Repsheet: A Behavior Based Approach to Web Application Security

2,163 views
2,044 views

Published on

This is a presentation on how to approach analyzing web application security.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,163
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
47
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Repsheet: A Behavior Based Approach to Web Application Security

  1. 1. Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
  2. 2. Right now, your web applications are being attacked Wednesday, July 10, 13
  3. 3. And it will happen again, and again, and again Wednesday, July 10, 13
  4. 4. But not always in the way you think Wednesday, July 10, 13
  5. 5. Let’s take a look at typical application security measures Wednesday, July 10, 13
  6. 6. User Requests Web Server Application Environment Wednesday, July 10, 13
  7. 7. Wednesday, July 10, 13
  8. 8. roland : 12345 Wednesday, July 10, 13
  9. 9. roland : 12345 Wednesday, July 10, 13
  10. 10. And we go on with our day Wednesday, July 10, 13
  11. 11. How many of you stop there? Wednesday, July 10, 13
  12. 12. It’s time to start asking more questions Wednesday, July 10, 13
  13. 13. But remember… Wednesday, July 10, 13
  14. 14. Don’t impact user experience! Wednesday, July 10, 13
  15. 15. ??? Wednesday, July 10, 13
  16. 16. • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
  17. 17. Signatures Wednesday, July 10, 13
  18. 18. Mod Security Wednesday, July 10, 13
  19. 19. Web Application Firewall Wednesday, July 10, 13
  20. 20. Rule based detection Wednesday, July 10, 13
  21. 21. Allows you to block or alert if traffic matches a signature Wednesday, July 10, 13
  22. 22. Improved by the OWASP Core Rule Set Wednesday, July 10, 13
  23. 23. A great tool to add to your stack Wednesday, July 10, 13
  24. 24. Works with Apache, nginx, and IIS Wednesday, July 10, 13
  25. 25. Works well with Apache Wednesday, July 10, 13
  26. 26. Like most signature based tools it requires tuning Wednesday, July 10, 13
  27. 27. And has a high possibility of false positives Wednesday, July 10, 13
  28. 28. Great for helping with 0-day attacks Wednesday, July 10, 13
  29. 29. Favor alerting over blocking in most scenarios Wednesday, July 10, 13
  30. 30. User Requests Web Server ModSecurity Application Environment Wednesday, July 10, 13
  31. 31. Anomalies Wednesday, July 10, 13
  32. 32. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
  33. 33. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  34. 34. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  35. 35. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  36. 36. What do you see? Wednesday, July 10, 13
  37. 37. I see a website getting carded Wednesday, July 10, 13
  38. 38. ??? Wednesday, July 10, 13
  39. 39. Play by play Wednesday, July 10, 13
  40. 40. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
  41. 41. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
  42. 42. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
  43. 43. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
  44. 44. And this continues… Wednesday, July 10, 13
  45. 45. 10,000 more times Wednesday, July 10, 13
  46. 46. Those were the only requests that IP address made Wednesday, July 10, 13
  47. 47. Aside from the number of requests what else gave it away? Wednesday, July 10, 13
  48. 48. 5% 5% 4% 27% 59% GET POST HEAD PUT DELETE Wednesday, July 10, 13
  49. 49. HTTP method distribution is important Wednesday, July 10, 13
  50. 50. When an actor deviates significantly, there must be a reason! Wednesday, July 10, 13
  51. 51. Let’s talk GeoIP Wednesday, July 10, 13
  52. 52. Adding GeoIP information is generically useful Wednesday, July 10, 13
  53. 53. But it also helps in the face of an attack Wednesday, July 10, 13
  54. 54. It can help protect you and your users Wednesday, July 10, 13
  55. 55. Scenario Wednesday, July 10, 13
  56. 56. King Roland gets his GMail account hacked Wednesday, July 10, 13
  57. 57. Hacker sends a password reset request to your server Wednesday, July 10, 13
  58. 58. Normally, you would email the reset Wednesday, July 10, 13
  59. 59. Unless... Wednesday, July 10, 13
  60. 60. You realize that King Roland always logs in from Druidia Wednesday, July 10, 13
  61. 61. But the hacker is requesting the reset from Spaceball City Wednesday, July 10, 13
  62. 62. Instead of sending the reset, you now ask some questions Wednesday, July 10, 13
  63. 63. And hopefully protect King Roland from further bad actions Wednesday, July 10, 13
  64. 64. GeoIP detection also helps you block traffic from unwanted countries Wednesday, July 10, 13
  65. 65. User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  66. 66. Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
  67. 67. What do they have in common? Wednesday, July 10, 13
  68. 68. Does the behavior fit an equation? Wednesday, July 10, 13
  69. 69. If so, your detection is simple Wednesday, July 10, 13
  70. 70. Request rate > Threshold Wednesday, July 10, 13
  71. 71. TCP fingerprint != User Agent Wednesday, July 10, 13
  72. 72. But the HTTP method deviation is harder Wednesday, July 10, 13
  73. 73. 100% GET requests with a known UA (e.g. Google) is ok Wednesday, July 10, 13
  74. 74. 100% POST requests is not Wednesday, July 10, 13
  75. 75. But it’s not always that simple Wednesday, July 10, 13
  76. 76. Scenario Wednesday, July 10, 13
  77. 77. A high rate of account create requests are coming from a single address Wednesday, July 10, 13
  78. 78. Is it a NATted IP or a fraud/spam bot? Wednesday, July 10, 13
  79. 79. We have patterns and data… Wednesday, July 10, 13
  80. 80. What’s the next step? Wednesday, July 10, 13
  81. 81. Quantitative Analysis Wednesday, July 10, 13
  82. 82. Quantitative Analysis Wednesday, July 10, 13
  83. 83. Quantitative Analysis Security as a Data Science Probelm Wednesday, July 10, 13
  84. 84. We can apply some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
  85. 85. Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  86. 86. This is where a lot of the value comes from Wednesday, July 10, 13
  87. 87. And combined with signature detection helps correlate attack events Wednesday, July 10, 13
  88. 88. But you still need a way to keep track of it all Wednesday, July 10, 13
  89. 89. Reputational Intelligence Wednesday, July 10, 13
  90. 90. Who’s naughty and who’s really naughty Wednesday, July 10, 13
  91. 91. Built up from the tools/ techniques mentioned previously Wednesday, July 10, 13
  92. 92. Provides local reputation Wednesday, July 10, 13
  93. 93. You can also purchase external reputation feeds Wednesday, July 10, 13
  94. 94. The combination gives you solid awareness of bad actors Wednesday, July 10, 13
  95. 95. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? Wednesday, July 10, 13
  96. 96. Action Wednesday, July 10, 13
  97. 97. So now you have a ton of new information Wednesday, July 10, 13
  98. 98. What do you do with it? Wednesday, July 10, 13
  99. 99. Options • Block the traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
  100. 100. Blocking the traffic is straight forward Wednesday, July 10, 13
  101. 101. Block at the web server level (403) Wednesday, July 10, 13
  102. 102. Block at the firewall level Wednesday, July 10, 13
  103. 103. Both have advantages/ disadvantages Wednesday, July 10, 13
  104. 104. Honeypots are much more interesting Wednesday, July 10, 13
  105. 105. LB LB LB Engine Fake Real DB DBPartial Replication Wednesday, July 10, 13
  106. 106. When you honeypot, the attacker doesn’t know they’ve been caught Wednesday, July 10, 13
  107. 107. And it allows you to study their behavior Wednesday, July 10, 13
  108. 108. And update your approach to preventing attacks Wednesday, July 10, 13
  109. 109. But all of this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
  110. 110. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
  111. 111. Repsheet Wednesday, July 10, 13
  112. 112. Reputation Engine Wednesday, July 10, 13
  113. 113. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  114. 114. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  115. 115. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
  116. 116. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
  117. 117. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
  118. 118. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
  119. 119. Wednesday, July 10, 13
  120. 120. Wednesday, July 10, 13
  121. 121. Repsheet helps put everything together Wednesday, July 10, 13
  122. 122. Web server module records activity and looks for offenders in the cache Wednesday, July 10, 13
  123. 123. It listens to ModSecurity and adds offending IPs to it’s list Wednesday, July 10, 13
  124. 124. It provides notification and/or blocking of offenders Wednesday, July 10, 13
  125. 125. Blocking happens at the web server level Wednesday, July 10, 13
  126. 126. But you can send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
  127. 127. Notification sends headers to the downstream application Wednesday, July 10, 13
  128. 128. Which allows each app to chose how it is going to respond Wednesday, July 10, 13
  129. 129. For instance, show a captcha on signup if Repsheet alerts Wednesday, July 10, 13
  130. 130. Back end looks at the recorded data for bad behavior Wednesday, July 10, 13
  131. 131. And updates the cache when it finds offenders Wednesday, July 10, 13
  132. 132. You can supply your own learning models for the data Wednesday, July 10, 13
  133. 133. github.com/repsheet/ repsheet Wednesday, July 10, 13
  134. 134. Summary Wednesday, July 10, 13
  135. 135. There are lots of indicators of attack in your traffic Wednesday, July 10, 13
  136. 136. Build up a system that can capture the data and sort good from bad Wednesday, July 10, 13
  137. 137. Tools • ModSecurity • GeoIP • Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
  138. 138. And Remember… Wednesday, July 10, 13
  139. 139. Wednesday, July 10, 13
  140. 140. Questions? Wednesday, July 10, 13

×