1 / 19

Intrusion Deception Kyle Adams – Chief Software Architect for Junos WebApp Secure

Intrusion Deception Kyle Adams – Chief Software Architect for Junos WebApp Secure. Sorry Your Princess is in Another Castle: Intrusion Deception to Protect the Web. Intrusion Deception Overview. What is it? Exploit attacker psychology and attack economics

nova
Download Presentation

Intrusion Deception Kyle Adams – Chief Software Architect for Junos WebApp Secure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Intrusion DeceptionKyle Adams – Chief Software Architect for Junos WebApp Secure Sorry Your Princess is in Another Castle: Intrusion Deception to Protect the Web

  2. Intrusion DeceptionOverview • What is it? • Exploit attacker psychology and attack economics • Extensions of traditional honey pot techniques • Why do it? • Detect advanced hackers before they breach (even some zero-day attacks) • Waste attackers time • Decrease ROI of attacks • More effective then just blocking known attack vectors • What do you need? • Tracking technique (Cookies, IP) • Event management API • Detection points • Active counter responses

  3. Intrusion DeceptionHow does it work? Malicious HTTP Request • Step 1) Detecting Attackers: • Attacker issues attack to server • Server checks event manger for past events • No events, so server executes the request • Server detects request as attack and logs event • Server returns response for original request getEvents() <no events> HTTP Response logEvent() Web Server Event Manager Attacker

  4. Intrusion DeceptionHow does it work? Any HTTP Request • Step 2) Stopping Detected Attackers: • Attacker issues any request to server • Server checks event manger for past events • It has events, so alter the request • Server executes altered request • It has events, so alter the response • Server returns altered response getEvents() HAS EVENTS! Alter Response HTTP Response Web Server Event Manager Attacker

  5. Intrusion DeceptionTracking Technique • Attributing requests to an attacker • HTTP protocol is stateless • You can’t tell if requests are issued by the same person • Achieve state with a combination of • Cookies • IP Address • User-Agent • Be creative, there are less obvious ways ;) • State is still limited • Attacker can change cookies,IP and user-agents

  6. Intrusion DeceptionEvent Management API • Keeps track of detected attacks • Who issued an attack (based on tracking) • What was the attack • Simple Event Management API • getEvents(<tracking info>) :event[] • Get all events for a given user • logEvent(<tracking info>, <event>) :void • Record a new event for a given user

  7. Intrusion DeceptionDetection Points • Add a fake attack surface to the website • Fake inputs • Legitimate Validated Inputs • Fake files • Fake configuration • Fake code is cleanly blended with real code • Unlike traditional honeypot servers or services • Activity on fake attack surface • Guaranteed malicious • Send info to event management API

  8. Intrusion DeceptionDetection Points: Fake Inputs • Forms • URLs • Detection <form method=“POST” action=“search.php”> <input type=“hidden” name=“product” value=“435”> <input type=“hidden” name=“filter” value=“^[a-zA-Z0-9-_ ]+$”> <input type=“text” name=“query”> <input type=“submit” value=“Search”> </form> <a href=“rateProduct.php?prodId=435&rating=4&limitPerUser=1”>Rate: 4 Stars</a> <?php if ($_POST[“filter”] != “^[a-zA-Z0-9-_ ]+$”) EventAPI.logEvent(cookie, ip, user-agent, “Manipulated Hidden Input”); if ($_GET[“limitPerUser”] != “1”) EventAPI.logEvent(cookie, ip, ua, “Manipulated Query Parameter”); … REST OF YOUR WEBSITE CODE ….

  9. Intrusion DeceptionDetection Points: Validated Inputs • Forms • Detection <script> function validate() { return (/^[0-9]+$/.test(document.getElementById(‘prodid’).value)); } </script> <form method=“POST” action=“search.php” onsubmit=“validate()”> <input type=“hidden” name=“product” id=“prodid” value=“435”> <input type=“text” name=“query” id=“query”> <input type=“submit” value=“Search”> </form> <?php if (preg_match(“/^[0-9]+$/”, $_POST[“product”]) != 1) EventAPI.logEvent(cookie, ip, user-agent, “Invalid Product Value”); … REST OF YOUR WEBSITE CODE ….

  10. Intrusion DeceptionDetection Points: Fake Files • Create /admin.php • Create /config.php • Create /login.php • Be creative, you can do this for a lot of files • Detection <?php EventAPI.logEvent(cookie, ip, user-agent, “Accessed: ” . $SERVER[‘REQUEST_URI’]); … RETURN FAKE CONTENT (Login page, or whatever your pretending to be) ….

  11. Intrusion DeceptionDetection Points: Fake Configuration • Fake disallow directory in robots.txt • Detection (/wikiadmin/index.php) Sitemap: http://bsideswww.securitybsides.com/sitemap.xml User-agent: * Disallow: /session/ Disallow: /settings/ Disallow: /wikiadmin/ Disallow: /browse/ Disallow: /w/browse/ Disallow: /layout/ … <?php EventAPI.logEvent(cookie, ip, user-agent, “Disallow Directory Accessed”); … RETURN 403 ERROR ….

  12. Intrusion DeceptionHow does it work? Fake File Example GET /admin.php • Step 1) Detecting Attackers: • Attacker requests /admin.php • Fake script executes and logs event • Server returns fake response for /admin.php • Now you know they are malicious, what do you do about it? logEvent() Return Fake Login Page Web Server Event Manager Attacker

  13. Intrusion DeceptionActive Counter Responses • Stopping an attacker after the first attack • Check if the user has events • If they do, modify the request/response • Goes at the top of every php file (import?) • You can also do something similar throughout the script to alter the response data • Again, be creative, you can really confuse and mislead the attacker! <?php if (count(EventAPI.getEvents(cookie, ip, ua)) > 0) { // Modify request to make it safe to execute // Or return a response and end execution } … THE REST OF YOUR WEBSITE CODE ….

  14. Intrusion DeceptionActive Counter Responses: Simple • Simple BlockReturn a 500 error on all requests • Simple RedirectRedirects the user to wikipedia page on ethics <?php if (count(EventAPI.getEvents(cookie, ip, ua)) > 0) { http_response_code(500); exit(); } … THE REST OF YOUR WEBSITE CODE …. <?php if (count(EventAPI.getEvents(cookie, ip, ua)) > 0) { http_response_code(302); header(“Location: http://http://en.wikipedia.org/wiki/Ethics”); exit(); } … THE REST OF YOUR WEBSITE CODE ….

  15. Intrusion DeceptionActive Counter Responses: Advanced • Lock User’s AccountJust an example, would completely depend on your site implementation • Change DatabasesUse a sandboxed database that is refreshed nightly <?php if (count(EventAPI.getEvents(cookie, ip, ua)) > 0) UserAPI.lockAccount($_SESSION[‘account_id’], “Malicious Activity”); … THE REST OF YOUR WEBSITE CODE …. <?php if (count(EventAPI.getEvents(cookie, ip, ua)) > 0) $database = new mysqli(“freesqlserver.com”, “user”, “pass”, “junk”) else $database = new mysqli(“localhost”, “user”, “pass”, “master”); … THE REST OF YOUR WEBSITE CODE ….

  16. Intrusion DeceptionHow does it work? Returning 500 Errors GET /index.php • Step 2) Stopping Detected Attackers: • Attacker issues any request to server • Server checks event manger for past events • Server sees previous “/admin.php”a event • Server sets response code to 500 • Server returns 500 error without executing the rest of the script getEvents() HAS EVENTS! Set Status: 500 Return 500 Error Web Server Event Manager Attacker

  17. Intrusion DeceptionBuild or Buy? • JunosWebApp Secure (Commercial) • Reverse Proxy that introduces Intrusion Deception • No code changes required, improves with each release • Drops in quickly, minimal configuration • Highly advanced tracking techniques, detection points, and responses • OWASP App Sensor (Open Source) • Specification and design (No Code Provided) • https://owasp.org/index.php/OWASP_AppSensor_Project • Roll your own • Invent and integrate your own detection and responses • More flexibility, tighter integration

  18. Intrusion DeceptionConclusion • Download Slides after presentation • http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow • Information on Junos WebApp Secure (formerly Mykonos) • http://www.mykonossoftware.com • Want to work on this type of stuff every day? Junos WebApp Secure is hiring! See me after the presentation for details • Learn more at the Juniper RSA 2013 booth (#0000) • Contact Information • Twitter: @kadams_sec • Linked In: https://www.linkedin.com/in/adamsk

  19. Intrusion DeceptionExtras: What else can you do? • Anti-Spam Email Pollution • Put a hidden link on the page to “mailinglist.html” (a php script with an html extension) • Mailinglist.html is designed to display 100 random but believable email addresses • Mailinglist.html displays links to other aliases of “mailinglist.html” • How does it work? • Email harvesting Spider hits the site and sees the link for “mailinglist.html” • Spider follows the link and downloads mailinglist.html • Spider harvests the 100 fake email addresses • Spider sees the links to other pages from mailinglist.html • Spider follows the additional links • Repeat steps 1-5 for all additional links • The end result: Harvest spider hits hundreds of fake pages containing fake email addresses and effectively drowns out any good data from your actual site.

More Related