1. Repsheet
A Behavior Based Approach to Web Application
Security
Aaron Bedra
Application Security Lead
Braintree Payments
Wednesday, July 10, 13
2. Right now, your web
applications are being
attacked
3. And it will happen
again, and again, and
again
5. Let’s take a look at
typical application
security measures
10. And we go on with our
day
12. It’s time to start asking
more questions
16. • Signature based detection
• Anomaly detection
• Reputational intelligence
• Action
• Repsheet
21. Allows you to block or
alert if traffic matches a
signature
23. A great tool to add to
your stack
27. And has a high
possibility of false
positives
32. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
33. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
34. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
35. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
37. I see a website getting
carded
40. 10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Login Request
41. 10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
Add credit card to account #1
1 sec delay
42. 10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delay
Add credit card to account #2
FF 8 on Windows 7 or Bot?
43. 10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
1 sec delay
Add credit card to account #3
FF 8 on Windows 7 or Bot?
Plovdiv Bulgaria
46. Those were the only
requests that IP address
made
47. Aside from the number
of requests what else
gave it away?
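An added example, not code from the deck or from the Repsheet project: it parses the log lines shown on the slides above and applies the velocity trigger the deck is hinting at (several card-add POSTs from one actor within seconds). It assumes the trailing quoted field is the X-Forwarded-For address set by a proxy, attributes behaviour to that address rather than to the load balancer at 10.20.253.8, and adds one constructed benign request from 203.0.113.7 so the trigger has something to leave alone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four requests from the slides, plus one benign card add
# from a different client (203.0.113.7) so the trigger has something to ignore.
SAMPLE_LOG = """\
10.20.253.8 - - [23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "77.77.165.233"
10.20.253.8 - - [23/Apr/2013:14:25:10 +0000] "POST /users/lone-starr/credit_cards HTTP/1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0" "203.0.113.7"
"""

# Combined log format with one extra trailing field, assumed to be X-Forwarded-For.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')

def parse_log(text):
    """Yield (actor, timestamp, method, path) for every parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the pipeline
        # 10.20.253.8 is the load balancer; the real client sits in X-Forwarded-For.
        actor = m["xff"] if m["xff"] not in ("", "-") else m["ip"]
        yield actor, datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"]

def velocity_trigger(entries, path_pattern, limit, window_s):
    """Actors that POSTed to paths matching path_pattern at least `limit` times within window_s."""
    times = defaultdict(list)
    for actor, ts, method, path in entries:
        if method == "POST" and re.search(path_pattern, path):
            times[actor].append(ts)
    flagged = {}
    for actor, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps)):  # widest window starting at each request
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= limit:
                flagged[actor] = max(flagged.get(actor, 0), j - i + 1)
    return flagged

if __name__ == "__main__":
    print(velocity_trigger(parse_log(SAMPLE_LOG), r"/credit_cards$", 3, 10))
```

Run against the sample it reports only 77.77.165.233 with three card adds inside the window; the single add from 203.0.113.7 is not flagged.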
50. When an actor deviates
significantly, there must
be a reason!
53. But it also helps in the
face of an attack
54. It can help protect you
and your users
60. You realize that King
Roland always logs in
from Druidia
61. But the hacker is
requesting the reset
from Spaceball City
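The Druidia versus Spaceball City check from slides 60 and 61, as an added example that is not part of the deck or of Repsheet: a per-account baseline of where successful logins come from, used to judge a later sensitive request such as a password reset. The class, its thresholds and the forty constructed King Roland logins are assumptions; the location labels would normally come from a GeoIP lookup.

```python
from collections import Counter, defaultdict

class LoginBaseline:
    """Per-account counts of where successful logins came from (GeoIP city or country)."""

    def __init__(self, min_history=10, min_share=0.05):
        self.min_history = min_history   # do not judge accounts we have barely seen
        self.min_share = min_share       # below this share of logins a location is unusual
        self.seen = defaultdict(Counter)

    def record_login(self, account, location):
        # Only successful logins feed the baseline, never the request being judged;
        # otherwise an attacker's own traffic would teach us that it is normal.
        self.seen[account][location] += 1

    def judge(self, account, location):
        """'normal', 'anomalous', or 'unknown' when there is too little history."""
        counts = self.seen.get(account)
        total = sum(counts.values()) if counts else 0
        if total < self.min_history:
            return "unknown"
        return "anomalous" if counts[location] / total < self.min_share else "normal"

def build_demo_baseline():
    """Constructed history: King Roland always logs in from Druidia; Lone Starr is barely known."""
    baseline = LoginBaseline()
    for _ in range(40):
        baseline.record_login("king-roland", "Druidia")
    baseline.record_login("lone-starr", "Druidia")
    return baseline

if __name__ == "__main__":
    b = build_demo_baseline()
    print(b.judge("king-roland", "Spaceball City"), b.judge("king-roland", "Druidia"))
```

A reset request for king-roland from Spaceball City is judged anomalous, while the same request from Druidia is normal; lone-starr returns unknown because ten logins have not yet been seen.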
66. Other Anomalies
• Request Rate
• TCP Fingerprint vs. User Agent
• Account Create/Delete/Subscribe
• Anything you can imagine
69. If so, your detection is
simple
72. But the HTTP method
deviation is harder
77. A high rate of account
create requests is
coming from a single
address
78. Is it a NATted IP or a
fraud/spam bot?
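An added example, not from the deck or from Repsheet, of the NAT-versus-bot question using two signals the deck lists: the TCP-fingerprint OS against the User-Agent's claimed OS, and request timing. Many distinct browsers and OS stacks with irregular timing look like an office NAT; a single UA that contradicts its TCP stack, or requests fired on a fixed cadence, look like a bot. The records, the OS guessed from the TCP fingerprint, the thresholds and the classify function are all constructed assumptions.

```python
from statistics import pstdev

def ua_os(user_agent):
    """Operating system the User-Agent string claims; 'unknown' if we cannot tell."""
    for token, name in (("Windows NT", "Windows"), ("Mac OS X", "Mac OS X"),
                        ("Android", "Android"), ("Linux", "Linux")):
        if token in user_agent:
            return name
    return "unknown"

def classify_source(records, min_requests=5, jitter_floor=0.5):
    """records: (unix time, User-Agent, OS guessed from the TCP fingerprint) from one address."""
    if len(records) < min_requests:
        return "insufficient"   # a handful of requests supports no verdict either way
    uas = {ua for _, ua, _ in records}
    stacks = {os_ for _, _, os_ in records}
    # A UA that claims Windows while the TCP stack looks like Linux is lying about itself.
    mismatch = any(ua_os(ua) not in ("unknown", os_) for _, ua, os_ in records)
    ts = sorted(t for t, _, _ in records)
    # Humans do not click on a timer; near-zero spread between requests is a script.
    metronome = pstdev([b - a for a, b in zip(ts, ts[1:])]) < jitter_floor
    if mismatch or metronome:
        return "likely-bot"
    if len(uas) > 1 and len(stacks) > 1:
        return "likely-nat"     # many browsers and OSes genuinely share the address
    return "unclear"

# Constructed traffic behind one address, for the two cases the slide asks about.
FF_WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
OFFICE_NAT = [(0, FF_WIN, "Windows"), (7, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) Safari/536", "Mac OS X"),
              (9, "Mozilla/5.0 (Linux; Android 4.1) Chrome/18", "Android"), (31, FF_WIN, "Windows"),
              (40, "Mozilla/5.0 (X11; Linux x86_64) Chrome/27", "Linux"), (58, FF_WIN, "Windows")]
SIGNUP_BOT = [(t, FF_WIN, "Linux") for t in range(0, 12, 2)]   # Windows UA, Linux stack, 2 s cadence
```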
84. We can apply some
machine learning to the
data in an attempt to
classify it
86. This is where a lot of
the value comes from
88. But you still need a way
to keep track of it all
91. Built up from the tools/
techniques mentioned
previously
93. You can also purchase
external reputation
feeds
97. So now you have a ton
of new information
99. Options
• Block the traffic
• Honeypot the attacker
• Modify your response
• Attack back
• Contact the authorities
101. Block at the web server
level (403)
107. And it allows you to
study their behavior
109. But all of this requires a
way to manage state
and act on bad behavior
126. But you can send the
Repsheet data to your
firewall for TCP level
blocking
128. Which allows each app
to choose how it is going
to respond
130. Back end looks at the
recorded data for bad
behavior
132. You can supply your
own learning models
for the data
135. There are lots of
indicators of attack in
your traffic
136. Build up a system that
can capture the data
and sort good from bad
137. Tools
• ModSecurity
• GeoIP
• Custom rules (velocity triggers, fingerprinting, device id, etc)
• Custom behavioral classification
• Repsheet