#OpUSA Lessons Learned

Like many other security companies, we’ve been tracking #OpUSA. Prior to the event (May 7, 2013), we didn’t anticipate that this operation would garner much support given the lack of attention it received in the community (as depicted in the graph below).

[Figure: OpUSA Twitter Mentions]

We anticipated that the attacks would be similar to what the financial industry has already experienced over the last several months with #OpAbabil. In fact, we felt that the most notable actor in this operation would be the Cyber Fighters. The moment we learned that the Cyber Fighters had backed out of the operation, we felt strongly that it would be, for the most part, a failure: the participants would fail to hack or disrupt the high-profile targets and financial companies on the target list. So far, these predictions have been accurate.


While #OpUSA has shown signs of life here and there, most of the interest around the event has tapered off. So now is a good time to ask some important questions:


  • Did your company prepare for #OpUSA?
  • How much time and resources were spent handling this threat?
  • Is there such a thing as being overly prepared?
  • How can you predict the impact of the next threat?


Attacks from actors such as the Cyber Fighters have proven to be very real and have a significant impact. If a target is not prepared, they will most likely feel the effects of a DDoS attack at the very least. While the attacks are not necessarily new, they are difficult to defend against. If you don’t have the right mix of experience, products and partnerships, now is a good time to revisit your security posture.

 

The guidance provided by the government to mitigate threats such as #OpUSA is summarized below:


  1. Compromised hosts should be wiped and restored to a known good image. Users and administrators should be vigilant about applying the latest patches and anti-virus updates. An infected host endangers the availability, confidentiality, and integrity of data on networks.
  2. DEP – Data Execution Prevention (DEP) should be enabled wherever possible (to help prevent buffer overflow exploits).
  3. Defend against compromised CA and web site certificates.
  4. Have layers of defense to mitigate phishing and drive-by downloads.
  5. Make sure strong authentication has been enforced wherever possible and limit remote access.
  6. Harden your infrastructure. For instance: remove unused network interfaces, keep gear patched, ensure strong authentication, limit management access to internal devices, etc.
  7. Be prepared to minimize the effect of SQLi and XSS attacks.
  8. Verify that firewall rules are tuned and that unused rules are removed for both IPv6 and IPv4 networks.


In addition to the federal recommendations, we recommend the following (high level summary):


  1. Make sure to use a CDN for your external web presence. CDNs help mitigate DDoS threats substantially.
  2. Be prepared ahead of time. Work with your upstream Internet provider to ensure they can redirect and scrub DDoS-related traffic, or be prepared to redirect traffic to a company such as Prolexic.
  3. Ensure that all DDoS features are tuned and enabled across all security and infrastructure devices: firewalls, routers, IPS, gateways, etc. Each of these has a part in defending against the attack and each has specific strengths.
  4. Be prepared to identify and block zero-day threats.
  5. Using your visibility solutions, vigilantly monitor for exfiltration and anomalous behavior. Expect that someone will penetrate your perimeter.
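The post leaves "monitor for anomalous behavior" and "tune your DDoS features" at the level of advice. As an added illustration (not code from the original post or from HP), the script below runs two baseline checks over web-server access logs: it flags any source that exceeds a request-rate threshold inside a fixed time window (the kind of flood a DDoS-style operation produces) and any source that pulls an unusually large volume of bytes (one coarse signal for exfiltration or bulk scraping). The log lines, addresses, and thresholds are constructed sample values and assumptions, not data from the event.

```python
"""Baseline flood and bulk-transfer checks over access logs.

Added example, not from the original post. Log format, thresholds and the
sample addresses (RFC 5737 documentation ranges) are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format with a trailing response-size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def request_floods(entries, window_s=10, threshold=50):
    """Return {ip: peak requests in any window} for sources over the threshold.

    Requests are bucketed into fixed windows of window_s seconds; a source is
    flagged if any single window exceeds the threshold (assumed value).
    """
    counts = Counter()
    for e in entries:
        bucket = int(e["ts"].timestamp()) // window_s
        counts[(e["ip"], bucket)] += 1
    peaks = defaultdict(int)
    for (ip, _), n in counts.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}


def large_transfers(entries, byte_threshold=10_000_000):
    """Return {ip: total bytes served} for sources whose total exceeds the threshold."""
    totals = Counter()
    for e in entries:
        totals[e["ip"]] += e["bytes"]
    return {ip: b for ip, b in totals.items() if b > byte_threshold}


def build_sample_log():
    """Constructed sample: one flooding source, one bulk downloader, one normal client."""
    lines = []
    # 60 requests from one address within a single 10-second window.
    for i in range(60):
        lines.append('203.0.113.7 - - [07/May/2013:13:00:%02d +0000] '
                     '"GET / HTTP/1.1" 200 512' % (i % 10))
    # One 50 MB download of an archive that should not be reachable from outside.
    lines.append('192.0.2.55 - - [07/May/2013:13:02:11 +0000] '
                 '"GET /backup/db.tar.gz HTTP/1.1" 200 52428800')
    # Ordinary browsing from a third client.
    for sec in (5, 19, 42):
        lines.append('198.51.100.23 - - [07/May/2013:13:03:%02d +0000] '
                     '"GET /news HTTP/1.1" 200 2048' % sec)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    print("parsed entries:", len(entries))
    print("request floods:", request_floods(entries))
    print("large transfers:", large_transfers(entries))
```

In practice the thresholds come from a baseline of your own traffic rather than fixed numbers, and the flagged sources feed whatever blocking or scrubbing path you set up with your CDN or upstream provider; the point of the script is that both checks are cheap enough to run continuously rather than only once an operation has been announced.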


Even though #OpUSA was a failure, it's a good indicator of the potential threats that could soon come. Review your defense posture and be prepared for the next threat that could be real.

HPSR-FI_Team | ‎05-13-2013 12:29 PM