Upload
aaron-bedra
View
1.296
Download
0
Tags:
Embed Size (px)
DESCRIPTION
This is a presentation on how to approach analyzing web application security.
Citation preview
RepsheetA Behavior Based Approach to Web Application
Security
Aaron BedraApplication Security LeadBraintree Payments
Wednesday, July 10, 13
Right now, your web applications are being
attacked
Wednesday, July 10, 13
And it will happen again, and again, and
again
Wednesday, July 10, 13
But not always in the way you think
Wednesday, July 10, 13
Let’s take a look at typical application security measures
Wednesday, July 10, 13
User Requests
Web Server
Application Environment
Wednesday, July 10, 13
Wednesday, July 10, 13
roland : 12345
Wednesday, July 10, 13
roland : 12345
Wednesday, July 10, 13
And we go on with our day
Wednesday, July 10, 13
How many of you stop there?
Wednesday, July 10, 13
It’s time to start asking more questions
Wednesday, July 10, 13
But remember…
Wednesday, July 10, 13
Don’t impact user experience!
Wednesday, July 10, 13
???
Wednesday, July 10, 13
• Signature based detection
• Anomaly detection
• Reputational intelligence
• Action
• Repsheet
Wednesday, July 10, 13
Signatures
Wednesday, July 10, 13
Mod Security
Wednesday, July 10, 13
Web Application Firewall
Wednesday, July 10, 13
Rule based detection
Wednesday, July 10, 13
Allows you to block or alert if traffic matches a
signature
Wednesday, July 10, 13
Improved by the OWASP Core Rule Set
Wednesday, July 10, 13
A great tool to add to your stack
Wednesday, July 10, 13
Works with Apache, nginx, and IIS
Wednesday, July 10, 13
Works well with Apache
Wednesday, July 10, 13
Like most signature based tools it requires
tuning
Wednesday, July 10, 13
And has a high possibility of false
positives
Wednesday, July 10, 13
Great for helping with 0-day attacks
Wednesday, July 10, 13
Favor alerting over blocking in most
scenarios
Wednesday, July 10, 13
User Requests
Web Server
ModSecurity
Application Environment
Wednesday, July 10, 13
Anomalies
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Wednesday, July 10, 13
What do you see?
Wednesday, July 10, 13
I see a website getting carded
Wednesday, July 10, 13
???
Wednesday, July 10, 13
Play by play
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Login Request
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Add credit card to account #11 sec delay
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delayAdd credit card to account #2
FF 8 on Windows 7 or Bot?
Wednesday, July 10, 13
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delayAdd credit card to account #3
FF 8 on Windows 7 or Bot?
Plovdiv Bulgaria
Wednesday, July 10, 13
And this continues…
Wednesday, July 10, 13
10,000 more times
Wednesday, July 10, 13
Those were the only requests that IP address
made
Wednesday, July 10, 13
Aside from the number of requests what else
gave it away?
Wednesday, July 10, 13
5%5%4%
27% 59%
GET POST HEAD PUT DELETE
Wednesday, July 10, 13
HTTP method distribution is
important
Wednesday, July 10, 13
When an actor deviates significantly, there must
be a reason!
Wednesday, July 10, 13
Let’s talk GeoIP
Wednesday, July 10, 13
Adding GeoIP information is
generically useful
Wednesday, July 10, 13
But it also helps in the face of an attack
Wednesday, July 10, 13
It can help protect you and your users
Wednesday, July 10, 13
Scenario
Wednesday, July 10, 13
King Roland gets his GMail account hacked
Wednesday, July 10, 13
Hacker sends a password reset request
to your server
Wednesday, July 10, 13
Normally, you would email the reset
Wednesday, July 10, 13
Unless...
Wednesday, July 10, 13
You realize that King Roland always logs in
from Druidia
Wednesday, July 10, 13
But the hacker is requesting the reset from Spaceball City
Wednesday, July 10, 13
Instead of sending the reset, you now ask
some questions
Wednesday, July 10, 13
And hopefully protect King Roland from
further bad actions
Wednesday, July 10, 13
GeoIP detection also helps you block traffic
from unwanted countries
Wednesday, July 10, 13
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Wednesday, July 10, 13
Other Anomalies
• Request Rate
• TCP Fingerprint vs. User Agent
• Account Create/Delete/Subscribe
• Anything you can imagine
Wednesday, July 10, 13
What do they have in common?
Wednesday, July 10, 13
Does the behavior fit an equation?
Wednesday, July 10, 13
If so, your detection is simple
Wednesday, July 10, 13
Request rate > Threshold
Wednesday, July 10, 13
TCP fingerprint != User Agent
Wednesday, July 10, 13
But the HTTP method deviation is harder
Wednesday, July 10, 13
100% GET requests with a known UA (e.g.
Google) is ok
Wednesday, July 10, 13
100% POST requests is not
Wednesday, July 10, 13
But it’s not always that simple
Wednesday, July 10, 13
Scenario
Wednesday, July 10, 13
A high rate of account create requests are coming from a single
address
Wednesday, July 10, 13
Is it a NATted IP or a fraud/spam bot?
Wednesday, July 10, 13
We have patterns and data…
Wednesday, July 10, 13
What’s the next step?
Wednesday, July 10, 13
Quantitative Analysis
Wednesday, July 10, 13
Quantitative Analysis
Wednesday, July 10, 13
Quantitative AnalysisSecurity as a Data Science Probelm
Wednesday, July 10, 13
We can apply some machine learning to the data in an attempt to
classify it
Wednesday, July 10, 13
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Wednesday, July 10, 13
This is where a lot of the value comes from
Wednesday, July 10, 13
And combined with signature detection
helps correlate attack events
Wednesday, July 10, 13
But you still need a way to keep track of it all
Wednesday, July 10, 13
Reputational Intelligence
Wednesday, July 10, 13
Who’s naughty and who’s really naughty
Wednesday, July 10, 13
Built up from the tools/techniques mentioned
previously
Wednesday, July 10, 13
Provides local reputation
Wednesday, July 10, 13
You can also purchase external reputation
feeds
Wednesday, July 10, 13
The combination gives you solid awareness of
bad actors
Wednesday, July 10, 13
Reputational Intelligence
External Reputation
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
GeoIP???
Wednesday, July 10, 13
Action
Wednesday, July 10, 13
So now you have a ton of new information
Wednesday, July 10, 13
What do you do with it?
Wednesday, July 10, 13
Options• Block the traffic
• Honeypot the attacker
• Modify your response
• Attack back
• Contact the authorities
Wednesday, July 10, 13
Blocking the traffic is straight forward
Wednesday, July 10, 13
Block at the web server level (403)
Wednesday, July 10, 13
Block at the firewall level
Wednesday, July 10, 13
Both have advantages/disadvantages
Wednesday, July 10, 13
Honeypots are much more interesting
Wednesday, July 10, 13
LB
LB LB
Engine
Fake Real
DB DBPartial Replication
Wednesday, July 10, 13
When you honeypot, the attacker doesn’t know they’ve been
caught
Wednesday, July 10, 13
And it allows you to study their behavior
Wednesday, July 10, 13
And update your approach to preventing
attacks
Wednesday, July 10, 13
But all of this requires a way to manage state
and act on bad behavior
Wednesday, July 10, 13
Reputational Intelligence
External Reputation
Classifier
???
User Requests
Web Server
ModSecurity
Application Environment
GeoIP???
State
State
Where do you act?
Here?
Wednesday, July 10, 13
Repsheet
Wednesday, July 10, 13
Reputation Engine
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Recorder
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Managed State
Recorder
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Managed State
ActorRecorder
Wednesday, July 10, 13
Redis
Repsheet Backend
External Reputation
Feeds
User Requests
Web Server
ModSecurity
Application Environment
GeoIP
Repsheet
Managed State
Classifier, Feed Integration,
Learning Models
ActorRecorder
Wednesday, July 10, 13
Wednesday, July 10, 13
Wednesday, July 10, 13
Repsheet helps put everything together
Wednesday, July 10, 13
Web server module records activity and
looks for offenders in the cache
Wednesday, July 10, 13
It listens to ModSecurity and adds offending IPs to it’s list
Wednesday, July 10, 13
It provides notification and/or blocking of
offenders
Wednesday, July 10, 13
Blocking happens at the web server level
Wednesday, July 10, 13
But you can send the Repsheet data to your firewall for TCP level
blocking
Wednesday, July 10, 13
Notification sends headers to the
downstream application
Wednesday, July 10, 13
Which allows each app to chose how it is going
to respond
Wednesday, July 10, 13
For instance, show a captcha on signup if
Repsheet alerts
Wednesday, July 10, 13
Back end looks at the recorded data for bad
behavior
Wednesday, July 10, 13
And updates the cache when it finds offenders
Wednesday, July 10, 13
You can supply your own learning models
for the data
Wednesday, July 10, 13
github.com/repsheet/repsheet
Wednesday, July 10, 13
Summary
Wednesday, July 10, 13
There are lots of indicators of attack in
your traffic
Wednesday, July 10, 13
Build up a system that can capture the data
and sort good from bad
Wednesday, July 10, 13
Tools
• ModSecurity
• GeoIP
• Custom rules (velocity triggers, fingerprinting, device id, etc)
• Custom behavioral classification
• Repsheet
Wednesday, July 10, 13
And Remember…
Wednesday, July 10, 13
Wednesday, July 10, 13
Questions?
Wednesday, July 10, 13