Who: Anonymous - a politically motivated group of hacktivists (mostly US and UK based).
What: Multiple Operations have been named by various groups; the primary two are OpNov5th and OpVendetta. These Operations may involve Denial of Service and website defacement attacks directed at Government facilities around the world.
When: Circa November 5th 2013.
Why: November 5th is the annual date on which activists and hacktivists gather online and in public to protest Government. It is known to Anonymous members as “Guy Fawkes day”.
Members of the hacktivist group Anonymous, based out of the US and the UK, have publicly stated they will target "all" government facilities across the globe in support of the ‘Occupy’ movement. Anonymous calls this a day of "global civil disobedience", or more specifically a day of civil disobedience and social activism through peaceful protest.
The date November 5th is significant for members of Anonymous due to the film and comic book "V for Vendetta" where Guy Fawkes, a freedom-loving terrorist, attempts to destroy an authoritarian government in the United Kingdom.
There are limited details regarding the specific tools that will be used as part of this operation. Based on previous observations, the attacks will most likely leverage multiple attack vectors, including Denial of Service, Web Application Exploits, and Website Defacement. Known Anonymous hacktivist DoS/DDoS tools such as LOIC, HOIC, and Slowloris will likely be used.
Possible attack vectors include:
- Bandwidth Saturation – Utilizing as much bandwidth as possible with DoS/DDoS attacks.
- Vulnerable Software Exploitation – Exploiting vulnerable systems with well-known or old vulnerabilities, resulting in website defacement.
- Resource Starvation – Flooding web servers with a large number of connections or never-ending data streams that slowly overwhelm the target webserver.
Public announcements by these groups are often used as a means to gain notoriety or media attention, and their credibility varies widely. These attacks are typically low scale, consisting of DDoS activity against publicly accessible webservers, website defacement efforts, or data exploitation. Symantec MSS does take these threats seriously and has detection in place.
SOC DETECTION CAPABILITIES:
Response measures have been taken in order to provide MSS customers with early warning and potential escalations for successful exploitations related to this threat. Emergency response signatures may generate false positives and will undergo tuning to ensure enhanced accuracy as further details are made available; however, given the nature of the threat, it is prudent to be overly cautious about alerting to potentially related activity. Please contact the SOC’s Analysis team if you have any questions or concerns related to this detection or wish to discuss having such signatures disabled or otherwise adjusted to meet your organization’s needs.
MSS SOC ANALYTICS DETECTION
Anomalous Traffic Detection
- Advanced Monitoring only
High Orbit Ion Cannon (HOIC) Tool
- NetScreen IDP 3.x
- Palo Alto Networks Firewall
Low Orbit Ion Cannon (LOIC) Tool
- Symantec AV
- Palo Alto Networks Firewall
- McAfee AV
- ISS Sensor
- Snort Alerts
MITIGATION STRATEGIES AND RECOMMENDATIONS:
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Discuss DoS/DDoS mitigation strategies with your upstream provider and ensure they are aware of this threat.
- Ensure your IT and IT Security staff are prepared and know what they need to do in the event of attack.
- Ensure all operating systems and public facing machines have the latest security patches and antivirus definitions.
- Ensure all web servers are patched, configured to minimize the impact of DoS/DDoS attacks, and hardened against external threats.
- Utilize Web Application Firewalls as a front-line defense against attacks.
- Utilize DDoS Protection services.