1. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
#AskSucuri
How Websites Get Hacked
2. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
TONY PEREZ
@perezbox
Tony Perez | @perezbox
3. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
WHO IS THIS TALK FOR?
• Currently infected
• Have been infected
• Curious how someone hacked their website
• Curious about the various attack vectors
4. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Quick Review
The Impacts of Compromise
5. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Malware Distribution Search Engine Poisoning Spam EmailPhishing Lures
Infection Types
Defacement DDoS/Bots/Backdoors Ransomware
6. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
THE IMPACTS OF COMPROMISE
Brand Website Blacklisting
Emotional Distress
Economic
Business
Visitor Compromise
Technical
SEO Impacts
7. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Website Hacks
8. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
April 2016 – 1.02 Billion Websites
73%33%
CMS Powered Websites CMS Market Share
9. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
The Environment
A complex ecosystem
10. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Environment
Local Machine Local Network User
Attack Surface
12. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Application Server InfrastructureEnvironment
Security Chain
13. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Types of Attacks
14. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Targeted Attacks Attacks of Opportunity
Occurs .001% of the time
There is a specific “target”
How the attack will happen is unknown
The exploit is unknown, defined by what is found
There is enough motivation and return
Automated / Manual
High-level of skill / expertise
Personal (i.e., political, competitor, hatred)
Modus operandi for organizations
Occurs 99.99% of the time
Don’t have a specific “target”
The attack is known
The exploit is known, low-hanging fruit
The motivation and return is dependent on mass affect
Mostly automated
Low-mid level skill / expertise
Not-Personal (i.e., wrong place, wrong time)
Modus operandi for website attacks
15. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Attack Flow
16. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Automation
• Key in today’s attacks, making it the most effective way to affect 10’s of
thousands of websites at the same time (i.e., maximum exposure and
increased potential for success)
• Introduces efficiency and effectiveness into the attack sequence, enabling less
skill adversaries (i.e., new breed of script kiddies)
• Allows bad actors to be faster to the draw targeting new software vulnerabilities
• Enabled by the development and expansion of global bot networks (botnets)
17. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Reconnaissance
Identification
Exploitation
Sustainment
Compromise
Cleanup
AutomatedTargeted
18. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Phase Targeted
Reconnaissance Scanning a specific environment
Identification
Exploitation
Sustainment
Identify the potential attack vectors
on the network
Exploit a specific weakness
based on services in
environment
Ensure attacker can continue
to get into environment
Compromise
Cleanup
Accomplish the objective
Reduce odds of detection,
cover tracks
Scanning the web for a specific
issue
Occurs in Reconnaissance phase
Exploit known weakness
Ensure attacker can continue
to get into environment
Accomplish the objective
N/A
Opportunity
19. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Phase Considerations
Reconnaissance
How are you reducing your attack
surface?
Identification
Exploitation
Sustainment
How do you know what
vulnerabilities exist?
How are you mitigating
exploitation attempts?
How do you know there are no
backdoors?
Compromise
Cleanup
How do you know if you’re
currently compromised?
Are you retaining all activity
remotely?
Disable unused services, ports,
applications
Vulnerability management program
(i.e., wpscan, joomlascan, etc… )
Employ cloud-based WAF / IPS
Employ IDS technology designed to
detect these issues
Employ IDS technology designed to
report Indicators of Compromise (IoC)
and integrity issues
Employ an auditing / remote retention
mechanism
Security Controls
20. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Availability
• Availability describes your websites uptime, or accessibility, to your audience.
• Some hacks don’t intend on compromising the website or it’s resources, instead
they are content with overwhelming resources and disrupting it’s availability
• Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks.
• Attackers are able to overwhelm resources on a network, drastically affects
shard hosts and small web servers, can lead to websites being disabled to save
the network
21. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Attack Vectors
22. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
How Websites Get Hacked
Access Control Software Vulnerabilities
Cross-site
Contamination
Third-Party
Integrations
Hosting
23. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Access Control
• Refers to how access is restricted to specific areas, places, or things.
• Websites access control extends to all applications that provide some form of
access to the web environment:
• CMS Administration panel
• Hosting Administration Panel
• Server Access Nodes (i.e., FTP, SFTP, SSH)
• When thinking about access control, think beyond the website. application.
• Attacks to access control come in he form of Brute Force attacks.
24. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Software Vulnerabilities
• Refers to bugs in code that can be abused to perform nefarious acts. They
include things like:
• SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.…
• Familiarize yourself with the Open Web Application Security Project (OWASP),
specifically the OWASP Top 10.
• CMS applications struggle with vulnerabilities in their extensible parts (i.e.,
plugins, themes, extension, modules, etc…)
25. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Cross-site Contamination
• Refers to the lateral movement an attacker makes once in the web server.
• This is referred to as an internal attack, not an external one. An attacker is able
to gain entry into the web server via a vulnerable site, then use that to leap frog
into all other websites on the web server.
• It’s often the contributing factor to a number of reinfections, website owners
focus on the website affected and the symptoms, but spend little time looking at
the websites that show no external signs of compromise.
• Rampant in environments that do not employ functional isolation on the web
server, and employ improper permissions and configurations.
26. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Third-Party Integrations
• Third-party integration refer to a number of things, the most prevalent affecting
security is the integration of ads and their associated ad networks.
• These integrations are introducing a weak link into the security chain, where ad
networks are attacked and used to penetrate unsuspecting websites -
malvertising
• Malvertising is the act of manipulate ads to distribute malware, often in the form
of malicious redirects and drive-by-downloads
• Exceptionally difficult to detect because of their conditional nature, and the fact
that they are outside of the website environment
27. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Hosting
• It’s been a long time since there has been a mass-compromise of a large
shared-hosting provider (circa 2011)
• The issues with hosts today revolve around hosts that aren’t really hosts;
organizations that try to offer a complete solution – marketing / development /
security / hosting / SEO, etc..
• Inexperienced service providers that introduce confusion and noise to an already crowded
marketplace
• They know enough to be dangerous, but rarely house the in-house skills or knowledge
• Contribute to a number of cross-site contamination issues due to poor configurations
28. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Thinking Website Security
How to improve your website security posture
29. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Security is not a static state,
it’s a continuous process.
30. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
31. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Technology will never replace your
responsibility as a website owner.
32. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
33. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Security is not a Do It Yourself (DIY) project.
34. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
35. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
Q & A
Tweet us @SucuriSecurity using #AskSucuri
36. How WEBSITES get HACKEDWEBINAR
Tony Perez | @perezbox #AskSucuri
WEBINAR
Tony Perez | @perezbox #AskSucuri
THANK YOU!