Embed Size (px)
Citation preview
Bio– AdrianWinckles• Director of Cyber Security, Networking & Big Data Research Group,Anglia Ruskin University, Cambridge.
• OWASP Activities– OWASP Cambridge Chapter Leader,– OWASP Europe Board Member– Project Leader – OWASP Web Honeypot Project– Project Leader – OWASP Application Security Curriculum Project
• Chair Cambridge Cluster of the UK Cyber Security Forum.• Vice Chair of the BCS Cyber Forensics Special Interest Group.
IntroductiontoHoneypots• Acomputersystemsetuptodetectorlureattacks.• Honeypottypes:
– Production(detect)– Research(lure)
• Honeypotinteractiontypes:– Low- emulatedservices,limitedtonoemulatedlogincapability(lowrisk).– Medium- emulatedservices,emulatedlogin,emulatedcommands.– High- Actualservices,systemlogins,andcommands(veryrisky).
IntroductionstoHoneypots(cont’d)• Aproductionhoneypothasnolegitimatebusinesspurposeandshouldneverseeanytraffic,unless...– Somethingismisconfiguredonthenetwork– Someoneismaliciousonthenetwork
Honeypotlogsarelowvolumeandhighvalue
WhyOWASPWebHoneypots(Part1)?
• SectorfocusisonHTTP(S)today• AccordingtoCAIDA,(Center forAppliedInternetDataAnalysis)webis~85%oftotalinternettraffic.
• 92%ofvulnerabilitiesnowintheapplication(NIST/Gartner)
WhyWebHoneypots?
WhyOWASPWebHoneypots(Part2)?• FocusisonHTTP(S)today• AccordingtoCAIDA,(CenterforAppliedInternetDataAnalysis)webis~85%oftotalinternettraffic.
• 92%ofvulnerabilitiesnowintheapplication(NIST/Gartner)• Webarchitectureiscomplicated• Italsomeanscomplicatedattacksareacceptable• Attacksthatwillonlyworkon0.01%ofusersarevaluable
TheWebisComplicated
WhyOWASPWebHoneypots(Part3)?• FocusisonHTTP(S)Today• Specialcareneedstobetakenhere• AccordingtoCAIDA,(CenterforAppliedInternetDataAnalysis)webis~85%oftotal
internettraffic• Asaresultwebarchitectureiscomplicated• Italsomeanscomplicatedattacksareacceptable• Attacksthatwillonlyworkon0.01%ofusersarevaluable• Diversityofattacksishighaswell(numberofvariations)
– Attackeronserver/Attackeronclient– Attackeronclientviaserver– Attackeronserverviaserver– Attackeronintermediary
Whatdowewanttocapture?
• ThinkaboutusingexistingtoolssothatyoucancatchautomatedwebattacktoolsthatarescanningIPnetworkrangeslookingforwebports.
• Insteadofdevelopinganddeployinganentirelynewhoneypotwebserverorapplication,wecaneasilyreusetheexistinglegitimatewebserverplatform’sorganisations arealreadyrunning.
ConsidertheWAF- WebApplicationFirewall• WAFsComeinmultipledifferentforms
TheWAFasaHoneypotorProbe?
• WAFsComeinmultipledifferentforms• Canbeplacedinseveralplacesonthenetwork
• Inline• Out-of-line• Loadbalancermirrorport• Onthewebserver
• DifferentTechnologies• Signatures• Heuristics
• OftendrivenbyPCIrequirements,asit’sanapprovedsecuritycontrol
• WhatisthedifferencebetweenanIDSversusWAF?
ModSecurity - AnOpenSourceWebApplicationFirewall
• ProbablythemostpopularWAF– Designedin2002– Currentlyonversion2.9.1withversion3.0intheworks
• DesignedtobeopenandsupportstheOWASPCoreRuleSet– Firstdevelopedin2009– AnOWASPprojectmeanttoprovidefreegenericrulestoModSecurity users
– CRSv3.0nowdeployed
ModSecurity’s ApacheRequestCycleHooks
< A generic, plug-n-play set of WAF rules< Choose your mode of operation
4 Standard vs. Anomaly Scoring< Detection Categories:
4 Protocol Validation4 Malicious Client Identification4 Generic Attack Signatures4 Known Vulnerabilities Signatures4 Trojan/Backdoor Access4 Outbound Data Leakage4 Anti-Virus and DoS utility scripts
WhatistheOWASPCoreRuleSet(CRS)?
CRS Traditional Detection Mode – Birth of a Honeypot Probe
< IDS/IPS mode with “self-contained” rules< Like HTTP itself – the rules are stateless
4 No intelligence is shared between rules4 If a rule triggers, it will execute a disruptive/logging action
< Easier for the new user to understand< Not optimal from a rules management perspective (handling false
positives/exceptions)< Not optimal from a security perspective
4 Not every site has the same risk tolerance4 Lower severity alerts are largely ignored
Event Logging - Standard vs. Correlated Events
< Standard mode4 Rules log event data to both the Apache error_log and the ModSecurity
Audit log can be relayed using mlogc http/json< Correlated mode
4 Basic rules are considered reference events and do not directly log to the Apache error_log
4 Correlation rules in the logging phase analyze inbound/outbound events and generate special events
4 modsecurity_crs_60_correlation.conf
Modsecurity Log Collector (mlogc) – Event Logging
ProjectAims&Objectives
• TheOWASPHoneypotProjectprovides:– Real-time,detailedWebApplicationAttackData– ThreatReportstothecommunity
• Whatdoweneed– Volunteerstorunhoneypots/probesintheirnetwork– Contributor’stotheproject
Target Site WASC Honeypot Sensor
Inbound Attack for Target Site
ProjectArchitectureAttacker
1=1/../../Session ID =UX8serwderakvcx
Script%23%.aspHacker.exe123
Payload
ModSecurity Inspects HTTP Payload and Identifies it as an Attack
WASC Analyst
Central Logging HostModSecurity Management Appliance
Honeypot Sends 200 Status Code
Mlogc json/http log
Normal web comms
WASC Honeypot Sensor
WASC Honeypot Sensor
WASC Honeypot Sensor
Attacker
VM Based WAF Probes
Automated Web Attacks using OWASP ZAP
-mlogcHTTP audit log data
Audit data passed to PHP script and logged to MySQL
Project Test BedAudit Console (Apache Webserver)
Distributed Probes Model
Ongoing&FutureWork
• SetupProofofConcepttounderstandhowModSecuritybaed Honeypot/Probeinteractswithareceivingconsole(developaVMand/orDockerbasedtestsolutiontostorelogsfrommultipleprobes)DONE
• Evaluateconsoleoptionstovisualise threatdatareceivedfromModSecurityHoneypots/probesinModSecurity AuditConsole,WAF-FLE,Fluentandbespokescriptsforsingleandmultipleprobes.Ongoing
• DevelopamechanismtoconvertfromstoredMySQLtoJSONformat.• ProvideamechanismtoconvertModSecurity mlogc auditlogoutputintoJSON
format.• Provideamechanismtoconvertmlogc auditlogoutputdirectlyintoELK
(ElasticSearch/Logstash/Kibana)tovisualise thedata.
Ongoing&FutureWork(cont’d)• Provideamechanism toforwardhonestoutputintothreatintelligenceformatsuch
asSTIXusingsomethingliketheMISPproject(https://www.misp-project.org)toshareThreatdatacomingfromtheHoneypotsmakingiteasytoexport/importdatafromformatssuchasSTIXandTAXII.,mayrequireuseofconcurrentlogsinaformatthatMISPcandealwith.
• ConsidernewalternativesforlogtransferincludingtheuseofMLOGC-NGorotherpossibleapproaches.
• DevelopanewVMbasedhoneypot/robebasedonCRSv3.0.• Developnewalternativesmallfootprinthoneypot/probeformatsutilising Docker
&RaspberryPi.• Developmachinelearningapproachtoautomaticallybeabletoupdatetherule
setbeingusedbytheprobebasedoncyberthreatintelligencereceived.
AnyQuestions?
