knock knock
play

Knock Knock Understanding Who is Using Your Web Applications Aaron - PowerPoint PPT Presentation

Feb 11, 2024 •525 likes •1.96k views

Knock Knock Understanding Who is Using Your Web Applications Aaron Bedra Application Security Lead Braintree Payments Tuesday, April 23, 13 Right now, your web applications are being attacked Tuesday, April 23, 13 And it will happen

  1. Knock Knock Understanding Who is Using Your Web Applications Aaron Bedra Application Security Lead Braintree Payments Tuesday, April 23, 13

  2. Right now, your web applications are being attacked Tuesday, April 23, 13

  3. And it will happen again, and again, and again Tuesday, April 23, 13

  4. But not always in the way you think Tuesday, April 23, 13

  5. Let’s take a look at typical application security measures Tuesday, April 23, 13

  6. User Requests Web Server Application Environment Tuesday, April 23, 13

  7. Tuesday, April 23, 13

  8. roland : 12345 Tuesday, April 23, 13

  9. roland : 12345 Tuesday, April 23, 13

  10. And we go on with our day Tuesday, April 23, 13

  11. How many of you stop there? Tuesday, April 23, 13

  12. It’s time to start asking more questions Tuesday, April 23, 13

  13. But remember… Tuesday, April 23, 13

  14. Don’t impact user experience! Tuesday, April 23, 13

  15. ??? Tuesday, April 23, 13

  16. • Signature based detection • Anomaly detection • Reputational intelligence • Action • Repsheet Tuesday, April 23, 13

  17. Signatures Tuesday, April 23, 13

  18. Mod Security Tuesday, April 23, 13

  19. Web Application Firewall Tuesday, April 23, 13

  20. Rule based detection Tuesday, April 23, 13

  21. Allows you to block or alert if traffic matches a signature Tuesday, April 23, 13

  22. Improved by the OWASP Core Rule Set Tuesday, April 23, 13

  23. A great tool to add to your stack Tuesday, April 23, 13

  24. Works with Apache, nginx, and IIS Tuesday, April 23, 13

  25. Works well with Apache Tuesday, April 23, 13

  26. Like most signature based tools it requires tuning Tuesday, April 23, 13

  27. And has a high possibility of false positives Tuesday, April 23, 13

  28. Great for helping with 0-day attacks Tuesday, April 23, 13

  29. Favor alerting over blocking in most scenarios Tuesday, April 23, 13

  30. User Requests Web Server ModSecurity Application Environment Tuesday, April 23, 13

  31. Anomalies Tuesday, April 23, 13

  32. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  33. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  34. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  35. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  36. What do you see? Tuesday, April 23, 13

  37. I see a website getting carded Tuesday, April 23, 13

  38. ??? Tuesday, April 23, 13

  39. Play by play Tuesday, April 23, 13

  40. Login Request 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  41. 1 sec delay Add credit card to account #1 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" Tuesday, April 23, 13

  42. 1 sec delay Add credit card to account #2 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" FF 8 on Windows 7 or Bot? Tuesday, April 23, 13

  43. 1 sec delay Add credit card to account #3 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233" FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Tuesday, April 23, 13

  44. And this continues… Tuesday, April 23, 13

  45. 10,000 more times Tuesday, April 23, 13

  46. Those were the only requests that IP address made Tuesday, April 23, 13

  47. Aside from the number of requests what else gave it away? Tuesday, April 23, 13

  48. GET POST HEAD PUT DELETE 5% 5% 4% 27% 59% Tuesday, April 23, 13

  49. HTTP method distribution is important Tuesday, April 23, 13

  50. When an actor deviates significantly, there must be a reason! Tuesday, April 23, 13

  51. Let’s talk GeoIP Tuesday, April 23, 13

  52. Adding GeoIP information is generically useful Tuesday, April 23, 13

  53. But it also helps in the face of an attack Tuesday, April 23, 13

  54. It can help protect you and your users Tuesday, April 23, 13

  55. Scenario Tuesday, April 23, 13

  56. King Roland gets his GMail account hacked Tuesday, April 23, 13

  57. Hacker sends a password reset request to your server Tuesday, April 23, 13

  58. Normally, you would email the reset Tuesday, April 23, 13

  59. Unless... Tuesday, April 23, 13

  60. You realize that King Roland always logs in from Druidia Tuesday, April 23, 13

  61. But the hacker is requesting the reset from Spaceball City Tuesday, April 23, 13

  62. Instead of sending the reset, you now ask some questions Tuesday, April 23, 13

  63. And hopefully protect King Roland from further bad actions Tuesday, April 23, 13

  64. GeoIP detection also helps you block traffic from unwanted countries Tuesday, April 23, 13

  65. User Requests Web Server ModSecurity GeoIP Application Environment Tuesday, April 23, 13

  66. Other Anomalies • Request Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Tuesday, April 23, 13

  67. What do they have in common? Tuesday, April 23, 13

  68. Does the behavior fit an equation? Tuesday, April 23, 13

  69. If so, your detection is simple Tuesday, April 23, 13

  70. Request rate > Threshold Tuesday, April 23, 13

  71. TCP fingerprint != User Agent Tuesday, April 23, 13

  72. But the HTTP method deviation is harder Tuesday, April 23, 13

  73. 100% GET requests with a known UA (e.g. Google) is ok Tuesday, April 23, 13

  74. 100% POST requests is not Tuesday, April 23, 13

  75. But it’s not always that simple Tuesday, April 23, 13

  76. Scenario Tuesday, April 23, 13

  77. A high rate of account create requests are coming from a single address Tuesday, April 23, 13

  78. Is it a NATted IP or a fraud/spam bot? Tuesday, April 23, 13

  79. We have patterns and data… Tuesday, April 23, 13

  80. What’s the next step? Tuesday, April 23, 13

  81. Quantitative Analysis Tuesday, April 23, 13

  82. Quantitative Analysis Tuesday, April 23, 13

  83. Security as a Data Science Quantitative Analysis Probelm Tuesday, April 23, 13

  84. We can apply some machine learning to the data in an attempt to classify it Tuesday, April 23, 13

  85. User Requests Web Server ??? Classifier ModSecurity GeoIP Application Environment Tuesday, April 23, 13

  86. This is where a lot of the value comes from Tuesday, April 23, 13

  87. And combined with signature detection helps correlate attack events Tuesday, April 23, 13

  88. But you still need a way to keep track of it all Tuesday, April 23, 13

  89. Reputational Intelligence Tuesday, April 23, 13

  90. Who’s naughty and who’s really naughty Tuesday, April 23, 13

  91. Built up from the tools/ techniques mentioned previously Tuesday, April 23, 13

  92. Provides local reputation Tuesday, April 23, 13

  93. You can also purchase external reputation feeds Tuesday, April 23, 13

  94. The combination gives you solid awareness of bad actors Tuesday, April 23, 13

  95. User Requests Web Server ??? Classifier ModSecurity ??? GeoIP External Reputational Reputation Intelligence Application Environment Tuesday, April 23, 13

  96. Action Tuesday, April 23, 13

  97. So now you have a ton of new information Tuesday, April 23, 13

  98. What do you do with it? Tuesday, April 23, 13

  99. Options • Block the traffic • Honeypot the attacker • Attack back • Contact the authorities Tuesday, April 23, 13

  100. Blocking the traffic is straight forward Tuesday, April 23, 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

S.P.A.G. LOLZ! KS2 2: KNOCK - KNOCK! TODAYS CHALLENGE: Learn how to EXPAND nouns into

S.P.A.G. LOLZ! KS2 2: KNOCK - KNOCK! TODAYS CHALLENGE: Learn how to EXPAND nouns into

S.P.A.G. LOLZ! KS2 2: KNOCK - KNOCK! TODAYS CHALLENGE: Learn how to EXPAND nouns into phrases RECOGNISE question words PERFORM knock-knock jokes with a friend WHAT IS FUNNY? What does funny mean? What

529 views • 11 slides
KNOCK KNOCK, WHOS THERE? On the Security of LGs Knock Codes Raina Samuel** Iulian Neamtiu

KNOCK KNOCK, WHOS THERE? On the Security of LGs Knock Codes Raina Samuel** Iulian Neamtiu

KNOCK KNOCK, WHOS THERE? On the Security of LGs Knock Codes Raina Samuel** Iulian Neamtiu Philipp Markert Adam J. Aviv New Jersey Institute New Jersey Institute Ruhr University The George of Technology of Technology Bochum

111 views • 10 slides
Knock, Knock, FDA is Here; Be Prepared for a Regulatory Inspection Joanne Schlossin, Consumer

Knock, Knock, FDA is Here; Be Prepared for a Regulatory Inspection Joanne Schlossin, Consumer

Knock, Knock, FDA is Here; Be Prepared for a Regulatory Inspection Joanne Schlossin, Consumer Safety Officer Karen Kosar, BIMO Specialist BIMO-East President Ronald Reagan (4/12/86) "The nine most terrifying words in the English

1.29k views • 42 slides
Knock, Knock, Whos There?: Development of Doorstep Messages to Increase Survey Participation

Knock, Knock, Whos There?: Development of Doorstep Messages to Increase Survey Participation

Knock, Knock, Whos There?: Development of Doorstep Messages to Increase Survey Participation in Seven Languages Patricia Goerman, Yazmn A. Garca Trejo and Anna Sandoval Girn Center for Survey Measurement, U.S. Census Bureau Presented

325 views • 17 slides
KNOCK OUT Blue B Flashover in action KNOCK OUT Key features: Takeaways and Path Forward

KNOCK OUT Blue B Flashover in action KNOCK OUT Key features: Takeaways and Path Forward

KNOCK OUT Blue B Flashover in action KNOCK OUT Key features: Takeaways and Path Forward Mechanical actuation is simple , powerful , and feasible for this device How to achieve maximum mechanical advantage? Existing Tools Halligan

412 views • 7 slides
The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful

The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful

The Knock Em Alive The Knock Em Alive Positively Powerful Positively Powerful Strategies For Your Job Strategies For Your Job Success! Success! With Dr. Joel Martin President. Triad West Inc. Get you where you want to

1.19k views • 31 slides
How to Get Donor Visits & Knock Them Out of the Park @fundraiserchad Who is this guy? And

How to Get Donor Visits & Knock Them Out of the Park @fundraiserchad Who is this guy? And

How to Get Donor Visits & Knock Them Out of the Park @fundraiserchad Who is this guy? And why does he think he knows what hes talking about? career fundraiser providing fundraising strategy, training & coaching to small nonprofit

854 views • 61 slides
When You Are Ready, Opportunity Will Knock! CVM PD Day May 24, 2017 Dr. Barbara Roberts

When You Are Ready, Opportunity Will Knock! CVM PD Day May 24, 2017 Dr. Barbara Roberts

When You Are Ready, Opportunity Will Knock! CVM PD Day May 24, 2017 Dr. Barbara Roberts Executive Director, WorkLife Find Your Passion What do you love? What ignites your imagination? What kind of puzzles or problems capture your

399 views • 11 slides
District of Columbia Office of the State Superintendent of Education It Takes a City to Knock it

District of Columbia Office of the State Superintendent of Education It Takes a City to Knock it

District of Columbia Office of the State Superintendent of Education It Takes a City to Knock it Out of the PARCC! It Takes a City It Takes a City to Knock it Out of the PARCC! Understanding the Shifts: Translating the NGSS into Practice

527 views • 50 slides
Come and Knock On Our Door: Evaluating the Impact of Varying Rules for Case Follow-Up Using

Come and Knock On Our Door: Evaluating the Impact of Varying Rules for Case Follow-Up Using

Come and Knock On Our Door: Evaluating the Impact of Varying Rules for Case Follow-Up Using Linked Survey Paradata and Administrative Records Casey Eggleston and Jonathan Eggleston (Census) November 5, 2019 This report is released to inform

817 views • 35 slides
It Takes a City It Takes a City to Knock it Out of the PARCC! Making the Transition from Pencil

It Takes a City It Takes a City to Knock it Out of the PARCC! Making the Transition from Pencil

It Takes a City It Takes a City to Knock it Out of the PARCC! Making the Transition from Pencil and Paper to Computer-based Assessments Welcome! LEA Leadership Institute, January 23, 2015 Gallaudet University Ballroom B Washington, DC

238 views • 21 slides
Crawford W. Long Middle School ( in a virtual world) th Grade Ready to Knock ck Out 6 th de th

Crawford W. Long Middle School ( in a virtual world) th Grade Ready to Knock ck Out 6 th de th

Crawford W. Long Middle School ( in a virtual world) th Grade Ready to Knock ck Out 6 th de th Grade Champs 6 th 2 Principal Lisa Hill 3 4 Mrs. Dickerson Team m A Math 5 Mr. Critc tcher her- Scien ence e & Social Stu tudies

584 views • 27 slides
NOC Knock... ...who's there? NOC Frontend Development & Improvement Rachael Holt

NOC Knock... ...who's there? NOC Frontend Development & Improvement Rachael Holt

NOC Knock... ...who's there? NOC Frontend Development & Improvement Rachael Holt (HEAnet) & Gareth Eason (HEAnet) TF-NOC Preparation Meeting, Copenhagen, 3 r d May 2010 Who am I? (slide 2 of 318) Gareth Eason - Network

837 views • 56 slides
How to Knock 20 Seconds Off f Your Average Handling Tim ime Paul Weald What is AHT? And why

How to Knock 20 Seconds Off f Your Average Handling Tim ime Paul Weald What is AHT? And why

How to Knock 20 Seconds Off f Your Average Handling Tim ime Paul Weald What is AHT? And why is it important? Average Handle Time is composed of three elements 1. Talk time 2. Hold time 3. Wrap time It is important from a workforce

338 views • 8 slides
Kellogg Insight Podcast Transcript Knock Your Next Business Presentation Out of the Park Jake

Kellogg Insight Podcast Transcript Knock Your Next Business Presentation Out of the Park Jake

Kellogg Insight Podcast Transcript Knock Your Next Business Presentation Out of the Park Jake SMITH : Tim Calkins is a clinical professor of marketing at Kellogg. And his new book, on how to give a good business presentation, has a slightly

264 views • 4 slides
and Discernment Behold, I stand at the door and knock. If anyone hears my voice and opens the

and Discernment Behold, I stand at the door and knock. If anyone hears my voice and opens the

Prayer Life and Discernment Behold, I stand at the door and knock. If anyone hears my voice and opens the door, (then) I will enter his house and dine with him, and he with me. (Rev 3:20) RCIA Journey of Faith - 7 May 2009 Prayer Life

624 views • 20 slides
Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior

Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior

Performance Tuning best pracitces and performance monitoring with Zabbix Andrew Nelson Senior Linux Consultant May 28, 2015 NLUUG Conf, Utrecht, Netherlands Overview Introduction Performance tuning is Science! A little Law and

595 views • 47 slides
SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services Matt Welsh, David Culler, and Eric Brewer Computer Science Division University of California, Berkeley Symposium on Operating Systems Principles (SOSP), October 2001

466 views • 24 slides
100 Drupal performance and scalability best practices Gord Christmas gord.christmas@acquia.com

100 Drupal performance and scalability best practices Gord Christmas gord.christmas@acquia.com

100 Drupal performance and scalability best practices Gord Christmas gord.christmas@acquia.com Saturday, April 6, 13 1 Long tail of performance tuning 20% of the performance tuning will give 50% of the improvements Potentially a hundred

363 views • 10 slides
OUTLINE Introduction Scalability Evaluation Scalability Enhancement Approach

OUTLINE Introduction Scalability Evaluation Scalability Enhancement Approach

R. Hashemian 1 , D. Krishnamurthy 1 , M. Arlitt 2 , N. Carlsson 3 1. University of Calgary 2. HP Labs 3. Linkping University by : Raoufehsadat Hashemian The 4th ACM/SPEC International Conference on Performance Engineering ICPE 2013 OUTLINE

717 views • 22 slides
Motivation Motivation 2 Typical e-commerce sites are complex, consisting of hundreds of

Motivation Motivation 2 Typical e-commerce sites are complex, consisting of hundreds of

A METHOD FOR A METHOD FOR EVALUATING THE IMPACT OF SOFTWARE CONFIGURATION PARAMETERS ON E PARAMETERS ON E- COMMERCE SITES Monchai Sopitkamol Daniel A. Menasc George Mason University Kasetsart University Dept. of Computer Science, MS 4A5

360 views • 21 slides
Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

The Bro Network Security Monitor Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012 Dagstuhl 2012 2 Outline Bro Introduction Much different from the typical IDS you may know Hot off

742 views • 63 slides
A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent

A theory of closure operators Alva L. Couch Marc A. Chiarini Tufts University Convergent operators A convergent operator assures a specific network state and is idempotent if that state exists already. Example 1: set a parameter to a

707 views • 21 slides
CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science

CPSC 531: System Modeling and Simulation Carey Williamson Department of Computer Science University of Calgary Fall 2017 Agenda Welcome! Course Overview Learning Outcomes Administrative Details Expectations Q&A

559 views • 21 slides

More recommend