1 / 39

Attack Detection and Prevention with OWASP AppSensor

Attack Detection and Prevention with OWASP AppSensor. Colin Watson Watson Hall Ltd colin @ watsonhall.com. OWASP AppSensor. AppSensor. Established Summer 2008 Presented at multiple conferences in US & Europe Recent video presentations by Michael Coates

dolan
Download Presentation

Attack Detection and Prevention with OWASP AppSensor

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attack Detection and Prevention with OWASP AppSensor • Colin Watson • Watson Hall Ltd • colin@watsonhall.com

  2. OWASP AppSensor

  3. AppSensor • Established Summer 2008 • Presented at multiple conferences in US & Europe • Recent video presentations by Michael Coates • Real Time Application Defenses - The Reality ofAppSensor & ESAPIhttp://vimeo.com/15726323 • Automated Application Defenses to Thwart Advanced Attackershttp://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html • Application Based Intrusion Detection highlighted in OWASP Top Ten 2010 “What’s Coming”

  4. AppSensor Team • Core team: • Michael Coates • John Melton • Colin Watson • Contributors: • Ryan Barnett • Simon Bennetts • August Detlefsen • Randy Janida • Jim Manico • Giri Nambari • Eric Sheridan • John Stevens • Kevin Wall

  5. AppSensor concepts

  6. Add AppSensor to your own applications • Build it into requirements • Develop your own • ESAPI • AppSensor integration into Java ESAPI imminent • Security Information/Event Management • Add detection points into application • Integrate logging into real time monitor

  7. AppSensor detection points • A detection point is a highly-tuned instrumentation sensor (typically with the application’s code) and used to identify a particular type of suspicious or malicious activity • Over 50 detection points • 12 exception types • 9 signature based (request, authentication, session, etc) • 3 behavior based (user, system, reputation) • Latest list of detection points with descriptions, considerations and examples is maintained at:http://www.owasp.org/index.php/AppSensor_DetectionPoints

  8. “blocking requests using the TRACE HTTP method” “limiting each session to a particular IP address” • “locking a user account after multiple failed authentication attempts” Detection point exception types

  9. AppSensor response actions • Response actions describe a change to the application’s behavior • 14 response actions • Many ways to classify them, including: • Effect on user / application • Target of response • Duration of response • Latest list of response actions with descriptions, considerations and examples is maintained at:http://www.owasp.org/index.php/AppSensor_ResponseActions

  10. Response actions from the user’s viewpoint

  11. Implementation planning methodology • Preliminary requirements • Detection point selection • Response action selection • Then • Procure/develop • Deploy • Verify • Monitor and tune

  12. 1. Preliminary requirements

  13. 1a) Application risk assessment • Many alternative methods and processes: • http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf • http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf • http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf • http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204 • http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology • http://www.owasp.org/index.php/Threat_Risk_Modeling • http://www.nr.no/~abie/RiskAnalysis.htm • Application risk ranking

  14. 1b) Secure coding • Build the application securely • Governance • Construction • Verification • Deployment • Software Assurance Maturity Modelhttp://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model • Application Security Verification Standardhttp://www.owasp.org/index.php/ASVS • OWASP Development, Code Review and Testing Guides

  15. 1c) Application logging • How to Do Application Logging RightAnton Chuvakin and Gunnar Peterson, IEEE Security & Privacy Journal http://arctecgroup.net/pdf/howtoapplogging.pdf • Securosis Blog - Monitoring Up the Stack serieshttp://securosis.com/blog/monitoring-up-the-stack-app-monitoring-part-1http://securosis.com/blog/monitoring-up-the-stack-app-monitoring-part-2 • OWASP AppSensorDemo2 Intrusion Store (HSQLDB)http://code.google.com/p/appsensor/source/browse/#svn/trunk/AppSensorDemo2 • OWASP ESAPI Java Edition documentationhttp://code.google.com/p/owasp-esapi-java/ • NIST SP 800-92 Guide to Computer Security Log Managementhttp://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

  16. 2. Detection point selection

  17. 2a) Categorization • Exception types • Signature or behavior based • Suspicious events or attacks • Outcome/result of the request, or request properties • Classes: • Discrete • Generic pre-processing • Business layer • Aggregating • Modifying

  18. 2a) Categorization (continued)

  19. 2b) Requirements • Approaches: • Application risk classification • Threat assessment • Class categorization • Discrete • Generic pre-processing • Business layer • Aggregating • Modifying

  20. 2c) Model development • Requirements for each detection point: • purpose • general statement of its functionality • details of any prerequisites • related detection points. • Duplicate codes • Aggregating detection points

  21. 2c) Model development (continued)

  22. 2c) Model development (continued)

  23. 2d) Optimization • Three aims • Ensure we maintain a low false positive rate through adjusting the sensitivity • Consider relationships with other systems and the effects these may have on detection points • Identify if any detection points can be removed to eliminate overlaps and duplicates • Test cases

  24. 2e) Code location • Instrumentation not new functionality • Process • Procurement • Development • Frameworks • Libraries • Common code / business layer

  25. 2f) Attack analysis • Attack vectors • Threat modelling • WASC Threat Classification v2.0http://projects.webappsec.org/Threat-Classification • OWASP Top Ten 2010http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Common Attack Pattern Enumeration and Classification http://capec.mitre.org/ • Check the model • Detection points are activation • Human error

  26. 3. Response action selection

  27. 3a) Strategic requirements • Organizational risk tolerance • User experience • Application’s purpose “Do not prevent users doing anything, but log, monitor and alert fervently.” “Authenticated administrators who have access to the most functionality and the greatest data access permissions should have the strictest thresholds before a response action is undertaken.” “Application functionality will not be changed unless the user's source location is in a higher-risk country.”

  28. 3b) Thresholds • Approaches • Role dependent • Per detection point / per application • Weightings of suspicious and attack events • User events and user trends • Individual detection points • Overall number of security events • System trend detection points • Modifying detection points

  29. 3b) Thresholds (continued)

  30. 3c) Model tuning • Attacks • Typical user activities • Speed of use • Static content • Missing content • Actions that disable features or the application • Other systems • Business metrics

  31. 3c) Model tuning (continued) • Only log • Source location override • Export • Vulnerability management programmes • Security integration manager (SIM) systems • Secure development practices

  32. Plan execution

  33. Implementation • Secure development practices: • Risk analysis • Design and code review • Testing • Operational enablement • Change management • Monitoring and tuning • Ongoing testing

  34. Lightweight implementation

  35. Piloting AppSensor / fast-track approach • Focus on input, signature based detection points that detect attacks rather than suspicious events in the discrete class: • Request exceptions (RE1, 2, 3 and 4 ) • Access control exception (ACE1 and 2) • Input exceptions (IE1, 2 and 3) • Authentication exceptions (AE1, 2 and 3) and Session Management exceptions (SE5 and 6) when authentication & session management is use • And limit response actions to additional logging (ASR-A), administrator notification (ASR-B), account logout (ASR-J) & account lockout (ASR-K). • Do it with ESAPI

  36. Concluding thoughts

  37. Supporting materials • AppSensor Project: • Home pagehttp://www.owasp.org/index.php/Category:OWASP_AppSensor_Project • Detection pointshttp://www.owasp.org/index.php/AppSensor_DetectionPoints • Response actionshttp://www.owasp.org/index.php/AppSensor_ResponseActions • Mailing lists • https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project • https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev • Planning guide and workbookhttp://www.owasp.org/index.php/File:Appsensor-planning.zip

  38. Related presentations at AppSec DC 2010 • Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersDan Cornellhttp://www.owasp.org/index.php/Application_Portfolio_Risk_Ranking:_Banishing_FUD_With_Structure_and_Numbers • Solving Real World Problems with ESAPIChris Schmidthttp://www.owasp.org/index.php/Solving_Real_World_Problems_with_ESAPI • Next: OWASP ModSecurity Core Rule SetRyan Barnett http://www.owasp.org/index.php/OWASP_ModSecurity_Core_Rule_Set

  39. Questions and feedback • Now • During the last two breaks today • Subsequently • colin @ watsonhall.com • +44 20 7183 3710 Photographs: Machinery and instrumentation at the Discovery Museum,Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England

More Related