Repsheet. A Behavior Based Approach to Web Application Security. Aaron Bedra Application Security Lead Braintree Payments. tirsdag den 1.

Transcription

1 Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments

2 Right now, your web applications are being attacked

3 And it will happen again, and again, and again

4 But not always in the way you think

5 Let s take a look at typical application security measures

6 User Requests Web Server Application Environment

7

8 roland : 12345

9 roland : 12345

10 And we go on with our day

11 How many of you stop there?

12 It s time to start asking more questions

13 But remember

14 Don t impact user experience!

15 ???

16 Signature based detection Anomaly detection Reputation based intelligence Action Repsheet

17 Signatures

18 ModSecurity

19 Web Application Firewall

20 Rule based detection

21 Allows you to block or alert if traffic matches a signature

22 Improved by the OWASP Core Rule Set

23 A great tool to add to your stack

24 Works with Apache, nginx, and IIS

25 Works well with Apache

26 Like most signature based tools it requires tuning

27 And has a high possibility of false positives

28 Great for helping with 0-day attacks

29 Favor alerting over blocking in most scenarios

30 User Requests Web Server ModSecurity Application Environment

31 Anomalies

32 [23/Apr/2013:14:20: ] "POST /login HTTP/1.1" "-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/8.0" " "

33 [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " "

34 [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " "

35 [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " "

36 What do you see?

37 I see a website getting carded

38 ???

39 Play by play

40 Login Request [23/Apr/2013:14:20: ] "POST /login HTTP/1.1" "-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/8.0" " "

41 Add credit card to account #1 1 sec delay [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " "

42 Add credit card to account #2 1 sec delay [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " " FF 8 on Windows 7 or Bot?

43 Add credit card to account #3 1 sec delay [23/Apr/2013:14:20: ] "POST /users/king-roland/credit_cards HTTP/ 1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ Firefox/ 8.0" " " FF 8 on Windows 7 Plovdiv Bulgaria or Bot?

44 And this continues

45 10,000 more times

46 Those were the only requests that IP address made

47 Aside from the number of requests what else gave it away?

48 GET POST HEAD PUT DELETE 5% 4% 5% 27% 59%

49 HTTP method distribution is important

50 When an actor deviates significantly, there must be a reason!

51 Let s talk GeoIP

52 Adding GeoIP information is generically useful

53 But it also helps in the face of an attack

54 It can help protect you and your users

55 Scenario

56 King Roland gets his GMail account hacked

57 Hacker sends a password reset request to your server

58 Normally, you would the reset

59 Unless...

60 You realize that King Roland always logs in from Druidia

61 But the hacker is requesting the reset from Spaceball City

62 Instead of sending the reset, you now ask some questions

63 And hopefully protect King Roland from further bad actions

64 GeoIP detection also helps you block traffic from unwanted countries

65 User Requests Web Server ModSecurity GeoIP Application Environment

66 Other Anomalies Request rate Header ordering TCP Fingerprint vs. User Agent Account Create/Delete/Subscribe Anything you can imagine

67 What do they have in common?

68 Does the behavior fit an equation?

69 If so, your detection is simple

70 Request rate > Threshold

71 TCP fingerprint!= User Agent

72 But the HTTP method deviation is harder

73 100% GET requests with a known UA (e.g. Google) is ok

74 100% POST requests is not

75 But it s not always that simple

76 Scenario

77 A high rate of account create requests are coming from a single address

78 Is it a NATed IP or a fraud/spam bot?

79 We have patterns and data

80 What s the next step?

81 Quantitative Analysis

82 Quantitative Analysis

83 Security as a Data Science Quantitative Analysis Problem

84 We can apply some machine learning to the data in an attempt to classify it

85 User Requests??? Web Server Classifier ModSecurity GeoIP Application Environment

86 This is where a lot of the value comes from

87 And combined with signature detection helps correlate attack events

88 But you still need a way to keep track of it all

89 Reputation Based Intelligence

90 Who s naughty and who s really naughty

91 Built up from the tools/ techniques mentioned previously

92 Provides local reputation

93 You can also purchase external reputation feeds

94 The combination gives you solid awareness of bad actors

95 User Requests Web Server??? Classifier ModSecurity External Reputation Reputational Intelligence??? GeoIP Application Environment

96 Action

97 So now you have a ton of new information

98 What do you do with it?

99 Options Block the traffic Honeypot the attacker Modify your response Attack back Contact the authorities

100 Blocking the traffic is straight forward

101 Block at the web server level (403)

102 Block at the firewall level

103 Both have advantages/ disadvantages

104 Honeypots are much more interesting

105 LB Engine LB LB Fake Real DB Partial Replication DB

106 When you honeypot, the attacker doesn t know they ve been caught

107 And it allows you to study their behavior

108 And update your approach to preventing attacks

109 But all of this requires a way to manage state and act on bad behavior

110 Where do you act? User Requests State Web Server??? Classifier ModSecurity External Reputation Reputational Intelligence??? GeoIP Here? State Application Environment

111 Repsheet

112 Reputation Engine

113 User Requests Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Application Environment

114 User Requests Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Application Environment

115 User Requests Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Recorder Application Environment

116 User Requests Managed State Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Recorder Application Environment

117 User Requests Managed State Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Recorder Actor Application Environment

118 User Requests Managed State Web Server ModSecurity Redis GeoIP External Reputation Feeds Repsheet Backend Repsheet Out of band processing Recorder Application Environment Actor

119

120

121 Repsheet helps put everything together

122 Web server module records activity and looks for offenders in the cache

123 It listens to ModSecurity and adds offending IPs to its list

124 It provides notification and/or blocking of offenders

125 Blocking happens at the web server level

126 But you can send Repsheet data to your firewall for TCP level blocking

127 Notification sends headers to the downstream application

128 Which allows each app to chose how it is going to respond

129 For instance, show a captcha on signup if Repsheet alerts

130 Back end looks at the recorded data for bad behavior

131 And updates the cache when it finds offenders

132 You can supply your own learning models for the data

133 github.com/repsheet/ repsheet

134 Summary

135 There are lots of indicators of attack in your traffic

136 Build up a system that can capture the data and sort good from bad

137 Tools ModSecurity GeoIP Custom rules (velocity triggers, fingerprinting, device id, etc) Custom behavioral classification Repsheet

138 And Remember

139

140 Questions?