Foresight, an Israeli cyber-security firm, last week started to offer a new service, called Defacement Mitigator, which replaces a site with the original content as soon as the site is compromised. This means that, even if hackers breach a site and plant their messages, nobody will ever know about it, thereby eliminating the “reward” hacktivists seek — attention.
For hackers trying to make a political statement, commonly known as “hacktivists,” compromising a site is not enough. The objective is to spread the statement, as well as show other hackers what they’ve done. The site administrator’s savvy and the site’s popularity are among the factors which determine how long a hacked site will stay online. Most administrators will replace the hacked content with a backup of the content that is supposed to be there as soon as they know about the breach.
Thanks to hacker archive sites such as Zone-H, hackers only need a few minutes to cash in on fame and glory. Hackers submit screenshots of their “work” to Zone-H, which duly records the name of the hacker crew, their country of origin and a copy of the hacked site. The archive records hackers’ accomplishments for posterity, preserving them online after the hacked site is fixed. In March 2014, a typical month, said Zone-H, more than 150,000 defacement attacks took place.
Defacement Mitigator denies hackers the reward of recognition for their accomplishments altogether. The system is based on Foresight’s web security solution, which classifies elements of a web site according to the likelihood of their being breached, creating clones of the site that most users utilize. Compromised versions of a site are instantly replaced with a clean version, with users and hackers none the wiser as to what happened behind the scenes, the company said.
The Foresight platform analyzes and maps a website in order to understand its content and how transactions are conducted. The system differentiates between a site’s “business logic” — data such as names, credit card numbers and passwords, whose values could be anything — and its “presentation layer” — the static content and the predictable requests, such as the choices on a drop-down menu. With the site’s characteristics thus separated, the system develops a security policy based on a “smart white list” of easily duplicated safe actions.
Clones of the presentation layer, which constitutes the vast majority of the content for most sites, are created and placed in Foresight’s security cloud. When users visit the site, they are presented with one of the clones. The system checks all transactions to see if they are legitimate and blocks suspicious requests. If a hacker finds a back door to a site, the Foresight system will detect it, instantly drop the now-compromised version of the site and replace it with one of the clones.
The only time a user engages with the “real” site is when a business logic transaction is attempted — when a user tries to enter a username and password, for example. Because they connect with databases, those requests need to be handled directly on the site, but they still have to go through Foresight’s tough, exhaustive mitigation technology before being allowed to proceed. Here, too, the system is ready with an instant backup if anything seems out of place.
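The detect-and-replace idea described above can be sketched as follows. This is an added example, not Foresight’s code or part of the original article; it assumes the presentation layer is a directory of static files with a clean clone kept on disk, and every function and directory name in it is hypothetical.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(clone_dir: Path) -> dict[str, str]:
    """Map each file in the clean clone (relative path) to its SHA-256."""
    return {
        p.relative_to(clone_dir).as_posix(): sha256_file(p)
        for p in sorted(clone_dir.rglob("*")) if p.is_file()
    }


def find_defacement(live_dir: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Return {relative path: 'modified' | 'missing' | 'unexpected'}."""
    findings = {}
    for rel, digest in manifest.items():
        live = live_dir / rel
        if not live.is_file():
            findings[rel] = "missing"
        elif sha256_file(live) != digest:
            findings[rel] = "modified"
    # Files the clone never contained are suspicious too (planted pages).
    for p in live_dir.rglob("*"):
        rel = p.relative_to(live_dir).as_posix()
        if p.is_file() and rel not in manifest:
            findings[rel] = "unexpected"
    return findings


def restore_from_clone(live_dir: Path, clone_dir: Path,
                       findings: dict[str, str], quarantine_dir: Path) -> list[str]:
    """Quarantine tampered files as evidence, then copy back clean versions.
    Assumes quarantine_dir lies outside live_dir."""
    for rel, kind in findings.items():
        live = live_dir / rel
        if kind in ("modified", "unexpected"):
            dest = quarantine_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(live), str(dest))
        if kind in ("modified", "missing"):
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(clone_dir / rel, live)
    return sorted(findings)
```

Keeping the tampered files in quarantine rather than deleting them preserves evidence for incident response while the clean content is already back in place.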
With the Defacement Mitigator, Foresight extended its services to cover all sites, even those that do not require user interaction. The system is installed in dozens of mid-to-large size organizations in the retail, financial services, government and other sectors around the world.
According to Netanel Otni, head of IT infrastructure for the Weizmann Institute of Science, “Our site was hit by an attack shortly after Foresight was up. Our site manager pressed a button to change the DNS and the site was automatically redirected to the cloud replica. At that point, traffic and visitors were directed to the replica versus the defaced site, which performed at optimal levels given its cloud elasticity. After seeing the success of Defacement Mitigator, we have upgraded to Foresight’s complete web security platform.”
The bottom line for site owners is that they are insured against breaches because breached sites are immediately replaced, so no one knows that the breach happened. For hacktivists, the system is the ultimate nightmare; if a hacktivist vandalized a site and no one saw, does it count? Not as far as Zone-H is concerned. With Defacement Mitigator, hacktivists might have to figure out another way to get their names in lights.