Upload
alert-logic
View
133
Download
0
Embed Size (px)
Citation preview
PROTECTING AGAINST WEB APP ATTACKS
Stephen Coty
Chief Security Evangelist, Alert Logic
Threats by Customer Environment
CMS Specific Attacks
• OpenSource Platforms
• High concentration of vulnerabilities within these web frameworks
• High usage and easy asset visibility via web search
• Availability of automated exploit kits combined with advanced search queries via simple
methods like Google Dorks
SQL Injection Last 60 Days - 091217
Profile - Inj3ct0r Team
Vulnerabilities
+ Change
+ Shortage
Complexity of defending web applications and workloads
Risks are moving up the stack
1. Wide range of attacks at every
layer of the stack
2. Rapidly changing codebase can
introduces unknown vulnerabilities
3. Exposure inherited from 3rd party
development tools
4. Extreme shortage of cloud and
application security expertise
Web App
AttacksOWASP
Top 10
Platform /
Library
Attacks
System /
Network
Attacks
Perimeter & end-point security tools
fail to protect cloud attack surface
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management
Web Application Security
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management
Web Application Vulnerability Example
CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL
Patch MS98-003
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management
HACKER RECON METHODS
Hacker Recon Methods
Crawling Target Website
Mass Vulnerability Crawl
Open Forums
Dark Web
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management
Crawling Target Website
• Manual- Browse the website as a normal user
- Gather email addresses, related domains and domain info
- Web application code languageo Revision
o Plug-ins
- Web server OS
- User input pages
- Directory structure
- Backend systems
• Software tools- Find hidden forms, software version, js files, links and comments
Targeted Attacks
• Scanning IP Internet Assets
• Application/Network Vulnerability Scan
• Careers Page
• Research Technologies
• Social Media Profiling
• Phishing Email
• Escalate Privileges
• Maintain Access
• Exfiltration of Data
Attacks of Opportunity
• Vulnerability Database Monitoring
• Block Network Vulnerability Scanning
• Google Dorking
• Shodan
• Application Vulnerability Scan
Mass Vulnerability Crawl - Example
• Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries
- Plug in search string to find vulnerable websites
- Some have preset search strings
- Search results are dynamic
- Timing is everything
o Target system could be patched
o Other hackers got there first
Open Forums – Example
Open Forums - Example
• Vulnerability details
- Date reported
- Type of vulnerability
- Platform impacted
- Author (not shown)
- Verification (time permitting)
- Link to infected application (some)
Targeted - Dark Web
• Encrypted network
• Restricted access between Tor servers and clients
• Collection of DBs and communication channels
• Hidden from conventional search engines
• Shares some features with Open Forums
• More advanced resources and tools
FROM WEB APPS TO PRIVILEGED ACCESS
Privileged Access For Your Resources
• Mostly Corporate Espionage and State Sponsored
- Utilize Current Access to the Environment
- Create Remote Access Services
- Create Temporary Storage
- Create Scheduler
- Open Security Groups for Transmissions
- Utilize Current Access to the Environment
- Receive and Deliver Data Regularly
Privileged Access For Your Data
• Code analysis
- Account information
o Usernames and passwords
o Plain text or hashed
- Software tools
o Web search
o Scan to identify
• Usernames & passwords
o Brute force to crack encryption
o Throttle tools to avoid detection
o Offline may be an option
Privileged Access To Target Your Customers
• Session Hijacking
- Obfuscated code
o Embedded in images
o Mouse-over techniques
- Proxy replay
- Malicious binary
- Session cookies
- Java script injection
- Cross-site scripting
- Routine system maintenance
- Bind shell
REMEDIATION STRATEGIES
Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps
Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls
• Key Management System (KMS)
• Continually audit access
• Start with a least privilege access model
IDENTITY and ACCESS
MANAGEMENT
Adopt a Patch Management Approach
• Constantly scan all production systems
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release into production
• Setup a regular patching schedule
• Keep informed, follow bugtraqer
• Golden Images
• Reference Architecture, Formation Templates
Understand Your Service Providers Security Model
Azure Platform Services
Security & Manageme
nt
Azure Infrastructure Services
Web Apps
MobileApps
APIManagement
APIApps
LogicApps
NotificationHubs
Content DeliveryNetwork (CDN)
MediaServices
HDInsight MachineLearning
StreamAnalytics
DataFactory
EventHubs
MobileEngagement
ActiveDirectory
Multi-FactorAuthentication
Portal
Key Vault
BiztalkServices
HybridConnections
ServiceBus
StorageQueues
Store /Marketplace
HybridOperations
Backup
StorSimple
SiteRecovery
Import/Export
SQLDatabase
DocumentDB
RedisCache
Search
Tables
SQL DataWarehouse
Azure AD Connect Health
AD PrivilegedIdentity Management
OperationalInsights
CloudServices
Batch Remote App
ServiceFabric Visual Studio
ApplicationInsights
Azure SDK
Team Project
VM Image Gallery& VM Depot
Azure SecurityCenter
Automation
Understand Your Service Providers Security Model
Security Management and Monitoring Strategy
• Monitoring for malicious activity
• Scanning Services
• Forensic investigations
• Compliance needs
• System performance
• All sources of log data is collected
• Data types (OS, CMS, DB, Web)
• WAF
• Correlation logic
• IAM behavior
• IDS Network traffic
• FIM Logs
• Focused security research
• Security content creation
• Review process
• Live monitoring
Follow our Research & Stay Informed on the Latest Vulnerabilities
Blog
https://www.alertlogtic.com/resources/blog
Newsletter
https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report
https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine
https://www.alertlogic.com/zerodaymagazine/
@AlertLogic @StephenCoty @_PaulFletcher
Websites to follow:
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/