• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Repsheet: A Behavior Based Approach to Web Application Security
 

Repsheet: A Behavior Based Approach to Web Application Security

on

  • 1,022 views

This is a presentation on how to approach analyzing web application security.

This is a presentation on how to approach analyzing web application security.

Statistics

Views

Total Views
1,022
Views on SlideShare
1,016
Embed Views
6

Actions

Likes
0
Downloads
18
Comments
0

1 Embed 6

https://twitter.com 6

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Repsheet: A Behavior Based Approach to Web Application Security Repsheet: A Behavior Based Approach to Web Application Security Presentation Transcript

    • Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
    • Right now, your web applications are being attacked Wednesday, July 10, 13
    • And it will happen again, and again, and again Wednesday, July 10, 13
    • But not always in the way you think Wednesday, July 10, 13
    • Let’s take a look at typical application security measures Wednesday, July 10, 13
    • User Requests Web Server Application Environment Wednesday, July 10, 13
    • Wednesday, July 10, 13
    • roland : 12345 Wednesday, July 10, 13
    • roland : 12345 Wednesday, July 10, 13
    • And we go on with our day Wednesday, July 10, 13
    • How many of you stop there? Wednesday, July 10, 13
    • It’s time to start asking more questions Wednesday, July 10, 13
    • But remember… Wednesday, July 10, 13
    • Don’t impact user experience! Wednesday, July 10, 13
    • ??? Wednesday, July 10, 13
    • • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
    • Signatures Wednesday, July 10, 13
    • Mod Security Wednesday, July 10, 13
    • Web Application Firewall Wednesday, July 10, 13
    • Rule based detection Wednesday, July 10, 13
    • Allows you to block or alert if traffic matches a signature Wednesday, July 10, 13
    • Improved by the OWASP Core Rule Set Wednesday, July 10, 13
    • A great tool to add to your stack Wednesday, July 10, 13
    • Works with Apache, nginx, and IIS Wednesday, July 10, 13
    • Works well with Apache Wednesday, July 10, 13
    • Like most signature based tools it requires tuning Wednesday, July 10, 13
    • And has a high possibility of false positives Wednesday, July 10, 13
    • Great for helping with 0-day attacks Wednesday, July 10, 13
    • Favor alerting over blocking in most scenarios Wednesday, July 10, 13
    • User Requests Web Server ModSecurity Application Environment Wednesday, July 10, 13
    • Anomalies Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
    • What do you see? Wednesday, July 10, 13
    • I see a website getting carded Wednesday, July 10, 13
    • ??? Wednesday, July 10, 13
    • Play by play Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
    • 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
    • And this continues… Wednesday, July 10, 13
    • 10,000 more times Wednesday, July 10, 13
    • Those were the only requests that IP address made Wednesday, July 10, 13
    • Aside from the number of requests what else gave it away? Wednesday, July 10, 13
    • 5% 5% 4% 27% 59% GET POST HEAD PUT DELETE Wednesday, July 10, 13
    • HTTP method distribution is important Wednesday, July 10, 13
    • When an actor deviates significantly, there must be a reason! Wednesday, July 10, 13
    • Let’s talk GeoIP Wednesday, July 10, 13
    • Adding GeoIP information is generically useful Wednesday, July 10, 13
    • But it also helps in the face of an attack Wednesday, July 10, 13
    • It can help protect you and your users Wednesday, July 10, 13
    • Scenario Wednesday, July 10, 13
    • King Roland gets his GMail account hacked Wednesday, July 10, 13
    • Hacker sends a password reset request to your server Wednesday, July 10, 13
    • Normally, you would email the reset Wednesday, July 10, 13
    • Unless... Wednesday, July 10, 13
    • You realize that King Roland always logs in from Druidia Wednesday, July 10, 13
    • But the hacker is requesting the reset from Spaceball City Wednesday, July 10, 13
    • Instead of sending the reset, you now ask some questions Wednesday, July 10, 13
    • And hopefully protect King Roland from further bad actions Wednesday, July 10, 13
    • GeoIP detection also helps you block traffic from unwanted countries Wednesday, July 10, 13
    • User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
    • Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
    • What do they have in common? Wednesday, July 10, 13
    • Does the behavior fit an equation? Wednesday, July 10, 13
    • If so, your detection is simple Wednesday, July 10, 13
    • Request rate > Threshold Wednesday, July 10, 13
    • TCP fingerprint != User Agent Wednesday, July 10, 13
    • But the HTTP method deviation is harder Wednesday, July 10, 13
    • 100% GET requests with a known UA (e.g. Google) is ok Wednesday, July 10, 13
    • 100% POST requests is not Wednesday, July 10, 13
    • But it’s not always that simple Wednesday, July 10, 13
    • Scenario Wednesday, July 10, 13
    • A high rate of account create requests are coming from a single address Wednesday, July 10, 13
    • Is it a NATted IP or a fraud/spam bot? Wednesday, July 10, 13
    • We have patterns and data… Wednesday, July 10, 13
    • What’s the next step? Wednesday, July 10, 13
    • Quantitative Analysis Wednesday, July 10, 13
    • Quantitative Analysis Wednesday, July 10, 13
    • Quantitative Analysis Security as a Data Science Probelm Wednesday, July 10, 13
    • We can apply some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
    • Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
    • This is where a lot of the value comes from Wednesday, July 10, 13
    • And combined with signature detection helps correlate attack events Wednesday, July 10, 13
    • But you still need a way to keep track of it all Wednesday, July 10, 13
    • Reputational Intelligence Wednesday, July 10, 13
    • Who’s naughty and who’s really naughty Wednesday, July 10, 13
    • Built up from the tools/ techniques mentioned previously Wednesday, July 10, 13
    • Provides local reputation Wednesday, July 10, 13
    • You can also purchase external reputation feeds Wednesday, July 10, 13
    • The combination gives you solid awareness of bad actors Wednesday, July 10, 13
    • Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? Wednesday, July 10, 13
    • Action Wednesday, July 10, 13
    • So now you have a ton of new information Wednesday, July 10, 13
    • What do you do with it? Wednesday, July 10, 13
    • Options • Block the traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
    • Blocking the traffic is straight forward Wednesday, July 10, 13
    • Block at the web server level (403) Wednesday, July 10, 13
    • Block at the firewall level Wednesday, July 10, 13
    • Both have advantages/ disadvantages Wednesday, July 10, 13
    • Honeypots are much more interesting Wednesday, July 10, 13
    • LB LB LB Engine Fake Real DB DBPartial Replication Wednesday, July 10, 13
    • When you honeypot, the attacker doesn’t know they’ve been caught Wednesday, July 10, 13
    • And it allows you to study their behavior Wednesday, July 10, 13
    • And update your approach to preventing attacks Wednesday, July 10, 13
    • But all of this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
    • Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
    • Repsheet Wednesday, July 10, 13
    • Reputation Engine Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
    • Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
    • Wednesday, July 10, 13
    • Wednesday, July 10, 13
    • Repsheet helps put everything together Wednesday, July 10, 13
    • Web server module records activity and looks for offenders in the cache Wednesday, July 10, 13
    • It listens to ModSecurity and adds offending IPs to it’s list Wednesday, July 10, 13
    • It provides notification and/or blocking of offenders Wednesday, July 10, 13
    • Blocking happens at the web server level Wednesday, July 10, 13
    • But you can send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
    • Notification sends headers to the downstream application Wednesday, July 10, 13
    • Which allows each app to chose how it is going to respond Wednesday, July 10, 13
    • For instance, show a captcha on signup if Repsheet alerts Wednesday, July 10, 13
    • Back end looks at the recorded data for bad behavior Wednesday, July 10, 13
    • And updates the cache when it finds offenders Wednesday, July 10, 13
    • You can supply your own learning models for the data Wednesday, July 10, 13
    • github.com/repsheet/ repsheet Wednesday, July 10, 13
    • Summary Wednesday, July 10, 13
    • There are lots of indicators of attack in your traffic Wednesday, July 10, 13
    • Build up a system that can capture the data and sort good from bad Wednesday, July 10, 13
    • Tools • ModSecurity • GeoIP • Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
    • And Remember… Wednesday, July 10, 13
    • Wednesday, July 10, 13
    • Questions? Wednesday, July 10, 13