A Blueprint for Web Attack Survival

© 2013 Imperva, Inc. All rights reserved.

Kasey Cross, Sr. Manager, Web Security, Imperva
Nick Silver, Sr. Solutions Architect, WhiteHat Security

Upload: imperva

Post on 08-May-2015


DESCRIPTION

Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants who have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. This presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals, (2) explain the processes and technologies you can use to safeguard your website, and (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.

TRANSCRIPT

Page 1: A Blueprint for Web Attack Survival


Page 2: A Blueprint for Web Attack Survival

Agenda

§ Application Threatscape
§ Solutions to Mitigate Web Attacks

Page 3: A Blueprint for Web Attack Survival

Presenters

§ Kasey Cross
  • Senior Product Marketing Manager at Imperva
  • Frequent speaker at industry events
  • Managed SecureSphere WAF product line for 8 years
§ Nick Silver
  • Sr. Solutions Architect at WhiteHat Security

Page 4: A Blueprint for Web Attack Survival

Application Threatscape

Web Application Vulnerabilities and Threats

Page 5: A Blueprint for Web Attack Survival

Industry Averages for 2012

Page 6: A Blueprint for Web Attack Survival


The average number of days in a year a website is exposed to at least one serious* vulnerability

Page 7: A Blueprint for Web Attack Survival

Industrialization of Hacking and Automation

[Diagram labels: Researching Vulnerabilities; Developing Exploits; Growing Botnets; Exploiting Targets; Consuming; Direct Value: PII, CCN; Command & Control; Malware Distribution; Phishing & spam; DDoS; Growing Botnets and Exploiting Vulnerabilities; Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Roles; Optimization; Automation]

Page 8: A Blueprint for Web Attack Survival

Hacktivism Attack Targets and Methods

[Timeline figure: 2010, 2011, 2012, 2013, Now. Labels: Titanic Takeover Tuesday; Operation Payback; HTTP Flood “Abibil Assassin” (Vertigo & KamiNa variants) & attack to login page from 54 countries]

Page 9: A Blueprint for Web Attack Survival

Distributed Denial of Service Threats

§ 74% of organizations received a DDoS attack in past year¹
§ Many DDoS attacks are launched by botnets, because of scale
  • Toolkits automate DDoS attacks
  • Botnets for rent from $50 - $2K
§ DDoS attacks are moving up the stack
  • Less expensive; requires few attackers
  • Bypasses network security measures

[Image: DDoS Attack Tool]

¹ “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research

Page 10: A Blueprint for Web Attack Survival

Commercialized DDoS

§ Customer satisfaction guarantee!


Page 12: A Blueprint for Web Attack Survival

Step-by-Step Instructions to Survive a Web Attack

Page 13: A Blueprint for Web Attack Survival

1. Understand the Threat Actor

§ Identify the attack source:
  • Research their attack techniques and tools
§ Hacktivism:
  • Monitor social media, Twitter, Facebook, and YouTube
  • Identify DDoS attack tools and “booster packs”
§ Cybercrime:
  • Talk to peers in your industry about attack sources and tools
  • Read hacker intelligence reports and security research

Page 14: A Blueprint for Web Attack Survival

2. Develop a Security Response Plan

§ Organize an incident response team
  • IT security personnel, networking, and application development teams
  • Assign 24x7 coverage
§ Create a Red Team
  • Security engineers that will look for vulnerabilities
  • Evaluate all potential risks, including application, network, end-user, social engineering, and even physical threats

Page 15: A Blueprint for Web Attack Survival

Little Black Book of Contacts

Gather the names, phone numbers, and email addresses of:

INTERNAL
§ IT security managers
§ IT operations managers
§ Networking operators
§ Application developers
§ Database administrators
§ Legal
§ Executive management

EXTERNAL
§ DNS and Internet Service Providers
§ DDoS Protection Services
§ Relevant security consultants

Page 16: A Blueprint for Web Attack Survival

Document Network and Server Information

§ Gather IP address and network info for:
  • Web servers
  • Databases
  • DNS servers
  • Network firewalls
  • Web application firewalls
  • Database firewalls
  • Routers and switches
  • Disaster recovery networks
§ Develop network architecture diagrams

Security Tip: Keep network information and contact lists secure

Page 17: A Blueprint for Web Attack Survival

Notify Management & Set Up a War Room

§ Inform Executive Management of the threat
§ Consider warning employees
  • Notify users of potential downtime (for DDoS)
  • Educate employees about phishing
  • Prepare IT for social engineering threats
§ Establish a War Room
  • “Ground zero” for planning and communications

Page 18: A Blueprint for Web Attack Survival

3. Locate and Assess Servers and Apps

§ Scan your network to identify all assets (cloud and local)
  • Classify assets by information and brand sensitivity to identify high risk landscapes
  • Prioritize efforts based on risk levels
§ Secure database access
  • Scan DBs for vulnerabilities or configuration flaws
  • Remove any default or unnecessary user accounts
  • Disable unneeded services

Page 19: A Blueprint for Web Attack Survival

Perform Vulnerability Assessments

§ Perform vulnerability assessments
  • Scan both Network and Application Layers
  • Scan all known Web Assets
  • Scan Concurrently and Continuously
  • Analyze application functionality for DDoS attack potential and Business Logic based exploits
  • Implement assessment practice across the entire SDLC

[Diagram labels, SDLC stages: Design, Development, QA, Production]

Page 20: A Blueprint for Web Attack Survival

4. Application, Network & End-Point Controls

§ Anti Virus: Install anti-virus and anti-malware software on servers. Make sure definition files are up to date.
§ Network Security: Block all unnecessary ports with the firewall. Configure the IPS to block high and critical violations.
§ Database Security: Configure your database firewall to block unauthorized SQL queries, limit access, and virtually patch vulnerabilities.

Page 21: A Blueprint for Web Attack Survival

Ratchet Up Web App Firewall Protection

§ Review and tune the web application profile
  • Review acceptable characters & parameter value lengths
  • Compare the profile to vulnerability scan results
§ Tighten profile policies to block based on profile violations

[Screenshot labels: Directories; URLs]

Page 22: A Blueprint for Web Attack Survival

Block Web Attacks and Attack Sources

Page 23: A Blueprint for Web Attack Survival

WAF Policies to Stop App DDoS Attacks

§ Create policies that block:
  • High rates of requests in a short period of time by IP address, by user, and by session
  • Known malicious IP addresses, anonymous proxies, and Tor networks
  • Users that request many files with extensions like “.pdf”, “.mp3” or “.mp4” in a short period of time
  • Users that download large amounts of data
  • Users that initiate multiple requests that cause extremely slow web server responses

DDoS Preparation Tip: Make sure you can manage your security products from an out-of-band network

Page 24: A Blueprint for Web Attack Survival

Stopping Network DDoS Threats

While app DDoS attacks target Web servers & databases, network DDoS attacks target your Internet connection

[Diagram label: Web Servers and Databases]



To prevent network DDoS attacks, look at DDoS mitigation services that stop attacks before they reach your network


Page 28: A Blueprint for Web Attack Survival

5. Security Procedures When Under Attack

§ Continuously monitor alerts from security and network devices and from performance monitoring tools
§ If attacks are coming from a specific geographic area, create policies to block requests from that area
§ If you can detect which URLs bots are targeting, create bot mitigation rules that block bots from accessing those URLs
§ Monitor social media, hacker forums, IRC chat rooms, and sites that list website defacements

Page 29: A Blueprint for Web Attack Survival

Stop DDoS Attacks that Target Databases

§ Attackers often target search, login & registration pages
§ Create custom policies to block the attacks
  • Block an excessive number of failed logins
  • Block multiple successful logins from the same user

[Screenshot labels: Number of Occurrences; Failed Login]
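The rate-based policies listed under "WAF Policies to Stop App DDoS Attacks" and the failed-login policy above can be prototyped against access logs before being enforced in a WAF. The following sketch is an added example, not part of the presentation or of either vendor's product: it counts events per source IP in a sliding window. The thresholds, the `/login` path, the use of HTTP 401 to mark a failed login, and the sample traffic are all assumptions, and it keys on IP address only (not user or session).

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this demo; tune them against normal traffic.
WINDOW = 10  # sliding window, in seconds
LIMITS = {"request_rate": 20, "media_burst": 5, "failed_logins": 5}
MEDIA_EXT = (".pdf", ".mp3", ".mp4")
LOGIN_PATH = "/login"  # hypothetical login URL; 401 is assumed to mean failure


def evaluate(events):
    """events: (ts_seconds, ip, path, status) tuples sorted by time.
    Returns {ip: set of policy names that IP exceeded}."""
    windows = defaultdict(lambda: defaultdict(deque))  # ip -> rule -> times
    blocked = defaultdict(set)
    for ts, ip, path, status in events:
        url = path.split("?")[0]
        hits = ["request_rate"]
        if url.lower().endswith(MEDIA_EXT):
            hits.append("media_burst")
        if url == LOGIN_PATH and status == 401:
            hits.append("failed_logins")
        for rule in hits:
            q = windows[ip][rule]
            q.append(ts)
            while q and q[0] <= ts - WINDOW:  # expire events outside window
                q.popleft()
            if len(q) > LIMITS[rule]:
                blocked[ip].add(rule)
    return dict(blocked)


def sample_events():
    """Constructed traffic using documentation-range IPs, not real logs."""
    ev = []
    # 30 search requests in 3 seconds from one address
    ev += [(i * 0.1, "198.51.100.7", "/search?q=a", 200) for i in range(30)]
    # 8 failed logins in 8 seconds
    ev += [(i, "203.0.113.9", "/login", 401) for i in range(8)]
    # 6 media downloads in 6 seconds
    ev += [(i, "192.0.2.44", f"/files/track{i}.mp3", 200) for i in range(6)]
    # ordinary visitor: 4 requests spread over a minute
    ev += [(i * 15, "192.0.2.10", "/index.html", 200) for i in range(4)]
    return sorted(ev)


if __name__ == "__main__":
    for ip, rules in evaluate(sample_events()).items():
        print(ip, sorted(rules))
```

Running the same counters in alert-only mode first shows how often legitimate users (shared NAT addresses, download-heavy customers) would cross each threshold before any blocking is turned on.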

Page 30: A Blueprint for Web Attack Survival

6. Conduct a Post Mortem of the Attack

§ Review the impact of the attack
§ Analyze alert logs from your WAF, SIEM, & network monitoring tools
§ Answer the following questions:
  • Did you suffer any downtime during the attack?
  • Was any sensitive data compromised?
  • What security technologies and processes were in place? Were they effective?
  • What improvements can be made in the future?

Once you have completed your post-mortem, you will be better prepared to tackle future web attacks.

[1] Zone-H lists recent website defacements at http://www.zone-h.org/archive.
[2] Non-alcoholic beer and coffee are suitable alternatives.

Page 31: A Blueprint for Web Attack Survival

Solutions to Prepare For and Stop Web Attacks

Page 32: A Blueprint for Web Attack Survival

Secure SDLC with WhiteHat Sentinel

[Diagram labels: SDLC stages Design, Development, QA, Production; Sentinel Source (SAST); Computer-based training (CBT); Sentinel PL (DAST); Sentinel BE, SE, and PE (DAST); Sentinel Mobile]

Page 33: A Blueprint for Web Attack Survival

Complete Solution (DAST)

Page 34: A Blueprint for Web Attack Survival


Complete Solution (Source)

Page 35: A Blueprint for Web Attack Survival

Imperva Web Application Security Solutions

§ SecureSphere Web Application Firewall
  • Accurate, automated protection against online threats
§ Incapsula
  • Scalable, easy to use, cloud-based DDoS and Web application firewall service

Page 36: A Blueprint for Web Attack Survival

Complete Protection Against Web Threats

[Diagram labels: Known Attackers; Bots; Web Attacks; Undesirable Countries; Web Fraud; App DDoS; Scrapers; Phishing Sites; Comment Spammers; Vulnerabilities; Web Apps; SecureSphere]

Page 37: A Blueprint for Web Attack Survival

Are Your Web Applications Secure?

Imperva and WhiteHat are offering a free 30-day trial. Register at: http://reg.whitehatsec.com/imperva

Page 38: A Blueprint for Web Attack Survival

#ImpervaChat

Best Practices for Surviving a Web Attack

§ What: Twitter Chat
§ When: Tues., Oct. 1st @ 10am-11am (PDT)
§ Where: #ImpervaChat
§ Co Moderators:
  • Barry Shteiman, Senior Security Strategist, Imperva (@bshteiman)
  • Kasey Cross, Senior Manager of Web Security Solutions, Imperva (@kaseycross)

Page 39: A Blueprint for Web Attack Survival

www.imperva.com