Repsheet: A Behavior Based Approach to Web Application Security
Upcoming SlideShare
Loading in...5
×
 

Repsheet: A Behavior Based Approach to Web Application Security

on

  • 1,210 views

This is a presentation on how to approach analyzing web application security.

This is a presentation on how to approach analyzing web application security.

Statistics

Views

Total Views
1,210
Views on SlideShare
1,204
Embed Views
6

Actions

Likes
0
Downloads
18
Comments
0

1 Embed 6

https://twitter.com 6

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Repsheet: A Behavior Based Approach to Web Application Security Repsheet: A Behavior Based Approach to Web Application Security Presentation Transcript

  • Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
  • Right now, your web applications are being attacked Wednesday, July 10, 13
  • And it will happen again, and again, and again Wednesday, July 10, 13
  • But not always in the way you think Wednesday, July 10, 13
  • Let’s take a look at typical application security measures Wednesday, July 10, 13
  • User Requests Web Server Application Environment Wednesday, July 10, 13
  • Wednesday, July 10, 13
  • roland : 12345 Wednesday, July 10, 13
  • roland : 12345 Wednesday, July 10, 13
  • And we go on with our day Wednesday, July 10, 13
  • How many of you stop there? Wednesday, July 10, 13
  • It’s time to start asking more questions Wednesday, July 10, 13
  • But remember… Wednesday, July 10, 13
  • Don’t impact user experience! Wednesday, July 10, 13
  • ??? Wednesday, July 10, 13
  • • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
  • Signatures Wednesday, July 10, 13
  • Mod Security Wednesday, July 10, 13
  • Web Application Firewall Wednesday, July 10, 13
  • Rule based detection Wednesday, July 10, 13
  • Allows you to block or alert if traffic matches a signature Wednesday, July 10, 13
  • Improved by the OWASP Core Rule Set Wednesday, July 10, 13
  • A great tool to add to your stack Wednesday, July 10, 13
  • Works with Apache, nginx, and IIS Wednesday, July 10, 13
  • Works well with Apache Wednesday, July 10, 13
  • Like most signature based tools it requires tuning Wednesday, July 10, 13
  • And has a high possibility of false positives Wednesday, July 10, 13
  • Great for helping with 0-day attacks Wednesday, July 10, 13
  • Favor alerting over blocking in most scenarios Wednesday, July 10, 13
  • User Requests Web Server ModSecurity Application Environment Wednesday, July 10, 13
  • Anomalies Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • What do you see? Wednesday, July 10, 13
  • I see a website getting carded Wednesday, July 10, 13
  • ??? Wednesday, July 10, 13
  • Play by play Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
  • 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
  • And this continues… Wednesday, July 10, 13
  • 10,000 more times Wednesday, July 10, 13
  • Those were the only requests that IP address made Wednesday, July 10, 13
  • Aside from the number of requests what else gave it away? Wednesday, July 10, 13
  • 5% 5% 4% 27% 59% GET POST HEAD PUT DELETE Wednesday, July 10, 13
  • HTTP method distribution is important Wednesday, July 10, 13
  • When an actor deviates significantly, there must be a reason! Wednesday, July 10, 13
  • Let’s talk GeoIP Wednesday, July 10, 13
  • Adding GeoIP information is generically useful Wednesday, July 10, 13
  • But it also helps in the face of an attack Wednesday, July 10, 13
  • It can help protect you and your users Wednesday, July 10, 13
  • Scenario Wednesday, July 10, 13
  • King Roland gets his GMail account hacked Wednesday, July 10, 13
  • Hacker sends a password reset request to your server Wednesday, July 10, 13
  • Normally, you would email the reset Wednesday, July 10, 13
  • Unless... Wednesday, July 10, 13
  • You realize that King Roland always logs in from Druidia Wednesday, July 10, 13
  • But the hacker is requesting the reset from Spaceball City Wednesday, July 10, 13
  • Instead of sending the reset, you now ask some questions Wednesday, July 10, 13
  • And hopefully protect King Roland from further bad actions Wednesday, July 10, 13
  • GeoIP detection also helps you block traffic from unwanted countries Wednesday, July 10, 13
  • User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  • Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
  • What do they have in common? Wednesday, July 10, 13
  • Does the behavior fit an equation? Wednesday, July 10, 13
  • If so, your detection is simple Wednesday, July 10, 13
  • Request rate > Threshold Wednesday, July 10, 13
  • TCP fingerprint != User Agent Wednesday, July 10, 13
  • But the HTTP method deviation is harder Wednesday, July 10, 13
  • 100% GET requests with a known UA (e.g. Google) is ok Wednesday, July 10, 13
  • 100% POST requests is not Wednesday, July 10, 13
  • But it’s not always that simple Wednesday, July 10, 13
  • Scenario Wednesday, July 10, 13
  • A high rate of account create requests are coming from a single address Wednesday, July 10, 13
  • Is it a NATted IP or a fraud/spam bot? Wednesday, July 10, 13
  • We have patterns and data… Wednesday, July 10, 13
  • What’s the next step? Wednesday, July 10, 13
  • Quantitative Analysis Wednesday, July 10, 13
  • Quantitative Analysis Wednesday, July 10, 13
  • Quantitative Analysis Security as a Data Science Probelm Wednesday, July 10, 13
  • We can apply some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
  • Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  • This is where a lot of the value comes from Wednesday, July 10, 13
  • And combined with signature detection helps correlate attack events Wednesday, July 10, 13
  • But you still need a way to keep track of it all Wednesday, July 10, 13
  • Reputational Intelligence Wednesday, July 10, 13
  • Who’s naughty and who’s really naughty Wednesday, July 10, 13
  • Built up from the tools/ techniques mentioned previously Wednesday, July 10, 13
  • Provides local reputation Wednesday, July 10, 13
  • You can also purchase external reputation feeds Wednesday, July 10, 13
  • The combination gives you solid awareness of bad actors Wednesday, July 10, 13
  • Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? Wednesday, July 10, 13
  • Action Wednesday, July 10, 13
  • So now you have a ton of new information Wednesday, July 10, 13
  • What do you do with it? Wednesday, July 10, 13
  • Options • Block the traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
  • Blocking the traffic is straight forward Wednesday, July 10, 13
  • Block at the web server level (403) Wednesday, July 10, 13
  • Block at the firewall level Wednesday, July 10, 13
  • Both have advantages/ disadvantages Wednesday, July 10, 13
  • Honeypots are much more interesting Wednesday, July 10, 13
  • LB LB LB Engine Fake Real DB DBPartial Replication Wednesday, July 10, 13
  • When you honeypot, the attacker doesn’t know they’ve been caught Wednesday, July 10, 13
  • And it allows you to study their behavior Wednesday, July 10, 13
  • And update your approach to preventing attacks Wednesday, July 10, 13
  • But all of this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
  • Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
  • Repsheet Wednesday, July 10, 13
  • Reputation Engine Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
  • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
  • Wednesday, July 10, 13
  • Wednesday, July 10, 13
  • Repsheet helps put everything together Wednesday, July 10, 13
  • Web server module records activity and looks for offenders in the cache Wednesday, July 10, 13
  • It listens to ModSecurity and adds offending IPs to it’s list Wednesday, July 10, 13
  • It provides notification and/or blocking of offenders Wednesday, July 10, 13
  • Blocking happens at the web server level Wednesday, July 10, 13
  • But you can send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
  • Notification sends headers to the downstream application Wednesday, July 10, 13
  • Which allows each app to chose how it is going to respond Wednesday, July 10, 13
  • For instance, show a captcha on signup if Repsheet alerts Wednesday, July 10, 13
  • Back end looks at the recorded data for bad behavior Wednesday, July 10, 13
  • And updates the cache when it finds offenders Wednesday, July 10, 13
  • You can supply your own learning models for the data Wednesday, July 10, 13
  • github.com/repsheet/ repsheet Wednesday, July 10, 13
  • Summary Wednesday, July 10, 13
  • There are lots of indicators of attack in your traffic Wednesday, July 10, 13
  • Build up a system that can capture the data and sort good from bad Wednesday, July 10, 13
  • Tools • ModSecurity • GeoIP • Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
  • And Remember… Wednesday, July 10, 13
  • Wednesday, July 10, 13
  • Questions? Wednesday, July 10, 13