in environments that do not employ functional isolation on the web
server, and employ improper permissions and configurations.

WEBINAR
Third-Party Integrations
• Third-party integration refer to a number of things, the most prevalent affecting
security is the integration of ads and their associated ad networks.
• These integrations are introducing a weak link into the security chain, where ad
networks are attacked and used to penetrate unsuspecting websites -
malvertising
• Malvertising is the act of manipulate ads to distribute malware, often in the form
of malicious redirects and drive-by-downloads
• Exceptionally difficult to detect because of their conditional nature, and the fact
that they are outside of the website environment

WEBINAR
Hosting
• It’s been a long time since there has been a mass-compromise of a large
shared-hosting provider (circa 2011)
• The issues with hosts today revolve around hosts that aren’t really hosts;
organizations that try to offer a complete solution – marketing / development /
security / hosting / SEO, etc..
• Inexperienced service providers that introduce confusion and noise to an already crowded
marketplace
• They know enough to be dangerous, but rarely house the in-house skills or knowledge
• Contribute to a number of cross-site contamination issues due to poor configurations

WEBINAR
Thinking Website Security
How to improve your website security posture

WEBINAR
Security is not a static state,
it’s a continuous process.

WEBINAR

WEBINAR
Technology will never replace your
responsibility as a website owner.

WEBINAR
Security is not a Do It Yourself (DIY) project.

WEBINAR
Q & A
Tweet us @SucuriSecurity using #AskSucuri

WEBINAR
THANK YOU!

Sucuri Webinar: How Websites Get Hacked

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Sucuri Webinar: How Websites Get Hacked

Ähnlich wie Sucuri Webinar: How Websites Get Hacked (20)

Mehr von Sucuri

Mehr von Sucuri (14)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Sucuri Webinar: How Websites Get Hacked