Knock Knock: Understanding Who is Using Your Web Applications. Aaron Bedra, Application Security Lead, Braintree Payments. Tuesday, April 23, 13
Right now, your web applications are being attacked
And it will happen again, and again, and again
But not always in the way you think
Let’s take a look at typical application security measures
User Requests → Web Server → Application Environment
roland : 12345
And we go on with our day
How many of you stop there?
It’s time to start asking more questions
But remember…
Don’t impact user experience!
???
• Signature based detection
• Anomaly detection
• Reputational intelligence
• Action
• Repsheet
Signatures
Mod Security
Web Application Firewall
Rule based detection
Allows you to block or alert if traffic matches a signature
Improved by the OWASP Core Rule Set
A great tool to add to your stack
Works with Apache, nginx, and IIS
Works well with Apache
Like most signature based tools it requires tuning
And has a high possibility of false positives
Great for virtual patching: a rule can block a 0-day exploit pattern while the application fix is written and deployed
Favor alerting over blocking in most scenarios
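An added example (not the talk's configuration and not shipped by the ModSecurity or CRS projects) of the alert-first deployment described above: ModSecurity 2.x on Apache with the OWASP Core Rule Set in DetectionOnly mode, plus one virtual patch for the card-add endpoint that appears later in the talk. File paths, rule ids, the 5-in-60-seconds threshold and the assumption that the load balancer sets X-Forwarded-For are all illustrative choices.

```apache
# Added example, not the talk's or the ModSecurity project's configuration.
# ModSecurity 2.x on Apache with the OWASP Core Rule Set, deployed alert-first.
# Paths, rule ids and the threshold below are assumptions.
<IfModule security2_module>
    # Alert, don't block: rule matches are logged, nothing is denied.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecDataDir /var/cache/modsecurity

    # Audit only transactions that matched a rule or returned 4xx/5xx (except 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # OWASP CRS (2.x layout; adjust to your install).
    Include /etc/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/crs/base_rules/*.conf

    # Virtual patch for the card-add endpoint: more than 5 POSTs to
    # /users/<name>/cc_records from one client in 60 seconds is a carding run.
    # Keyed on X-Forwarded-For because REMOTE_ADDR is the load balancer here
    # (assumption: the LB sets the header and strips any client-supplied value).
    SecAction "id:100001,phase:1,nolog,pass,initcol:ip=%{REQUEST_HEADERS.X-Forwarded-For}"
    SecRule REQUEST_METHOD "@streq POST" "id:100002,phase:2,chain,nolog,pass"
        SecRule REQUEST_URI "@rx ^/users/[^/]+/cc_records$" \
            "setvar:ip.cc_posts=+1,expirevar:ip.cc_posts=60"
    SecRule IP:CC_POSTS "@gt 5" \
        "id:100003,phase:2,deny,status:403,log,msg:'virtual patch: card-add rate exceeded'"

    # While the engine is DetectionOnly the deny above is only logged. After the
    # rule has run clean for a tuning period, enforce blocking for this endpoint
    # alone (CRS rules inherited here block too, so tune them for this path first):
    # <LocationMatch "^/users/[^/]+/cc_records$">
    #     SecRuleEngine On
    # </LocationMatch>
</IfModule>
```

The audit log is what makes the tuning period useful: every hit during DetectionOnly becomes a row you can review for false positives before any rule is allowed to deny, which is the talk's point about alerting first.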
User Requests → Web Server [ModSecurity] → Application Environment
Anomalies
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
What do you see?
I see a website getting carded
???
Play by play
Login request:
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delay. Add credit card to account #1:
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delay. Add credit card to account #2:
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Firefox 8 on Windows 7, or a bot?
1 sec delay. Add credit card to account #3:
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Firefox 8 on Windows 7, or a bot? GeoIP for 77.77.165.233: Plovdiv, Bulgaria
And this continues…
10,000 more times
Those were the only requests that IP address made
Aside from the number of requests what else gave it away?
[Pie chart: site-wide HTTP method distribution. Legend: GET, POST, HEAD, PUT, DELETE. Slice values: 59%, 27%, 5%, 5%, 4%, with GET and POST the two dominant methods.]
HTTP method distribution is important
When an actor deviates significantly, there must be a reason!
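An added example (not code from the talk or from Braintree) of the anomaly spotting walked through above, done over log lines rather than by eye: it parses the combined-format lines with the X-Forwarded-For client appended, builds a per-client profile (method mix, inter-request timing, distinct paths and User-Agents) and flags clients that are almost all POST or arrive at a fixed cadence. The sample log is constructed: the talk's four requests from 77.77.165.233 plus an ordinary visitor from 203.0.113.7; the thresholds are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format with the real client address appended as a final quoted
# field (X-Forwarded-For set by the load balancer). The first address on each
# line is the load balancer itself, so clients are keyed on the last field.
LOG_RE = re.compile(
    r'^(?P<lb>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<client>[^"]*)"$'
)

UA_FF8 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
UA_CHROME = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 "
             "(KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31")

# Constructed sample: the talk's four requests from 77.77.165.233 plus an
# ordinary visitor (203.0.113.7, a documentation address) browsing and logging in.
SAMPLE_LOG = [
    f'10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "{UA_FF8}" "77.77.165.233"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "{UA_FF8}" "77.77.165.233"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2083 "-" "{UA_FF8}" "77.77.165.233"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/cc_records HTTP/1.1" 302 2085 "-" "{UA_FF8}" "77.77.165.233"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA_CHROME}" "203.0.113.7"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:19 +0000] "GET /products HTTP/1.1" 200 8740 "http://shop.example/" "{UA_CHROME}" "203.0.113.7"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:47 +0000] "POST /login HTTP/1.1" 302 0 "http://shop.example/products" "{UA_CHROME}" "203.0.113.7"',
    f'10.20.253.8 - - [23/Apr/2013:14:20:50 +0000] "GET /account HTTP/1.1" 200 3301 "http://shop.example/login" "{UA_CHROME}" "203.0.113.7"',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(lines):
    """Group requests by client address and summarise each client's behaviour."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    profiles = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        methods = Counter(r["method"] for r in recs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        profiles[client] = {
            "requests": len(recs),
            "post_ratio": methods["POST"] / len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "distinct_uas": len({r["ua"] for r in recs}),
            "gap_mean": statistics.mean(gaps) if gaps else None,
            "gap_stdev": statistics.pstdev(gaps) if gaps else None,
        }
    return profiles


def flag_anomalies(profiles, min_requests=3, post_ratio=0.9,
                   max_gap_mean=2.0, max_gap_stdev=0.5):
    """Flag clients that are nearly all POST or that fire at a metronomic cadence.

    Thresholds are assumptions; tune them against your own traffic.
    """
    flagged = {}
    for client, p in profiles.items():
        if p["requests"] < min_requests:
            continue
        reasons = []
        if p["post_ratio"] >= post_ratio:
            reasons.append("post_ratio=%.2f" % p["post_ratio"])
        if (p["gap_stdev"] is not None and p["gap_stdev"] <= max_gap_stdev
                and p["gap_mean"] <= max_gap_mean):
            reasons.append("metronomic cadence (mean %.1fs, stdev %.2fs)"
                           % (p["gap_mean"], p["gap_stdev"]))
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_anomalies(profile_clients(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

On the sample, 77.77.165.233 is the only client flagged (100% POST, one request per second with zero variance) while the visitor's mix of GETs with a single POST and irregular gaps passes. Keying on the forwarded address rather than the first field matters: every line carries the load balancer's 10.20.253.8, so profiling by REMOTE_ADDR would merge all clients into one.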
Let’s talk GeoIP
Adding GeoIP information is generally useful
But it also helps in the face of an attack
It can help protect you and your users
Scenario
King Roland gets his GMail account hacked
Hacker sends a password reset request to your server
Normally, you would email the reset
Unless...
You realize that King Roland always logs in from Druidia
But the hacker is requesting the reset from Spaceball City
Instead of sending the reset, you now ask some questions
And hopefully protect King Roland from further bad actions
GeoIP detection also helps you block traffic from unwanted countries
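An added example (not the talk's code) of the two GeoIP uses just described: the password-reset decision that compares the requester's location with where the user normally logs in from, and the blunt country block at the edge. The GeoIP table, the user's login history and the "unwanted" label are constructed; the network prefixes are documentation ranges and the place names are the talk's fictional ones. A real deployment would replace `country_for` with a lookup in a GeoIP database.

```python
from ipaddress import ip_address, ip_network

# Constructed GeoIP table: documentation prefixes mapped to the talk's fictional
# places, plus one label ("Unwanted") standing in for a country you never serve.
GEOIP_TABLE = [
    (ip_network("198.51.100.0/24"), "Druidia"),
    (ip_network("203.0.113.0/24"), "Spaceball City"),
    (ip_network("192.0.2.0/24"), "Unwanted"),
]
# Assumption: places whose traffic you refuse outright.
BLOCKED_COUNTRIES = {"Unwanted"}

# Constructed login history: user -> country of each successful login.
LOGIN_HISTORY = {"king-roland": ["Druidia", "Druidia", "Druidia", "Druidia"]}


def country_for(ip):
    """Resolve an address to a country label, or None when it is unknown."""
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return None


def usual_countries(user, history=LOGIN_HISTORY, min_share=0.2):
    """Countries that account for at least min_share of the user's logins.

    The share threshold keeps a single travel login from widening the
    user's "normal" set permanently (assumed value).
    """
    seen = history.get(user, [])
    if not seen:
        return set()
    return {c for c in set(seen) if seen.count(c) / len(seen) >= min_share}


def reset_decision(user, requester_ip, history=LOGIN_HISTORY):
    """Decide what to do with a password-reset request.

    'send'      email the reset as usual
    'challenge' ask questions the mailbox alone cannot answer before sending
    'deny'      refuse, the request comes from a blocked country
    """
    country = country_for(requester_ip)
    if country in BLOCKED_COUNTRIES:
        return "deny"
    if country is not None and country in usual_countries(user, history):
        return "send"
    # Unknown geography, a user with no history, or a place this user never
    # logs in from: the email account may be the thing that was compromised.
    return "challenge"


def request_allowed(ip):
    """Edge check: drop traffic from countries you never do business with."""
    return country_for(ip) not in BLOCKED_COUNTRIES
```

With this data King Roland's reset is mailed when requested from Druidia, challenged when the request comes from Spaceball City or from an address the table does not know, and refused from the blocked range. The challenge path is the one that protects a user whose mailbox has been taken over: a reset link sent to that mailbox would hand the attacker the account.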
User Requests → Web Server [ModSecurity, GeoIP] → Application Environment
Other Anomalies
• Request Rate
• TCP Fingerprint vs. User Agent
• Account Create/Delete/Subscribe
• Anything you can imagine
What do they have in common?
Does the behavior fit an equation?
If so, your detection is simple
Request rate > Threshold
TCP fingerprint != User Agent
But the HTTP method deviation is harder
100% GET requests from a known crawler UA (e.g. Googlebot) is ok
100% POST requests is not
But it’s not always that simple
Scenario
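An added example (not the talk's code) that turns the three equations above into checks over a per-client summary: the rate threshold, the fingerprint-versus-User-Agent comparison, and a method-deviation rule that generalises the two cases on the slides (100% GET is fine for a verified crawler, 100% POST never is) by measuring how far a client's POST share sits from the site-wide share. The summary fields, the crawler allowlist, the 0.27 site-wide POST share and the thresholds are assumptions; the OS family from the TCP side would come from a passive fingerprinter such as p0f.

```python
import re

# OS family a User-Agent string claims. Order matters: Android UAs also say
# "Linux", and iOS UAs say "like Mac OS X".
UA_OS_HINTS = [
    (re.compile(r"Windows"), "windows"),
    (re.compile(r"iPhone|iPad|iPod"), "ios"),
    (re.compile(r"Mac OS X|Macintosh"), "macos"),
    (re.compile(r"Android|Linux|X11"), "linux"),
]
# Assumption: crawlers you have verified out of band (e.g. by reverse DNS);
# the User-Agent string alone proves nothing, anyone can send "Googlebot".
KNOWN_CRAWLERS = ("Googlebot", "bingbot")


def claimed_os(user_agent):
    """OS family the User-Agent claims, or 'unknown' for tools and crawlers."""
    for pattern, family in UA_OS_HINTS:
        if pattern.search(user_agent):
            return family
    return "unknown"


def is_known_crawler(user_agent):
    return any(name in user_agent for name in KNOWN_CRAWLERS)


def evaluate(summary, rate_threshold=10.0, baseline_post_ratio=0.27,
             max_deviation=0.25):
    """Apply the equation-style rules to one client's summary.

    summary keys: rate (requests/second), post_ratio (share of POST),
    ua (User-Agent string), tcp_os (OS family from the TCP fingerprint, or None).
    Returns the list of rules that fired; an empty list means nothing odd.
    """
    fired = []

    # Request rate > Threshold
    if summary["rate"] > rate_threshold:
        fired.append("request_rate > threshold (%.1f/s)" % summary["rate"])

    # TCP fingerprint != User Agent: only comparable when the UA names an OS.
    tcp_os = summary.get("tcp_os")
    claimed = claimed_os(summary["ua"])
    if tcp_os and claimed != "unknown" and claimed != tcp_os:
        fired.append("tcp_fingerprint != user_agent (%s vs %s)" % (tcp_os, claimed))

    # HTTP method deviation: distance from the site-wide POST share, with an
    # exception for crawlers we know (they legitimately send 100% GET).
    deviation = abs(summary["post_ratio"] - baseline_post_ratio)
    if deviation > max_deviation and not is_known_crawler(summary["ua"]):
        fired.append("method deviation (post_ratio %.2f vs baseline %.2f)"
                     % (summary["post_ratio"], baseline_post_ratio))
    return fired
```

The carding client from the log walkthrough fires two rules here even though its request rate is a modest one per second: its Firefox-on-Windows User-Agent disagrees with a Linux TCP fingerprint, and 100% POST is far from the site-wide share. A verified Googlebot sending only GETs fires nothing, while an unknown tool doing the same is flagged for review.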
A high rate of account create requests is coming from a single address
Is it a NATted IP or a fraud/spam bot?
We have patterns and data…
What’s the next step?
Quantitative Analysis
Security as a Data Science Problem
We can apply some machine learning to the data in an attempt to classify it
User Requests → Web Server [ModSecurity, GeoIP, ??? Classifier] → Application Environment
This is where a lot of the value comes from
And combined with signature detection helps correlate attack events
But you still need a way to keep track of it all
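An added example (not the talk's or Braintree's code) of the classification step for the account-creation scenario: a logistic-regression classifier, written with the standard library only, trained on a constructed and hand-labelled set of per-address feature vectors, that separates a NAT gateway from a bot even though both show a high request rate. The feature definitions, their scaling, the training set and the decision threshold are all assumptions; in production the vectors would be computed from the same per-client profiles used for the anomaly checks.

```python
import math

# Feature vector per source address over a time window, each roughly in 0..1:
#   rate        requests/second relative to a site cap (assumption: 10 req/s = 1.0)
#   post_ratio  share of POST requests
#   ua_spread   distinct User-Agent strings / requests (a NAT shows many browsers)
#   gap_cv      coefficient of variation of inter-request gaps (0 = metronomic)
FEATURES = ("rate", "post_ratio", "ua_spread", "gap_cv")

# Constructed, hand-labelled training set: 1 = bot, 0 = NAT gateway.
# Rate alone does not separate the two groups; the other features do.
TRAINING = [
    ((1.00, 1.00, 0.02, 0.00), 1),
    ((0.90, 0.95, 0.05, 0.10), 1),
    ((1.00, 0.98, 0.01, 0.05), 1),
    ((0.80, 1.00, 0.03, 0.02), 1),
    ((0.70, 0.90, 0.04, 0.08), 1),
    ((0.90, 0.30, 0.60, 1.20), 0),
    ((0.70, 0.25, 0.50, 0.90), 0),
    ((1.00, 0.35, 0.70, 1.10), 0),
    ((0.60, 0.20, 0.55, 1.00), 0),
    ((0.80, 0.40, 0.45, 0.80), 0),
]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # guard exp() against overflow
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, epochs=3000, lr=0.5):
    """Batch gradient descent for logistic regression; returns (weights, bias)."""
    n_feat = len(samples[0][0])
    w = [0.0] * n_feat
    b = 0.0
    for _ in range(epochs):
        grad_w = [0.0] * n_feat
        grad_b = 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n_feat):
                grad_w[i] += err * x[i]
            grad_b += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / len(samples)
    return w, b


def bot_probability(model, x):
    """P(bot) for one feature vector under a trained model."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def classify(model, x, threshold=0.5):
    """'bot' or 'nat'. The threshold is where you trade false positives for misses."""
    return "bot" if bot_probability(model, x) >= threshold else "nat"


def training_accuracy(model, samples=TRAINING):
    correct = sum(classify(model, x) == ("bot" if y else "nat") for x, y in samples)
    return correct / len(samples)


# Trained at import time; the data set is tiny so this is instantaneous.
MODEL = train(TRAINING)

if __name__ == "__main__":
    # Two fresh addresses, both creating accounts at the same high rate.
    burst_bot = (0.95, 1.00, 0.02, 0.00)
    burst_nat = (0.95, 0.30, 0.60, 1.00)
    for name, x in (("uniform burst", burst_bot), ("mixed burst", burst_nat)):
        print(name, "->", classify(MODEL, x), "p(bot)=%.3f" % bot_probability(MODEL, x))
```

The two bursts in the usage block have the same request rate; what separates them is that the NAT carries many different browsers with irregular timing while the bot is one User-Agent firing on a clock. Because the model outputs a probability, the operator can set the threshold by cost: a lower threshold for "send to a honeypot or add a captcha", a higher one for "block outright". Keep in mind that the training labels are the expensive part, and a model trained on one site's traffic does not transfer to another.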
Reputational Intelligence
Who’s naughty and who’s really naughty
Built up from the tools/techniques mentioned previously
Provides local reputation
You can also purchase external reputation feeds
The combination gives you solid awareness of bad actors
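An added example (not the talk's code and not Repsheet) of a local reputation store of the kind just described: each detector records a signal against an address, signals carry weights and expire, an external feed adds its own weight, and the resulting score maps to allow, alert or block. The weights, thresholds, TTL and the one-entry external feed are constructed for illustration; the expiry matters because addresses are reassigned and NAT gateways carry innocent users behind the same IP.

```python
from collections import defaultdict

# Weights are assumptions: how much each detector's verdict counts.
SIGNAL_WEIGHTS = {
    "modsecurity_alert": 2,   # a CRS rule matched (alerting, not blocking)
    "geoip_anomaly": 3,       # request from a place this user never uses
    "method_deviation": 3,    # e.g. 100% POST at a fixed cadence
    "classifier_bot": 5,      # quantitative model says bot, not NAT
}
EXTERNAL_FEED_WEIGHT = 5
# Constructed external feed; in practice a purchased or community reputation list.
EXTERNAL_FEED = {"77.77.165.233": "listed as carding proxy"}


class Reputation:
    """Local reputation per address with a time-decayed score and a verdict."""

    def __init__(self, alert_at=3, block_at=8, ttl=3600, external=EXTERNAL_FEED):
        self.alert_at = alert_at
        self.block_at = block_at
        self.ttl = ttl                     # seconds a signal stays live
        self.external = external
        self.events = defaultdict(list)    # ip -> [(timestamp, signal)]

    def record(self, ip, signal, ts):
        """A detector reports one signal for ip at unix time ts."""
        if signal not in SIGNAL_WEIGHTS:
            raise ValueError("unknown signal: %s" % signal)
        self.events[ip].append((ts, signal))

    def _live(self, ip, now):
        return [s for t, s in self.events.get(ip, []) if now - t <= self.ttl]

    def reasons(self, ip, now):
        """Signals still inside the TTL window plus any external listing,
        so an operator can see why an address got its verdict."""
        live = self._live(ip, now)
        if ip in self.external:
            live.append("external: " + self.external[ip])
        return live

    def score(self, ip, now):
        total = sum(SIGNAL_WEIGHTS[s] for s in self._live(ip, now))
        if ip in self.external:
            total += EXTERNAL_FEED_WEIGHT
        return total

    def verdict(self, ip, now):
        """'allow', 'alert' or 'block' for the request in front of you."""
        s = self.score(ip, now)
        if s >= self.block_at:
            return "block"
        if s >= self.alert_at:
            return "alert"
        return "allow"


if __name__ == "__main__":
    rep = Reputation()
    rep.record("77.77.165.233", "method_deviation", ts=1366726822)
    now = 1366726824
    print(rep.verdict("77.77.165.233", now), rep.reasons("77.77.165.233", now))
```

An external listing alone only reaches the alert tier here: feeds are noisy and age badly, so a listing should raise suspicion and lower the bar for local signals rather than block by itself. Once a local detector agrees, as in the usage block, the address crosses the block threshold, and the `reasons` view is what an on-call engineer uses to decide whether that was right.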
User Requests → Web Server [ModSecurity, GeoIP, ??? Classifier, ??? Reputational Intelligence, External Reputation] → Application Environment
Action
So now you have a ton of new information
What do you do with it?
Options
• Block the traffic
• Honeypot the attacker
• Attack back (hacking back is illegal in most jurisdictions, and the address is often a NAT gateway or a compromised third party)
• Contact the authorities
Blocking the traffic is straightforward
Recommend
More recommend