INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI

Transcription

1 INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI Na przykładzie Junos WebApp Secure Edmund Asare

2 INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two years through insecure Web apps. Ponemon Institute 2

3 SECURING WEB APPLICATIONS To protect this weak foundation, organizations are layering security onto their web applications. Web Application Firewalls (WAFs) Intrusion Protection System (IPS) WAFs apply additional security protections at the host to block attacks, primarily based on signatures. All these network and application security technologies are useful in identifying and blocking the low-hanging, known attacks. 3

4 CHANGING THE VIEW By all means, organizations should keep up their layered defenses and continue to tune and improve them. However, we also need to look at web applications from the eyes of our attackers and then use what we learn about the attackers to deceive them 4

5 HONEYPOT IDEA "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource", Lance Spitzner Goal : Know Your Enemy by learning the tools, tactics and motives of the blackhat community. Create non production networks, devices, systems, services used to delude the attackers (fake company, etc) Honeypots are very useful in the serendipitous identification of an opportunistic attacker who is randomly scanning the Internet for potential victims. Honeypots are also useful for observing the attacker in action and collecting forensics about the attack. One of the major pitfalls of a honeypot deployment is it isn t designed to protect production systems in real time 5

6 FOCUS ON APPLICATION LAYER Deception can be embedded into the application code using honeytoken (aka honeycode, aka tartraps) By making the honeytoken variable, security teams deceive attackers into identifying themselves when they probe the code for weaknesses. GET /index.php Return 500 Error getevents() HAS EVENTS! Set Status: 500 Attacker Web Server Event Manager 6

7 INTRUSION DECEPTION What is it? Exploit attacker psychology and attack economics Extensions of traditional honey pot techniques Why do it? Detect advanced hackers before they breach (even some zero-day attacks) Waste attackers time Decrease ROI of attacks More effective then just blocking known attack vectors What do you need? Tracking technique (Cookies, IP) Event management API Detection points Active counter responses 7

8 INTRUSION DECEPTION TRACKING TECHNIQUE Attributing requests to an attacker HTTP protocol is stateless You can t tell if requests are issued by the same person Achieve state with a combination of Cookies IP Address User-Agent Be creative, there are less obvious ways ;) State is still limited Attacker can change cookies, IP and user-agents 8

9 INTRUSION DECEPTION EVENT MANAGEMENT API Keeps track of detected attacks Who issued an attack (based on tracking) What was the attack Simple Event Management API getevents(<tracking info>) :event[] Get all events for a given user logevent(<tracking info>, <event>) :void Record a new event for a given user 9

10 INTRUSION DECEPTION DETECTION POINTS Add a fake attack surface to the website Fake inputs Legitimate Validated Inputs Fake files Fake configuration Fake code is cleanly blended with real code Unlike traditional honeypot servers or services Activity on fake attack surface Guaranteed malicious Send info to event management API 10

11 INTRUSION DECEPTION DETECTION POINTS: FAKE INPUTS Forms <form method= POST action= search.php > <input type= hidden name= product value= 435 > <input type= hidden name= filter value= ^[a-za-z0-9-_ ]+$ > <input type= text name= query > <input type= submit value= Search > </form> URLs <a href= rateproduct.php?prodid=435&rating=4&limitperuser=1 >Rate: 4 Stars</a> Detection <?php if ($_POST[ filter ]!= ^[a-za-z0-9-_ ]+$ ) EventAPI.logEvent(cookie, ip, user-agent, Manipulated Hidden Input ); if ($_GET[ limitperuser ]!= 1 ) EventAPI.logEvent(cookie, ip, ua, Manipulated Query Parameter ); REST OF YOUR WEBSITE CODE. 11

12 INTRUSION DECEPTION DETECTION POINTS: FAKE FILES Create /admin.php Create /config.php Create /login.php Be creative, you can do this for a lot of files Detection <?php EventAPI.logEvent(cookie, ip, user-agent, Accessed:. $SERVER[ REQUEST_URI ]); RETURN FAKE CONTENT (Login page, or whatever your pretending to be). 12

13 INTRUSION DECEPTION DETECTION POINTS: FAKE CONFIGURATION Fake disallow directory in robots.txt Sitemap: User-agent: * Disallow: /session/ Disallow: /settings/ Disallow: /wikiadmin/ Disallow: /browse/ Disallow: /w/browse/ Disallow: /layout/ Detection (/wikiadmin/index.php) <?php EventAPI.logEvent(cookie, ip, user-agent, Disallow Directory Accessed ); RETURN 403 ERROR. 13

14 INTRUSION DECEPTION HOW DOES IT WORK? RETURNING 500 ERRORS GET /index.php Return 500 Error getevents() HAS EVENTS! Set Status: 500 Attacker Web Server Event Manager Step 3) Stopping Detected Attackers: Attacker issues any request to server Server checks event manger for past events Server sees previous /admin.php a event Server sets response code to 500 Server returns 500 error without executing the rest of the script 14

15 INTRUSION DECEPTION BUILD OR BUY? Junos WebApp Secure (Commercial) Reverse Proxy that introduces Intrusion Deception No code changes required, improves with each release Drops in quickly, minimal configuration Highly advanced tracking techniques, detection points, and responses OWASP App Sensor (Open Source) Specification and design (No Code Provided) Roll your own Invent and integrate your own detection and responses More flexibility, tighter integration 15

16 DETECTION BY DECEPTION Tar Traps Query String Parameters Network Perimeter Hidden Input Fields Client Firewall App Server Database Server Configuration 16

17 TRAFFIC FLOW: CLIENT TO APP SERVER AND BACK 17

18 THE ANATOMY OF A WEB ATTACK Phase 1 Reconnaissance Phase 2 Attack Vector Establishment Phase 3 Implementation Phase 4 Automation Days or weeks Weeks or months Weeks or months Months or years Years Phase 5 Maintenance Web App Firewall 18

19 DECEPTION: SO WHAT EXACTLY ARE TAR TRAPS? And how, exactly, do Tar Traps catch attackers? Attack scripts usually parse a page and try every iteration they can, thus hitting the embedded traps along with the actual application fields. Traps are specifically crafted to be interesting to a live attacker, which makes them more likely to interact with the trapped code. Any manipulation of a trap is immediately suspicious, because they re not part of the actual application or even visible to normal users. 19

20 TAR TRAPS: YOU CAN T RUN, BUT YOU CAN HIDE. Since HTML is interpreted, and there is more to a web page than is ever displayed to the user, we have an opportunity to hide traps in multiple locations. For example: Query Parameters visible, but easily overlooked Hidden Form Fields hidden is a feature, not a bug JavaScript Script code itself is not displayed to the users Cookies Cookies aren t displayed to the user An attacker could see all of these, which is the point. Normal users won t try and manipulate hidden functions, while an attacker goes out of their way to find them and exploit them. 20

21 TRACK ATTACKERS BEYOND THE IP Track IP Address Track Browser Attacks Persistent Token Capacity to persist in all browsers including various privacy control features. Track Software and Script Attacks Fingerprinting HTTP communications. 21

22 FINGERPRINT OF AN ATTACKER Timezone Browser version Fonts Browser add-ons 200+ attributes used to create the fingerprint. ~ Real Time availability of fingerprints IP Address False Positives nearly zero 22

23 SMART PROFILE OF ATTACKER Attacker local name (on machine) Attacker global name (in Spotlight) Attacker threat level Incident history 23

24 RESPOND AND DECEIVE Junos WebApp Secure Responses Human Hacker Botnet Targeted Scan IP Scan Scripts &Tools Exploits Warn attacker Block user Force CAPTCHA Slow connection Simulate broken application Force log-out All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat. 24

25 SECURITY ADMINISTRATION Web-based console Real-time On-demand threat information SMTP alerting Reporting (Pdf, HTML) CLI for exporting data into SIEM tool 25

26 THE JUNOS WEBAPP SECURE ADVANTAGE DECEPTION-BASED SECURITY Detect Track Profile Respond Tar Traps detect threats without false positives. Track IPs, browsers, software and scripts. Understand attacker s capabilities and intents. Adaptive responses, including block, warn and deceive. 26

27 WEB APP SECURITY TECHNOLOGY Web Application Firewall Web Intrusion Deception System Detection Signatures Tar Traps Tracking IP address Browser, software and scripts Profiling IP address Browser, software and scripts Responses Block IP Block, warn and deceive attacker PCI Section

28 JUNOS SPOTLIGHT SECURE Junos Spotlight Secure Global Attacker Intelligence Service Attacker from San Francisco Junos WebApp Secure protected site in UK Attacker fingerprint uploaded Attacker fingerprint available for all sites protected by Junos WebApp Secure Detect Anywhere, Stop Everywhere 28

29 UNIFIED PROTECTION ACROSS PLATFORMS Internal Virtualized Cloud 29

30 JUNOS WEBAPP SECURE 30

31