Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 1 of 9  

     Web  Application  Defense,  Breaking  the  Kill  Chain    Advanced  Web  Defense  using  CAPEC  data,  Behavioral  Analysis  and  Strategic  Security  Controls                            

 Jerome  Athias  

DRAFT  March  2014  

                                 

Trademarks  are  property  of  their  respective  owners  

   

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 2 of 9  

Introduction    Web  Applications  are  subject  to  a  large  exposure,  and  so  high  risk  of  attacks  (exploitation  of  vulnerabilities  resulting  of  exposed  weaknesses).    A  proper  SDLC  is  mandatory,  including  Best  Practices  of  Secure  Web  Development.  https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet  https://www.owasp.org/index.php/Secure_Coding_Principles  https://www.cert.org/secure-­‐coding/  https://www.owasp.org/index.php/Cheat_Sheets  https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC  This  is  part  of  a  Secure  Web  Applications  Strategy.  http://www.opensamm.org    Reducing  the  attack  surface  is  a  must  for  Web  Application  Security.  https://www.owasp.org/index.php/Identify_attack_surface  https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet  http://websec.io/2013/01/28/Core-­‐Concepts-­‐Attack-­‐Surface.html  http://www.slideshare.net/OWASP_Ottawa/pierre-­‐ernst-­‐xml-­‐attack-­‐surface-­‐owasp-­‐ottawa  http://publications.drdo.gov.in/ojs/index.php/dsj/article/view/1291    The  Threat  Modeling  SDLC’s  activity  is  a  highly  efficient  process.  http://en.wikipedia.org/wiki/Threat_model  https://www.owasp.org/index.php/Application_Threat_Modeling  https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt  http://imi.nku.edu/security/Powerpoints/Marco_Morana.pdf    As  part  of  all  Information  Security  Management  System  (or  in  Risk  Management),  a  selection  of  relevant  and  applicable  Security  Requirements  has  to  be  performed.  e.g.    OWASP  ASVS  https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project  Based  on  the  Security  Requirements  (Confidentiality,  Integrity,  Availability),  appropriate  and  efficient  Security  Controls  (see  the  Orange  Book)  must  be  used.  The  Security  Controls  (safeguards)  must  be  selected  correctly  (ROI  can  play  a  role  here),  applied,  checked  and  monitored  efficiently.    Methodologies  exist  for  Secure  Code  Review  and  Web  Application  Security  Assessment  (Web  Vulnerability  Assessment,  Web  Application  Penetration  Testing).  https://www.owasp.org/index.php/OWASP_Testing_Project  http://www.isecom.org/research/osstmm.html    Common  Weaknesses  (root  cause  of  breaches)  are  now  well  defined.  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  http://projects.webappsec.org/Threat-­‐Classification  https://cwe.mitre.org    However,  there  is  not  too  much  available  regarding  an  effective  strategic  methodology  for  technical  security  controls  selection.      

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 3 of 9  

CAPEC™    A  Common  Attack  Pattern  Enumeration  and  Classification  repository,  managed  by  MITRE.  http://capec.mitre.org    CAPEC  is  directly  mapped  to  CWE,  WASC  and  OWASP  Top  10,  making  it  easy  to  use.    

Attack  Execution  Flow    Inside  the  various  useful  information  of  CAPEC,  there  is  the  Attack  Execution  Flow,  described  as  progressive  Attack  Step  Techniques.    

   One  familiar  with  Threat  Modeling  could  directly  think  about  of  mapping  this  to  an  Attack  Tree  or  complement  of  a  Data  Flow  Diagram.    Going  further,  the  dissection  of  the  Attack  Execution  Flows  described  in  CAPEC  offer  an  opportunity  for  Intelligence-­‐Driven  Web  Application  Defense  by  Analysis  of  Adversary  Tactics,  Techniques  and  Procedures  (TTP)  and  Intrusion  Kill  Chains.    Reference:  Intelligence-­‐Driven  Computer  Network  Defense  Informed  by  Analysis  of  Adversary  Campaigns  and  Intrusion  Kill  Chains,  Lockheed  Martin  Corporation  http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-­‐White-­‐Paper-­‐Intel-­‐Driven-­‐Defense.pdf        

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 4 of 9  

Kill  Chain    As  part  of  Cyber  defense  strategy  against  Advanced  Persistent  Threats,  an  objective  could  be  a  Defensible  Security  Posture.  http://nigesecurityguy.wordpress.com/2013/06/04/defensible-­‐security-­‐posture/    A  kill  chain  defines  the  progressive  steps  of  an  attack.  People  familiar  with  forensics  and  incident  response  will  easily  understand  the  analogy  between  the  Kill  Chain  and  the  Attack  Execution  Flow.    In  the  context  of  Web  Applications,  a  defensible  actions  matrix  (technical  security  controls  per  attack  step)  could  be  defined  using  the  CAPEC’s  attack  scenarios.  The  goal:  breaking  the  kill  chain  in  its  earlier  stages,  by  using  appropriate  countermeasures  slowing  down  an  attack.    A  top-­‐down,  or  waterfall,  approach  could  be  used  to  perform  a  security  controls  selection  and  use  of  defensive  programming  techniques  for  proactive  detection  and  mitigation  of  attacks.  Following  the  defense-­‐in-­‐depth  security  principle,  these  mechanisms  will  help  to  extend  the  intrusion  detection  window.  For  the  implementation,  and  prioritization,  CAPEC  offers  also  information  about  the  Typical  Likelihood  of  Exploit,  the  CIA  Impact  (Attack  Motivation-­‐Consequences).  Furthermore,  the  Effectiveness  and  Cost  of  the  security  controls  will  be  evaluated  (tip:  see  the  CWEs  corresponding  to  a  CAPEC  entry).    In  terms  of  Threat  Assessment/Analysis  or  Threat  Intelligence,  CAPEC  is  also  interesting,  for  example  providing  information  related  to  the  Attacker  Skills  or  Knowledge  Required,  which  is  interesting  for  the  characterization  of  the  Threat  Actors  and  could  be  valuable  for  Computer  Incident  Response  Teams.  (e.g.  using  STIX  http://stix.mitre.org/)          

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 5 of 9  

Strategy    For  effective  detection  and  mitigation  of  the  attack  techniques,  particular  attention  will  be  paid  to  the  Probing  Techniques  listed  in  CAPEC.  These  can  be  mapped,  for  example,  to  the  OWASP  Testing  Guide  methodology  for  effective  prioritization  and  maximizing  the  effectiveness  of  our  defense  strategy.  Some  of  our  defensive  programmatic  mechanisms  will  take  this  into  account  to  perform  a  contextual  and  behavioral  analysis,  making  them  more  intelligent  and  effective  (less  prone  to  false-­‐positives),  and  could  lead  attackers  to  sinkholes  or  honeypots  while  generating  alerts.  This  will  be  useful  for  continuous  monitoring  and  situational  awareness.    Remark:  the  various  CAPEC  Indicators  and  Warning  of  Attacks  are  useful  as  Indicators  of  Compromise  (IOC)    Note:  of  course,  as  per  the  defense-­‐in-­‐depth  principle,  all  the  listed  mechanisms  must  come  with  a  defense  of  the  perimeter,  boundaries  protected  by  a  layered  security  such  as  at  the  network  level.      

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 6 of 9  

CAPEC™  Data  Usage    CAPEC  is  not  easily  usable  as  is.  To  be  more  practical,  we  will  perform  a  transformation  of  the  CAPEC  XML  feed,  by  extraction,  to  a  database.  As  part  of  the  XORCISM  project  (eXpandable  Open  Research  on  Cyber  Information  Security  Management),  a  tool  is  available  to  achieve  this  step.  https://github.com/athiasjerome/XORCISM    With  CAPEC  parsed  and  imported  into  an  XORCISM  database,  it  becomes  more  convenient  to  manipulate  the  data.    

Checklist    Using  the  Attack  Steps  in  the  form  of  a  checklist  is  interesting  and  valuable.  This  could  be  used  into  a  simple  spreadsheet,  or  better  using  OCIL.  Examples:  

• For  the  definition  of  security  requirements  • For  the  development  team  self-­‐assessment  

Similarly  to  OWASP  ASVS,  the  data  will  be  turned  into  the  question  “Do  you  have  proper  security  requirements/controls  in  place  to  prevent  or  mitigate  the  following  attack  steps?”    Example:  Selection  of  CAPEC  Attack  Step  Techniques    Fingerprinting  of  the  operating  system   In  order  to  create  a  valid  file  injection,  the  attacker  

needs  to  know  what  the  underlying  OS  is.    Spider   Using  a  browser  or  an  automated  tool,  an  attacker  

follows  all  public  links  on  a  web  site.  He  records  all  the  entry  points  (input)  that  becomes  part  of  generated  HTTP  header  (not  only  GET/POST/COOKIE,  but  also  Content-­‐Type,  etc.)  

Forceful  browsing   When  the  attacker  targets  the  current  application  or  another  one  (through  CSRF  vulnerabilities),  the  user  will  then  be  the  one  who  perform  the  attacks  without  being  aware  of  it.  These  attacks  are  mostly  targeting  application  logic  flaws,  but  it  can  also  be  used  to  create  a  widespread  attack  against  a  particular  website  on  the  user's  current  network  (Internet  or  not).  

Attempt  well-­‐known  or  guessable  resource  locations  

Using  an  automated  tool,  an  attacker  requests  a  variety  of  well-­‐known  URLs  that  correspond  to  administrative,  debugging,  or  other  useful  internal  actions.  He  records  all  the  positive  responses  from  the  server.  

Survey  the  Application  to  Identify  User-­‐controllable  Inputs  

The  attacker  surveys  the  target  application  to  identify  all  user-­‐controllable  inputs,  possibly  as  a  valid  and  authenticated  user  

Probe  identified  potential  entry  points  for  XSS  vulnerability  

The  attacker  uses  the  entry  points  gathered  in  the  "Explore"  phase  as  a  target  list  and  injects  various  

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 7 of 9  

common  script  payloads  to  determine  if  an  entry  point  actually  represents  vulnerability  and  to  characterize  the  extent  to  which  the  vulnerability  can  be  exploited.  He  records  all  the  responses  from  the  server  that  include  unmodified  versions  of  his  script.  The  attacker  tries  also  to  inject  extra-­‐parameter  to  the  HTTP  request  to  see  if  they  are  reflected  back  in  the  web  page  or  in  the  HTTP  response.  

Attempt  well-­‐known  or  guessable  resource  locations  

Using  an  automated  tool,  an  attacker  requests  a  variety  of  well-­‐known  URLs  that  correspond  to  administrative,  debugging,  or  other  useful  internal  actions.  He  records  all  the  positive  responses  from  the  server.  

View  unauthorized  data   The  attacker  discovers  and  views  unprotected  sensitive  data.  

Vary  inputs,  looking  for  malicious  results.   Depending  on  whether  the  application  being  exploited  is  a  remote  or  local  one  the  attacker  crafts  the  appropriate  malicious  input,  containing  OS  commands,  to  be  passed  to  the  application  

Execute  malicious  commands   The  attacker  may  steal  information,  install  a  back  door  access  mechanism,  elevate  privileges  or  compromise  the  system  in  some  other  way.  

Steal  session  IDs,  credentials,  page  content,  etc.   As  the  attacker  succeeds  in  exploiting  the  vulnerability,  he  can  choose  to  steal  user's  credentials  in  order  to  reuse  or  to  analyze  them  later  on.  

Determine  Application's  Log  File  Format   The  first  step  is  exploratory  meaning  the  attacker  observes  the  system.  The  attacker  looks  for  action  and  data  that  are  likely  to  be  logged.  The  attacker  may  be  familiar  with  the  log  format  of  the  system.  

Manipulate  Log  Files   The  attacker  alters  the  log  contents  either  directly  through  manipulation  or  forging  or  indirectly  through  injection  of  specially  crafted  input  that  the  target  software  will  write  to  the  logs.  This  type  of  attack  typically  follows  another  attack  and  is  used  to  try  to  cover  the  traces  of  the  previous  attack.  

Explore  legitimate  website  and  create  duplicate   An  attacker  creates  a  website  (optionally  at  a  URL  that  looks  similar  to  the  original  URL)  that  closely  resembles  the  website  that  he  or  she  is  trying  to  impersonate.  That  website  will  typically  have  a  login  form  for  the  victim  to  put  in  their  authentication  credentials.  There  can  be  different  variations  on  a  theme  here.  

Convince  user  to  enter  sensitive  information  on  attacker's  site.  

An  attacker  sends  an  e-­‐mail  to  the  victim  that  has  some  sort  of  a  call  to  action  to  get  the  user  to  click  on  the  link  included  in  the  e-­‐mail  (which  takes  the  victim  to  attacker's  website)  and  log  in.  The  key  is  to  get  the  victim  to  believe  that  the  e-­‐mail  is  coming  from  a  legitimate  entity  with  which  the  victim  does  business  and  that  the  website  pointed  

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 8 of 9  

to  by  the  URL  in  the  e-­‐mail  is  the  legitimate  website.  A  call  to  action  will  usually  need  to  sound  legitimate  and  urgent  enough  to  prompt  action  from  the  user.  

Use  stolen  credentials  to  log  into  legitimate  site   Once  the  attacker  captures  some  sensitive  information  through  phishing  (login  credentials,  credit  card  information,  etc.)  the  attacker  can  leverage  this  information.  For  instance,  the  attacker  can  use  the  victim's  login  credentials  to  log  into  their  bank  account  and  transfer  money  to  an  account  of  their  choice.  

     

Web  Application  Defense  using  CAPEC  data.  Jerome  Athias   Page 9 of 9  

Security  Controls    Starting  from  the  list  of  Attack  Steps,  it  becomes  easy  to  think  about  them  and  defines  security  mechanisms  at  the  Web  Application  level.  Examples:  Fingerprinting  of  the  operating  system  Chances  are  high  that  this  would  be  performed  in  the  early  stages  of  an  attack.  https://www.owasp.org/index.php/Fingerprint_Web_Server_%28OTG-­‐INFO-­‐002%29  Proper  Configuration  Management,  with  the  use  of  Hardening  Guidelines  should  prevent  information  leakage  from  the  Web  Application  Framework,  Web  Server  and  Operating  System.  !  Firewall  ACLs,  limiting  allowed  HTTP  methods,  IDS/IPS  detecting  a  port  scan  (nmap)  https://benchmarks.cisecurity.org/downloads/benchmarks/  This  is  a  basic  and  mandatory  activity  to  reduce  the  attack  surface.    Spidering  Attempt  well-­‐known  or  guessable  resource  locations  A  brute  force  enumeration  of  the  web  resources  (i.e.  pages)  accessible  into  the  web  application  is  a  common  preliminary  step  of  not  well  skilled  attackers.  Indicators  would  be:  

• User  agent  of  known  tools  (e.g.  DirBuster,  w3af,  sqlmap)  • Number  of  HTTP  requests  in  a  short  period  of  time  (eventually  coming  from  the  same  IP  

address)  • Requests  coming  from  a  suspicious  IP  address  range  (IP  Geolocation,  use  of  a  proxy,  IP  

reputation/blacklist)  Implementing  programmatic  functions  to  analyze,  detect,  log,  prevent,  alert  when  these  events  occur  is  a  relatively  easy  and  inexpensive  task.  It  represents  cost  effective  defensive  controls,  even  if  the  effectiveness  is  disputable.    Probe  identified  potential  entry  points  for  XSS  vulnerability  Vary  inputs,  looking  for  malicious  results.  Execute  malicious  commands  Common  injection  patterns  could  easily  be  detected  (in  the  meantime  they  are  blocked  by  whitelisting  or  blacklisting)  at  the  application  level,  logged  and  reported.  The  Web  Application  could  include  self-­‐defense  mechanisms  (e.g.  fail2ban  approach).  Web  Application  Firewall  rules  could  be  improved,  IP  reputation  database  updated,  firewall  rules  enhanced,  defects  identified,  potential  unknown  vulnerabilities  (0day)  detected  faster,  etc.    Explore  legitimate  website  and  create  duplicate  This  is  a  common  technique  that  is  somehow  detectable  (for  example  by  financial  CERTs)  by  searching/monitoring  the  web  for  duplicated  images  or  content.  https://www.tineye.com/    Steal  session  IDs,  credentials,  page  content,  etc.  A  common  outcome  of  databases  leakage  is  for  attackers  to  disclose  the  stolen  information,  for  example  on  pastebin.  As  part  of  continuous  monitoring  and  threat  intelligence  activities,  APIs  or  tools  could  be  used  to  help  detecting  such  information  disclosure.  https://github.com/xme/pastemon  https://en.mention.com/