Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
•Download as PPTX, PDF•
1 like•107 views
Cloud Services are on the increase, and so is the use of Web APIs. Connecting applications, and other services, platforms and third party connections all use Web APIs extensively. This talk will focus on raising awareness of the risks associated with the use of Web APIs, trending attacks.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Similar to Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul (20)
More from Cloud Security Alliance, UK chapter
More from Cloud Security Alliance, UK chapter (11)
Recently uploaded
Recently uploaded (20)
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
- 1. 1©2019 Check Point Software Technologies Ltd.©2019 Check Point Software Technologies Ltd. Kriti Mohun | Security Engineer, Check Point UK kritim@checkpoint.com Use Cases: CloudApp/WebAPI Securing Web APIs/WebApp CLOUD ATTACKS
- 2. 2©2019 Check Point Software Technologies Ltd. Agenda • Trending Cloud attacks • Use Cases of Cloud attacks seen in the field • Securing your Cloud based Web Apps, Web APIs, Microservices • Summary
- 3. 3©2019 Check Point Software Technologies Ltd. Trending Cloud $120 BILLION
- 4. 4©2019 Check Point Software Technologies Ltd. Trending and Recent Cloud Attacks Man-In-The-Cloud Cloud Malware Campaigns Web API attacks Spectre and Meltdown Advanced persistent threats (APTs) Denial of service attacks MicroServices Concerns
- 5. 5©2019 Check Point Software Technologies Ltd. Every Cloud has a silver lining NOT
- 6. 6©2019 Check Point Software Technologies Ltd. Man-In-The-Cloud
- 7. 7©2019 Check Point Software Technologies Ltd. Cloud Malware Campaign • Cloud Fanta • Cloud Squirrel SugarSync cloud storage app was used deliver malware Ransomware attack on multiple targeted cloud apps
- 8. 8©2019 Check Point Software Technologies Ltd. Web API attack Surface Image credits: peterlaird.blogspot.com
- 9. 9©2019 Check Point Software Technologies Ltd. API Attack Layers Post Login Data and Application Attacks - APTs, data exfiltration, logical attacks API / Layer 7 DDoS Attacks - compromise API services access* API Foundational Security Access Control - tokens, authorization, authentication Rate Limiting - client throttling, quotas* Network Privacy – SSL / TLS Pre Login Login / Botnet Attacks - credential stuffing, fuzzing, stolen cookies
- 10. 10©2019 Check Point Software Technologies Ltd. API Protection Attack layers Check Point WAAP offering Pre Login Bot protection, negative security Automatic schema learning process* Post Login Negative security, OPEN API schema validation Automatic schema learning process* API Foundational Security Rate limiting
- 11. ©2019 Check Point Software Technologies Ltd. EXAMPLE SQL INJECTION
- 12. 12©2019 Check Point Software Technologies Ltd. Example Vulnerable Code – SQL Injection
- 13. 13©2019 Check Point Software Technologies Ltd. Send hundreds of exploit strings Among them a single apostrophe - ‘ (encoded %27) POST /challange/sql_injection/ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/challange/os_injection/ Content-Type: application/x-www-form-urlencoded Content-Length: 24 Connection: close Cookie: PHPSESSID=b2968a24289593256b4b65f503169f68 Upgrade-Insecure-Requests: 1 search=%27 Standard Attack Tool Will yield an error and hint to the attacker that the code is vulnerable
- 14. 15©2019 Check Point Software Technologies Ltd. Detects (‘ apostrophe) as suspicious request BLOCK Suspicious request Routes page with (‘ apostrophe) for analysis and scoring HTTP Advanced Analysis Engines Indicators Detector Final Score: 6.1 Risk: High 3.1 User Reputation The user sent 30 requests NOT to typical URL's, with all of the requests being suspicious 3 Payload score The following indicators appeared in the request represents low likelihood of attack 7.8 URL score The system learned this URL is prone to attacks, and the system learned to offset the overall score up 6.2 Parameter score The system learned this parameter is prone to attacks, and the system learned to offset the overall score up Check Point ML WAAP – Two Stage Enforcement
- 15. 16©2019 Check Point Software Technologies Ltd. SQL Example Test with Attack Tool Code Vulnerability SQL Injection %27 is presented as ‘ [URL encoding] • WAF solutions based on ModSecurity: Azure, Akamai, CloudFlare • Others use same methodology: Imperva, F5, Radware + CHECK POINT WAAP CATCHES %27 ‘ • Indicators register (‘ apostrophe) as suspicious traffic • Triggers advanced analysis • Registers bad score • WAAP BLOCKS ATTACK WAF based on ModSecurity MISSES %27 ‘ • Signature based technology bypasses (‘ apostrophe) due to too many false positives • No rule triggered • ATTACK ALLOWED
- 16. 17©2019 Check Point Software Technologies Ltd. Web Application and API Protection (WAAP) Web Application Protection OWASP top 10 and much more API Security XML, REST and JSON payload processing and API usage thresholds Bot Mitigation Mitigation of automated connections. (includes user credential abuse) “ WAF bundles are evolving into a consolidated solution — WAAP — and promise greater efficiency, potential cost savings and enhanced visibility into an organization's application security posture ” Gartner, Dec 2017
- 17. 18©2019 Check Point Software Technologies Ltd. Foundations of Check Point WAAP Solution WAAP ML-based Infinity 2.0 PrecisionPrevention Automation Stop more attacks Extremely low False Positive rate Zero Tuning FlexibilityOpenness Management Open-Source Nano Agents IaaS / PaaS / FaaS Network, VM, Container Any Web framework APIs, Situational visibility, Human readable policies
- 18. 19©2019 Check Point Software Technologies Ltd. DB ZoneAzure Internet DMZ Analysis Zone Ingestion App Zone API User App Zone Human WAAP WAAPWAAPWAAP
- 19. 20©2019 Check Point Software Technologies Ltd.
- 20. 21©2019 Check Point Software Technologies Ltd. Securing CONTAINERS IN THE PUBLIC CLOUD Worker Nodes Master Nodes Who’s running it? You You Self Contained K8S Worker Nodes Master Nodes Who’s running it? You Cloud Provider Managed K8S (EKS/AKS/GKE/OKS...) Worker Nodes Master Nodes Who’s running it? Cloud Provider N/A CaaS (Fargate/ACI) Native Security
- 21. 22©2019 Check Point Software Technologies Ltd. Securing CONTAINERS IN THE PUBLIC CLOUD Worker Nodes Master Nodes Who’s running it? You You Self Contained K8S Worker Nodes Master Nodes Who’s running it? You Cloud Provider Managed K8S (EKS/AKS/GKE/OKS...) Worker Nodes Master Nodes Who’s running it? Cloud Provider N/A CaaS (Fargate/ACI) Native Security
- 22. 23©2019 Check Point Software Technologies Ltd. SECURITY CHALLENGES Privilege Escalation The attacker can move to the host and own all the containers Containers are Assembled Containers are built mostly from open source libraries and binaries Heterogeneous Environment Your security is as strong as your weakest container
- 23. 24©2019 Check Point Software Technologies Ltd. CONFIGURATION MANAGEMENT & HARDENING
- 24. 25©2019 Check Point Software Technologies Ltd.
- 25. 26©2019 Check Point Software Technologies Ltd. Summary • Cloud Security – Protecting Web App, Cloud App and API are key • DevOps – Security inclusive • Prevention – Precision – Automation • WAAP EA Program
- 26. ©2019 Check Point Software Technologies Ltd. THANK YOU Kriti Mohun | Security Engineer, Check Point UK kritim@checkpoint.com
Editor's Notes
- Cloud malware injection attacks Malware injection attacks are done to take control of a user’s information in the cloud. For this purpose, hackers add an infected service implementation module to a SaaS or PaaS solution or a virtual machine instance to an IaaS solution. If the cloud system is successfully deceived, it will redirect the cloud user’s requests to the hacker’s module or instance, initiating the execution of malicious code. Then the attacker can begin their malicious activity such as manipulating or stealing data or eavesdropping. The most common forms of malware injection attacks are cross-site scripting attacks and SQL injection attacks. During a cross-site scripting attack, hackers add malicious scripts (Flash, JavaScript, etc.) to a vulnerable web page. German researchers arranged an XSS attack against the Amazon Web Services cloud computing platform in 2011. In the case of SQL injection, attackers target SQL servers with vulnerable database applications. In 2008, Sony’s PlayStation website became the victim of a SQL injection attack. 2. Abuse of cloud services Hackers can use cheap cloud services to arrange DoS and brute force attacks on target users, companies, and even other cloud providers. For instance, security experts Bryan and Anderson arranged a DoS attack by exploiting capacities of Amazon’s EC2 cloud infrastructure in 2010. As a result, they managed to make their client unavailable on the internet by spending only $6 to rent virtual services. An example of a brute force attack was demonstrated by Thomas Roth at the 2011 Black Hat Technical Security Conference. By renting servers from cloud providers, hackers can use powerful cloud capacities to send thousands of possible passwords to a target user’s account. 3. Denial of service attacks DoS attacks are designed to overload a system and make services unavailable to its users. These attacks are especially dangerous for cloud computing systems, as many users may suffer as the result of flooding even a single cloud server. In case of high workload, cloud systems begin to provide more computational power by involving more virtual machines and service instances. While trying to prevent a cyber attack, the cloud system actually makes it more devastating. Finally, the cloud system slows down and legitimate users lose any availability to access their cloud services. In the cloud environment, DDoS attacks may be even more dangerous if hackers use more zombie machines to attack a large number of systems. 4. Side channel attacks A side channel attack is arranged by hackers when they place a malicious virtual machine on the same host as the target virtual machine. During a side channel attack, hackers target system implementations of cryptographic algorithms. However, this type of threat can be avoided with a secure system design. 5. Wrapping attacks A wrapping attack is an example of a man-in-the-middle attack in the cloud environment. Cloud computing is vulnerable to wrapping attacks because cloud users typically connect to services via a web browser. An XML signature is used to protect users’ credentials from unauthorized access, but this signature doesn’t secure the positions in the document. Thus, XML signature element wrapping allows attackers to manipulate an XML document. For example, a vulnerability was found in the SOAP interface of Amazon Elastic Cloud Computing (EC2) in 2009. This weakness allowed attackers to modify an eavesdropped message as a result of a successful signature wrapping attack. 6. Man-in-the-cloud attacks During this type of attack, hackers intercept and reconfigure cloud services by exploiting vulnerabilities in the synchronization token system so that during the next synchronization with the cloud, the synchronization token will be replaced with a new one that provides access to the attackers. Users may never know that their accounts have been hacked, as an attacker can put back the original synchronization tokens at any time. Moreover, there’s a risk that compromised accounts will never be recovered. 7. Insider attacks An insider attack is initiated by a legitimate user who is purposefully violating the security policy. In a cloud environment, an attacker can be a cloud provider administrator or an employee of a client company with extensive privileges. To prevent malicious activity of this type, cloud developers should design secure architectures with different levels of access to cloud services. 8. Account or service hijacking Account or service hijacking is achieved after gaining access to a user’s credentials. There are various techniques for achieving this, from fishing to spyware to cookie poisoning. Once a cloud account has been hacked, attackers can obtain a user’s personal information or corporate data and compromise cloud computing services. For instance, an employee of Salesforce, a SaaS vendor, became the victim of a phishing scam which led to the exposure of all of the company’s client accounts in 2007. 9. Advanced persistent threats (APTs) APTs are attacks that let hackers continuously steal sensitive data stored in the cloud or exploit cloud services without being noticed by legitimate users. The duration of these attacks allows hackers to adapt to security measures against them. Once unauthorized access is established, hackers can move through data center networks and use network traffic for their malicious activity. 10. New attacks: Spectre and Meltdown These two types of cyber attacks appeared earlier this year and have already become a new threat to cloud computing. With the help of malicious JavaScript code, adversaries can read encrypted data from memory by exploiting a design weakness in most modern processors. Both Spectre and Meltdown break the isolation between applications and the operating system, letting attackers read information from the kernel. This is a real headache for cloud developers, as not all cloud users install the latest security patches.
- CloudFanta is different from other malware because of the way it spreads. Like a lot of malware, it is first delivered via a phishing email with a malicious attachment. However, this is only the first stage of an infection. Whereas most malware might then contact a command and control server, CloudFanta uses a popular cloud storage site called SugarSync. The link in the email is a direct download, so the user isn't even shown the SugarSync page. Once a user clicks the link, it automatically downloads the malicious part of the malware from SugarSync in the form of a Java file. This file is obfuscated by using a double extension, .PDF.jar, which, on most systems, will only show up as .PDF, therefore tricking the user into thinking he is opening a document. Once run, the Java file will then download dynamic-link library files masquerading as PNG image files. This obfuscation is designed to bypass antivirus and firewall protections. The connection to SugarSync is encrypted, further increasing the malware's ability to go undetected. Once installed, the CloudFanta malware is quite typical in its function, waiting for the user to visit online banking or email sign in pages. The users are then redirected to a phishing site that looks identical to the real page, and when they enter their username and password, these are sent to the attackers. The malware is also used to send further spam emails from the victims' accounts. SugarSync would be an unusual service to allow in a corporate environment, but to prevent this particular strain on cloud malware, ensure access to it is blocked. It is also important that the enterprise's network security tools and services be able to detect malware in sanctioned and unsanctioned cloud services.
- Structure of API, private, partner API ( on boarding process exist), public (open API)