Print Page   |   Your Cart   |   Sign In   |   Join MISAC
News & Press: General News

Cyber Security: Surviving an Anonymous Attack

Tuesday, April 7, 2015   (0 Comments)
Share |

Anonymous is an informal hacktivist/activist network operating worldwide. While there is no formal mission of the group, they tend to target government, religious and corporate websites and technology infrastructure via cyber attacks. Usually these attacks are inspired by high-profile acts of perceived injustice. Examples of retaliation include an attack on ISIS-held social media accounts, cyber attacks on the City of Ferguson in the wake of the Michael Brown shooting and attacks on Sony for attempting to stop others from hacking into the PlayStation 3 game console.

When an Anonymous attack is aimed at a city, efforts are focused on prohibiting city access to the Internet, shutting down internal processes and gathering employee personal information for later publication on the Internet. The goal is to embarrass the target and cripple its ability to function. 

As a municipal IT professional, it is important to understand how cyber attacks are executed and take proactive steps to limit risk of infiltration. Events that inspire Anonymous retaliation happen almost in real-time, making a reactive defense difficult or nearly impossible. Threats, posted via Twitter, Facebook, and/or YouTube, are generally accompanied by unrealistic demands for action, rationalizations for the attack and a date and time for the attack to begin.

At this point the clock is ticking and every municipal IT manager should turn to an already-established Incident Response Policy/Plan to prepare for the coming attack. The preparation that goes into creation of a Policy/Plan is absolutely critical to weathering any kind of attack. 

The City of Fullerton has experienced three attacks at the hands of Anonymous. Fullerton’s IT Manager, Helen Hall, has agreed to share her story to help other MISAC members prepare for a possible attack. 

In 2011, the City of Fullerton was the target of civil protest and was ultimately a victim of an Anonymous cyber attack.  The focus of the unrest and cyber attack was an officer-involved incident at the Fullerton PD that resulted in the death of a homeless man.

The cyber attack started with a threat: 
We will remove from the World Wide Web the site belonging to The City and in addition we will Black Fax and E-Mail Bomb every inbox at Fullerton. This cyber action by Anonymous will be accompanied by a protest on the ground tomorrow. 

In the case of the City of Fullerton, the IT department immediately went into defense mode, employing a wide range of strategies to protect the City and limit possible exposure. After the threat was received, the City proactively contacted a number of Internet Service Providers, letting them know about the likely imminent attacks and requesting that City services not be shut down or blocklisted due to spam.  The City also selectively deactivated their Facebook and Twitter accounts immediately. (De-activating social media until threat is over helps limit risk. Accounts do not have to be deleted, just de-activated.) The City also created a deny list of users that did not need to connect to City services and blocked them at the gateway to prevent access. Connections were also limited based on size, speed and ports/connections per second.

Knowing that typical web browsing sessions use a few kilobytes per second, a few connections to the web server and do not send large packet streams or 1,000s of open connections, Fullerton restricted abnormal connections and traffic patterns to limit possible attack vectors. 

When the attack was looming, Fullerton IT categorized the information that the public needed access to and which information it did not need. The City shut down all unnecessary services to limit attack vectors into the City network. At the same time, IT set up a decoy website to mimic the official City website. The decoy site had forensic gathering tools configured on it to monitor the traffic patterns and evaluate the attacks being issued against the City. Understanding the nature of the attacks empowered the City. The decoy site enabled the City to track any information that was successfully stolen and better understand how to defend against future attacks.

Informing all City staff was a key component of the attack response protocol. The City Manager and some higher-level staff members received details of the situation, but not all staff were privy to particulars of the attack. Spear fishing attacks against individual employees are a common attack vector for hackers, so all City staff were instructed not to open strange emails and not to take phone calls from people claiming to be from IT. During the attacks, City Hall received about forty phone calls from people claiming to be from IT trying to instruct staff on how to allow them into their computers over the phone to provide technology support. 

Fullerton IT also captured network traffic data packets of all TCP and UDP traffic for monitoring and future use. Collecting this information provided the evidence trail that would have been needed to help prosecute the hackers had they been successful. 

Finally, the City documented everything, so that once the attack concluded an assessment could be made and the Incident Response Policy updated accordingly. 

During the time of attack, the City dealt with around 100,000 events per hour, so preparation prior to attack was essential. In all three attacks, the City of Fullerton was successful in protecting the City’s technology infrastructure. 

The City has reached out to experts in the field of cyber attacks to supplement its response efforts. The City of Fullerton engaged Emagined Security to assist with the effort and Eugene Schultz Ph.D. of was brought onto the response team. 

“The question isn’t if you’re going to be attacked, it is when,” said Hall, “And you have to be prepared long before that threat email hits.” By preparing for the worst-case scenario, municipal IT professionals can drastically reduce their vulnerability. In many instances, if the expertise does not exist internally to prepare for an attack, contracting with an network and forensic security consultant may be the best option.”

Emagined Security has created a Top 15 List of Mistakes in Incidents Response that can help every municipal IT professional: 

1. Neglecting to establish an incident response effort in the first place
2. Lack of a well-defined charter
3. Failure to set up a management infrastructure for incident response
4. Neglecting to acquire necessary forensic and incident response hardware and software in advance
5. Not taking advantage of Security Information and Event Managers (SIEM) type technology to identify incidents in real-time
6. Failing to understand your intrusion detection capability
7. Failure to respond to incidents in a systematic manner
8. Neglecting to adequately test procedures
9. Failure to work cooperatively with other groups/organizations when incidents occur
10. Communication deficiencies (Internal and external)
11. Lack of top-level management support
12. Lack of technical expertise
13. Lack of forensics training
14. Failure to integrate efforts sufficiently with business continuity/disaster recovery efforts
15. Failure to automate

Due to the importance of this topic for MISAC membership, Helen Hall of the City of Fullerton and Paul Underwood of Emagined Security will present on this topic at the MISAC Annual Conference this coming fall. MISAC members interested in learning more about the attacks or security measures taken can contact Helen Hall Directly at 


Click here for a PDF of this article. 


more Calendar

7/16/2018 » 7/25/2018
Internal Consulting Skills for IT Pros

MISAC Northern Chapter Meeting

MISAC Central Chapter Meeting

2017 Annual Conference Images

Become a Member | Resources for your Agency | Blog/List Serv Conversations | Document Library | Awards Program
Association Management Software Powered by YourMembership  ::  Legal