A Blueprint for Web Attack Survival
DESCRIPTION
Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants who have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. This presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals, (2) explain the processes and technologies you can use to safeguard your website, and (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.
TRANSCRIPT
© 2013 Imperva, Inc. All rights reserved.
Blueprint for Web Attack Survival
Kasey Cross, Sr. Manager, Web Security, Imperva
Nick Silver, Sr. Solutions Architect, WhiteHat Security
Agenda
§ Application Threatscape
§ Solutions to Mitigate Web Attacks
Presenters
§ Kasey Cross
• Senior Product Marketing Manager at Imperva
• Frequent speaker at industry events
• Managed SecureSphere WAF product line for 8 years
§ Nick Silver
• Sr. Solutions Architect at WhiteHat Security
Application Threatscape
Web Application Vulnerabilities and Threats
Industry Averages for 2012
The average number of days in a year a website is exposed to at least one serious* vulnerability
Industrialization of Hacking and Automation
Diagram: the industrialized hacking value chain
§ Stages: Researching Vulnerabilities, Developing Exploits, Growing Botnets, Exploiting Targets, Consuming
§ Consuming: Direct Value (PII, CCN), Command & Control, Malware Distribution, Phishing & spam, DDoS
§ Growing Botnets and Exploiting Vulnerabilities: Selecting Targets via Search Engines, Templates & Kits, Centralized Management
§ Characteristics: Roles, Optimization, Automation
Hacktivism Attack Targets and Methods
Timeline, 2010 to now (2011, 2012, 2013):
§ Titanic Takeover Tuesday
§ Operation Payback
§ HTTP Flood “Abibil Assassin” (Vertigo & KamiNa variants) and attack on the login page from 54 countries
Distributed Denial of Service Threats
§ 74% of organizations received a DDoS attack in past year¹
§ Many DDoS attacks are launched by botnets, because of scale
• Toolkits automate DDoS attacks
• Botnets for rent from $50 - $2K
§ DDoS attacks are moving up the stack
• Less expensive; requires few attackers
• Bypasses network security measures
Image: DDoS Attack Tool
¹ ”The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research
Commercialized DDoS
§ Customer satisfaction guarantee!
Step-by-Step Instructions to Survive a Web Attack
1. Understand the Threat Actor
§ Identify the attack source
• Research their attack techniques and tools
§ Hacktivism
• Monitor social media, Twitter, Facebook, and YouTube
• Identify DDoS attack tools and “booster packs”
§ Cybercrime
• Talk to peers in your industry about attack sources and tools
• Read hacker intelligence reports and security research
2. Develop a Security Response Plan
§ Organize an incident response team
• IT security personnel, networking, and application development teams
• Assign 24x7 coverage
§ Create a Red Team
• Security engineers that will look for vulnerabilities
• Evaluate all potential risks, including application, network, end-user, social engineering, and even physical threats
Little Black Book of Contacts
Gather the names, phone numbers, and email addresses of:
Internal
§ IT security managers
§ IT operations managers
§ Networking operators
§ Application developers
§ Database administrators
§ Legal
§ Executive management
External
§ DNS and Internet Service Providers
§ DDoS Protection Services
§ Relevant security consultants
Document Network and Server Information
§ Gather IP address and network info for:
• Web servers
• Databases
• DNS servers
• Network firewalls
• Web application firewalls
• Database firewalls
• Routers and switches
• Disaster recovery networks
§ Develop network architecture diagrams
Security Tip: Keep network information and contact lists secure
Notify Management & Set Up a War Room
§ Inform Executive Management of the threat
§ Consider warning employees
• Notify users of potential downtime (for DDoS)
• Educate employees about phishing
• Prepare IT for social engineering threats
§ Establish a War Room
• “Ground zero” for planning and communications
3. Locate and Assess Servers and Apps
§ Scan your network to identify all assets (cloud and local)
• Classify assets by information and brand sensitivity to identify high-risk landscapes
• Prioritize efforts based on risk levels
§ Secure database access
• Scan DBs for vulnerabilities or configuration flaws
• Remove any default or unnecessary user accounts
• Disable unneeded services
Perform Vulnerability Assessments
§ Perform vulnerability assessments
• Scan both Network and Application Layers
• Scan all known Web Assets
• Scan Concurrently and Continuously
• Analyze application functionality for DDoS attack potential and Business Logic based exploits
• Implement assessment practice across the entire SDLC
SDLC phases: Design, Development, QA, Production
4. Application, Network & End-Point Controls
§ Anti Virus: Install anti-virus and anti-malware software on servers. Make sure definition files are up to date.
§ Network Security: Block all unnecessary ports with the firewall. Configure the IPS to block high and critical violations.
§ Database Security: Configure your database firewall to block unauthorized SQL queries, limit access, and virtually patch vulnerabilities.
Ratchet Up Web App Firewall Protection
§ Review and tune the web application profile
• Review acceptable characters & parameter value lengths
• Compare the profile to vulnerability scan results
§ Tighten profile policies to block based on profile violations
Image: web application profile elements (Directories, URLs)
Block Web Attacks and Attack Sources
WAF Policies to Stop App DDoS Attacks
§ Create policies that block:
• High rates of requests in a short period of time by IP address, by user, and by session
• Known malicious IP addresses, anonymous proxies, and Tor networks
• Users that request many files with extensions like “.pdf”, “.mp3” or “.mp4” in a short period of time
• Users that download large amounts of data
• Users that initiate multiple requests that cause extremely slow web server responses
DDoS Preparation Tip: Make sure you can manage your security products from an out-of-band network
Stopping Network DDoS Threats
While app DDoS attacks target Web servers & databases, network DDoS attacks target your Internet connection.
To prevent network DDoS attacks, look at DDoS mitigation services that stop attacks before they reach your network.
Diagram: Web Servers and Databases
5. Security Procedures When Under Attack
§ Continuously monitor alerts from security and network devices and from performance monitoring tools
§ If attacks are coming from a specific geographic area, create policies to block requests from that area
§ If you can detect which URLs bots are targeting, create bot mitigation rules that block bots from accessing those URLs
§ Monitor social media, hacker forums, IRC chat rooms, and sites that list website defacements
Stop DDoS Attacks that Target Databases
§ Attackers often target search, login & registration pages
§ Create custom policies to block the attacks
• Block an excessive number of failed logins
• Block multiple successful logins from the same user
Chart: Number of Occurrences of Failed Login
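The rate-based WAF policies from step 4 (requests per IP in a short period, bursts of “.pdf”/“.mp3”/“.mp4” requests) and the login policies above (excessive failed logins, multiple successful logins for the same user) can be expressed as sliding-window detection logic over an access log. The Python below is an added example, not code from the presentation or from any Imperva or WhiteHat product; the log format, thresholds and 10-second window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample access log (not real traffic): "seconds ip user status path"
SAMPLE_LOG = """\
0 198.51.100.7 - 200 /index.html
1 198.51.100.7 - 200 /reports/q1.pdf
2 198.51.100.7 - 200 /reports/q2.pdf
3 198.51.100.7 - 200 /media/intro.mp4
4 198.51.100.7 - 200 /media/intro.mp3
5 203.0.113.9 alice 401 /login
6 203.0.113.9 alice 401 /login
7 203.0.113.9 alice 401 /login
8 203.0.113.9 alice 200 /login
9 192.0.2.44 bob 200 /login
10 192.0.2.45 bob 200 /login
"""

def parse_log(text):
    # One event per line -> (timestamp, ip, user, status, path)
    events = []
    for line in text.splitlines():
        ts, ip, user, status, path = line.split()
        events.append((int(ts), ip, user, int(status), path))
    return events

def _count_in_window(times, ts, window):
    # Drop events older than the sliding window, record this one, return the count
    while times and ts - times[0] >= window:
        times.popleft()
    times.append(ts)
    return len(times)

def detect(events, window=10, max_requests=4, max_downloads=3,
           max_failed=2, max_logins=1, exts=(".pdf", ".mp3", ".mp4")):
    """Return the set of (rule, key) violations a WAF policy would block on."""
    reqs, downloads, failures, logins = [defaultdict(deque) for _ in range(4)]
    alerts = set()
    for ts, ip, user, status, path in events:
        if _count_in_window(reqs[ip], ts, window) > max_requests:
            alerts.add(("rate", ip))            # high request rate by IP
        if path.lower().endswith(exts) and \
                _count_in_window(downloads[ip], ts, window) > max_downloads:
            alerts.add(("download-burst", ip))  # many .pdf/.mp3/.mp4 requests
        if path == "/login" and status == 401 and \
                _count_in_window(failures[ip], ts, window) > max_failed:
            alerts.add(("failed-logins", ip))   # excessive failed logins
        if path == "/login" and status == 200 and \
                _count_in_window(logins[user], ts, window) > max_logins:
            alerts.add(("multi-login", user))   # repeated logins, same user
    return alerts
```

Calling `detect(parse_log(SAMPLE_LOG))` flags the download burst and request rate from 198.51.100.7, the failed logins from 203.0.113.9, and the repeated logins for bob; the per-session and per-user request counters from the slide follow the same pattern keyed on the session or user field.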
6. Conduct a Post Mortem of the Attack
§ Review the impact of the attack
§ Analyze alert logs from your WAF, SIEM, & network monitoring tools
§ Answer the following questions:
• Did you suffer any downtime during the attack?
• Was any sensitive data compromised?
• What security technologies and processes were in place? Were they effective?
• What improvements can be made in the future?
Once you have completed your post-mortem, you will be better prepared to tackle future web attacks.
[1] Zone-H lists recent website defacements at http://www.zone-h.org/archive.
[2] Non-alcoholic beer and coffee are suitable alternatives.
Solutions to Prepare For and Stop Web Attacks
Secure SDLC with WhiteHat Sentinel
SDLC phases: Design, Development, QA, Production
§ Sentinel Source (SAST)
§ Computer-based training (CBT)
§ Sentinel PL (DAST)
§ Sentinel BE, SE, and PE (DAST)
§ Sentinel Mobile
Complete Solution (DAST)
Complete Solution (Source)
Imperva Web Application Security Solutions
§ SecureSphere Web Application Firewall
• Accurate, automated protection against online threats
§ Incapsula
• Scalable, easy to use, cloud-based DDoS and Web application firewall service
Complete Protection Against Web Threats
Diagram: SecureSphere protecting Web Apps against Known Attackers, Bots, Web Attacks, Undesirable Countries, Web Fraud, App DDoS, Scrapers, Phishing Sites, Comment Spammers, and Vulnerabilities
Are Your Web Applications Secure?
Imperva and WhiteHat are offering a free 30-day trial. Register at: http://reg.whitehatsec.com/imperva
#ImpervaChat
Best Practices for Surviving a Web Attack
§ What: Twitter Chat
§ When: Tues., Oct. 1st @ 10am-11am (PDT)
§ Where: #ImpervaChat
§ Co-Moderators:
• Barry Shteiman, Senior Security Strategist, Imperva (@bshteiman)
• Kasey Cross, Senior Manager of Web Security Solutions, Imperva (@kaseycross)
www.imperva.com