INTRUSION DECEPTION, OR PLAY BLIND MAN'S BUFF WITH US


INTRUSION DECEPTION, OR PLAY BLIND MAN'S BUFF WITH US
Using the example of Junos WebApp Secure
Edmund Asare

INCONVENIENT STATISTICS
70% of all threats are at the Web application layer. (Gartner)
73% of organizations have been hacked in the past two years through insecure Web apps. (Ponemon Institute)

SECURING WEB APPLICATIONS
To protect this weak foundation, organizations are layering security onto their web applications: Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPS). WAFs apply additional security protections at the host to block attacks, primarily based on signatures. All these network and application security technologies are useful in identifying and blocking the low-hanging, known attacks.

CHANGING THE VIEW
By all means, organizations should keep up their layered defenses and continue to tune and improve them. However, we also need to look at web applications through the eyes of our attackers, and then use what we learn about the attackers to deceive them.

HONEYPOT IDEA
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
Goal: know your enemy by learning the tools, tactics and motives of the blackhat community.
- Create non-production networks, devices, systems and services used to delude the attackers (a fake company, etc.).
- Honeypots are very useful in the serendipitous identification of an opportunistic attacker who is randomly scanning the Internet for potential victims.
- Honeypots are also useful for observing the attacker in action and collecting forensics about the attack.
- One of the major pitfalls of a honeypot deployment is that it isn't designed to protect production systems in real time.

FOCUS ON APPLICATION LAYER
Deception can be embedded into the application code using honeytokens (also called honeycode or tar traps). By making the honeytoken variable, security teams deceive attackers into identifying themselves when they probe the code for weaknesses.
[Diagram: the attacker sends GET /index.php to the web server; the web server calls getevents() on the event manager, which answers "HAS EVENTS!"; the web server sets status 500 and returns a 500 error to the attacker.]

INTRUSION DECEPTION
What is it?
- Exploits attacker psychology and attack economics.
- An extension of traditional honeypot techniques.
Why do it?
- Detect advanced hackers before they breach (even some zero-day attacks).
- Waste attackers' time and decrease the ROI of attacks.
- More effective than just blocking known attack vectors.
What do you need?
- A tracking technique (cookies, IP).
- An event management API.
- Detection points.
- Active counter-responses.

INTRUSION DECEPTION: TRACKING TECHNIQUE
Attributing requests to an attacker: HTTP is stateless, so you can't tell whether requests are issued by the same person. Achieve state with a combination of cookies, IP address and User-Agent (be creative, there are less obvious ways ;)). State is still limited: an attacker can change cookies, IP and User-Agents.

INTRUSION DECEPTION: EVENT MANAGEMENT API
Keeps track of detected attacks: who issued an attack (based on tracking) and what the attack was. A simple event management API:
    getevents(<tracking info>) : event[]        Get all events for a given user
    logevent(<tracking info>, <event>) : void   Record a new event for a given user
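The tracking technique and the event management API from the two slides above, put together as an added Python example (not code from the slides or from Junos WebApp Secure). The tracking cookie name trk is an assumption, and the three identity tiers (cookie, IP plus User-Agent, bare IP) are a constructed way of "achieving state with a combination": an attacker who changes one of the three is still matched through the others, and only a client that changes all three falls out of view, which is the limit the slide points out.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the slides): an in-memory event manager that attributes
# requests to a client through several identities at once.


def identities(cookies: Dict[str, str], ip: str, user_agent: str) -> List[str]:
    """Return the identity keys for one request, strongest first.

    'trk' is an assumed name for the persistent tracking cookie.
    """
    ids = []
    if cookies.get("trk"):
        ids.append("cookie:" + cookies["trk"])
    # IP and User-Agent together: survives a cleared cookie.
    ids.append("ipua:" + hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16])
    # Bare IP: the weakest tier, kept separate because NAT and shared proxies
    # make it prone to false positives; a responder may weight it lower.
    ids.append("ip:" + ip)
    return ids


class EventManager:
    """The slide's two-call API: logevent() records, getevents() retrieves."""

    def __init__(self) -> None:
        self._next_id = 0
        # identity key -> list of (event id, event description)
        self._by_identity: Dict[str, List[Tuple[int, str]]] = defaultdict(list)

    def logevent(self, cookies: Dict[str, str], ip: str, user_agent: str, event: str) -> None:
        """Record a new event for the client behind this request, under every identity."""
        self._next_id += 1
        record = (self._next_id, event)
        for ident in identities(cookies, ip, user_agent):
            self._by_identity[ident].append(record)

    def getevents(self, cookies: Dict[str, str], ip: str, user_agent: str) -> List[str]:
        """Get all events for this client, matched through any of its identities."""
        seen: Dict[int, str] = {}
        for ident in identities(cookies, ip, user_agent):
            for event_id, event in self._by_identity[ident]:
                seen[event_id] = event          # de-duplicate by event id
        return [seen[k] for k in sorted(seen)]


if __name__ == "__main__":
    # Constructed sample traffic using documentation-range addresses.
    em = EventManager()
    em.logevent({"trk": "abc"}, "198.51.100.10", "curl/8.0", "Accessed: /admin.php")
    print(em.getevents({"trk": "abc"}, "203.0.113.5", "curl/8.0"))   # same cookie, new IP
    print(em.getevents({}, "198.51.100.10", "curl/8.0"))             # cookie cleared
    print(em.getevents({"trk": "zzz"}, "203.0.113.5", "Mozilla/5.0"))  # all three changed
```

Storing one record under several keys costs a little memory but keeps getevents() a simple union; in a production store you would also expire records and, as the slide suggests, add less obvious identities to the list.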

INTRUSION DECEPTION: DETECTION POINTS
Add a fake attack surface to the website, alongside the legitimate, validated inputs: fake inputs, fake files and fake configuration. The fake code is cleanly blended with the real code, unlike traditional honeypot servers or services. Any activity on the fake attack surface is guaranteed malicious; send the info to the event management API.

INTRUSION DECEPTION: DETECTION POINTS - FAKE INPUTS
Forms (the hidden "filter" field carries a value the real application never uses; it exists only to be tampered with):

    <form method="POST" action="search.php">
      <input type="hidden" name="product" value="435">
      <input type="hidden" name="filter" value="^[a-za-z0-9-_ ]+$">
      <input type="text" name="query">
      <input type="submit" value="Search">
    </form>

URLs (limitperuser is likewise a bait parameter):

    <a href="rateproduct.php?prodid=435&rating=4&limitperuser=1">Rate: 4 Stars</a>

Detection:

    <?php
    // $cookie, $ip and $userAgent hold the tracking values for the current request.
    // Compare against the exact value the page emitted: a browser sends hidden
    // fields back unchanged, so any difference means the client edited them.
    if (($_POST['filter'] ?? '') !== '^[a-za-z0-9-_ ]+$') {
        EventAPI::logEvent($cookie, $ip, $userAgent, 'Manipulated Hidden Input');
    }
    if (($_GET['limitperuser'] ?? '') !== '1') {
        EventAPI::logEvent($cookie, $ip, $userAgent, 'Manipulated Query Parameter');
    }
    // ... rest of your website code ...

INTRUSION DECEPTION: DETECTION POINTS - FAKE FILES
Create /admin.php, /config.php, /login.php. Be creative, you can do this for a lot of files.
Detection:

    <?php
    // Nothing on the real site links here, so any request is worth recording.
    EventAPI::logEvent($cookie, $ip, $userAgent, 'Accessed: ' . $_SERVER['REQUEST_URI']);
    // Return fake content (a login page, or whatever the file is pretending to be).

INTRUSION DECEPTION: DETECTION POINTS - FAKE CONFIGURATION
Fake disallowed directories in robots.txt:

    Sitemap: http://bsideswww.securitybsides.com/sitemap.xml
    User-agent: *
    Disallow: /session/
    Disallow: /settings/
    Disallow: /wikiadmin/
    Disallow: /browse/
    Disallow: /w/browse/
    Disallow: /layout/

Detection (/wikiadmin/index.php):

    <?php
    // Well-behaved crawlers honour the Disallow; a visitor here read robots.txt for targets.
    EventAPI::logEvent($cookie, $ip, $userAgent, 'Disallow Directory Accessed');
    http_response_code(403);
    exit;

INTRUSION DECEPTION: HOW DOES IT WORK? RETURNING 500 ERRORS
[Diagram: the attacker sends GET /index.php to the web server; the web server calls getevents() on the event manager, which answers "HAS EVENTS!"; the web server sets status 500 and returns a 500 error to the attacker.]
Step 3) Stopping detected attackers:
- The attacker issues any request to the server.
- The server checks the event manager for past events.
- The server sees the earlier /admin.php access event.
- The server sets the response code to 500.
- The server returns the 500 error without executing the rest of the script.
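The three kinds of detection point (fake inputs, fake files, fake configuration) and this slide's "return 500 to a known attacker" step, combined into one added Python example; it is not the slides' PHP and not Junos WebApp Secure. The Request type, the in-memory event store, the tracking key and the sample addresses are constructed for the example; the honeytoken values, fake file names and robots.txt directories are the ones the slides show.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Honeytoken values and bait paths as they appear on the slides.
HONEY_FILTER = "^[a-za-z0-9-_ ]+$"      # hidden "filter" field in the search form
HONEY_LIMIT = "1"                       # limitperuser parameter on rateproduct.php
FAKE_FILES = {"/admin.php", "/config.php", "/login.php"}
FAKE_DIRS = ("/session/", "/settings/", "/wikiadmin/", "/browse/", "/w/browse/", "/layout/")


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; not a real framework object."""
    method: str
    path: str
    get: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)
    cookie: str = ""
    ip: str = "198.51.100.10"       # constructed sample address (documentation range)
    user_agent: str = "Mozilla/5.0"


class DeceptionApp:
    """Front controller: consult past events first, then run the detection points."""

    def __init__(self) -> None:
        # tracking key -> events; a simplified stand-in for the event management API
        self.events: Dict[str, List[str]] = {}

    @staticmethod
    def track(req: Request) -> str:
        # Cookie + IP + User-Agent, the combination the tracking slide suggests.
        return f"{req.cookie}|{req.ip}|{req.user_agent}"

    def logevent(self, req: Request, event: str) -> None:
        self.events.setdefault(self.track(req), []).append(event)

    def getevents(self, req: Request) -> List[str]:
        return self.events.get(self.track(req), [])

    @staticmethod
    def detect(req: Request) -> Optional[str]:
        """Name the detection point this request tripped, or None for legitimate traffic."""
        if req.path in FAKE_FILES:
            return "Accessed: " + req.path
        if req.path.startswith(FAKE_DIRS):
            return "Disallow Directory Accessed"
        if req.path == "/search.php" and req.method == "POST" and req.post.get("filter") != HONEY_FILTER:
            return "Manipulated Hidden Input"
        if req.path == "/rateproduct.php" and req.get.get("limitperuser") != HONEY_LIMIT:
            return "Manipulated Query Parameter"
        return None

    def handle(self, req: Request) -> Tuple[int, str]:
        # Step 3 on the slide: a client with any past event gets a 500 before the
        # real script runs, whatever it asked for this time.
        if self.getevents(req):
            return 500, "Internal Server Error"
        hit = self.detect(req)
        if hit is None:
            return 200, f"real page for {req.path}"
        self.logevent(req, hit)
        if hit == "Disallow Directory Accessed":
            return 403, "Forbidden"
        if hit.startswith("Accessed:"):
            return 200, "<form>fake login page</form>"   # plausible content, wastes attacker time
        # A manipulated honeytoken is logged and the normal page is served, so this
        # request reveals nothing; the next one from the same client is cut off.
        return 200, f"real page for {req.path}"


if __name__ == "__main__":
    app = DeceptionApp()
    probe = Request("GET", "/rateproduct.php", get={"prodid": "435", "rating": "4", "limitperuser": "0"},
                    cookie="atk", ip="203.0.113.5")
    print(app.handle(probe))                                              # (200, ...) but logged
    print(app.handle(Request("GET", "/index.php", cookie="atk", ip="203.0.113.5")))  # (500, ...)
```

Legitimate clients never reach the detection branches because their browsers return hidden fields unchanged and never request the bait paths, which is why the slides can call activity on the fake surface "guaranteed malicious"; the one operational caveat is that the tracking key here is exact, so a client that changes cookie, IP or User-Agent starts with a clean slate, as the tracking slide warns.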

INTRUSION DECEPTION: BUILD OR BUY?
Junos WebApp Secure (commercial):
- Reverse proxy that introduces intrusion deception.
- No code changes required; improves with each release.
- Drops in quickly, minimal configuration.
- Highly advanced tracking techniques, detection points and responses.
OWASP AppSensor (open source):
- Specification and design (no code provided): https://owasp.org/index.php/owasp_appsensor_project
Roll your own:
- Invent and integrate your own detection and responses.
- More flexibility, tighter integration.

DETECTION BY DECEPTION
[Diagram: tar traps (query string parameters, hidden input fields, server configuration) placed along the path client -> network perimeter / firewall -> app server -> database.]

TRAFFIC FLOW: CLIENT TO APP SERVER AND BACK
[Diagram only; the slide carries no further text.]

THE ANATOMY OF A WEB ATTACK
Phases, with the time scales listed on the slide in the same order:
- Phase 1 Reconnaissance: days or weeks
- Phase 2 Attack vector establishment: weeks or months
- Phase 3 Implementation: weeks or months
- Phase 4 Automation: months or years
- Phase 5 Maintenance: years
The slide also carries a "Web App Firewall" label on this timeline.

DECEPTION: SO WHAT EXACTLY ARE TAR TRAPS?
And how, exactly, do tar traps catch attackers? Attack scripts usually parse a page and try every iteration they can, thus hitting the embedded traps along with the actual application fields. Traps are specifically crafted to be interesting to a live attacker, which makes them more likely to interact with the trapped code. Any manipulation of a trap is immediately suspicious, because traps are not part of the actual application, nor even visible to normal users.

TAR TRAPS: YOU CAN'T RUN, BUT YOU CAN HIDE
Since HTML is interpreted, and there is more to a web page than is ever displayed to the user, we have an opportunity to hide traps in multiple locations. For example:
- Query parameters: visible, but easily overlooked.
- Hidden form fields: hidden is a feature, not a bug.
- JavaScript: script code itself is not displayed to the users.
- Cookies: cookies aren't displayed to the user.
An attacker could see all of these, which is the point. Normal users won't try to manipulate hidden functions, while an attacker goes out of their way to find them and exploit them.

TRACK ATTACKERS BEYOND THE IP
- Track IP address.
- Track browser attacks: a persistent token with the capacity to persist in all browsers, including across various privacy control features.
- Track software and script attacks: fingerprinting of HTTP communications.

FINGERPRINT OF AN ATTACKER
Timezone, browser version, fonts, browser add-ons, IP address: 200+ attributes are used to create the fingerprint. Fingerprints are available in near real time; false positives are nearly zero.

SMART PROFILE OF ATTACKER
- Attacker local name (on the machine)
- Attacker global name (in Spotlight)
- Attacker threat level
- Incident history

RESPOND AND DECEIVE
Junos WebApp Secure responses: warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out.
Threat types: human hacker, botnet, targeted scan, IP scan, scripts and tools, exploits.
All responses are available for any type of threat; the slide highlights the responses most appropriate for each type of threat.

SECURITY ADMINISTRATION
- Web-based console
- Real-time and on-demand threat information
- SMTP alerting
- Reporting (PDF, HTML)
- CLI for exporting data into a SIEM tool

THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
- Detect: tar traps detect threats without false positives.
- Track: track IPs, browsers, software and scripts.
- Profile: understand the attacker's capabilities and intents.
- Respond: adaptive responses, including block, warn and deceive.

WEB APP SECURITY TECHNOLOGY
Web Application Firewall vs. Web Intrusion Deception System:
- Detection: signatures vs. tar traps
- Tracking: IP address vs. browser, software and scripts
- Profiling: IP address vs. browser, software and scripts
- Responses: block IP vs. block, warn and deceive attacker
PCI Section 6.6

JUNOS SPOTLIGHT SECURE
Junos Spotlight Secure Global Attacker Intelligence Service. Flow shown on the slide: an attacker from San Francisco hits a Junos WebApp Secure protected site in the UK; the attacker fingerprint is uploaded and becomes available to all sites protected by Junos WebApp Secure. "Detect anywhere, stop everywhere."

UNIFIED PROTECTION ACROSS PLATFORMS
Internal, virtualized, cloud.

JUNOS WEBAPP SECURE