Self Defending Applications
DESCRIPTION
Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system. In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats. This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.
TRANSCRIPT
![Page 1: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/1.jpg)
Creating Self Defending Applications to Repel Attackers
Michael Coates
@_mwc
![Page 2: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/2.jpg)
• Chairman OWASP Board
• Shape Security: Director of Product Security
Background – 12 years of security adventures
• Built and led security program protecting 450 million Firefox users & Mozilla systems
• Secured code processing millions of dollars daily
• Bypassed electronic voting systems
• Defended Fortune 100 global network
• Infiltrated telco for mobile networks in Asia and Middle East
• “Talked” my way into bank server rooms & into obtaining user passwords
@_mwc
![Page 3: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/3.jpg)
Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
![Page 4: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/4.jpg)
Billion Dollar Cybercrime
US $113 Billion – Global price tag of consumer cybercrime
![Page 5: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/5.jpg)
Cost of Security
• Cybercrime cost to companies
– 26% increase 2012 to 2013
• Cybercrime cost to individuals
– 50% increase 2012 to 2013
• Cost per breached record to company
– Average US $136
![Page 6: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/6.jpg)
Largest Single Culprit : Hacking
Verizon Data Breach Report 2013 – 52% involved Hacking
datalossdb.org, 2013 Incidents by Breach Type – 48% from Hacking
![Page 7: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/7.jpg)
Opportunistic Scanners
• Scan web for common vulnerabilities
• Highly leverage automation
• Often untargeted
75% Attacks Opportunistic
Verizon Data Breach Report 2013
![Page 8: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/8.jpg)
Underground Market Prices
2013 Dell SecureWorks
| Item | USD |
| --- | --- |
| Visa, American Express, Discover | $4-$8 |
| Credit Card with track 1 and 2 data | $12 |
| Full user information | $25 |
| 1,000 Infected Computers | $20 |
| DDOS Attacks (per hour) | $3-$5 |
![Page 9: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/9.jpg)
The Objective
• Protect the most critical data
• Handle known and unknown attacks
• Identify attackers before compromise
• Automated – no humans needed
![Page 10: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/10.jpg)
Critical Data
Applications store & allow access to critical data – by design
• Name
• Email
• Address
• Credit Card
• Bank Information
• Medical Information
• Purchase History
• Affiliations
• …
![Page 11: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/11.jpg)
Gut Check
Current Defenses Are Failing
• Custom code: unique vulnerabilities -> tailored patches
• Unrealistic defensive postures
• Signatures only protect against the last generic attack
• Required human interaction is too slow
• Valid signals are lost / ignored
• Attackers constantly probe and attack applications without deterrence
![Page 12: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/12.jpg)
Self Defending Applications
The Attacker
![Page 13: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/13.jpg)
Attack Points: Requests, Auth, Session
![Page 14: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/14.jpg)
Attack Points: Access Control
![Page 15: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/15.jpg)
Attack Points: Input Validation
![Page 16: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/16.jpg)
Attack Points: Business Logic
![Page 17: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/17.jpg)
Self Defending Applications
In The Code
![Page 18: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/18.jpg)
Attack Exposure
![Page 19: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/19.jpg)
Defend with: Detection Points
![Page 20: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/20.jpg)
Detecting Attacks
• 50+ attack detection points and growing
• Signature & Behavioral
• Many have nearly zero false positive rate
– Can’t be encountered accidentally by user
– POST vs GET
– ' OR '1'='1
http://www.owasp.org/index.php/AppSensor_DetectionPoints
![Page 21: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/21.jpg)
Centralize Attack Detection Knowledge
• Detection Points Report to Central Location
• AppSensor Integrates w/User Store
• Enables Response Actions against User Object
![Page 22: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/22.jpg)
Detect & Eliminate Threat
• Strong control of authenticated portion
– Lockout user
– Disable account
• Effective attack reporting for unauthenticated portion
![Page 23: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/23.jpg)
App Defense Eliminates Threats
![Page 24: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/24.jpg)
App Defense Eliminates Threats
Block attacker & minimize threat
![Page 25: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/25.jpg)
Humans & Automation
• Detection Points – Human driven attacks
• Trend Analysis – Automated driven attacks
![Page 26: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/26.jpg)
Human Driven
![Page 27: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/27.jpg)
Automated
![Page 28: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/28.jpg)
Attack Aware Resources
• Cross Talk Sept, 2011 - crosstalkonline.org
• Software Assurance - buildsecurityin.us-cert.gov/swa/attackaware.html
![Page 29: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/29.jpg)
Alternatives?
• Self Defending – in the app, full user object interaction, full app knowledge
• Web Application Firewall (stand alone) – generic attack detection
• Log Analysis – slow, reactive, ineffective, ignored
![Page 30: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/30.jpg)
Self Defending Applications
In The Lifecycle & Organization
![Page 31: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/31.jpg)
Threat Modeling
– Identify critical business functionality
– Capture abuse cases
– Define detection methods
![Page 32: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/32.jpg)
Example
• Grant Permission Page site.com/UpdatePermission
– Inputs:
• targetUser - Integer
• grantPerm - Integer (1,2,3) (Read, Write Delete)
– Access Control Requirement:
• Page Access: Power User
• Functionality Access: Power User
• Target User: Non-admin
![Page 33: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/33.jpg)
Abuse Cases
• Non-integer submitted for targetUser
• Invalid number submitted for grantPerm
• Force browsing to page from unauthorized account (HTTP GET)
• Force submission to page from unauthorized account (HTTP Post)
• Target user is admin account
• Unexpected rate of use (100 perm changes in 10 seconds?)
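The Grant Permission example and its abuse cases, turned into code as an added illustration (not code from the talk or from the AppSensor project): each abuse case becomes a detection point, events collect in one central store keyed by user, and a response runs against the user object past a threshold. Admin/power-user ids, the lock threshold and the detection names are constructed for the example; the 100-changes-in-10-seconds rate comes from the slide.

```python
"""Added example (not from the talk or the AppSensor project): detection points
for the site.com/UpdatePermission page on the slides. Each abuse case fires a
detection point, events collect in one central store keyed by user, and a response
(lock the account) runs on the user object once a threshold is reached."""
from collections import defaultdict, deque

ADMIN_USERS = {1}          # constructed: user id 1 is the admin account
POWER_USERS = {7, 8}       # constructed: accounts allowed to use this page
VALID_PERMS = {1, 2, 3}    # Read, Write, Delete (from the slide)
LOCK_THRESHOLD = 3         # constructed policy: lock after 3 detection events
RATE_MAX, RATE_WINDOW = 100, 10.0   # slide: 100 perm changes in 10 seconds

class AppSensor:
    def __init__(self):
        self.events = defaultdict(list)    # central record: user -> detection names
        self.changes = defaultdict(deque)  # user -> timestamps of accepted changes
        self.locked = set()

    def report(self, user, name):
        """A detection point fired (names are constructed, not AppSensor IDs)."""
        self.events[user].append(name)
        if len(self.events[user]) >= LOCK_THRESHOLD:
            self.locked.add(user)          # response action against the user object
        return "DENIED:" + name

    def update_permission(self, user, method, params, now):
        """Handle one request; returns 'OK' or 'DENIED:<detection>'."""
        if user in self.locked:
            return "DENIED:locked"
        if user not in POWER_USERS:        # force browsing (GET) / force submission (POST)
            return self.report(user, "forced_browse" if method == "GET" else "forced_submit")
        if method != "POST":               # POST vs GET: a user cannot hit this by accident
            return self.report(user, "unexpected_method")
        try:
            target, perm = int(params["targetUser"]), int(params["grantPerm"])
        except (KeyError, ValueError):
            return self.report(user, "input_not_integer")
        if perm not in VALID_PERMS:
            return self.report(user, "input_out_of_range")
        if target in ADMIN_USERS:          # access control: target must be non-admin
            return self.report(user, "target_is_admin")
        q = self.changes[user]
        q.append(now)
        while now - q[0] > RATE_WINDOW:    # keep only changes inside the window
            q.popleft()
        if len(q) > RATE_MAX:
            return self.report(user, "rate_exceeded")
        return "OK"                        # apply the permission change here
```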
![Page 34: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/34.jpg)
Risk Analysis
• Tolerance for Fraud & Abuse
• Define Acceptable Response
– Alert Admins
– Logout / Lock Accounts
– Limit Functionality
![Page 35: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/35.jpg)
Response Options
![Page 36: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/36.jpg)
Timing & Flow
• Attack Detection Points – Common Attack Vectors
• Design Requirements
• Threat Modeling – Unique App Attack Vectors
• Risk Analysis
• Response Policy/Plan
• Response Capabilities
![Page 37: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/37.jpg)
Organization Support
| Who | Action |
| --- | --- |
| Architects, Developers, Biz Owners, Security SMEs | Threat Modeling, Determine Detection Points |
| Biz Owners, Architects, Security SMEs | Determine Response Actions |
| Architects, Security SMEs | Design Response Architecture |
| Operations Team, Security SMEs | System Communication for Detection Logging & Response |
| Developers, Security SMEs | Implement Detection Point & Response Code |
| Monitoring Team, Security SMEs | Define monitoring thresholds, alerting/action requirements |
![Page 38: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/38.jpg)
Self Defending Applications
Live Implementations
![Page 39: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/39.jpg)
Common Event Format (CEF)
• Emerging standard for logging format
• Easily parsed by a security integration manager (SIM)
• Enables AppSensor Logging
CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a\=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
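An added example (not from the talk or from Mozilla's tooling) of producing and parsing CEF lines like the one above, so detection-point events can be shipped to a SIM. The sample line is a constructed copy of the slide's event with the long User-Agent extension dropped for space; escaping follows the CEF convention visible in the slide's `a\=b`.

```python
"""Added example (not from the talk): build and parse CEF lines like the AppSensor
event on the slide. Escaping follows CEF: pipes and backslashes in header fields,
equals signs and backslashes in extension values."""
import re

# Constructed copy of the slide's sample event (stray space in the version field removed)
SAMPLE = ("CEF:0|Mozilla|MozFooApp|1.0|ACE0|Access Control Violation|8|"
          "rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied "
          "src=1.2.3.4 dst=2.3.4.5 requestMethod=POST "
          "request=http://foo.mozilla.org/foo/abc.php?a\\=b msg=Additional Data here")
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _esc_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v):
    return str(v).replace("\\", "\\\\").replace("=", "\\=")

def format_cef(vendor, product, version, sig_id, name, severity, **ext):
    """Serialize one event to a CEF:0 line; ext keys become key=value pairs."""
    head = "|".join(_esc_header(x) for x in (vendor, product, version, sig_id, name, severity))
    return f"CEF:0|{head}|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

def _split_header(line):
    """Consume the seven header fields on unescaped pipes; return them and the rest."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return fields, line[i:]

def parse_cef(line):
    """Parse a CEF line into header fields plus an 'ext' dict of extensions."""
    fields, ext_str = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec = dict(zip(HEADER, fields))
    rec["version"] = rec["version"][len("CEF:"):]
    # Values may contain spaces (act=Action Denied), so split only where the next
    # 'key=' token begins; then undo the \= and \\ escapes.
    rec["ext"] = {}
    for part in re.split(r"\s+(?=\w+=)", ext_str.strip()):
        k, _, v = part.partition("=")
        rec["ext"][k] = re.sub(r"\\(.)", r"\1", v)
    return rec
```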
![Page 40: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/40.jpg)
SIM Deployment
![Page 41: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/41.jpg)
Full Stack Knowledge
• Application Layer - Custom attack / abuse notification
• Network Layer - IDS activity, firewall failures
• OS Layer - OS commands (AuditD), System event logs
![Page 42: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/42.jpg)
Data Analysis
Charted events: Failed Captcha on Create User Account; Created; User Authentication Failed
![Page 43: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/43.jpg)
Trend Analysis
![Page 44: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/44.jpg)
Top Users Failing Auth within Application
![Page 45: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/45.jpg)
App Use Mapping
Operation
IP Address
Account
![Page 46: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/46.jpg)
Auth Failed
New Account
Change Password
![Page 47: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/47.jpg)
1 IP Address, Multiple Users
Auth Fail, New Account
acct1 - pw change
acct2 - auth failed
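The Operation / IP Address / Account mapping and the "Top Users Failing Auth" view, as an added example (not code from the talk) run over constructed events: it ranks accounts by failed logins and flags one source IP touching several accounts with a mix of failed auth, account creation and password changes. IPs, account names and thresholds are all constructed.

```python
"""Added example (not from the talk): the IP/account/operation mapping sketched on
the slides, run over constructed application events, to find one source IP touching
several accounts with failed logins, new accounts and password changes."""
from collections import Counter, defaultdict

# Constructed sample events: (source IP, account, operation)
EVENTS = [
    ("203.0.113.5", "acct1", "change_password"),
    ("203.0.113.5", "acct2", "auth_failed"),
    ("203.0.113.5", "acct3", "new_account"),
    ("203.0.113.5", "acct2", "auth_failed"),
    ("198.51.100.9", "acct4", "auth_failed"),
    ("198.51.100.9", "acct4", "auth_failed"),
    ("198.51.100.9", "acct4", "auth_failed"),
    ("192.0.2.77", "acct5", "change_password"),
]

def top_failing_users(events, n=3):
    """'Top Users Failing Auth within Application': accounts ranked by failed logins."""
    c = Counter(acct for _, acct, op in events if op == "auth_failed")
    return c.most_common(n)

def map_ip_to_accounts(events):
    """Group operations by IP, then by account, like the mapping on the slide."""
    m = defaultdict(lambda: defaultdict(set))
    for ip, acct, op in events:
        m[ip][acct].add(op)
    return m

def shared_ip_alerts(events, min_accounts=2):
    """Flag IPs used by several accounts whose combined operations mix failed auth
    with account creation or password changes (the '1 IP Address, Multiple Users'
    pattern). Returns {ip: {"accounts": [...], "operations": [...]}}."""
    alerts = {}
    for ip, accts in map_ip_to_accounts(events).items():
        ops = set().union(*accts.values())
        mixes = "auth_failed" in ops and ops & {"new_account", "change_password"}
        if len(accts) >= min_accounts and mixes:
            alerts[ip] = {"accounts": sorted(accts), "operations": sorted(ops)}
    return alerts
```

Shared egress (NAT, corporate proxies, mobile carriers) makes a multi-account IP a trend signal to review or rate-limit rather than a reason for automatic lockout.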
![Page 48: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/48.jpg)
Summary
Self Defending Applications:
• Detect Malicious Activity in Critical Apps
• Enable Immediate Response
• Prevent/Limit Compromise
• Require Organization Support
![Page 49: Self Defending Applications](https://reader037.vdocument.in/reader037/viewer/2022102716/54b70f944a7959a8588b4664/html5/thumbnails/49.jpg)
AppSensor Project
• AppSensor: Version 2 of Book
• Sub-project: Preventing Automated Attacks
– owasp.org/index.php/OWASP_AppSensor_Project/PAA
– Evaluating current approaches, costs & efficacy
• CAPTCHA, IP Blocking, Reputation, Human Analysis, etc
• Join Us!
– owasp.org/index.php/Category:OWASP_AppSensor_Project
– [email protected]