Intrusion Deception Kyle Adams – Chief Software Architect for


Intrusion Deception
Kyle Adams – Chief Software Architect for Junos WebApp Secure
Sorry Your Princess is in Another Castle: Intrusion Deception to Protect the Web
Intrusion Deception: Overview
• What is it?
– Exploit attacker psychology and attack economics
– Extensions of traditional honey pot techniques
• Why do it?
– Detect advanced hackers before they breach (even some zero-day attacks)
– Waste attackers' time
– Decrease ROI of attacks
– More effective than just blocking known attack vectors
• What do you need?
– Tracking technique (Cookies, IP)
– Event management API
– Detection points
– Active counter responses
Intrusion Deception: How does it work?
[Diagram: the Attacker sends a Malicious HTTP Request to the Web Server; the Web Server calls getEvents() on the Event Manager and gets <no events>, executes the request, calls logEvent(), and returns the HTTP Response to the Attacker]
• Step 1) Detecting Attackers:
– Attacker issues attack to server
– Server checks event manager for past events
– No events, so server executes the request
– Server detects request as attack and logs event
– Server returns response for original request
Intrusion Deception: How does it work?
[Diagram: the Attacker sends Any HTTP Request to the Web Server; the Web Server calls getEvents() on the Event Manager, gets HAS EVENTS!, alters the request and response, and returns the altered HTTP Response to the Attacker]
• Step 2) Stopping Detected Attackers:
– Attacker issues any request to server
– Server checks event manager for past events
– It has events, so alter the request
– Server executes altered request
– It has events, so alter the response
– Server returns altered response
Intrusion Deception: Tracking Technique
• Attributing requests to an attacker
– HTTP protocol is stateless
• You can't tell if requests are issued by the same person
– Achieve state with a combination of
• Cookies
• IP Address
• User-Agent
• Be creative, there are less obvious ways ;)
• State is still limited
– Attacker can change cookies, IP and user-agents
Intrusion Deception: Event Management API
• Keeps track of detected attacks
– Who issued an attack (based on tracking)
– What was the attack
• Simple Event Management API
– getEvents(<tracking info>) :event[]
• Get all events for a given user
– logEvent(<tracking info>, <event>) :void
• Record a new event for a given user
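The two slides above (tracking technique and event management API) sketch the contract but show no implementation. The following is an added example, not code from the talk or from Junos WebApp Secure: a small EventAPI class that derives tracking keys from the cookie, IP and User-Agent and stores events in a JSON file. The store path, the cookie name and the sample request values are assumptions.

```php
<?php
// Added example (not from the slides): a minimal Event Management API in PHP
// implementing getEvents()/logEvent() over cookie + IP + User-Agent tracking.
// The store path, cookie name and sample request values below are assumptions.
declare(strict_types=1);

final class EventAPI
{
    private const STORE       = '/tmp/intrusion-events.json'; // assumed location
    private const COOKIE_NAME = 'sid';                        // assumed cookie

    // Derive tracking keys. The cookie is the primary identifier; IP + User-Agent
    // is a secondary key so an attacker who drops the cookie is still correlated
    // while they keep the same source address and client.
    public static function trackingKeys(?string $cookie, string $ip, string $ua): array
    {
        $keys = [];
        if ($cookie !== null && $cookie !== '') {
            $keys[] = 'cookie:' . hash('sha256', $cookie);
        }
        $keys[] = 'ipua:' . hash('sha256', $ip . '|' . $ua);
        return $keys;
    }

    // Issue the tracking cookie on first contact so later requests correlate.
    public static function ensureCookie(): string
    {
        if (isset($_COOKIE[self::COOKIE_NAME])) {
            return (string) $_COOKIE[self::COOKIE_NAME];
        }
        $value = bin2hex(random_bytes(16));
        setcookie(self::COOKIE_NAME, $value, ['httponly' => true, 'samesite' => 'Lax']);
        return $value;
    }

    // logEvent(<tracking info>, <event>) :void -- written under every key.
    public static function logEvent(?string $cookie, string $ip, string $ua, string $event): void
    {
        $fh = fopen(self::STORE, 'c+');           // create if missing, no truncation
        flock($fh, LOCK_EX);
        $data = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];
        $record = ['id' => bin2hex(random_bytes(6)), 'time' => time(),
                   'event' => $event, 'ip' => $ip];
        foreach (self::trackingKeys($cookie, $ip, $ua) as $key) {
            $data[$key][] = $record;
        }
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($data));
        flock($fh, LOCK_UN);
        fclose($fh);
    }

    // getEvents(<tracking info>) :event[] -- union over all keys, de-duplicated.
    public static function getEvents(?string $cookie, string $ip, string $ua): array
    {
        if (!is_file(self::STORE)) {
            return [];
        }
        $data = json_decode((string) file_get_contents(self::STORE), true) ?: [];
        $events = [];
        foreach (self::trackingKeys($cookie, $ip, $ua) as $key) {
            foreach ($data[$key] ?? [] as $e) {
                $events[$e['id']] = $e;           // same record under two keys counts once
            }
        }
        return array_values($events);
    }
}

// Usage at the top of a page (fallback values are constructed for offline runs):
$cookie = EventAPI::ensureCookie();
$ip     = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.10';
$ua     = $_SERVER['HTTP_USER_AGENT'] ?? 'constructed-agent/1.0';
// EventAPI::logEvent($cookie, $ip, $ua, 'Manipulated Hidden Input');
// $events = EventAPI::getEvents($cookie, $ip, $ua);
```

Because every event is written under both the cookie key and the IP/User-Agent key, a request that arrives with a fresh cookie but the same address and client still returns the earlier events, which is the partial-state point the tracking slide makes.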
Intrusion Deception: Detection Points
• Add a fake attack surface to the website
– Fake inputs
– Legitimate validated inputs
– Fake files
– Fake configuration
• Fake code is cleanly blended with real code
– Unlike traditional honeypot servers or services
• Activity on fake attack surface
– Guaranteed malicious
– Send info to event management API
Intrusion Deception: Detection Points: Fake Inputs
• Forms
<form method="POST" action="search.php">
<input type="hidden" name="product" value="435">
<input type="hidden" name="filter" value="^[a-zA-Z0-9-_ ]+$">
<input type="text" name="query">
<input type="submit" value="Search">
</form>
• URLs
<a href="rateProduct.php?prodId=435&rating=4&limitPerUser=1">Rate: 4 Stars</a>
• Detection
<?php
// $cookie, $ip and $ua come from the tracking technique. The hidden field and
// the query parameter are never used by the real code, so any value other than
// the one we emitted means the client tampered with it.
if (($_POST["filter"] ?? null) !== "^[a-zA-Z0-9-_ ]+$")
    EventAPI::logEvent($cookie, $ip, $ua, "Manipulated Hidden Input");
if (($_GET["limitPerUser"] ?? null) !== "1")
    EventAPI::logEvent($cookie, $ip, $ua, "Manipulated Query Parameter");
// ... REST OF YOUR WEBSITE CODE ...
Intrusion Deception: Detection Points: Validated Inputs
• Forms
<script>
function validate() {
return (/^[0-9]+$/.test(document.getElementById('prodid').value));
}
</script>
<form method="POST" action="search.php" onsubmit="return validate()">
<input type="hidden" name="product" id="prodid" value="435">
<input type="text" name="query" id="query">
<input type="submit" value="Search">
</form>
• Detection
<?php
// A browser running the form can't submit a non-numeric product, because
// validate() blocks it; a value that fails the same rule server-side was
// therefore sent by a tool, not by the form.
if (preg_match("/^[0-9]+$/", $_POST["product"] ?? "") !== 1)
    EventAPI::logEvent($cookie, $ip, $ua, "Invalid Product Value");
// ... REST OF YOUR WEBSITE CODE ...
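The fake-input and validated-input slides each show one check. The following is an added example, not code from the talk: a single detection include that applies both kinds of check from one table, so adding a new honeytoken field or server-side rule is a one-line change. The EventAPI here is an in-memory stand-in for the real event manager, and the field names and sample requests are constructed.

```php
<?php
// Added example (not from the slides): table-driven detection for honeytoken
// fields and server-side copies of client-side validation rules. EventAPI is
// an in-memory stand-in; field names and sample requests are constructed.
declare(strict_types=1);

final class EventAPI
{
    public static array $events = [];
    public static function logEvent(string $cookie, string $ip, string $ua, string $event): void
    {
        self::$events[] = ['who' => "$cookie|$ip|$ua", 'event' => $event];
    }
}

// Honeytokens: the exact values the real form and link carry. The application
// never reads them, so a different value can only come from client tampering.
const HONEYTOKENS = [
    'POST' => ['filter'       => '^[a-zA-Z0-9-_ ]+$'],
    'GET'  => ['limitPerUser' => '1'],
];

// Server-side copies of rules the page also enforces in JavaScript. A browser
// submitting the real form cannot violate these; a tool can.
const SERVER_RULES = [
    'product' => '/^[0-9]+$/',
];

// Returns the events raised for one request and logs each of them.
// Fields are only checked when present, so the include is safe on pages
// that do not carry the form (a missing field is the page's concern, not ours).
function detectInputs(array $post, array $get, string $cookie, string $ip, string $ua): array
{
    $raised = [];
    foreach (HONEYTOKENS['POST'] as $name => $expected) {
        if (array_key_exists($name, $post) && $post[$name] !== $expected) {
            $raised[] = "Manipulated Hidden Input: $name";
        }
    }
    foreach (HONEYTOKENS['GET'] as $name => $expected) {
        if (array_key_exists($name, $get) && $get[$name] !== $expected) {
            $raised[] = "Manipulated Query Parameter: $name";
        }
    }
    foreach (SERVER_RULES as $name => $regex) {
        if (array_key_exists($name, $post) && preg_match($regex, (string) $post[$name]) !== 1) {
            $raised[] = "Invalid Value: $name";
        }
    }
    foreach ($raised as $event) {
        EventAPI::logEvent($cookie, $ip, $ua, $event);
    }
    return $raised;
}

// Constructed requests: one as a browser would send it, one edited by a tool.
$normal   = detectInputs(['product' => '435', 'filter' => '^[a-zA-Z0-9-_ ]+$', 'query' => 'shoes'],
                         ['limitPerUser' => '1'], 'c1', '203.0.113.10', 'agent');
$tampered = detectInputs(['product' => '435x', 'filter' => '.*', 'query' => 'shoes'],
                         ['limitPerUser' => '0'], 'c2', '203.0.113.11', 'agent');
assert($normal === []);          // nothing logged for the honest request
assert(count($tampered) === 3);  // one event per altered field
// In a page: detectInputs($_POST, $_GET, $cookie, $ip, $ua); ... rest of your website code ...
```

Strict comparison (`!==`) matters here: PHP's loose `!=` would treat the hidden value "1" and a submitted "01" or "1.0" as equal and miss the manipulation.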
Intrusion Deception: Detection Points: Fake Files
• Create /admin.php
• Create /config.php
• Create /login.php
• Be creative, you can do this for a lot of files
• Detection
<?php
EventAPI::logEvent($cookie, $ip, $ua, "Accessed: " . $_SERVER['REQUEST_URI']);
// ... RETURN FAKE CONTENT (login page, or whatever you're pretending to be) ...
Intrusion Deception: Detection Points: Fake Configuration
• Fake disallow directory in robots.txt
Sitemap: http://bsideswww.securitybsides.com/sitemap.xml
User-agent: *
Disallow: /session/
Disallow: /settings/
Disallow: /wikiadmin/
Disallow: /browse/
Disallow: /w/browse/
Disallow: /layout/
…
• Detection (/wikiadmin/index.php)
<?php
EventAPI::logEvent($cookie, $ip, $ua, "Disallow Directory Accessed");
// ... RETURN 403 ERROR ...
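The fake-file and fake-configuration slides put one script behind each decoy path. The following is an added example, not code from the talk: one registry of decoy paths that both emits the robots.txt Disallow lines and serves every decoy, so the advertised paths and the detection code cannot drift apart. It assumes the web server routes the listed paths to this script (for example through rewrite rules); the paths, fake bodies and the in-memory EventAPI stand-in are constructed.

```php
<?php
// Added example (not from the slides): one decoy registry drives robots.txt
// and serves the decoys. Assumes the web server routes these paths here;
// paths, bodies and the in-memory EventAPI stand-in are constructed.
declare(strict_types=1);

final class EventAPI
{
    public static array $events = [];
    public static function logEvent(string $cookie, string $ip, string $ua, string $event): void
    {
        self::$events[] = ['who' => "$cookie|$ip|$ua", 'event' => $event];
    }
}

// Each decoy: response status, whether robots.txt advertises it, and which
// fake body to return. None of these paths exist in the real application.
const DECOYS = [
    '/admin.php'  => ['status' => 200, 'robots' => false, 'body' => 'login'],
    '/login.php'  => ['status' => 200, 'robots' => false, 'body' => 'login'],
    '/config.php' => ['status' => 200, 'robots' => false, 'body' => 'blank'],
    '/wikiadmin/' => ['status' => 403, 'robots' => true,  'body' => 'forbidden'],
    '/settings/'  => ['status' => 403, 'robots' => true,  'body' => 'forbidden'],
];

// robots.txt generated from the registry, so a Disallow entry always has a
// decoy behind it that logs the visit.
function robotsTxt(string $sitemapUrl): string
{
    $lines = ["Sitemap: $sitemapUrl", 'User-agent: *'];
    foreach (DECOYS as $path => $d) {
        if ($d['robots']) {
            $lines[] = "Disallow: $path";
        }
    }
    return implode("\n", $lines) . "\n";
}

// Match a request path to a decoy; directory decoys match anything beneath them.
function matchDecoy(string $uri): ?string
{
    $path = parse_url($uri, PHP_URL_PATH) ?? '/';
    foreach (DECOYS as $decoy => $_) {
        if ($path === $decoy || (substr($decoy, -1) === '/' && strpos($path, $decoy) === 0)) {
            return $decoy;
        }
    }
    return null;
}

// Log first, then build the fake response. Returns [status, body].
function serveDecoy(string $uri, string $cookie, string $ip, string $ua): array
{
    $decoy = matchDecoy($uri);
    if ($decoy === null) {
        return [404, 'Not Found'];
    }
    EventAPI::logEvent($cookie, $ip, $ua, 'Accessed: ' . $uri);
    $bodies = [
        'login'     => '<form method="POST"><input name="user"><input type="password" name="pass">'
                     . '<input type="submit" value="Log in"></form>',
        'blank'     => '',
        'forbidden' => '<h1>403 Forbidden</h1>',
    ];
    $d = DECOYS[$decoy];
    return [$d['status'], $bodies[$d['body']]];
}

// Constructed requests; in production pass $_SERVER['REQUEST_URI'] and the tracking values.
[$status, $body] = serveDecoy('/wikiadmin/index.php', 'c9', '203.0.113.12', 'scanner/1.0');
assert($status === 403 && count(EventAPI::$events) === 1);
[$status, $body] = serveDecoy('/admin.php?x=1', 'c9', '203.0.113.12', 'scanner/1.0');
assert($status === 200 && count(EventAPI::$events) === 2);
assert(strpos(robotsTxt('http://www.example.invalid/sitemap.xml'), 'Disallow: /wikiadmin/') !== false);
// http_response_code($status); echo $body;
```

Keeping the fake login form's field names ordinary (user, pass) is deliberate: the page must look like the rest of the site, which is the "cleanly blended with real code" property the detection-points slide asks for.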
Intrusion Deception: How does it work? Fake File Example
[Diagram: the Attacker sends GET /admin.php to the Web Server; the Web Server calls logEvent() on the Event Manager and returns a fake login page]
• Step 1) Detecting Attackers:
– Attacker requests /admin.php
– Fake script executes and logs event
– Server returns fake response for /admin.php
– Now you know they are malicious, what do you do about it?
Intrusion Deception: Active Counter Responses
• Stopping an attacker after the first attack
– Check if the user has events
– If they do, modify the request/response
– Goes at the top of every php file (import?)
<?php
if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
    // Modify request to make it safe to execute
    // Or return a response and end execution
}
// ... THE REST OF YOUR WEBSITE CODE ...
– You can also do something similar throughout the script to alter the response data
– Again, be creative, you can really confuse and mislead the attacker!
Intrusion Deception: Active Counter Responses: Simple
• Simple Block
Return a 500 error on all requests
<?php
if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
    http_response_code(500);
    exit();
}
// ... THE REST OF YOUR WEBSITE CODE ...
• Simple Redirect
Redirects the user to the Wikipedia page on ethics
<?php
if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0) {
    http_response_code(302);
    header("Location: http://en.wikipedia.org/wiki/Ethics");
    exit();
}
// ... THE REST OF YOUR WEBSITE CODE ...
Intrusion Deception: Active Counter Responses: Advanced
• Lock User's Account
Just an example, would completely depend on your site implementation
<?php
if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0)
    UserAPI::lockAccount($_SESSION['account_id'], "Malicious Activity");
// ... THE REST OF YOUR WEBSITE CODE ...
• Change Databases
Use a sandboxed database that is refreshed nightly
<?php
if (count(EventAPI::getEvents($cookie, $ip, $ua)) > 0)
    $database = new mysqli("freesqlserver.com", "user", "pass", "junk");
else
    $database = new mysqli("localhost", "user", "pass", "master");
// ... THE REST OF YOUR WEBSITE CODE ...
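The simple and advanced counter-response slides each react to "any event" with one fixed response. The following is an added example, not code from the talk: a counter-response include that chooses among the slides' responses (sandbox database, redirect, 500) from the attacker's event history, so a single stray hit on a decoy file is treated more gently than repeated tampering with honeytokens. The thresholds, the sandbox host and the in-memory EventAPI stand-in are constructed; the real EventAPI::getEvents() would replace the stub.

```php
<?php
// Added example (not from the slides): pick a counter response from the
// attacker's event history instead of a fixed one. Thresholds, the sandbox
// host and the in-memory EventAPI stand-in are constructed.
declare(strict_types=1);

final class EventAPI
{
    public static array $events = [];
    public static function getEvents(string $cookie, string $ip, string $ua): array
    {
        return self::$events["$cookie|$ip|$ua"] ?? [];
    }
}

// Decide how to treat this request. Returns ['action' => ...] plus details.
function counterResponse(array $events): array
{
    $n = count($events);
    if ($n === 0) {
        return ['action' => 'allow'];
    }
    // Tampering with our own honeytokens is weighted more heavily than a single
    // probe of a fake file, which could also be a curious but harmless user.
    $tampered = array_filter($events, fn ($e) => strpos($e['event'], 'Manipulated') === 0);
    if ($n >= 10 || count($tampered) >= 3) {
        return ['action' => 'block', 'status' => 500];
    }
    if ($n >= 3) {
        return ['action' => 'redirect', 'status' => 302,
                'location' => 'http://en.wikipedia.org/wiki/Ethics'];
    }
    // Low count: keep them busy against a sandboxed copy of the data.
    return ['action' => 'sandbox', 'database' => 'junk'];
}

// Map the decision to the database the rest of the script should use.
function selectDatabase(array $decision): array
{
    return $decision['action'] === 'sandbox'
        ? ['host' => 'sandbox.example.invalid', 'db' => 'junk']   // refreshed nightly
        : ['host' => 'localhost', 'db' => 'master'];
}

// Apply a decision. Returns true when the script must stop executing.
function applyDecision(array $decision): bool
{
    switch ($decision['action']) {
        case 'block':
            http_response_code($decision['status']);
            return true;
        case 'redirect':
            http_response_code($decision['status']);
            header('Location: ' . $decision['location']);
            return true;
        default:
            return false;
    }
}

// Constructed history for one attacker key, growing over three requests.
$key = 'c7|203.0.113.13|agent';
EventAPI::$events[$key] = [['event' => 'Accessed: /admin.php']];
assert(counterResponse(EventAPI::getEvents('c7', '203.0.113.13', 'agent'))['action'] === 'sandbox');
EventAPI::$events[$key][] = ['event' => 'Manipulated Hidden Input: filter'];
EventAPI::$events[$key][] = ['event' => 'Manipulated Query Parameter: limitPerUser'];
assert(counterResponse(EventAPI::getEvents('c7', '203.0.113.13', 'agent'))['action'] === 'redirect');
EventAPI::$events[$key][] = ['event' => 'Manipulated Hidden Input: filter'];
assert(counterResponse(EventAPI::getEvents('c7', '203.0.113.13', 'agent'))['action'] === 'block');
assert(selectDatabase(['action' => 'allow'])['db'] === 'master');
// In a page: $d = counterResponse(EventAPI::getEvents($cookie, $ip, $ua));
// if (applyDecision($d)) exit();  $cfg = selectDatabase($d);  ... rest of your website code ...
```

The sandbox step is the one that wastes the most attacker time: the request is executed normally, only against data that is worthless and reset nightly, so nothing in the response reveals that detection has happened.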
Intrusion Deception: How does it work? Returning 500 Errors
[Diagram: the Attacker sends GET /index.php to the Web Server; the Web Server calls getEvents() on the Event Manager, gets HAS EVENTS!, sets Status: 500 and returns a 500 error to the Attacker]
• Step 2) Stopping Detected Attackers:
– Attacker issues any request to server
– Server checks event manager for past events
– Server sees previous "/admin.php" event
– Server sets response code to 500
– Server returns 500 error without executing the rest of the script
Intrusion Deception: Build or Buy?
• Junos WebApp Secure (Commercial)
– Reverse Proxy that introduces Intrusion Deception
– No code changes required, improves with each release
– Drops in quickly, minimal configuration
– Highly advanced tracking techniques, detection points, and responses
• OWASP AppSensor (Open Source)
– Specification and design (No Code Provided)
– https://owasp.org/index.php/OWASP_AppSensor_Project
• Roll your own
– Invent and integrate your own detection and responses
– More flexibility, tighter integration
Intrusion Deception: Conclusion
• Download Slides after presentation
– http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow
• Information on Junos WebApp Secure (formerly Mykonos)
– http://www.mykonossoftware.com
– Want to work on this type of stuff every day? Junos WebApp Secure is hiring! See me after the presentation for details
– Learn more at the Juniper RSA 2013 booth (#0000)
• Contact Information
– Twitter: @kadams_sec
– LinkedIn: https://www.linkedin.com/in/adamsk
Intrusion Deception: Extras: What else can you do?
• Anti-Spam Email Pollution
– Put a hidden link on the page to "mailinglist.html" (a php script with an html extension)
– mailinglist.html is designed to display 100 random but believable email addresses
– mailinglist.html displays links to other aliases of "mailinglist.html"
– How does it work?
1) Email harvesting spider hits the site and sees the link for "mailinglist.html"
2) Spider follows the link and downloads mailinglist.html
3) Spider harvests the 100 fake email addresses
4) Spider sees the links to other pages from mailinglist.html
5) Spider follows the additional links
6) Repeat steps 1-5 for all additional links
• The end result: the harvesting spider hits hundreds of fake pages containing fake email addresses and effectively drowns out any good data from your actual site.
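The steps above describe the decoy page but not how to build it. The following is an added example, not code from the talk: a generator for mailinglist.html that returns 100 deterministic but varied fake addresses for a given alias plus links to further aliases, so a harvester keeps crawling decoys. The name lists, the decoy domains and the alias naming scheme are constructed; the web server is assumed to route every mailinglistN.html alias back to this script. Use only domains you control for the fake addresses, otherwise the pollution lands in someone else's mailbox.

```php
<?php
// Added example (not from the slides): generator for the mailinglist.html decoy.
// Name lists, decoy domains and the alias scheme are constructed; aliases are
// assumed to be routed to this script by the web server.
declare(strict_types=1);

const FIRST   = ['alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi', 'ivan', 'judy'];
const LAST    = ['smith', 'jones', 'taylor', 'brown', 'wilson', 'evans', 'thomas', 'roberts', 'walker', 'wright'];
const DOMAINS = ['mail.example.invalid', 'lists.example.invalid']; // placeholder: substitute domains you own

// Deterministic per alias: a page whose content is stable across fetches looks
// like real data to a crawler, unlike one that changes on every hit.
function fakeAddresses(string $alias, int $count = 100): array
{
    mt_srand(crc32($alias));
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $first  = FIRST[mt_rand(0, count(FIRST) - 1)];
        $last   = LAST[mt_rand(0, count(LAST) - 1)];
        $domain = DOMAINS[mt_rand(0, count(DOMAINS) - 1)];
        // Mix local-part styles so the list does not look machine generated.
        $styles = ["$first.$last", "$first$last", $first[0] . $last, "$first.$last" . mt_rand(70, 99)];
        $out[] = $styles[mt_rand(0, count($styles) - 1)] . '@' . $domain;
    }
    return $out;
}

// Links to other aliases of this page (mailinglist2.html ... mailinglist500.html),
// so step 4 of the slide's sequence always has somewhere to go.
function aliasLinks(string $alias, int $fanout = 3): array
{
    mt_srand(crc32('links:' . $alias));
    $links = [];
    for ($i = 0; $i < $fanout; $i++) {
        $links[] = 'mailinglist' . mt_rand(2, 500) . '.html';
    }
    return array_values(array_unique($links));
}

function renderMailingList(string $alias): string
{
    $html = "<html><body><h1>Mailing list members</h1><ul>\n";
    foreach (fakeAddresses($alias) as $addr) {
        $html .= '<li>' . htmlspecialchars($addr, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    $html .= "</ul><p>More pages:\n";
    foreach (aliasLinks($alias) as $link) {
        $safe  = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
        $html .= '<a href="' . $safe . '">' . $safe . "</a>\n";
    }
    return $html . "</p></body></html>\n";
}

// Constructed checks: always 100 addresses, stable per alias, different across aliases.
assert(count(fakeAddresses('mailinglist.html')) === 100);
assert(fakeAddresses('mailinglist.html') === fakeAddresses('mailinglist.html'));
assert(fakeAddresses('mailinglist.html') !== fakeAddresses('mailinglist7.html'));
assert(count(aliasLinks('mailinglist.html')) >= 1);

// In the page: $alias = basename(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
// EventAPI::logEvent($cookie, $ip, $ua, 'Harvester hit: ' . $alias);  // a human never follows the hidden link
// echo renderMailingList($alias);
```

Logging the hit before rendering is worth keeping: the link to mailinglist.html is hidden from human visitors, so a request for it is as good a detection point as any fake file, and the same event store can then feed the active counter responses.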