Application Intrusion Detection
Drew Miller, Black Hat Consulting

Application Intrusion Detection
• Introduction
• Mitigating Exposures
• Monitoring Exposures
• Response Times
• Proactive Risk Analysis
• Summary
Introduction
• What is Application Intrusion Detection?
• Why would I use Application Intrusion Detection?
• What about IDS (Intrusion Detection Systems)?
• Exposures
What is Application Intrusion Detection?
• You design the application
• You know the operating constraints
• Your code performs checks to maintain stability and functionality
• Why not add code that allows your application to “do something” when it is being attacked?
What is Application Intrusion Detection? (cont.)
• Design explicitly
• Failure cases are attacks
– Functional vs. Security
• Detect deviations
• Notify Personnel
Explicit Design
• User requests must be defined
• State machine determines when requests can be made and by whom
• Server defines data sizes
Failure Cases

```csharp
if (request.Length <= 32) {
    // within the size the client was designed to send: do the work
} else {
    // the client never sends more than 32 bytes, so this is a buffer
    // overflow attack in progress: reject it and raise a security event
}
```
Failure Cases (cont.)

```csharp
if (request == "Login") {
    // check the state machine: Login is only valid before the user is logged in
    if (user.LoggedIn) {
        // out-of-state request: race condition or logical attack in progress
    }
}
```
Failure Cases (cont.)
• Testing vs. Real World Deployment
– Bugs or Hacks
• Functional failures in an application during runtime in deployment are security flaws, not just functional flaws, and they should be treated as such!
Notification
• Monitoring system is notified when attack possibilities are detected
• Notify People
– Number of attempts
– Type of attempt
Why would I use Application Intrusion Detection?
• Detection
• Prevention
• Protection
Detection
• Will users forget passwords?
– Yes.
• Will the authentication system notify such failures and security events?
– Yes.
• Can the system be tuned to allow a certain deviation in authentication failures so that a single user doesn’t set off emergency alarms, but a brute force attack would?
– Yes.
Prevention
• The security event logs show that there is a massive amount of brute forcing of possible table indices for my web application. What does that mean?
• Verify that your authorization model doesn’t allow access to records that the user should not access. Detecting the attempts gives you time to add more defenses, such as hashing (index + magic value) table indices to negate index brute forcing completely.
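The two defenses named on this slide, an authorization check that holds even when a record reference leaks, and hashed table indices that make counting through indices useless, as one worked example. This is an added illustration in Python, not code from the talk or its author; the secret, the record table, the event shape and every function name are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret (the slide's "magic value"). A real deployment
# loads it from protected configuration and fails closed if it is missing.
SERVER_SECRET = b"constructed-example-secret"

# Constructed sample table: raw index -> (owning user, record payload)
RECORDS = {
    1: ("alice", "alice's invoice"),
    2: ("bob", "bob's invoice"),
    3: ("carol", "carol's invoice"),
}


def _tag(index: int, secret: bytes) -> str:
    """HMAC over (index + magic value), truncated to 64 bits for readability."""
    return hmac.new(secret, str(index).encode(), hashlib.sha256).hexdigest()[:16]


def protect_index(index: int, secret: bytes = SERVER_SECRET) -> str:
    """Issue the opaque reference 'index.tag' that the client echoes back.
    Without the secret a client cannot produce the tag for a neighbouring
    index, so counting through indices yields nothing."""
    return f"{index}.{_tag(index, secret)}"


def unprotect_index(ref: str, secret: bytes = SERVER_SECRET):
    """Return the raw index if ref carries a valid tag, otherwise None."""
    index_str, sep, tag = ref.partition(".")
    if not sep or not index_str.isdigit():
        return None
    index = int(index_str)
    if not hmac.compare_digest(tag, _tag(index, secret)):
        return None
    return index


def fetch_record(user: str, ref: str, events: list):
    """Resolve a reference on behalf of user. Each refusal is also a security
    event: a client built against this API never sends an invalid reference."""
    index = unprotect_index(ref)
    if index is None:
        events.append({"type": "forged_reference", "user": user, "ref": ref})
        return None
    record = RECORDS.get(index)
    if record is None:
        events.append({"type": "unknown_index", "user": user, "index": index})
        return None
    owner, payload = record
    if owner != user:
        # valid tag, wrong user: the authorization model must hold even when a
        # reference leaks, which is the check the slide asks you to verify
        events.append({"type": "authorization_failure", "user": user, "index": index})
        return None
    return payload


def enumeration_hits(user: str, max_index: int = 10):
    """(records reached, events raised) when a client counts through raw
    indices 1..max_index with a made-up tag. With hashed indices no record is
    reached and every attempt lands in the security event log."""
    events = []
    hits = sum(
        1 for i in range(1, max_index + 1)
        if fetch_record(user, f"{i}.0000000000000000", events) is not None
    )
    return hits, len(events)
```

The tag is truncated to 64 bits only to keep references short; the slide's point stands either way, because the authorization check in `fetch_record` is what protects the data, while the tag turns index guessing from a quiet read into a logged forgery event.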
Protection
• Where are you protected?
• Where are you not protected?
• Real time auditing information that is generated from your application helps determine how well you are protected and gives you functional and even legally binding data about what is going on.
What about IDS (Intrusion Detection Systems)?
• Application layer packet filtering?
• Application layer state management?
• IDS must see data to analyze… what if my data is encrypted (which it should be)?
• Application level intrusion detection cannot be duplicated successfully by a network IDS.
Exposures
• An exposure is a general term that refers to the knowledge a hacker has. It allows him or her to gain more information or use your system in ways that are not intended for that user.
– Buffer Overflows
– Injections
– Information Leakage
– Replay Attacks
– Session Hijacking
Mitigating Exposures
• These are exposures that we know we are stopping, and we should know that we stop them.
• Data Restrictions
– Buffer Overflows
– Injections
– Brute Forcing
• State
– Race Conditions
– Privilege Escalation
– Authorization
Data Restrictions
• Buffer Overflow Detection Demonstration
• A simple bounds checking routine will detect that a string is too large. If your client program was written to only allow the correct size, then someone is hacking your application.
Data Restrictions (cont.)
• Brute Forcing Detection Demonstration
• Never deny access for more than a few seconds, or else brute force attacks can be used to cause denial of service to your clients.
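The tuned authentication-failure monitoring from the Detection slide (one forgetful user does not page anyone, a brute force attack does) together with this slide's rule that a denial must last only a few seconds, as one worked example. It is an added illustration in Python and not the talk's demonstration code; the thresholds, window, hold time, the `login` routine, the credential table and the alert shapes are all constructed assumptions.

```python
from collections import deque


class AuthFailureMonitor:
    """Counts authentication failures per account and application-wide.

    Per account: per_account_threshold failures inside window_s puts the
    account on hold for hold_s (a few seconds), long enough to slow password
    guessing but too short for an attacker to lock real users out.
    Application-wide: global_threshold failures inside window_s is a pattern
    a forgetful user never produces, so it is escalated to people.
    Time is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, window_s=60, per_account_threshold=5, hold_s=3, global_threshold=50):
        self.window_s = window_s
        self.per_account_threshold = per_account_threshold
        self.hold_s = hold_s
        self.global_threshold = global_threshold
        self._per_account = {}      # account -> deque of failure times
        self._global = deque()      # failure times across all accounts
        self._hold_until = {}       # account -> time the hold expires
        self._last_global_alert = None
        self.alerts = []            # what the monitoring system receives

    def _prune(self, times, now):
        while times and times[0] <= now - self.window_s:
            times.popleft()

    def is_held(self, account, now):
        return self._hold_until.get(account, 0) > now

    def record_failure(self, account, now):
        times = self._per_account.setdefault(account, deque())
        times.append(now)
        self._global.append(now)
        self._prune(times, now)
        self._prune(self._global, now)
        if len(times) >= self.per_account_threshold:
            self._hold_until[account] = now + self.hold_s
            self.alerts.append({"type": "password_guessing", "severity": "notice",
                                "account": account, "attempts": len(times)})
        if len(self._global) >= self.global_threshold and (
                self._last_global_alert is None
                or now - self._last_global_alert >= self.window_s):
            self._last_global_alert = now
            self.alerts.append({"type": "brute_force", "severity": "page",
                                "attempts": len(self._global)})

    def record_success(self, account):
        self._per_account.pop(account, None)
        self._hold_until.pop(account, None)


def login(monitor, credentials, account, password, now):
    """Constructed login routine; credentials maps account -> password.
    (A real system compares password hashes; that part is not the point here.)"""
    if monitor.is_held(account, now):
        return "held"       # refused without counting, so a hold cannot feed itself
    if credentials.get(account) == password:
        monitor.record_success(account)
        return "ok"
    monitor.record_failure(account, now)
    return "denied"


def demo():
    """Three constructed scenarios: a forgetful user, repeated guessing against
    one account, and the same wrong password tried across fifty accounts."""
    creds = {"alice": "correct horse", "bob": "battery staple"}
    m = AuthFailureMonitor()
    forgetful = [login(m, creds, "alice", f"wrong{i}", now=i) for i in range(3)]
    forgetful.append(login(m, creds, "alice", "correct horse", now=3))
    guessing = [login(m, creds, "bob", f"guess{i}", now=10 + i) for i in range(6)]
    after_hold = login(m, creds, "bob", "guess", now=20)
    spread = [login(m, creds, f"user{i}", "Password1", now=100 + i * 0.1) for i in range(50)]
    return forgetful, guessing, after_hold, spread, m.alerts
```

The two thresholds answer the slide's three questions in order: failures are always recorded, a single account's failures only produce a short hold and a low-severity notice carrying the attempt count and type, and only the application-wide rate pages a person.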
State
• Out-of-State User Request Demonstration
• Authorization models can be implemented with state machines to control who may access specific resources.
State (cont.)
• Authorization Failure Demonstration
• When users fail authorization checks, it makes you wonder if the application should even allow the user to make the request…
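The Explicit Design, Failure Cases and State slides describe one mechanism: a catalogue of defined requests, a state machine that says when each may be made and by whom, and server-defined data sizes, with every deviation treated as a security event rather than a functional error. The following is an added Python illustration of that mechanism, not the talk's demonstration code; the request catalogue, the user table, the two session states and the event names are constructed for the example.

```python
from enum import Enum


class State(Enum):
    ANONYMOUS = "anonymous"
    AUTHENTICATED = "authenticated"


# Constructed user table: username -> role assigned at login
USERS = {b"alice": "user", b"root": "admin"}

# The request catalogue is the explicit design. For each request name:
#   states in which it may be made, roles allowed to make it (None = any),
#   the largest payload the client was built to send, and the state afterwards.
REQUESTS = {
    "Login":      ({State.ANONYMOUS},     None,              32, State.AUTHENTICATED),
    "ViewRecord": ({State.AUTHENTICATED}, {"user", "admin"}, 16, None),
    "DeleteUser": ({State.AUTHENTICATED}, {"admin"},         16, None),
    "Logout":     ({State.AUTHENTICATED}, {"user", "admin"},  0, State.ANONYMOUS),
}


class Session:
    def __init__(self):
        self.state = State.ANONYMOUS
        self.role = None
        self.events = []   # security events handed to the monitoring system

    def _event(self, kind, request, **detail):
        self.events.append({"type": kind, "request": request,
                            "state": self.state.value, "role": self.role, **detail})
        return None

    def handle(self, request, payload=b""):
        spec = REQUESTS.get(request)
        if spec is None:
            # the client was built from the same catalogue, so an unknown
            # request name is not a typo: someone is probing the protocol
            return self._event("undefined_request", request)
        states, roles, max_bytes, next_state = spec
        if len(payload) > max_bytes:
            # the server defines the data sizes; exceeding them is the slides'
            # "buffer overflow attack in progress" case, caught before any work
            return self._event("oversized_request", request,
                               size=len(payload), limit=max_bytes)
        if self.state not in states:
            # e.g. a second Login while logged in: race condition or logical attack
            return self._event("out_of_state", request)
        if roles is not None and self.role not in roles:
            return self._event("authorization_failure", request)
        if request == "Login":
            role = USERS.get(payload)
            if role is None:
                # a wrong credential is counted, not alarmed: users forget passwords
                return self._event("authentication_failure", request)
            self.role = role
        if next_state is not None:
            self.state = next_state
        return f"{request} ok"
```

Because the checks run in a fixed order (is it a request at all, is it the right size, is it allowed now, is it allowed for this role), each event type tells the on-duty reader exactly which part of the design the client violated, which is the "type of attempt" the Notification slide asks for.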
Monitoring Exposures
• These are exposures that we know we cannot stop, which makes it more important to know when they occur
• Local Protection (Modification Detection)
– Log Files
– Secrets
– User Databases
Log Files
• Created during deployment
• Recreated immediately after backup
• Log files should always exist
• Applications should always append data and never overwrite data
Log Files (cont.)
• Log Files Demonstration
• Can’t be modified without detection. Allow for non-repudiation in legal cases. Can help forensics when and if a system is exploited by a hacker.
Secrets
• If a secret can’t be found, fail closed instead of failing open.
• This is purposefully causing yourself denial of service. Is that better than allowing hackers to have a free-for-all with your network application?
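The Log Files slides (append-only, cannot be modified without detection, should always exist) and the Secrets slide (fail closed when a secret is missing) share one worked example below: an audit log whose lines are chained with an HMAC under a key, and a start-up path that refuses to run without that key. This is an added Python illustration, not the talk's demonstration; the in-memory line list standing in for the file, the dict standing in for the secret store, the key name and the event records are constructed assumptions.

```python
import hashlib
import hmac
import json


class SecretMissing(Exception):
    """Raised when a required secret cannot be found."""


def get_secret(store: dict, name: str) -> bytes:
    """Fail closed: a missing secret stops the application instead of letting
    it run unkeyed. `store` stands in for the real secret source (a protected
    file, a vault); here it is a constructed dict."""
    try:
        return store[name]
    except KeyError:
        raise SecretMissing(f"secret {name!r} not found; refusing to start") from None


class AuditLog:
    """Append-only log in which each line carries HMAC(key, previous_mac || record).
    Editing, deleting or reordering any line breaks the chain at that point; the
    tail MAC, kept with the monitoring system, also exposes truncation or a log
    that was silently recreated empty."""

    GENESIS = "0" * 64   # chain anchor for the first entry

    def __init__(self, key: bytes):
        self.key = key
        self.lines = []   # stands in for the file, which is only ever opened for append

    def _mac(self, prev_mac: str, record: str) -> str:
        return hmac.new(self.key, (prev_mac + record).encode(), hashlib.sha256).hexdigest()

    def tail(self) -> str:
        """MAC of the last line; store it outside the log after every append."""
        return self.lines[-1].rsplit(" ", 1)[1] if self.lines else self.GENESIS

    def append(self, event: dict) -> None:
        record = json.dumps(event, sort_keys=True)   # one line, no newlines
        self.lines.append(f"{record} {self._mac(self.tail(), record)}")

    def verify(self, expected_tail: str = None):
        """Return (True, None) if the chain is intact, else (False, index) where
        index is the first line that does not fit (len(lines) for truncation)."""
        prev = self.GENESIS
        for i, line in enumerate(self.lines):
            record, _, mac = line.rpartition(" ")
            if not hmac.compare_digest(mac, self._mac(prev, record)):
                return False, i
            prev = mac
        if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
            return False, len(self.lines)
        return True, None


def open_audit_log(secret_store: dict) -> AuditLog:
    """Application start-up: no log key, no application."""
    return AuditLog(get_secret(secret_store, "audit-log-key"))
```

The chain alone detects edits, deletions and reordering; the separately stored tail is what turns "log files should always exist" into a check, because an empty or shortened log verifies cleanly on its own but not against the tail the monitoring system last saw.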
User Databases
• Vulnerability
– A missing user database means free access?
• Solution
– Back up as often as performance allows when you are sure the system is clean. Deploy an old backup to restore missing files deleted by a hacker. Don’t allow access to the application without authentication and authorization in place, even in such extreme situations as a worm or virus infecting your deployment system.
User Databases (cont.)
• User Database Demonstration
• System Administrator vs. Application System Administrator
• Backups and Deployment
Response Times
• Time to Hack vs. Time to Detect
• People
– Pager Notification
– Email Notification
– On Duty Security Personnel
• Authorities
– FBI, etc.
• Third-Party Vendors
– Credit Card Companies
Proactive Risk Analysis
• The Business Decision
– We will take the risk to deploy with a known vulnerability.
• Is detection as cheap as mitigation?
• Historical Data
– Limited budgets, resources and/or performance limit security infrastructure. Use historical data to monitor or mitigate your most vulnerable areas.
Summary
• Plan for exposure mitigation and monitoring
• Build common data, error handling, and auditing routines.
• Determine which exposures, when accessed by hackers, should notify real people immediately.
• Build a response process to secure forensic data and restore the application to a known secure and working state after hackers attempt to break in.