OWASP Cambridge Talk - Application Honeypot Threat ...
Bio – Adrian Winckles
• Director of Cyber Security, Networking & Big Data Research Group, Anglia Ruskin University, Cambridge.
• OWASP Activities
  – OWASP Cambridge Chapter Leader
  – OWASP Europe Board Member
  – Project Leader – OWASP Web Honeypot Project
  – Project Leader – OWASP Application Security Curriculum Project
• Chair, Cambridge Cluster of the UK Cyber Security Forum.
• Vice Chair of the BCS Cyber Forensics Special Interest Group.
Introduction to Honeypots
• A computer system set up to detect or lure attacks.
• Honeypot types:
  – Production (detect)
  – Research (lure)
• Honeypot interaction types:
  – Low – emulated services, limited to no emulated login capability (low risk).
  – Medium – emulated services, emulated login, emulated commands.
  – High – actual services, system logins, and commands (very risky).
Introduction to Honeypots (cont'd)
• A production honeypot has no legitimate business purpose and should never see any traffic, unless...
  – Something is misconfigured on the network
  – Someone is malicious on the network
• Honeypot logs are low volume and high value
Why OWASP Web Honeypots (Part 1)?
• Sector focus is on HTTP(S) today
• According to CAIDA (Center for Applied Internet Data Analysis), web is ~85% of total internet traffic.
• 92% of vulnerabilities now in the application (NIST/Gartner)
Why Web Honeypots?
Why OWASP Web Honeypots (Part 2)?
• Focus is on HTTP(S) today
• According to CAIDA (Center for Applied Internet Data Analysis), web is ~85% of total internet traffic.
• 92% of vulnerabilities now in the application (NIST/Gartner)
• Web architecture is complicated
• It also means complicated attacks are acceptable
• Attacks that will only work on 0.01% of users are valuable
The Web is Complicated
Why OWASP Web Honeypots (Part 3)?
• Focus is on HTTP(S) today
• Special care needs to be taken here
• According to CAIDA (Center for Applied Internet Data Analysis), web is ~85% of total internet traffic
• As a result web architecture is complicated
• It also means complicated attacks are acceptable
• Attacks that will only work on 0.01% of users are valuable
• Diversity of attacks is high as well (number of variations)
  – Attacker on server / Attacker on client
  – Attacker on client via server
  – Attacker on server via server
  – Attacker on intermediary
What do we want to capture?
• Think about using existing tools so that you can catch automated web attack tools that are scanning IP network ranges looking for web ports.
• Instead of developing and deploying an entirely new honeypot web server or application, we can easily reuse the existing legitimate web server platforms organisations are already running.
Consider the WAF - Web Application Firewall
• WAFs come in multiple different forms
The WAF as a Honeypot or Probe?
• WAFs come in multiple different forms
• Can be placed in several places on the network
  – Inline
  – Out-of-line
  – Load balancer mirror port
  – On the web server
• Different technologies
  – Signatures
  – Heuristics
• Often driven by PCI requirements, as it's an approved security control
• What is the difference between an IDS versus a WAF?
ModSecurity - An Open Source Web Application Firewall
• Probably the most popular WAF
  – Designed in 2002
  – Currently on version 2.9.1 with version 3.0 in the works
• Designed to be open and supports the OWASP Core Rule Set
  – First developed in 2009
  – An OWASP project meant to provide free generic rules to ModSecurity users
  – CRS v3.0 now deployed
ModSecurity's Apache Request Cycle Hooks
What is the OWASP Core Rule Set (CRS)?
• A generic, plug-n-play set of WAF rules
• Choose your mode of operation
  – Standard vs. Anomaly Scoring
• Detection Categories:
  – Protocol Validation
  – Malicious Client Identification
  – Generic Attack Signatures
  – Known Vulnerabilities Signatures
  – Trojan/Backdoor Access
  – Outbound Data Leakage
  – Anti-Virus and DoS utility scripts
CRS Traditional Detection Mode – Birth of a Honeypot Probe
• IDS/IPS mode with "self-contained" rules
• Like HTTP itself – the rules are stateless
  – No intelligence is shared between rules
  – If a rule triggers, it will execute a disruptive/logging action
• Easier for the new user to understand
• Not optimal from a rules management perspective (handling false positives/exceptions)
• Not optimal from a security perspective
  – Not every site has the same risk tolerance
  – Lower severity alerts are largely ignored
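The difference between the two modes above, as an added example (not code from the talk or from the CRS project): the same rule hits on one request are evaluated first the traditional way, where each rule acts alone and only the severities the operator made disruptive do anything, and then the anomaly-scoring way, where every hit adds to a per-transaction score and one evaluation rule compares the total to a threshold. The severity weights and the inbound threshold of 5 are the CRS v3 defaults; the rule ids and messages are constructed for illustration and are not real CRS rule ids.

```python
from dataclasses import dataclass

# CRS v3 default severity weights and inbound threshold (from crs-setup.conf).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5


@dataclass(frozen=True)
class Match:
    """One rule hit on a request, as an audit-log Part H 'Message:' line reports it."""
    rule_id: str
    severity: str
    msg: str


def traditional_mode(matches, disruptive=("CRITICAL", "ERROR")):
    """Traditional (self-contained) mode: every rule decides for itself.

    'disruptive' is the set of severities the operator made blocking; any other
    hit only logs. No state is shared between rules, so several WARNINGs on the
    same request never add up to anything."""
    blocked_by = [m.rule_id for m in matches if m.severity in disruptive]
    logged_only = [m.rule_id for m in matches if m.severity not in disruptive]
    return {"blocked": bool(blocked_by), "blocked_by": blocked_by, "logged_only": logged_only}


def anomaly_mode(matches, threshold=INBOUND_THRESHOLD):
    """Anomaly-scoring mode: hits only add to a per-transaction score; one
    evaluation rule at the end of the request phase compares it to the threshold."""
    score = sum(SEVERITY_SCORE[m.severity] for m in matches)
    return {"blocked": score >= threshold, "score": score, "threshold": threshold,
            "contributing": [m.rule_id for m in matches]}


def compare(matches):
    """Run the same hits through both modes so the difference is visible side by side."""
    return {"traditional": traditional_mode(matches), "anomaly": anomaly_mode(matches)}


# Constructed samples; the ids and messages are illustrative, not real CRS rule ids.
THREE_WARNINGS = [
    Match("100001", "WARNING", "Unusual User-Agent string"),
    Match("100002", "WARNING", "Path traversal fragment in URI"),
    Match("100003", "WARNING", "Encoded meta-character in query string"),
]
ONE_CRITICAL = [Match("100010", "CRITICAL", "SQL injection pattern in ARGS")]
ONE_NOTICE = [Match("100020", "NOTICE", "Missing Accept header")]

if __name__ == "__main__":
    for name, hits in (("three warnings", THREE_WARNINGS), ("one critical", ONE_CRITICAL),
                       ("one notice", ONE_NOTICE)):
        print(name, compare(hits))
```

Three WARNING-level hits are each ignored in traditional mode but sum to 9 in anomaly mode and cross the threshold, which is the "lower severity alerts are largely ignored" point made above. On a honeypot probe the engine runs in DetectionOnly mode, so nothing is blocked in either mode; the score is still the quickest triage key for the analyst reading the relayed logs.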
Event Logging - Standard vs. Correlated Events
• Standard mode
  – Rules log event data to both the Apache error_log and the ModSecurity audit log
  – Audit log can be relayed using mlogc (http/json)
• Correlated mode
  – Basic rules are considered reference events and do not directly log to the Apache error_log
  – Correlation rules in the logging phase analyze inbound/outbound events and generate special events
  – modsecurity_crs_60_correlation.conf
ModSecurity Log Collector (mlogc) – Event Logging
Project Aims & Objectives
• The OWASP Honeypot Project provides:
  – Real-time, detailed Web Application Attack Data
  – Threat Reports to the community
• What do we need?
  – Volunteers to run honeypots/probes in their network
  – Contributors to the project
Project Architecture (diagram). Labels: Attacker → Inbound Attack for Target Site (payload: 1=1/../../, Session ID = UX8serwderakvcx, Script%23%.asp, Hacker.exe123) → WASC Honeypot Sensor; ModSecurity inspects the HTTP payload and identifies it as an attack; Honeypot sends 200 status code; mlogc json/http log → Central Logging Host / ModSecurity Management Appliance → WASC Analyst; Normal web comms → Target Site.
Project Test Bed (diagram). Labels: Attacker (automated web attacks using OWASP ZAP) → VM-based WAF probes (three WASC Honeypot Sensors) → mlogc HTTP audit log data → Audit Console (Apache web server); audit data passed to PHP script and logged to MySQL.
Distributed Probes Model
Ongoing & Future Work
• Set up a Proof of Concept to understand how a ModSecurity-based Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes). DONE
• Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in ModSecurity AuditConsole, WAF-FLE, Fluent and bespoke scripts for single and multiple probes. Ongoing
• Develop a mechanism to convert from stored MySQL to JSON format.
• Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.
• Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.
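One way to do the audit-log-to-JSON and ELK conversions listed above, as an added example rather than the project's own tooling: a parser for the ModSecurity 2.x native (serial) audit-log format that mlogc ships, emitting one JSON document per transaction, which is the shape Logstash's json_lines codec ingests. The audit entry embedded below is constructed (documentation-range addresses, an invented unique id and boundary); its two Message lines are modelled on CRS v3's libinjection SQLi and scanner-detection rules. Only parts A, B, F, H and Z are read, matching what `SecAuditLogParts ABFHZ` would produce; request and response bodies (parts C and E) are ignored here.

```python
import json
import re

# ModSecurity 2.x serial audit log: parts delimited by "--<boundary>-<letter>--" lines;
# A = transaction header, B = request headers, F = response headers, H = audit trailer
# (one "Message:" line per rule hit), Z = end of entry.
PART_BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) "
                    r"(?P<dst_ip>\S+) (?P<dst_port>\d+)$")
BRACKET_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"], value may hold \"

def split_parts(entry):
    """Return (boundary, {part letter: text}) for one audit-log entry."""
    boundary, current, buf, parts = None, None, [], {}
    for line in entry.splitlines():
        m = PART_BOUNDARY.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip()
            boundary, current, buf = m.group(1), m.group(2), []
        else:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip()
    return boundary, parts

def parse_request(part_b):
    """Part B: request line, then headers (names lower-cased) up to the blank line."""
    lines = part_b.splitlines()
    method, _, rest = (lines[0] if lines else "").partition(" ")
    uri, _, protocol = rest.rpartition(" ")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "protocol": protocol, "headers": headers}

def parse_messages(part_h):
    """Part H: each 'Message:' line becomes a dict of its [key "value"] fields; tags repeat."""
    messages = []
    for line in part_h.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = {"tags": []}
        for key, value in BRACKET_KV.findall(line):
            if key == "tag":
                fields["tags"].append(value)
            else:
                fields[key] = value
        messages.append(fields)
    return messages

def audit_entry_to_json(entry):
    """Flatten one entry into a JSON-serialisable dict for Logstash/Elasticsearch."""
    boundary, parts = split_parts(entry)
    a = PART_A.match(parts.get("A", ""))
    if not a:
        raise ValueError("Part A (transaction header) missing or malformed")
    status = re.match(r"HTTP/\d\.\d (\d{3})", parts.get("F", ""))
    engine = re.search(r'^Engine-Mode: "([^"]+)"', parts.get("H", ""), re.M)
    messages = parse_messages(parts.get("H", ""))
    return {
        "boundary": boundary, "timestamp": a["ts"], "unique_id": a["uid"],
        "src_ip": a["src_ip"], "src_port": int(a["src_port"]),
        "dst_ip": a["dst_ip"], "dst_port": int(a["dst_port"]),
        "request": parse_request(parts.get("B", "")),
        "response_status": int(status.group(1)) if status else None,
        "engine_mode": engine.group(1) if engine else None,
        "rule_ids": [m["id"] for m in messages if "id" in m],
        "messages": messages,
    }

def audit_log_to_jsonl(text):
    """Split a serial log holding several entries; emit one JSON line per entry."""
    docs, buf = [], []
    for line in text.splitlines():
        buf.append(line)
        m = PART_BOUNDARY.match(line)
        if m and m.group(2) == "Z":
            docs.append(json.dumps(audit_entry_to_json("\n".join(buf))))
            buf = []
    return docs

# Constructed sample entry: a scanner's SQLi probe against a sensor in DetectionOnly mode.
SAMPLE_ENTRY = """\
--8f7b4a2c-A--
[21/Jan/2022:10:15:32 +0000] Yel8aBqD4HAAABcMKaQAAAAB 198.51.100.23 51234 203.0.113.10 80
--8f7b4a2c-B--
GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1
Host: honeypot.example.net
User-Agent: sqlmap/1.5
--8f7b4a2c-F--
HTTP/1.1 200 OK
--8f7b4a2c-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1o' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1o found within ARGS:id: 1' OR 1=1--"] [severity "CRITICAL"] [tag "attack-sqli"] [tag "OWASP_CRS"]
Message: Warning. Found User-Agent associated with security scanner [file "REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"] [tag "attack-reputation-scanner"]
Engine-Mode: "DETECTION_ONLY"
--8f7b4a2c-Z--
"""
```

Feed `audit_log_to_jsonl` the contents of the serial audit log (or of the per-transaction files mlogc keeps under its LogStorageDir) and write each returned line to a file that Logstash tails with the json_lines codec; `rule_ids`, `src_ip` and `engine_mode` then become the fields to chart in Kibana. The `engine_mode` value is worth keeping: it documents that the sensor was in DetectionOnly mode, which is why the attacker received the 200 shown in the architecture diagram.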
Ongoing & Future Work (cont'd)
• Provide a mechanism to forward honeypot output into a threat intelligence format such as STIX using something like the MISP project (https://www.misp-project.org) to share threat data coming from the honeypots, making it easy to export/import data from formats such as STIX and TAXII. May require use of concurrent logs in a format that MISP can deal with.
• Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.
• Develop a new VM based honeypot/probe based on CRS v3.0.
• Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.
• Develop a machine learning approach to automatically update the rule set being used by the probe based on cyber threat intelligence received.
Any Questions?