Source: Barcelona 2011 - Amichai Shulman (transcript)
Men in the Server Meet the Man in the Browser
Amichai Shulman, CTO
Agenda
+ Quick Introduction
+ Motivation
+ Problem Definition
+ Shape Based Tests
+ Content Based Tests
+ Overall Solution Strategy
+ Summary
Introduction
Imperva Overview
Our mission: Protect the data that drives business
Our market segment: Enterprise Data Security
Our global business:
+ Public company, founded in 2002
+ Global operations; HQ in Redwood Shores, CA
+ 350+ employees
+ Customers in 50+ countries
Our customers: 1,300+ direct; thousands cloud-based
+ 4 of the top 5 global financial data service firms
+ 4 of the top 5 global telecommunications firms
+ 4 of the top 5 global computer hardware companies
+ 3 of the top 5 US commercial banks
+ 150+ government agencies and departments
Today’s Presenter: Amichai Shulman – CTO, Imperva
Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on information security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities – credited by Oracle, MS-SQL, IBM and others
Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”
Motivation
Client Side Attacks - Scope of Problem (1): Major Attack Vectors
Browser code
+ On decline over the past 3 years
+ Expected to rise over the next 2 years
Browser plug-ins (Java, Flash, PDF, Media Player etc.)
OS libraries (graphics rendering)
Client Side Attacks - Scope of Problem (2): 2010 Vulnerability Figures
Client side
+ 77 IE vulnerabilities, 106 Firefox vulnerabilities, 188 Chrome vulnerabilities
+ 73 Adobe Flash and 9 Adobe Reader related vulnerabilities
+ 72 various ActiveX related vulnerabilities
Server side
+ Only 36 vulnerabilities across IIS, Apache and Tomcat
Client Side Attacks - Scope of Problem (3): Malware Distribution Methods
+ Drive-by download / malvertising
+ Phishing, “spear phishing”
+ Torrent and P2P
+ Physical
Client Side Attacks - Scope of Problem (4): 2009 / 2010 Attack Figures
A 2010 report by Kaspersky
+ ~600M attempts reported to KSN, more than a 5 times increase over 2009
Number of Zeus infected computers estimated at 10M
Rustock spanned 1M computers
40K new infections a day (with some being cleaned up)
Consumers cannot be expected to cope with the technical problem on their own
From Consumer Attack to a Business Problem
The threat to consumers is constantly growing
+ Number of vulnerabilities
+ Number of attacks
+ Types of attacks
+ Sophistication
Usage is expanding beyond banking and popular retail applications
We are past the point of no return
+ Cannot expect average consumers to avoid infection and mitigate attacks alone
+ We cannot deny service to infected consumers
+ We cannot let the consumer bear the consequences of a compromise
From Consumer Attack to a Business Problem
Potential consequences (of failing to do so):
+ Reduced on-boarding rate
+ Reduced activity
+ Increased refunds
+ Increased insurance rates
Consumer facing malware threatens online commerce*
* Forrester, Feb 2011: Malware And Trojans And Bots, Oh My!
From Consumer Attack to a Business Problem
[Comparison: Car User Safety vs. Online User Safety]
Problem Definition
Client Side Trouble – Types of Interaction
Key loggers
+ No interaction between malware and application
+ Offline interaction between attacker and application using stolen credentials
Phishing
+ Some interaction between browser and actual application during attack
– Could be used for detection of some phishing campaigns
+ Offline interaction between attacker and application using stolen credentials
Man in the Browser
+ Extensive interaction between malware and application during attack
+ Offline interaction between attacker and application using stolen credentials
Man in the Browser Attacks
Attacker code running in the context of the victim’s browser, AKA Proxy Trojan
Original motivation
+ No need to attack infrastructure (DNS, tap into router, etc.)
+ Defeat SSL
Additional benefits
+ Access to local resources
+ Access to application session data
Prominent actors
+ ZeuS, Gozi, URLZone, Sinowal, Limbo and SpyEye
+ Silentbanker
MitB Attacks - The Evolution of Proxy Trojans
Key logger → Record HTML data → Inject HTML elements → Manipulate and inject transactions
MitB Attacks - Proxy Trojans in Action
[Five slides of before / after screenshots of application pages tampered by a proxy Trojan]
Proxy Trojan Architecture
[Diagram: Client Machine and Web Application, with a Drop Server; the proxy Trojan on the client machine performs Tamper Request, Tamper Page, Extract Data and Inject Fake Transaction]
Shape Based Tests
An Observation
[Side-by-side capture of traffic from a clean client and from an infected client]
Trojan likes to tamper plain traffic
Typical Changes by Trojan
Encoding related headers
+ Enforce use of traffic that is easily tampered by the Trojan
+ Avoid HTTP/1.1 connections, compressed data
Client type identification
+ Ensure identification by drop server and other attacker controlled components
Additional parameters
+ Extra data provided by an unfortunate victim
+ Could represent client identification for attacker controlled components
Parameter order
+ Expected from fake transactions
Shape Based Tests
The application (or a device protecting the application) inspects the shape of incoming messages for changes typical of Trojans
If a Trojan pattern is detected, mark the client (IP address / session / request) as “infected”
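A worked version of such a shape test, added here as an illustration rather than code from the presentation or from Imperva's product: it parses a raw HTTP request and flags the four classes of change listed on the previous slide (encoding-related headers, downgraded HTTP version, additional parameters, parameter order). The sample requests, the `EXPECTED_PARAMS` rule and the browser regex are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample requests (not captured traffic). The second shows the
# changes the slide lists for a proxy Trojan: HTTP/1.0, no Accept-Encoding,
# an extra parameter, and a parameter order the real form never emits.
CLEAN_REQUEST = ("POST /transfer HTTP/1.1\r\n"
                 "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/4.0\r\n"
                 "Accept-Encoding: gzip, deflate\r\n\r\n"
                 "account=123&amount=50&memo=rent")
TAMPERED_REQUEST = ("POST /transfer HTTP/1.0\r\n"
                    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/4.0\r\n\r\n"
                    "amount=50&account=123&memo=rent&botid=abc123")

# Hypothetical per-form rule: parameter names in the order the form submits them.
EXPECTED_PARAMS = {"/transfer": ["account", "amount", "memo"]}
# Hypothetical list of browsers known to negotiate HTTP/1.1 with compression.
MODERN_UA = re.compile(r"Firefox/|Chrome/|MSIE [789]")


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return path, version, headers, params


def shape_findings(raw):
    """Return the Trojan-typical discrepancies found in one request."""
    path, version, headers, params = parse_request(raw)
    findings = []
    modern = MODERN_UA.search(headers.get("user-agent", "")) is not None
    # Encoding-related headers: a downgraded, uncompressed request from a
    # browser that normally negotiates gzip over HTTP/1.1 is the Trojan's habit.
    if modern and version == "HTTP/1.0":
        findings.append("http10_from_modern_browser")
    if modern and "gzip" not in headers.get("accept-encoding", ""):
        findings.append("no_compression_offered")
    expected = EXPECTED_PARAMS.get(path)
    if expected is not None:
        extra = [p for p in params if p not in expected]
        if extra:  # additional parameters the real form never sends
            findings.append("extra_params:" + ",".join(extra))
        known = [p for p in params if p in expected]
        if known != [p for p in expected if p in known]:
            findings.append("param_order")  # order typical of fake transactions
    return findings
```

A non-empty result is what the slide calls a Trojan pattern; the client (IP / session / request) is then marked infected.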
Shape Based Tests in Action
[Diagram: the proxy Trojan architecture from before (Client Machine, Web Application, Drop Server; Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction), with two “Apply Shape Tests” steps on the web application side]
Challenges – Tracking Trojan Discrepancies
Each Trojan may display a different change
Changes may be reflected in specific request types
Need to keep track of Trojans
Create a framework for shape based rules
Create a framework for constructing shape tests
Challenges – Avoiding False Positives
Some real client devices do not support (or choose not to support) HTTP/1.1 or compressed data
Engage the browser in a challenge response protocol:

    HTTP/1.1 200 OK
    ...
    Content-Encoding: gzip
    Refresh: 2;url=infection_test.html?infected=no

    <html><head><script>window.navigate('infection_test.html?infected=yes')</script></head><body></body></html>

The body is sent gzip-compressed: a browser that really decodes gzip runs the script and immediately requests infected=yes, while a client that truly cannot handle compression never sees the script and only follows the Refresh header to infected=no.
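The challenge above, reconstructed as added example code (not from the presentation): the server builds the gzip-compressed test page with its Refresh header, and a small emulation shows which URL each kind of client requests next and how the server reads that. The page and URLs are taken from the slide; the function names and the verdict labels are assumptions.

```python
import gzip
import re

# Constructed reproduction of the challenge on the slide: the test page is sent
# gzip-compressed with a Refresh header pointing at "infected=no", while the
# compressed body carries a script that navigates to "infected=yes".
CHALLENGE_HTML = (b"<html><head><script>window.navigate("
                  b"'infection_test.html?infected=yes')</script></head>"
                  b"<body></body></html>")


def build_challenge_response():
    """Headers and body of the challenge response, as the server would send them."""
    headers = {
        "Content-Type": "text/html",
        "Content-Encoding": "gzip",
        "Refresh": "2;url=infection_test.html?infected=no",
    }
    return headers, gzip.compress(CHALLENGE_HTML)


def client_next_url(headers, body, browser_decodes_gzip):
    """Emulate which URL a client requests next.

    A browser that really handles gzip decodes the body, runs the script and
    navigates at once to infected=yes. A client that truly cannot decode it
    sees no script and only follows the Refresh header to infected=no.
    """
    if browser_decodes_gzip and headers.get("Content-Encoding") == "gzip":
        html = gzip.decompress(body).decode()
        m = re.search(r"window\.navigate\('([^']+)'\)", html)
        if m:
            return m.group(1)
    refresh = headers.get("Refresh", "")
    return refresh.partition("url=")[2]


def verdict(next_url):
    """Server-side reading of the follow-up request.

    The client omitted Accept-Encoding yet its browser decoded gzip fine, so
    something in between stripped the header: mark the session infected.
    A client that followed the Refresh header is a genuine legacy device.
    """
    return "infected" if next_url.endswith("infected=yes") else "legacy_client"
```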
Content Based Tests
Content Based Tests
Current malware tampers HTML at the network layer (before it is interpreted by the browser)
+ This is due to simplicity and robustness considerations
Use client side code to verify the integrity of HTML page content in coordination with the server
Some solutions try to “provoke” the MitB into making changes, then compare the HTML content to known Trojan behaviors
+ This can be avoided by careful configuration of the MitB
+ Requires a constant chase after MitB configuration files
– Construct an up-to-date database of “known behaviors”
Client / Server Content Verification
Server computes a digest of the delivered HTML page
+ Random (invisible) elements are injected into the page before computation
Server appends a page digest computation function to the HTML page
+ Computation function code includes a random salt
When the page is loaded into the browser, the computation function is invoked, computes the digest and sends it to the server for verification
If the browser does not send back a digest then infection is assumed
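An added example (not the presentation's or Imperva's code) of the verification flow above, with the browser side emulated in Python rather than the JavaScript that would actually be injected: random hidden elements, a salted SHA-256 digest over the page body, and the server decision for a clean page, a page altered at the network layer, and a missing digest. The sample page, SHA-256, the `reportDigest`/`pageDigest` names and the hidden-span markers are assumptions.

```python
import hashlib
import re
import secrets

# Constructed sample page (not a real application page).
ORIGINAL_PAGE = ("<html><body><form action='/transfer'>"
                 "<input name='account'><input name='amount'>"
                 "</form></body></html>")


def body_inner(html):
    """The part of the page both sides digest: everything inside <body>."""
    return re.search(r"<body>(.*)</body>", html, re.S).group(1)


def page_digest(salt, inner):
    return hashlib.sha256(salt.encode() + inner.encode()).hexdigest()


def prepare_page(html):
    """Server side: inject random invisible elements, compute the expected
    digest, then append the digest computation call with a fresh salt.
    Returns (page to deliver, per-session state the server keeps)."""
    salt = secrets.token_hex(8)
    # Random invisible elements make the digest unpredictable per delivery.
    markers = "".join(f"<span style='display:none' data-r='{secrets.token_hex(4)}'></span>"
                      for _ in range(3))
    html = html.replace("</body>", markers + "</body>")
    expected = page_digest(salt, body_inner(html))
    # The appended script (hypothetical client function names) would hash the
    # body with this salt in the browser and send the result back to the server.
    script = f"<script>reportDigest(pageDigest('{salt}'));</script>"
    return html.replace("</html>", script + "</html>"), {"salt": salt, "expected": expected}


def client_compute_digest(delivered_html, salt):
    """Emulates what the injected JavaScript computes in a clean browser."""
    return page_digest(salt, body_inner(delivered_html))


def verify(state, reported_digest):
    """Server side: no digest at all, or a wrong one, means infection."""
    if reported_digest is None:
        return "infected: no digest reported"
    if reported_digest != state["expected"]:
        return "infected: page content altered"
    return "clean"


def mitb_inject_field(html):
    """Constructed network-layer tampering: a proxy Trojan adds a field to the
    form before the browser ever parses the page."""
    return html.replace("</form>", "<input name='atm_pin'></form>")
```

Because the salt and markers change on every delivery, the same page yields a different expected digest each time, which is why the malware cannot pre-compute it.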
Content Based Tests in Action
[Diagram: the same proxy Trojan architecture, with the web application performing “Compute Digest and Inject Digest Computation Function” on the outgoing page, the client performing “Compute Digest”, and the web application performing “Compare Digests” on the result]
Model Strengths (1)
Digest cannot be pre-computed by malware due to the random HTML elements
Digest cannot be computed by malware without executing the digest computation function
+ Requires malware to implement / invoke a JavaScript engine
Computation function can be extended to explicitly reference the randomly injected HTML elements through DOM functions
+ Requires the malware to implement / fake the DOM
Malware cannot dismiss the test
Model Strengths (2)
Does not depend on specific MitB configuration and the expected changes
+ Only depends on the protected application page
+ Some configuration options should be available to restrict the parts of the page that are digested
– Avoid elements produced by client side code
Breaking the tie with attackers
+ Complexity of the computation process can be increased with small effort
+ Resulting changes to malware code are complex and painful, increasing its footprint
Overall Solution Strategy
Look at the Complete Picture
Apply shape based tests and content based tests to identify infected client devices
Interact with infected clients
+ Provide clear visual warnings
+ Contact customer offline
+ Apply business access policies
– Example 1: Allow data extraction but deny transaction
– Example 2: Limit transaction size
+ Automatically employ extra validation through side channels
– Adaptive authentication
+ Keep a more comprehensive audit trail for the user / session
MitB is Only Part of the Landscape
Identifying account takeover
+ Server side fraud detection
+ Device profiling and reputation
+ Advanced authentication
Defeat phishing campaigns
+ Detect and take down campaigns
+ Detect victims in real time
Flexible Deployment Framework
Cannot change application code whenever capabilities change or threats morph
Be able to protect legacy applications
Create consistency across all applications and flexibility in choosing vendors
Summary
The threat to consumers is constantly growing and is past the point where we can expect most of our consumers to avoid infection
Consumer infection has become a business problem
While providers should urge consumers to be prudent, they MUST learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat
Some car safety mechanisms are already regulated. We can expect the same from business IT security
Summary (cont.)
Enterprise IT is failing to properly tackle client based attacks within the enterprise
The growing number of so-called “APT” attacks on organizations demonstrates the effect of the “compromised insider”
Failures stem from the same cause: trying to avoid infection rather than learning to interact with infected clients
Questions
Thank You