Repsheet: A Behavior Based Approach to Web Application Security
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Repsheet: A Behavior Based Approach to Web Application Security

on

  • 1,338 views

This is a presentation on how to approach analyzing web application security.

This is a presentation on how to approach analyzing web application security.

Statistics

Views

Total Views
1,338
Views on SlideShare
1,330
Embed Views
8

Actions

Likes
1
Downloads
21
Comments
0

2 Embeds 8

https://twitter.com 6
http://www.pearltrees.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Repsheet: A Behavior Based Approach to Web Application Security Presentation Transcript

  • 1. Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
  • 2. Right now, your web applications are being attacked Wednesday, July 10, 13
  • 3. And it will happen again, and again, and again Wednesday, July 10, 13
  • 4. But not always in the way you think Wednesday, July 10, 13
  • 5. Let’s take a look at typical application security measures Wednesday, July 10, 13
  • 6. User Requests Web Server Application Environment Wednesday, July 10, 13
  • 7. Wednesday, July 10, 13
  • 8. roland : 12345 Wednesday, July 10, 13
  • 9. roland : 12345 Wednesday, July 10, 13
  • 10. And we go on with our day Wednesday, July 10, 13
  • 11. How many of you stop there? Wednesday, July 10, 13
  • 12. It’s time to start asking more questions Wednesday, July 10, 13
  • 13. But remember… Wednesday, July 10, 13
  • 14. Don’t impact user experience! Wednesday, July 10, 13
  • 15. ??? Wednesday, July 10, 13
  • 16. • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
  • 17. Signatures Wednesday, July 10, 13
  • 18. Mod Security Wednesday, July 10, 13
  • 19. Web Application Firewall Wednesday, July 10, 13
  • 20. Rule based detection Wednesday, July 10, 13
  • 21. Allows you to block or alert if traffic matches a signature Wednesday, July 10, 13
  • 22. Improved by the OWASP Core Rule Set Wednesday, July 10, 13
  • 23. A great tool to add to your stack Wednesday, July 10, 13
  • 24. Works with Apache, nginx, and IIS Wednesday, July 10, 13
  • 25. Works well with Apache Wednesday, July 10, 13
  • 26. Like most signature based tools it requires tuning Wednesday, July 10, 13
  • 27. And has a high possibility of false positives Wednesday, July 10, 13
  • 28. Great for helping with 0-day attacks Wednesday, July 10, 13
  • 29. Favor alerting over blocking in most scenarios Wednesday, July 10, 13
  • 30. User Requests Web Server ModSecurity Application Environment Wednesday, July 10, 13
  • 31. Anomalies Wednesday, July 10, 13
  • 32. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
  • 33. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • 34. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • 35. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
  • 36. What do you see? Wednesday, July 10, 13
  • 37. I see a website getting carded Wednesday, July 10, 13
  • 38. ??? Wednesday, July 10, 13
  • 39. Play by play Wednesday, July 10, 13
  • 40. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
  • 41. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
  • 42. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
  • 43. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
  • 44. And this continues… Wednesday, July 10, 13
  • 45. 10,000 more times Wednesday, July 10, 13
  • 46. Those were the only requests that IP address made Wednesday, July 10, 13
  • 47. Aside from the number of requests what else gave it away? Wednesday, July 10, 13
  • 48. 5% 5% 4% 27% 59% GET POST HEAD PUT DELETE Wednesday, July 10, 13
  • 49. HTTP method distribution is important Wednesday, July 10, 13
  • 50. When an actor deviates significantly, there must be a reason! Wednesday, July 10, 13
  • 51. Let’s talk GeoIP Wednesday, July 10, 13
  • 52. Adding GeoIP information is generically useful Wednesday, July 10, 13
  • 53. But it also helps in the face of an attack Wednesday, July 10, 13
  • 54. It can help protect you and your users Wednesday, July 10, 13
  • 55. Scenario Wednesday, July 10, 13
  • 56. King Roland gets his GMail account hacked Wednesday, July 10, 13
  • 57. Hacker sends a password reset request to your server Wednesday, July 10, 13
  • 58. Normally, you would email the reset Wednesday, July 10, 13
  • 59. Unless... Wednesday, July 10, 13
  • 60. You realize that King Roland always logs in from Druidia Wednesday, July 10, 13
  • 61. But the hacker is requesting the reset from Spaceball City Wednesday, July 10, 13
  • 62. Instead of sending the reset, you now ask some questions Wednesday, July 10, 13
  • 63. And hopefully protect King Roland from further bad actions Wednesday, July 10, 13
  • 64. GeoIP detection also helps you block traffic from unwanted countries Wednesday, July 10, 13
  • 65. User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  • 66. Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
  • 67. What do they have in common? Wednesday, July 10, 13
  • 68. Does the behavior fit an equation? Wednesday, July 10, 13
  • 69. If so, your detection is simple Wednesday, July 10, 13
  • 70. Request rate > Threshold Wednesday, July 10, 13
  • 71. TCP fingerprint != User Agent Wednesday, July 10, 13
  • 72. But the HTTP method deviation is harder Wednesday, July 10, 13
  • 73. 100% GET requests with a known UA (e.g. Google) is ok Wednesday, July 10, 13
  • 74. 100% POST requests is not Wednesday, July 10, 13
  • 75. But it’s not always that simple Wednesday, July 10, 13
  • 76. Scenario Wednesday, July 10, 13
  • 77. A high rate of account create requests are coming from a single address Wednesday, July 10, 13
  • 78. Is it a NATted IP or a fraud/spam bot? Wednesday, July 10, 13
  • 79. We have patterns and data… Wednesday, July 10, 13
  • 80. What’s the next step? Wednesday, July 10, 13
  • 81. Quantitative Analysis Wednesday, July 10, 13
  • 82. Quantitative Analysis Wednesday, July 10, 13
  • 83. Quantitative Analysis Security as a Data Science Probelm Wednesday, July 10, 13
  • 84. We can apply some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
  • 85. Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP Wednesday, July 10, 13
  • 86. This is where a lot of the value comes from Wednesday, July 10, 13
  • 87. And combined with signature detection helps correlate attack events Wednesday, July 10, 13
  • 88. But you still need a way to keep track of it all Wednesday, July 10, 13
  • 89. Reputational Intelligence Wednesday, July 10, 13
  • 90. Who’s naughty and who’s really naughty Wednesday, July 10, 13
  • 91. Built up from the tools/ techniques mentioned previously Wednesday, July 10, 13
  • 92. Provides local reputation Wednesday, July 10, 13
  • 93. You can also purchase external reputation feeds Wednesday, July 10, 13
  • 94. The combination gives you solid awareness of bad actors Wednesday, July 10, 13
  • 95. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? Wednesday, July 10, 13
  • 96. Action Wednesday, July 10, 13
  • 97. So now you have a ton of new information Wednesday, July 10, 13
  • 98. What do you do with it? Wednesday, July 10, 13
  • 99. Options • Block the traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
  • 100. Blocking the traffic is straight forward Wednesday, July 10, 13
  • 101. Block at the web server level (403) Wednesday, July 10, 13
  • 102. Block at the firewall level Wednesday, July 10, 13
  • 103. Both have advantages/ disadvantages Wednesday, July 10, 13
  • 104. Honeypots are much more interesting Wednesday, July 10, 13
  • 105. LB LB LB Engine Fake Real DB DBPartial Replication Wednesday, July 10, 13
  • 106. When you honeypot, the attacker doesn’t know they’ve been caught Wednesday, July 10, 13
  • 107. And it allows you to study their behavior Wednesday, July 10, 13
  • 108. And update your approach to preventing attacks Wednesday, July 10, 13
  • 109. But all of this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
  • 110. Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
  • 111. Repsheet Wednesday, July 10, 13
  • 112. Reputation Engine Wednesday, July 10, 13
  • 113. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  • 114. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Wednesday, July 10, 13
  • 115. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
  • 116. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
  • 117. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
  • 118. Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
  • 119. Wednesday, July 10, 13
  • 120. Wednesday, July 10, 13
  • 121. Repsheet helps put everything together Wednesday, July 10, 13
  • 122. Web server module records activity and looks for offenders in the cache Wednesday, July 10, 13
  • 123. It listens to ModSecurity and adds offending IPs to it’s list Wednesday, July 10, 13
  • 124. It provides notification and/or blocking of offenders Wednesday, July 10, 13
  • 125. Blocking happens at the web server level Wednesday, July 10, 13
  • 126. But you can send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
  • 127. Notification sends headers to the downstream application Wednesday, July 10, 13
  • 128. Which allows each app to chose how it is going to respond Wednesday, July 10, 13
  • 129. For instance, show a captcha on signup if Repsheet alerts Wednesday, July 10, 13
  • 130. Back end looks at the recorded data for bad behavior Wednesday, July 10, 13
  • 131. And updates the cache when it finds offenders Wednesday, July 10, 13
  • 132. You can supply your own learning models for the data Wednesday, July 10, 13
  • 133. github.com/repsheet/ repsheet Wednesday, July 10, 13
  • 134. Summary Wednesday, July 10, 13
  • 135. There are lots of indicators of attack in your traffic Wednesday, July 10, 13
  • 136. Build up a system that can capture the data and sort good from bad Wednesday, July 10, 13
  • 137. Tools • ModSecurity • GeoIP • Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
  • 138. And Remember… Wednesday, July 10, 13
  • 139. Wednesday, July 10, 13
  • 140. Questions? Wednesday, July 10, 13