Knock Knock Understanding Who is Using Your Web Applications Aaron - - PowerPoint PPT Presentation

Knock Knock

Understanding Who is Using Your Web Applications

Aaron Bedra Application Security Lead Braintree Payments

Tuesday, April 23, 13

Right now, your web applications are being attacked

Tuesday, April 23, 13

And it will happen again, and again, and again

Tuesday, April 23, 13

But not always in the way you think

Tuesday, April 23, 13

Let’s take a look at typical application security measures

Tuesday, April 23, 13

User Requests Web Server Application Environment

Tuesday, April 23, 13

Tuesday, April 23, 13

roland : 12345

Tuesday, April 23, 13

roland : 12345

Tuesday, April 23, 13

And we go on with our day

Tuesday, April 23, 13

How many of you stop there?

Tuesday, April 23, 13

It’s time to start asking more questions

Tuesday, April 23, 13

But remember…

Tuesday, April 23, 13

Don’t impact user experience!

Tuesday, April 23, 13

???

Tuesday, April 23, 13

• Signature based detection
• Anomaly detection
• Reputational intelligence
• Action
• Repsheet

Tuesday, April 23, 13

Signatures

Tuesday, April 23, 13

Mod Security

Tuesday, April 23, 13

Web Application Firewall

Tuesday, April 23, 13

Rule based detection

Tuesday, April 23, 13

Allows you to block or alert if traffic matches a signature

Tuesday, April 23, 13

Improved by the OWASP Core Rule Set

Tuesday, April 23, 13

A great tool to add to your stack

Tuesday, April 23, 13

Works with Apache, nginx, and IIS

Tuesday, April 23, 13

Works well with Apache

Tuesday, April 23, 13

Like most signature based tools it requires tuning

Tuesday, April 23, 13

And has a high possibility of false positives

Tuesday, April 23, 13

Great for helping with 0-day attacks

Tuesday, April 23, 13

Favor alerting over blocking in most scenarios

Tuesday, April 23, 13

User Requests Web Server ModSecurity Application Environment

Tuesday, April 23, 13

Anomalies

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233"

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

Tuesday, April 23, 13

What do you see?

Tuesday, April 23, 13

I see a website getting carded

Tuesday, April 23, 13

???

Tuesday, April 23, 13

Play by play

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233"

Login Request

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

Add credit card to account #1 1 sec delay

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

1 sec delay Add credit card to account #2 FF 8 on Windows 7

• r Bot?

Tuesday, April 23, 13

10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"

1 sec delay Add credit card to account #3 FF 8 on Windows 7

• r Bot?

Plovdiv Bulgaria

Tuesday, April 23, 13

And this continues…

Tuesday, April 23, 13

10,000 more times

Tuesday, April 23, 13

Those were the only requests that IP address made

Tuesday, April 23, 13

Aside from the number

• f requests what else

gave it away?

Tuesday, April 23, 13

5% 5% 4% 27% 59%

GET POST HEAD PUT DELETE

Tuesday, April 23, 13

HTTP method distribution is important

Tuesday, April 23, 13

When an actor deviates significantly, there must be a reason!

Tuesday, April 23, 13

Let’s talk GeoIP

Tuesday, April 23, 13

Adding GeoIP information is generically useful

Tuesday, April 23, 13

But it also helps in the face of an attack

Tuesday, April 23, 13

It can help protect you and your users

Tuesday, April 23, 13

Scenario

Tuesday, April 23, 13

King Roland gets his GMail account hacked

Tuesday, April 23, 13

Hacker sends a password reset request to your server

Tuesday, April 23, 13

Normally, you would email the reset

Tuesday, April 23, 13

Unless...

Tuesday, April 23, 13

You realize that King Roland always logs in from Druidia

Tuesday, April 23, 13

But the hacker is requesting the reset from Spaceball City

Tuesday, April 23, 13

Instead of sending the reset, you now ask some questions

Tuesday, April 23, 13

And hopefully protect King Roland from further bad actions

Tuesday, April 23, 13

GeoIP detection also helps you block traffic from unwanted countries

Tuesday, April 23, 13

User Requests Web Server ModSecurity Application Environment GeoIP

Tuesday, April 23, 13

Other Anomalies

• Request Rate
• TCP Fingerprint vs. User Agent
• Account Create/Delete/Subscribe
• Anything you can imagine

Tuesday, April 23, 13

What do they have in common?

Tuesday, April 23, 13

Does the behavior fit an equation?

Tuesday, April 23, 13

If so, your detection is simple

Tuesday, April 23, 13

Request rate > Threshold

Tuesday, April 23, 13

TCP fingerprint != User Agent

Tuesday, April 23, 13

But the HTTP method deviation is harder

Tuesday, April 23, 13

100% GET requests with a known UA (e.g. Google) is ok

Tuesday, April 23, 13

100% POST requests is not

Tuesday, April 23, 13

But it’s not always that simple

Tuesday, April 23, 13

Scenario

Tuesday, April 23, 13

A high rate of account create requests are coming from a single address

Tuesday, April 23, 13

Is it a NATted IP or a fraud/spam bot?

Tuesday, April 23, 13

We have patterns and data…

Tuesday, April 23, 13

What’s the next step?

Tuesday, April 23, 13

Quantitative Analysis

Tuesday, April 23, 13

Quantitative Analysis

Tuesday, April 23, 13

Quantitative Analysis Security as a Data Science Probelm

Tuesday, April 23, 13

We can apply some machine learning to the data in an attempt to classify it

Tuesday, April 23, 13

Classifier

???

User Requests Web Server ModSecurity Application Environment GeoIP

Tuesday, April 23, 13

This is where a lot of the value comes from

Tuesday, April 23, 13

And combined with signature detection helps correlate attack events

Tuesday, April 23, 13

But you still need a way to keep track of it all

Tuesday, April 23, 13

Reputational Intelligence

Tuesday, April 23, 13

Who’s naughty and who’s really naughty

Tuesday, April 23, 13

Built up from the tools/ techniques mentioned previously

Tuesday, April 23, 13

Provides local reputation

Tuesday, April 23, 13

You can also purchase external reputation feeds

Tuesday, April 23, 13

The combination gives you solid awareness of bad actors

Tuesday, April 23, 13

Reputational Intelligence External Reputation Classifier

???

User Requests Web Server ModSecurity Application Environment GeoIP

???

Tuesday, April 23, 13

Action

Tuesday, April 23, 13

So now you have a ton

• f new information

Tuesday, April 23, 13

What do you do with it?

Tuesday, April 23, 13

Options

• Block the traffic
• Honeypot the attacker
• Attack back
• Contact the authorities

Tuesday, April 23, 13

Blocking the traffic is straight forward

Tuesday, April 23, 13

Block at the web server level (403)

Tuesday, April 23, 13

Block at the firewall level

Tuesday, April 23, 13

Both have advantages/ disadvantages

Tuesday, April 23, 13

Honeypots are much more interesting

Tuesday, April 23, 13

LB LB LB Engine Fake Real

DB DB

Partial Replication

Tuesday, April 23, 13

When you honeypot, the attacker doesn’t know they’ve been caught

Tuesday, April 23, 13

And it allows you to study their behavior

Tuesday, April 23, 13

And update your approach to preventing attacks

Tuesday, April 23, 13

But all of this requires a way to manage state and act on bad behavior

Tuesday, April 23, 13

Reputational Intelligence External Reputation Classifier

???

User Requests Web Server ModSecurity Application Environment GeoIP

???

State State Where do you act? Here?

Tuesday, April 23, 13

Repsheet

Tuesday, April 23, 13

Reputation Engine

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Recorder

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Managed State Recorder

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Managed State Actor Recorder

Tuesday, April 23, 13

Redis

Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application Environment GeoIP Repsheet

Managed State

Classifier, Feed Integration, Learning Models

Actor Recorder

Tuesday, April 23, 13

Repsheet helps put everything together

Tuesday, April 23, 13

Web server module records activity and looks for offenders in the cache

Tuesday, April 23, 13

It listens to ModSecurity and adds

• ffending IPs to it’s list

Tuesday, April 23, 13

It provides notification and/or blocking of

• ffenders

Tuesday, April 23, 13

Blocking happens at the web server level

Tuesday, April 23, 13

But you can send the Repsheet data to your firewall for TCP level blocking

Tuesday, April 23, 13

Notification sends headers to the downstream application

Tuesday, April 23, 13

Which allows each app to chose how it is going to respond

Tuesday, April 23, 13

For instance, show a captcha on signup if Repsheet alerts

Tuesday, April 23, 13

Back end looks at the recorded data for bad behavior

Tuesday, April 23, 13

And updates the cache when it finds offenders

Tuesday, April 23, 13

You can supply your

• wn learning models

for the data

Tuesday, April 23, 13

Repsheet will soon provide some defaults

Tuesday, April 23, 13

github.com/abedra/ repsheet

Tuesday, April 23, 13

Still in early stage development

Tuesday, April 23, 13

But already in production for a few projects

Tuesday, April 23, 13

Summary

Tuesday, April 23, 13

There are lots of indicators of attack in your traffic

Tuesday, April 23, 13

Build up a system that can capture the data and sort good from bad

Tuesday, April 23, 13

Tools

• ModSecurity
• GeoIP
• Custom rules (velocity triggers,

fingerprinting, device id, etc)

• Custom behavioral classification
• Repsheet

Tuesday, April 23, 13

And Remember…

Tuesday, April 23, 13

Tuesday, April 23, 13

Questions?

Tuesday, April 23, 13