A Blueprint for Web Attack Survival
Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants who have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. The presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals, (2) explain the processes and technologies you can use to safeguard your website, and (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.


A Blueprint for Web Attack Survival

  1. © 2013 Imperva, Inc. All rights reserved. Confidential. Blueprint for Web Attack Survival. Kasey Cross, Sr. Manager, Web Security, Imperva; Nick Silver, Sr. Solutions Architect, WhiteHat Security
  2. Agenda
     § Application Threatscape
     § Solutions to Mitigate Web Attacks
  3. Presenters
     § Kasey Cross
        • Senior Product Marketing Manager at Imperva
        • Frequent speaker at industry events
        • Managed SecureSphere WAF product line for 8 years
     § Nick Silver
        • Sr. Solutions Architect at WhiteHat Security
  4. Application Threatscape: Web Application Vulnerabilities and Threats
  5. Industry Averages for 2012 (chart)
  6. The average number of days in a year a website is exposed to at least one serious* vulnerability (chart)
  7. Industrialization of Hacking and Automation (diagram)
     § Attack chain: Researching Vulnerabilities → Developing Exploits → Growing Botnets → Exploiting Targets → Consuming
     § Consuming: Direct Value (PII, CCN); Command & Control; Malware Distribution; Phishing & spam; DDoS
     § Other diagram labels: Growing Botnets and Exploiting Vulnerabilities; Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Roles; Optimization; Automation
  8. Hacktivism Attack Targets and Methods (timeline from 2010 to now, marked 2011, 2012, 2013): Titanic Takeover Tuesday; Operation Payback; HTTP Flood; "Abibil Assassin" (Vertigo & KamiNa variants) & attack on the login page from 54 countries
  9. Distributed Denial of Service Threats
     § 74% of organizations received a DDoS attack in the past year [1]
     § Many DDoS attacks are launched by botnets, because of scale
        • Toolkits automate DDoS attacks
        • Botnets for rent from $50 to $2K
     § DDoS attacks are moving up the stack
        • Less expensive; requires few attackers
        • Bypasses network security measures
     (screenshot: DDoS attack tool)
     [1] "The Trends and Changing Landscape of DDoS Threats and Protection," Forrester Research
  10–11. Commercialized DDoS (two screenshots of a DDoS-for-hire offering)
     § Customer satisfaction guarantee!
  12. Step-by-Step Instructions to Survive a Web Attack
  13. 1. Understand the Threat Actor
     § Identify the attack source:
        • Research their attack techniques and tools
     § Hacktivism:
        • Monitor social media, Twitter, Facebook, and YouTube
        • Identify DDoS attack tools and "booster packs"
     § Cybercrime:
        • Talk to peers in your industry about attack sources and tools
        • Read hacker intelligence reports and security research
  14. 2. Develop a Security Response Plan
     § Organize an incident response team
        • IT security personnel, networking, and application development teams
        • Assign 24x7 coverage
     § Create a Red Team
        • Security engineers that will look for vulnerabilities
        • Evaluate all potential risks, including application, network, end-user, social engineering, and even physical threats
  15. Little Black Book of Contacts. Gather the names, phone numbers, and email addresses of:
     § Internal: IT security managers; IT operations managers; Networking operators; Application developers; Database administrators; Legal; Executive management
     § External: DNS and Internet Service Providers; DDoS Protection Services; Relevant security consultants
  16. Document Network and Server Information
     § Gather IP address and network info for:
        • Web servers
        • Databases
        • DNS servers
        • Network firewalls
        • Web application firewalls
        • Database firewalls
        • Routers and switches
        • Disaster recovery networks
     § Develop network architecture diagrams
     Security Tip: Keep network information and contact lists secure
  17. Notify Management & Set Up a War Room
     § Inform Executive Management of the threat
     § Consider warning employees
        • Notify users of potential downtime (for DDoS)
        • Educate employees about phishing
        • Prepare IT for social engineering threats
     § Establish a War Room
        • "Ground zero" for planning and communications
  18. 3. Locate and Assess Servers and Apps
     § Scan your network to identify all assets (cloud and local)
        • Classify assets by information and brand sensitivity to identify high-risk landscapes
        • Prioritize efforts based on risk levels
     § Secure database access
        • Scan DBs for vulnerabilities or configuration flaws
        • Remove any default or unnecessary user accounts
        • Disable unneeded services
  19. Perform Vulnerability Assessments
     § Perform vulnerability assessments
        • Scan both Network and Application Layers
        • Scan all known Web Assets
        • Scan Concurrently and Continuously
        • Analyze application functionality for DDoS attack potential and Business Logic based exploits
        • Implement assessment practice across the entire SDLC
     (diagram: SDLC phases Design, Development, QA, Production)
  20. 4. Application, Network & End-Point Controls
     § Anti Virus: Install anti-virus and anti-malware software on servers. Make sure definition files are up to date.
     § Network Security: Block all unnecessary ports with the firewall. Configure the IPS to block high and critical violations.
     § Database Security: Configure your database firewall to block unauthorized SQL queries, limit access, and virtually patch vulnerabilities.
  21. Ratchet Up Web App Firewall Protection
     § Review and tune the web application profile
        • Review acceptable characters & parameter value lengths
        • Compare the profile to vulnerability scan results
     § Tighten profile policies to block based on profile violations
     (screenshot: profiled Directories and URLs)
  22. Block Web Attacks and Attack Sources (screenshot)
  23. WAF Policies to Stop App DDoS Attacks
     § Create policies that block:
        • High rates of requests in a short period of time by IP address, by user, and by session
        • Known malicious IP addresses, anonymous proxies, and Tor networks
        • Users that request many files with extensions like ".pdf", ".mp3" or ".mp4" in a short period of time
        • Users that download large amounts of data
        • Users that initiate multiple requests that cause extremely slow web server responses
     DDoS Preparation Tip: Make sure you can manage your security products from an out-of-band network
  24–27. Stopping Network DDoS Threats (build slides, diagram of Web Servers and Databases behind the Internet connection)
     § While app DDoS attacks target Web servers & databases, network DDoS attacks target your Internet connection
     § To prevent network DDoS attacks, look at DDoS mitigation services that stop attacks before they reach your network
  28. 5. Security Procedures When Under Attack
     § Continuously monitor alerts from security and network devices and from performance monitoring tools
     § If attacks are coming from a specific geographic area, create policies to block requests from that area
     § If you can detect which URLs bots are targeting, create bot mitigation rules that block bots from accessing those URLs
     § Monitor social media, hacker forums, IRC chat rooms, and sites that list website defacements
  29. Stop DDoS Attacks that Target Databases
     § Attackers often target search, login & registration pages
     § Create custom policies to block the attacks
        • Block an excessive number of failed logins
        • Block multiple successful logins from the same user
     (chart: number of occurrences of failed logins)
  30. 6. Conduct a Post Mortem of the Attack
     § Review the impact of the attack
     § Analyze alert logs from your WAF, SIEM, & network monitoring tools
     § Answer the following questions:
        • Did you suffer any downtime during the attack?
        • Was any sensitive data compromised?
        • What security technologies and processes were in place? Were they effective?
        • What improvements can be made in the future?
  31. Solutions to Prepare For and Stop Web Attacks
  32. Secure SDLC with WhiteHat Sentinel (diagram)
     § SDLC phases: Design, Development, QA, Production
     § Sentinel services: Sentinel Source (SAST); Computer-based training (CBT); Sentinel PL (DAST); Sentinel BE, SE, and PE (DAST); Sentinel Mobile
  33. Complete Solution (DAST) (diagram)
  34. Complete Solution (Source) (diagram)
  35. Imperva Web Application Security Solutions
     § SecureSphere Web Application Firewall: Accurate, automated protection against online threats
     § Incapsula: Scalable, easy to use, cloud-based DDoS and Web application firewall service
  36. SecureSphere: Complete Protection Against Web Threats (diagram). Threats to Web Apps shown: Known Attackers; Bots; Web Attacks; Undesirable Countries; Web Fraud; App DDoS; Scrapers; Phishing Sites; Comment Spammers; Vulnerabilities
  37. Are Your Web Applications Secure? Imperva and WhiteHat are offering a free 30-day trial. Register at: http://reg.whitehatsec.com/imperva
  38. #ImpervaChat: Best Practices for Surviving a Web Attack
     § What: Twitter Chat
     § When: Tues., Oct. 1st @ 10am-11am (PDT)
     § Where: #ImpervaChat
     § Co-Moderators:
        • Barry Shteiman, Senior Security Strategist, Imperva (@bshteiman)
        • Kasey Cross, Senior Manager of Web Security Solutions, Imperva (@kaseycross)
  39. www.imperva.com
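Slide 21 asks you to review the web application profile, that is, the acceptable characters and maximum value lengths the WAF has learned for each parameter, and then block on profile violations. The following is an added example, not code from the deck and not SecureSphere's profile format: a small positive-security-model profile for two constructed URLs (`/search` and `/login`) with constructed parameter names and limits, plus a checker that lists every way a request departs from the profile (unknown URL, unknown parameter, over-long value, characters outside the learned class).

```python
"""Web application profile check (positive security model).

Added example, not from the Imperva/WhiteHat deck and not SecureSphere's
profile format. Each parameter of each profiled URL has a learned character
class and a maximum value length; a request that departs from the profile
produces violations that a tightened policy would block. The URLs,
parameter names and limits below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class ParamRule:
    charset: str   # regex character class of characters the value may contain
    max_len: int   # longest acceptable value length


# Learned profile: path -> parameter name -> rule (constructed values).
PROFILE = {
    "/search": {
        "q": ParamRule(r"[A-Za-z0-9 \-]", 64),
        "page": ParamRule(r"[0-9]", 3),
    },
    "/login": {
        "user": ParamRule(r"[A-Za-z0-9_.@\-]", 64),
        "pass": ParamRule(r"[^\x00-\x1f]", 128),
    },
}


def check_request(url, profile=PROFILE):
    """Return the list of profile violations for one request URL (empty if it conforms)."""
    parts = urlsplit(url)
    rules = profile.get(parts.path)
    if rules is None:
        return [f"unknown URL {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unknown parameter {name!r} on {parts.path}")
            continue
        if len(value) > rule.max_len:
            violations.append(f"{name}: length {len(value)} exceeds {rule.max_len}")
        # Strip every allowed character; whatever remains is outside the profile.
        unexpected = re.sub(rule.charset, "", value)
        if unexpected:
            violations.append(f"{name}: unexpected characters {unexpected!r}")
    return violations


if __name__ == "__main__":
    for url in ["/search?q=running+shoes&page=2",
                "/search?q=shoes%27+OR+1%3D1--&page=2",
                "/search?debug=1"]:
        print(url, "->", check_request(url) or "conforms")
```

The checker reports rather than blocks so that, as the slide suggests, you can first compare its output against vulnerability scan results and legitimate traffic before switching the profile from alert to block mode.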
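Slides 23 and 29 list the rate-based policies the deck recommends: block sources that send a high rate of requests, that request many ".pdf", ".mp3" or ".mp4" files in a short period, that download large amounts of data, that trigger repeated slow responses, or that fail many logins. The following added example, which is not code from the deck and not a SecureSphere policy, applies all five as sliding-window thresholds per source IP to an access log. The log format, the thresholds and every sample line are constructed; the windows are kept per source and per policy so one noisy client cannot trip a policy for another.

```python
"""Rate-based blocking policies over an access log.

Added example, not from the Imperva/WhiteHat deck and not SecureSphere
configuration. Applies the per-source thresholds from slides 23 and 29
(request rate, heavy-file bursts, download volume, repeated slow responses,
excessive failed logins) inside a sliding time window. The log format,
thresholds and every sample line are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECS = 10                      # sliding window per source and policy
SLOW_MS = 5000                        # a response slower than this counts as "slow"
HEAVY_EXT = (".pdf", ".mp3", ".mp4")  # file types attackers request in bulk
LIMITS = {                            # constructed thresholds; tune per site
    "request_rate": 20,             # requests inside the window
    "heavy_file_burst": 5,          # heavy-file requests inside the window
    "download_volume": 50_000_000,  # bytes served inside the window
    "slow_responses": 3,            # slow responses inside the window
    "failed_logins": 5,             # HTTP 401 responses on /login inside the window
}


def parse_line(line):
    """Parse 'epoch ip method path status bytes duration_ms' (constructed format)."""
    ts, ip, method, path, status, size, ms = line.split()
    return {"ts": float(ts), "ip": ip, "method": method, "path": path,
            "status": int(status), "bytes": int(size), "ms": int(ms)}


def policies_for(r):
    """Map one request to the (policy, weight) counters it contributes to."""
    path = r["path"].split("?")[0]
    counted = [("request_rate", 1), ("download_volume", r["bytes"])]
    if path.lower().endswith(HEAVY_EXT):
        counted.append(("heavy_file_burst", 1))
    if r["ms"] > SLOW_MS:
        counted.append(("slow_responses", 1))
    if path == "/login" and r["status"] == 401:
        counted.append(("failed_logins", 1))
    return counted


def evaluate(lines):
    """Return sorted (ip, policy) pairs for sources that exceeded a limit.

    Lines must be in time order per source. Each source keeps one deque of
    (timestamp, weight) per policy; entries older than WINDOW_SECS are dropped
    before the windowed total is compared with the policy limit.
    """
    windows = defaultdict(lambda: defaultdict(deque))
    hits = set()
    for line in lines:
        r = parse_line(line)
        for policy, weight in policies_for(r):
            q = windows[r["ip"]][policy]
            q.append((r["ts"], weight))
            while q and r["ts"] - q[0][0] > WINDOW_SECS:  # expire old entries
                q.popleft()
            if sum(w for _, w in q) > LIMITS[policy]:
                hits.add((r["ip"], policy))
    return sorted(hits)


def _line(ts, ip, path, status=200, size=1000, ms=50):
    """Build one constructed log line."""
    return f"{ts} {ip} GET {path} {status} {size} {ms}"


# Constructed sample traffic: one well-behaved client, one client per policy,
# then a client whose 25 requests are spread out enough never to fill the window.
SAMPLE_LOG = (
    [_line(1000 + i, "10.0.0.1", "/") for i in range(3)]
    + [_line(1000 + i * 0.2, "10.0.0.2", "/search?q=x") for i in range(25)]
    + [_line(1000 + i * 0.5, "10.0.0.3", f"/docs/report{i}.PDF") for i in range(6)]
    + [_line(1000 + i * 0.5, "10.0.0.4", "/login", status=401) for i in range(7)]
    + [_line(1000 + i, "10.0.0.5", "/report", ms=6000) for i in range(4)]
    + [_line(1000 + i, "10.0.0.6", "/video.mp4", size=30_000_000) for i in range(2)]
    + [_line(1000 + i, "10.0.0.7", "/") for i in range(25)]
)

if __name__ == "__main__":
    for ip, policy in evaluate(SAMPLE_LOG):
        print(f"block {ip}: {policy}")
```

Keying on the source IP is the simplest of the three keys slide 23 names; the same windows can be keyed on the authenticated user or the session cookie, which matters when an attack comes from behind a shared proxy or, as the slide warns, from anonymous proxies and Tor exit nodes.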