Intrusion Deception
Kyle Adams – Chief Software Architect for Junos WebApp Secure
Sorry Your Princess is in Another Castle: Intrusion Deception to Protect the Web

Intrusion Deception – Overview
• What is it?
  • Exploit attacker psychology and attack economics
  • An extension of traditional honeypot techniques, applied inside a real application
• Why do it?
  • Detect advanced attackers before they breach (including some zero-day attacks, because detection keys on behaviour rather than signatures)
  • Waste the attacker's time
  • Decrease the ROI of attacks
  • More effective than just blocking known attack vectors
• What do you need?
  • A tracking technique (cookies, IP address)
  • An event management API
  • Detection points
  • Active counter responses
Intrusion Deception – How does it work?
Step 1) Detecting Attackers:
• Attacker issues an attack (a malicious HTTP request) to the server
• Server checks the event manager for past events: getEvents()
• No events, so the server executes the request
• Server detects the request as an attack and logs an event: logEvent()
• Server returns the normal response for the original request
(Sequence diagram on the slide: Attacker → Web Server → Event Manager; getEvents() returns <no events>, logEvent() records the attack, the HTTP response goes back to the attacker.)

Intrusion Deception – How does it work?
Step 2) Stopping Detected Attackers:
• Attacker issues any request to the server
• Server checks the event manager for past events: getEvents()
• It has events, so the server alters the request
• Server executes the altered request
• It has events, so the server alters the response
• Server returns the altered response
(Sequence diagram on the slide: Attacker → Web Server → Event Manager; getEvents() returns HAS EVENTS!, the response is altered before it goes back to the attacker.)
Intrusion Deception – Tracking Technique
• Attributing requests to an attacker
  • HTTP is stateless
  • By itself it cannot tell you whether two requests came from the same person
• Achieve state with a combination of
  • Cookies
  • IP address
  • User-Agent
  • Be creative, there are less obvious ways ;)
• State is still limited
  • An attacker can change cookies, IP and User-Agent, so no single identifier is trustworthy on its own

Intrusion Deception – Event Management API
• Keeps track of detected attacks
  • Who issued the attack (based on tracking)
  • What the attack was
• Simple Event Management API
  • getEvents(<tracking info>) : event[]
    Get all events for a given user
  • logEvent(<tracking info>, <event>) : void
    Record a new event for a given user
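The tracking technique and the event management API above, as an added example that is not code from the talk or from Junos WebApp Secure. It records each event under several identifiers derived from the cookie, the IP and the User-Agent, so an attacker who clears cookies but keeps the same client is still linked to earlier events; the in-memory store, the cookie name and the sample addresses are assumptions for the demonstration.

```python
"""Tracking + getEvents()/logEvent() for intrusion deception (added example)."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tracking:
    """What the server can see of one client. All three are attacker-controlled."""
    cookie: Optional[str]
    ip: str
    user_agent: str


def tracking_keys(t: Tracking) -> List[str]:
    """Identifiers to record an event under, most specific first.

    The cookie pins one browser session; IP+UA still links an attacker who
    clears cookies; the bare IP links one who also swaps User-Agents.
    Keys are hashed so raw cookie values never sit in the event store.
    """
    keys = []
    if t.cookie:
        keys.append("c:" + hashlib.sha256(t.cookie.encode()).hexdigest()[:16])
    keys.append("iu:" + hashlib.sha256(f"{t.ip}|{t.user_agent}".encode()).hexdigest()[:16])
    keys.append("ip:" + t.ip)
    return keys


@dataclass
class Event:
    name: str           # e.g. "Manipulated Hidden Input"
    detail: str = ""    # e.g. the request path
    ts: float = field(default_factory=time.time)


class EventManager:
    """The slide's API, backed by a dict.

    Assumption: a single process. Behind several web nodes this must be a
    shared store, or an attacker detected on node A is still unknown on node B.
    """

    def __init__(self) -> None:
        self._events: Dict[str, List[Event]] = {}

    def log_event(self, t: Tracking, name: str, detail: str = "") -> Event:
        ev = Event(name, detail)
        for key in tracking_keys(t):          # one event, indexed under every key
            self._events.setdefault(key, []).append(ev)
        return ev

    def get_events(self, t: Tracking) -> List[Event]:
        out: List[Event] = []
        for key in tracking_keys(t):
            for ev in self._events.get(key, []):
                if not any(ev is seen for seen in out):   # same event reached via two keys
                    out.append(ev)
        return out
```

The bare-IP key is the one to treat with care: behind a corporate NAT or a CDN it flags every user sharing that egress address, so drop it (or age it out quickly) when the site has many clients behind shared IPs.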
Intrusion Deception – Detection Points
• Add a fake attack surface to the website
  • Fake inputs
  • Legitimate validated inputs
  • Fake files
  • Fake configuration
• Fake code is cleanly blended with the real code
  • Unlike traditional honeypot servers or services, there is no separate decoy host to fingerprint
• Activity on the fake attack surface
  • Guaranteed malicious: nothing on it is reachable by simply using the site
  • Send the info to the event management API

Intrusion Deception – Detection Points: Fake Inputs
• Forms
• URLs
• Detection

A hidden "filter" field that no browser ever changes, and a "limitPerUser" query parameter that only a tamperer would touch:

    <form method="POST" action="search.php">
      <input type="hidden" name="product" value="435">
      <input type="hidden" name="filter" value="^[a-zA-Z0-9-_ ]+$">
      <input type="text" name="query">
      <input type="submit" value="Search">
    </form>

    <a href="rateProduct.php?prodId=435&rating=4&limitPerUser=1">Rate: 4 Stars</a>

    <?php
    // $cookie, $ip, $ua: the tracking values from the earlier slide.
    // Each check lives in the script that handles that form or link.
    if (isset($_POST["filter"]) && $_POST["filter"] != "^[a-zA-Z0-9-_ ]+$")
        EventAPI::logEvent($cookie, $ip, $ua, "Manipulated Hidden Input");
    if (isset($_GET["limitPerUser"]) && $_GET["limitPerUser"] != "1")
        EventAPI::logEvent($cookie, $ip, $ua, "Manipulated Query Parameter");
    … REST OF YOUR WEBSITE CODE …

The decoy values must never be trusted by the real code: the actual filter and the actual per-user limit are enforced server-side regardless of what the client sent.

Intrusion Deception – Detection Points: Validated Inputs
• Forms
• Detection

Client-side validation guarantees that a browser can only submit a numeric product ID, so a non-numeric value on the server means the client was bypassed:

    <script>
    function validate() {
      return (/^[0-9]+$/.test(document.getElementById('prodid').value));
    }
    </script>
    <form method="POST" action="search.php" onsubmit="return validate()">
      <input type="hidden" name="product" id="prodid" value="435">
      <input type="text" name="query" id="query">
      <input type="submit" value="Search">
    </form>

    <?php
    if (!isset($_POST["product"]) || preg_match("/^[0-9]+$/", $_POST["product"]) != 1)
        EventAPI::logEvent($cookie, $ip, $ua, "Invalid Product Value");
    … REST OF YOUR WEBSITE CODE …
Intrusion Deception – Detection Points: Fake Files
• Create /admin.php
• Create /config.php
• Create /login.php
• Be creative, you can do this for a lot of files (anything a scanner's wordlist would try and your site does not actually use)
• Detection

    <?php
    EventAPI::logEvent($cookie, $ip, $ua, "Accessed: " . $_SERVER['REQUEST_URI']);
    … RETURN FAKE CONTENT (login page, or whatever you're pretending to be) …

Intrusion Deception – Detection Points: Fake Configuration
• Fake disallowed directory in robots.txt
• Detection (/wikiadmin/index.php)

    Sitemap: http://bsideswww.securitybsides.com/sitemap.xml
    User-agent: *
    Disallow: /session/
    Disallow: /settings/
    Disallow: /wikiadmin/
    Disallow: /browse/
    Disallow: /w/browse/
    Disallow: /layout/
    …

    <?php
    EventAPI::logEvent($cookie, $ip, $ua, "Disallow Directory Accessed");
    … RETURN 403 ERROR …

Well-behaved crawlers honour the Disallow list; a client that reads robots.txt and then requests exactly the paths it was told to avoid is either a misbehaving bot or someone using the file as a map of interesting places.
Intrusion Deception – How does it work? Fake File Example
Step 1) Detecting Attackers:
• Attacker requests /admin.php
• The fake script executes and logs an event: logEvent()
• Server returns the fake response (a fake login page) for /admin.php
• Now you know they are malicious, what do you do about it?
(Sequence diagram on the slide: Attacker → GET /admin.php → Web Server → logEvent() → Event Manager; the fake login page is returned.)

Intrusion Deception – Active Counter Responses
• Stopping an attacker after the first attack
  • Check whether the user has events
  • If they do, modify the request/response
• Goes at the top of every PHP file (for example via require_once, or PHP's auto_prepend_file setting so no script can forget it)
• You can also do something similar throughout the script to alter the response data
• Again, be creative, you can really confuse and mislead the attacker!

    <?php
    if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
        // Modify the request to make it safe to execute,
        // or return a response and end execution
    }
    … THE REST OF YOUR WEBSITE CODE …

Intrusion Deception – Active Counter Responses: Simple
• Simple Block: return a 500 error on all requests
• Simple Redirect: redirect the user to the Wikipedia page on ethics

    <?php
    if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
        http_response_code(500);
        exit();
    }
    … THE REST OF YOUR WEBSITE CODE …

    <?php
    if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
        http_response_code(302);
        header("Location: http://en.wikipedia.org/wiki/Ethics");
        exit();
    }
    … THE REST OF YOUR WEBSITE CODE …

Intrusion Deception – Active Counter Responses: Advanced
• Lock the user's account: just an example, it depends entirely on your site's implementation
• Change databases: use a sandboxed database that is refreshed nightly, holds no real data and has its own credentials

    <?php
    if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0 && isset($_SESSION['account_id']))
        UserAPI::lockAccount($_SESSION['account_id'], "Malicious Activity");
    … THE REST OF YOUR WEBSITE CODE …

    <?php
    if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
        $database = new mysqli("freesqlserver.com", "user", "pass", "junk");   // sandbox copy
    } else {
        $database = new mysqli("localhost", "user", "pass", "master");
    }
    … THE REST OF YOUR WEBSITE CODE …

Intrusion Deception – How does it work? Returning 500 Errors
Step 2) Stopping Detected Attackers:
• Attacker issues any request to the server (here GET /index.php)
• Server checks the event manager for past events: getEvents()
• Server sees the previous "/admin.php" event
• Server sets the response code to 500
• Server returns the 500 error without executing the rest of the script
(Sequence diagram on the slide: Attacker → GET /index.php → Web Server → getEvents() → Event Manager returns HAS EVENTS!; the server sets status 500 and returns the error.)
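The two-step flow (detection points in step 1, counter response in step 2) as one request pipeline, added here as an example that is not the presentation's or Junos WebApp Secure's code. The PHP fragments on the slides are pseudocode spread over several scripts; this puts the same checks in one function over constructed sample requests. The event store is a dict keyed on the tracking cookie, the decoy paths and the "/wikiadmin/" disallow entry are taken from the slides, and the request shape is an assumption.

```python
"""Detection points + active counter response on one request (added example)."""
import re
from typing import Dict, List, Tuple

# Values the real site already has; the decoys are added attack surface.
HIDDEN_FILTER = "^[a-zA-Z0-9-_ ]+$"                            # hidden field the real form always sends
PRODUCT_RE = re.compile(r"^[0-9]+$")                           # what client-side validate() enforces
FAKE_FILES = {"/admin.php", "/config.php", "/login.php"}       # not linked from anywhere real
ROBOTS_DISALLOW = ("/session/", "/settings/", "/wikiadmin/")   # in robots.txt, unused by the site

# tracking cookie -> events. In-memory for the demo; a real store is shared.
_events: Dict[str, List[str]] = {}


def log_event(req: dict, name: str) -> None:
    _events.setdefault(req["cookie"], []).append(name)


def get_events(req: dict) -> List[str]:
    return _events.get(req["cookie"], [])


def detect(req: dict) -> List[str]:
    """Run every detection point against one request and log each hit.

    Nothing checked here is reachable by a browser that simply uses the
    site, so a hit is treated as guaranteed malicious rather than scored.
    """
    path, params = req["path"], req["params"]
    hits: List[str] = []
    if path in FAKE_FILES:
        hits.append("Accessed: " + path)
    if path.startswith(ROBOTS_DISALLOW):
        hits.append("Disallow Directory Accessed")
    if path == "/search.php":
        if params.get("filter", HIDDEN_FILTER) != HIDDEN_FILTER:
            hits.append("Manipulated Hidden Input")
        if not PRODUCT_RE.match(params.get("product", "0")):
            hits.append("Invalid Product Value")
    if path == "/rateProduct.php" and params.get("limitPerUser", "1") != "1":
        hits.append("Manipulated Query Parameter")
    for name in hits:
        log_event(req, name)
    return hits


def handle(req: dict, mode: str = "block") -> Tuple[int, str]:
    """The per-script prologue from the slides, as one function.

    Step 2 runs first: a client with prior events never reaches the real
    code. Otherwise step 1 runs: detection points log, and the request is
    still served as normal (decoys return decoy content).
    """
    if get_events(req):
        if mode == "redirect":
            return 302, "Location: http://en.wikipedia.org/wiki/Ethics"
        return 500, "Internal Server Error"
    detect(req)
    path = req["path"]
    if path in FAKE_FILES:
        return 200, "<form>fake login page</form>"
    if path.startswith(ROBOTS_DISALLOW):
        return 403, "Forbidden"
    # The real handler must not trust "filter" or "limitPerUser": the decoy
    # values exist only to be tampered with; the real limits live server-side.
    return 200, "real page " + path


def scan_then_browse() -> List[int]:
    """Constructed traffic: one client browses, probes /admin.php, then browses again."""
    _events.clear()
    scanner = "c0ffee"   # its tracking cookie
    return [handle({"cookie": scanner, "path": p, "params": {}})[0]
            for p in ("/index.php", "/admin.php", "/index.php", "/products.php")]
```

scan_then_browse() returns [200, 200, 500, 500]: the probe itself is answered with the decoy page so the attacker learns nothing from the response, and every request after it is refused without the real code ever running.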
Intrusion Deception – Build or Buy?
• Junos WebApp Secure (Commercial)
  • Reverse proxy that introduces intrusion deception in front of the application
  • No code changes required, improves with each release
  • Drops in quickly, minimal configuration
  • Highly advanced tracking techniques, detection points and responses
• OWASP AppSensor (Open Source)
  • Specification and design (no code provided)
  • https://owasp.org/index.php/OWASP_AppSensor_Project
• Roll your own
  • Invent and integrate your own detection points and responses
  • More flexibility, tighter integration with the application

Intrusion Deception – Conclusion
• Download the slides after the presentation
  • http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow
• Information on Junos WebApp Secure (formerly Mykonos)
  • http://www.mykonossoftware.com
• Want to work on this type of stuff every day? Junos WebApp Secure is hiring! See me after the presentation for details
• Learn more at the Juniper RSA 2013 booth (#0000)
• Contact Information
  • Twitter: @kadams_sec
  • LinkedIn: https://www.linkedin.com/in/adamsk
Intrusion Deception – Extras: What else can you do?
• Anti-Spam Email Pollution
  • Put a hidden link on the page to "mailinglist.html" (a PHP script with an .html extension)
  • mailinglist.html is designed to display 100 random but believable email addresses
  • mailinglist.html also displays links to other aliases of "mailinglist.html"
• How does it work?
  1. An email-harvesting spider hits the site and sees the link to "mailinglist.html"
  2. The spider follows the link and downloads mailinglist.html
  3. The spider harvests the 100 fake email addresses
  4. The spider sees the links to other pages from mailinglist.html
  5. The spider follows the additional links
  6. Steps 1 to 5 repeat for every additional link
• The end result: the harvesting spider hits hundreds of fake pages containing fake email addresses, which effectively drowns out any real addresses it found on your actual site.
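The email-pollution page above, as an added example that is not the speaker's code. mailing_list_page() generates what a hypothetical mailinglist.html would return for a given path (100 plausible addresses plus links to further aliases), and crawl() plays the harvesting spider against it to show that the spider never runs out of pages. The secret, the name lists and the decoy domain are assumptions; the generator is seeded per path so a refetched page looks stable rather than obviously random.

```python
"""Anti-spam email pollution: decoy mailing-list pages a harvester cannot exhaust (added example)."""
import hashlib
import hmac
import random
import re
from typing import Tuple

SECRET = b"rotate-me"      # hypothetical per-site secret; seeds the per-path generator
FIRST = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
LAST = ["smith", "jones", "nguyen", "garcia", "mueller", "okafor", "silva", "kim"]
DOMAIN = "decoy.example"   # placeholder: use a domain YOU control so the spam lands on you


def hidden_link() -> str:
    """The bait on a real page: invisible to humans, followed by crawlers."""
    return '<a href="/mailinglist.html" style="display:none">mailing list</a>'


def page_seed(path: str) -> int:
    """Stable seed per path, keyed so the sequence cannot be predicted from the URL alone."""
    digest = hmac.new(SECRET, path.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def mailing_list_page(path: str = "/mailinglist.html", n_addrs: int = 100, n_links: int = 5) -> str:
    """HTML for one alias: n_addrs fake addresses and n_links links to further aliases."""
    rng = random.Random(page_seed(path))
    addrs = [f"{rng.choice(FIRST)}.{rng.choice(LAST)}{rng.randint(1, 99)}@{DOMAIN}"
             for _ in range(n_addrs)]
    links = [f"/mailinglist.html?l={rng.randrange(10 ** 6):06d}" for _ in range(n_links)]
    body = "\n".join(f'<li><a href="mailto:{a}">{a}</a></li>' for a in addrs)
    nav = "\n".join(f'<a href="{l}">more members</a>' for l in links)
    return f"<ul>\n{body}\n</ul>\n{nav}\n"


def crawl(start: str = "/mailinglist.html", budget: int = 20) -> Tuple[int, int, bool]:
    """Simulate a harvesting spider with a fixed fetch budget.

    Returns (pages fetched, unique addresses harvested, links still unvisited).
    """
    seen, queue, harvested = set(), [start], set()
    while queue and len(seen) < budget:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        html = mailing_list_page(path)
        harvested.update(re.findall(r'mailto:([^"]+)', html))
        queue.extend(re.findall(r'href="(/mailinglist\.html[^"]*)"', html))
    return len(seen), len(harvested), bool(queue)
```

Every fetched page yields five more, so the spider's budget, not the site, decides when harvesting stops, and the handful of real addresses on the site are buried among thousands of decoys. Because a human never sees the hidden link, a request for /mailinglist.html is itself a usable detection point for the event manager on the earlier slides.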