Enviar búsqueda
Cargar
Repsheet: A Behavior Based Approach to Web Application Security
•
6 recomendaciones
•
3,699 vistas
Aaron Bedra
Seguir
This is a presentation on how to approach analyzing web application security.
Leer menos
Leer más
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 140
Descargar ahora
Descargar para leer sin conexión
Recomendados
Paul Asadoorian - Bringing Sexy Back
Paul Asadoorian - Bringing Sexy Back
Source Conference
Unsupervised Learning with Apache Spark
Unsupervised Learning with Apache Spark
DB Tsai
(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF
Amazon Web Services
Richcast general 2013 02
Richcast general 2013 02
Ron Nath Mukherjee
Cw15 conoce drupal_v28
Cw15 conoce drupal_v28
Hiberus Tecnologia
Presentacion e conciencia te desmarcate ¡YA!
Presentacion e conciencia te desmarcate ¡YA!
desmarcate YA!
Praktijk In De Onderbouw Vmbo
Praktijk In De Onderbouw Vmbo
Mike Seijger
Senati
Senati
Jose Ronald Estela Horna
Recomendados
Paul Asadoorian - Bringing Sexy Back
Paul Asadoorian - Bringing Sexy Back
Source Conference
Unsupervised Learning with Apache Spark
Unsupervised Learning with Apache Spark
DB Tsai
(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF
Amazon Web Services
Richcast general 2013 02
Richcast general 2013 02
Ron Nath Mukherjee
Cw15 conoce drupal_v28
Cw15 conoce drupal_v28
Hiberus Tecnologia
Presentacion e conciencia te desmarcate ¡YA!
Presentacion e conciencia te desmarcate ¡YA!
desmarcate YA!
Praktijk In De Onderbouw Vmbo
Praktijk In De Onderbouw Vmbo
Mike Seijger
Senati
Senati
Jose Ronald Estela Horna
Training & Development (Train The Trainer ) Workshop
Training & Development (Train The Trainer ) Workshop
Consultants for Business Leaders
Programación Anual 4 años A
Programación Anual 4 años A
rociocabrera81
Fr E Routing Slm V40
Fr E Routing Slm V40
boukna abdou
Big data app meetup 2016-06-15
Big data app meetup 2016-06-15
Illia Polosukhin
Understanding User Behavior Online
Understanding User Behavior Online
Karen McGrane
Ogarnij swoje cele - Geek Girls Carrots
Ogarnij swoje cele - Geek Girls Carrots
Julitta Dębska
Momumentos de valledupar 2
Momumentos de valledupar 2
majopemo96
Auto administra
Auto administra
Luis Eduardo Calderon Yanchapaxi
Autocontrol hsj 2011 (2)
Autocontrol hsj 2011 (2)
Norma Allel
Academic Record 2016
Academic Record 2016
Timothy van der Merwe
99CLUBS_PDF
99CLUBS_PDF
slider13
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
Proyecto Red Eureka
ReThink at Google
ReThink at Google
Eric Miltsch
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
Thoughtworks
Armorizing applications
Armorizing applications
Iftach Ian Amit
OWASP Top 10 2013
OWASP Top 10 2013
markstory
Writing SaltStack Modules - OpenWest 2013
Writing SaltStack Modules - OpenWest 2013
SaltStack
Front-End Performance Starts On the Server
Front-End Performance Starts On the Server
Jon Arne Sæterås
How to be a Chef (Developer Edition)
How to be a Chef (Developer Edition)
Rodrigo Ayala
2013 - Mark story - Avoiding the Owasp
2013 - Mark story - Avoiding the Owasp
PHP Conference Argentina
JSDay 2013 - Practical Responsive Web Design
JSDay 2013 - Practical Responsive Web Design
Jonathan Klein
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoS
ryan_huber
Más contenido relacionado
Destacado
Training & Development (Train The Trainer ) Workshop
Training & Development (Train The Trainer ) Workshop
Consultants for Business Leaders
Programación Anual 4 años A
Programación Anual 4 años A
rociocabrera81
Fr E Routing Slm V40
Fr E Routing Slm V40
boukna abdou
Big data app meetup 2016-06-15
Big data app meetup 2016-06-15
Illia Polosukhin
Understanding User Behavior Online
Understanding User Behavior Online
Karen McGrane
Ogarnij swoje cele - Geek Girls Carrots
Ogarnij swoje cele - Geek Girls Carrots
Julitta Dębska
Momumentos de valledupar 2
Momumentos de valledupar 2
majopemo96
Auto administra
Auto administra
Luis Eduardo Calderon Yanchapaxi
Autocontrol hsj 2011 (2)
Autocontrol hsj 2011 (2)
Norma Allel
Academic Record 2016
Academic Record 2016
Timothy van der Merwe
99CLUBS_PDF
99CLUBS_PDF
slider13
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
Proyecto Red Eureka
ReThink at Google
ReThink at Google
Eric Miltsch
Destacado
(13)
Training & Development (Train The Trainer ) Workshop
Training & Development (Train The Trainer ) Workshop
Programación Anual 4 años A
Programación Anual 4 años A
Fr E Routing Slm V40
Fr E Routing Slm V40
Big data app meetup 2016-06-15
Big data app meetup 2016-06-15
Understanding User Behavior Online
Understanding User Behavior Online
Ogarnij swoje cele - Geek Girls Carrots
Ogarnij swoje cele - Geek Girls Carrots
Momumentos de valledupar 2
Momumentos de valledupar 2
Auto administra
Auto administra
Autocontrol hsj 2011 (2)
Autocontrol hsj 2011 (2)
Academic Record 2016
Academic Record 2016
99CLUBS_PDF
99CLUBS_PDF
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
Presentacion Proyecto # 42 Premio Eureka 2011 Mención Innovatividad Técnica
ReThink at Google
ReThink at Google
Similar a Repsheet: A Behavior Based Approach to Web Application Security
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
Thoughtworks
Armorizing applications
Armorizing applications
Iftach Ian Amit
OWASP Top 10 2013
OWASP Top 10 2013
markstory
Writing SaltStack Modules - OpenWest 2013
Writing SaltStack Modules - OpenWest 2013
SaltStack
Front-End Performance Starts On the Server
Front-End Performance Starts On the Server
Jon Arne Sæterås
How to be a Chef (Developer Edition)
How to be a Chef (Developer Edition)
Rodrigo Ayala
2013 - Mark story - Avoiding the Owasp
2013 - Mark story - Avoiding the Owasp
PHP Conference Argentina
JSDay 2013 - Practical Responsive Web Design
JSDay 2013 - Practical Responsive Web Design
Jonathan Klein
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoS
ryan_huber
Bkbiet day1
Bkbiet day1
mihirio
How to get involved in Mozilla
How to get involved in Mozilla
Andreea-Zenovia Popescu
Data Breaking Bad at Berlin Buzzwords
Data Breaking Bad at Berlin Buzzwords
MapR Technologies
Mobilism 2013: A story of how we built Responsive BBC News
Mobilism 2013: A story of how we built Responsive BBC News
John Cleveley
ExpressionEngine Conference: Rock Solid - Securing You Client's ExpressionEng...
ExpressionEngine Conference: Rock Solid - Securing You Client's ExpressionEng...
David Dexter
Malware SPAM - March 2013
Malware SPAM - March 2013
Brent Muir
Bring the Noise
Bring the Noise
Jon Cowie
e-Business World 2013 - Βεντούρης Χρήστος: The Landscape of 2013 … Mind your ...
e-Business World 2013 - Βεντούρης Χρήστος: The Landscape of 2013 … Mind your ...
InfoCom Conferences
Making your websites fast and scalable - Deri Jones CEO, SciVisum Ltd
Making your websites fast and scalable - Deri Jones CEO, SciVisum Ltd
SciVisum Ltd
The Future is Responsive
The Future is Responsive
Jonathan Smiley
Node.js Introduction
Node.js Introduction
Sira Sujjinanont
Similar a Repsheet: A Behavior Based Approach to Web Application Security
(20)
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
ThoughtWorks Quarterly Technology Briefing June 2013, Berlin
Armorizing applications
Armorizing applications
OWASP Top 10 2013
OWASP Top 10 2013
Writing SaltStack Modules - OpenWest 2013
Writing SaltStack Modules - OpenWest 2013
Front-End Performance Starts On the Server
Front-End Performance Starts On the Server
How to be a Chef (Developer Edition)
How to be a Chef (Developer Edition)
2013 - Mark story - Avoiding the Owasp
2013 - Mark story - Avoiding the Owasp
JSDay 2013 - Practical Responsive Web Design
JSDay 2013 - Practical Responsive Web Design
Running At 99%: Mitigating App DoS
Running At 99%: Mitigating App DoS
Bkbiet day1
Bkbiet day1
How to get involved in Mozilla
How to get involved in Mozilla
Data Breaking Bad at Berlin Buzzwords
Data Breaking Bad at Berlin Buzzwords
Mobilism 2013: A story of how we built Responsive BBC News
Mobilism 2013: A story of how we built Responsive BBC News
ExpressionEngine Conference: Rock Solid - Securing You Client's ExpressionEng...
ExpressionEngine Conference: Rock Solid - Securing You Client's ExpressionEng...
Malware SPAM - March 2013
Malware SPAM - March 2013
Bring the Noise
Bring the Noise
e-Business World 2013 - Βεντούρης Χρήστος: The Landscape of 2013 … Mind your ...
e-Business World 2013 - Βεντούρης Χρήστος: The Landscape of 2013 … Mind your ...
Making your websites fast and scalable - Deri Jones CEO, SciVisum Ltd
Making your websites fast and scalable - Deri Jones CEO, SciVisum Ltd
The Future is Responsive
The Future is Responsive
Node.js Introduction
Node.js Introduction
Más de Aaron Bedra
The Cost of Complexity
The Cost of Complexity
Aaron Bedra
AWS Security Essentials
AWS Security Essentials
Aaron Bedra
Leveling the playing field
Leveling the playing field
Aaron Bedra
Windy City Rails - Layered Security
Windy City Rails - Layered Security
Aaron Bedra
Focus, SCNA 2011
Focus, SCNA 2011
Aaron Bedra
Pontificating quantification
Pontificating quantification
Aaron Bedra
Clojure in the Field
Clojure in the Field
Aaron Bedra
The Art of the Spike
The Art of the Spike
Aaron Bedra
Más de Aaron Bedra
(8)
The Cost of Complexity
The Cost of Complexity
AWS Security Essentials
AWS Security Essentials
Leveling the playing field
Leveling the playing field
Windy City Rails - Layered Security
Windy City Rails - Layered Security
Focus, SCNA 2011
Focus, SCNA 2011
Pontificating quantification
Pontificating quantification
Clojure in the Field
Clojure in the Field
The Art of the Spike
The Art of the Spike
Último
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
The Digital Insurer
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Zilliz
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
apidays
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Juan lago vázquez
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
MadyBayot
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
apidays
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
rafiqahmad00786416
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Deepika Singh
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
The Digital Insurer
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Último
(20)
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Repsheet: A Behavior Based Approach to Web Application Security
1.
Repsheet A Behavior Based
Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Wednesday, July 10, 13
2.
Right now, your
web applications are being attacked Wednesday, July 10, 13
3.
And it will
happen again, and again, and again Wednesday, July 10, 13
4.
But not always
in the way you think Wednesday, July 10, 13
5.
Let’s take a
look at typical application security measures Wednesday, July 10, 13
6.
User Requests Web Server Application
Environment Wednesday, July 10, 13
7.
Wednesday, July 10,
13
8.
roland : 12345 Wednesday,
July 10, 13
9.
roland : 12345 Wednesday,
July 10, 13
10.
And we go
on with our day Wednesday, July 10, 13
11.
How many of
you stop there? Wednesday, July 10, 13
12.
It’s time to
start asking more questions Wednesday, July 10, 13
13.
But remember… Wednesday, July
10, 13
14.
Don’t impact user experience! Wednesday,
July 10, 13
15.
??? Wednesday, July 10,
13
16.
• Signature based
detection • Anomaly detection • Reputational intelligence • Action • Repsheet Wednesday, July 10, 13
17.
Signatures Wednesday, July 10,
13
18.
Mod Security Wednesday, July
10, 13
19.
Web Application Firewall Wednesday, July
10, 13
20.
Rule based detection Wednesday,
July 10, 13
21.
Allows you to
block or alert if traffic matches a signature Wednesday, July 10, 13
22.
Improved by the OWASP
Core Rule Set Wednesday, July 10, 13
23.
A great tool
to add to your stack Wednesday, July 10, 13
24.
Works with Apache, nginx,
and IIS Wednesday, July 10, 13
25.
Works well with
Apache Wednesday, July 10, 13
26.
Like most signature based
tools it requires tuning Wednesday, July 10, 13
27.
And has a
high possibility of false positives Wednesday, July 10, 13
28.
Great for helping
with 0-day attacks Wednesday, July 10, 13
29.
Favor alerting over blocking
in most scenarios Wednesday, July 10, 13
30.
User Requests Web Server ModSecurity Application
Environment Wednesday, July 10, 13
31.
Anomalies Wednesday, July 10,
13
32.
10.20.253.8 - -
[23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Wednesday, July 10, 13
33.
10.20.253.8 - -
[23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
34.
10.20.253.8 - -
[23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
35.
10.20.253.8 - -
[23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Wednesday, July 10, 13
36.
What do you
see? Wednesday, July 10, 13
37.
I see a
website getting carded Wednesday, July 10, 13
38.
??? Wednesday, July 10,
13
39.
Play by play Wednesday,
July 10, 13
40.
10.20.253.8 - -
[23/Apr/2013:14:20:21 +0000] "POST /login HTTP/1.1" 200 267"-" "Mozilla/ 5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/ 20100101 Firefox/8.0" "77.77.165.233" Login Request Wednesday, July 10, 13
41.
10.20.253.8 - -
[23/Apr/2013:14:20:22 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" Add credit card to account #1 1 sec delay Wednesday, July 10, 13
42.
10.20.253.8 - -
[23/Apr/2013:14:20:23 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2083 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #2 FF 8 on Windows 7 or Bot? Wednesday, July 10, 13
43.
10.20.253.8 - -
[23/Apr/2013:14:20:24 +0000] "POST /users/king-roland/credit_cards HTTP/ 1.1" 302 2085 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/ 8.0" "77.77.165.233" 1 sec delay Add credit card to account #3 FF 8 on Windows 7 or Bot? Plovdiv Bulgaria Wednesday, July 10, 13
44.
And this continues… Wednesday,
July 10, 13
45.
10,000 more times Wednesday,
July 10, 13
46.
Those were the
only requests that IP address made Wednesday, July 10, 13
47.
Aside from the
number of requests what else gave it away? Wednesday, July 10, 13
48.
5% 5% 4% 27% 59% GET POST
HEAD PUT DELETE Wednesday, July 10, 13
49.
HTTP method distribution is important Wednesday,
July 10, 13
50.
When an actor
deviates significantly, there must be a reason! Wednesday, July 10, 13
51.
Let’s talk GeoIP Wednesday,
July 10, 13
52.
Adding GeoIP information is generically
useful Wednesday, July 10, 13
53.
But it also
helps in the face of an attack Wednesday, July 10, 13
54.
It can help
protect you and your users Wednesday, July 10, 13
55.
Scenario Wednesday, July 10,
13
56.
King Roland gets
his GMail account hacked Wednesday, July 10, 13
57.
Hacker sends a password
reset request to your server Wednesday, July 10, 13
58.
Normally, you would email
the reset Wednesday, July 10, 13
59.
Unless... Wednesday, July 10,
13
60.
You realize that
King Roland always logs in from Druidia Wednesday, July 10, 13
61.
But the hacker
is requesting the reset from Spaceball City Wednesday, July 10, 13
62.
Instead of sending
the reset, you now ask some questions Wednesday, July 10, 13
63.
And hopefully protect King
Roland from further bad actions Wednesday, July 10, 13
64.
GeoIP detection also helps
you block traffic from unwanted countries Wednesday, July 10, 13
65.
User Requests Web Server ModSecurity Application
Environment GeoIP Wednesday, July 10, 13
66.
Other Anomalies • Request
Rate • TCP Fingerprint vs. User Agent • Account Create/Delete/Subscribe • Anything you can imagine Wednesday, July 10, 13
67.
What do they
have in common? Wednesday, July 10, 13
68.
Does the behavior
fit an equation? Wednesday, July 10, 13
69.
If so, your
detection is simple Wednesday, July 10, 13
70.
Request rate > Threshold Wednesday,
July 10, 13
71.
TCP fingerprint != User
Agent Wednesday, July 10, 13
72.
But the HTTP
method deviation is harder Wednesday, July 10, 13
73.
100% GET requests with
a known UA (e.g. Google) is ok Wednesday, July 10, 13
74.
100% POST requests
is not Wednesday, July 10, 13
75.
But it’s not
always that simple Wednesday, July 10, 13
76.
Scenario Wednesday, July 10,
13
77.
A high rate
of account create requests are coming from a single address Wednesday, July 10, 13
78.
Is it a
NATted IP or a fraud/spam bot? Wednesday, July 10, 13
79.
We have patterns
and data… Wednesday, July 10, 13
80.
What’s the next
step? Wednesday, July 10, 13
81.
Quantitative Analysis Wednesday, July
10, 13
82.
Quantitative Analysis Wednesday, July
10, 13
83.
Quantitative Analysis Security as
a Data Science Probelm Wednesday, July 10, 13
84.
We can apply
some machine learning to the data in an attempt to classify it Wednesday, July 10, 13
85.
Classifier ??? User Requests Web Server ModSecurity Application
Environment GeoIP Wednesday, July 10, 13
86.
This is where
a lot of the value comes from Wednesday, July 10, 13
87.
And combined with signature
detection helps correlate attack events Wednesday, July 10, 13
88.
But you still
need a way to keep track of it all Wednesday, July 10, 13
89.
Reputational Intelligence Wednesday, July 10,
13
90.
Who’s naughty and who’s
really naughty Wednesday, July 10, 13
91.
Built up from
the tools/ techniques mentioned previously Wednesday, July 10, 13
92.
Provides local reputation Wednesday, July
10, 13
93.
You can also
purchase external reputation feeds Wednesday, July 10, 13
94.
The combination gives you
solid awareness of bad actors Wednesday, July 10, 13
95.
Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application
Environment GeoIP ??? Wednesday, July 10, 13
96.
Action Wednesday, July 10,
13
97.
So now you
have a ton of new information Wednesday, July 10, 13
98.
What do you
do with it? Wednesday, July 10, 13
99.
Options • Block the
traffic • Honeypot the attacker • Modify your response • Attack back • Contact the authorities Wednesday, July 10, 13
100.
Blocking the traffic
is straight forward Wednesday, July 10, 13
101.
Block at the
web server level (403) Wednesday, July 10, 13
102.
Block at the
firewall level Wednesday, July 10, 13
103.
Both have advantages/ disadvantages Wednesday,
July 10, 13
104.
Honeypots are much more
interesting Wednesday, July 10, 13
105.
LB LB LB Engine Fake Real DB
DBPartial Replication Wednesday, July 10, 13
106.
When you honeypot, the
attacker doesn’t know they’ve been caught Wednesday, July 10, 13
107.
And it allows
you to study their behavior Wednesday, July 10, 13
108.
And update your approach
to preventing attacks Wednesday, July 10, 13
109.
But all of
this requires a way to manage state and act on bad behavior Wednesday, July 10, 13
110.
Reputational Intelligence External Reputation Classifier ??? User Requests Web Server ModSecurity Application
Environment GeoIP ??? State State Where do you act? Here? Wednesday, July 10, 13
111.
Repsheet Wednesday, July 10,
13
112.
Reputation Engine Wednesday, July
10, 13
113.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Wednesday, July 10, 13
114.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Wednesday, July 10, 13
115.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Recorder Wednesday, July 10, 13
116.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Managed State Recorder Wednesday, July 10, 13
117.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Managed State ActorRecorder Wednesday, July 10, 13
118.
Redis Repsheet Backend External Reputation Feeds User Requests Web Server ModSecurity Application
Environment GeoIP Repsheet Managed State Classifier, Feed Integration, Learning Models ActorRecorder Wednesday, July 10, 13
119.
Wednesday, July 10,
13
120.
Wednesday, July 10,
13
121.
Repsheet helps put everything
together Wednesday, July 10, 13
122.
Web server module records
activity and looks for offenders in the cache Wednesday, July 10, 13
123.
It listens to ModSecurity
and adds offending IPs to it’s list Wednesday, July 10, 13
124.
It provides notification and/or
blocking of offenders Wednesday, July 10, 13
125.
Blocking happens at
the web server level Wednesday, July 10, 13
126.
But you can
send the Repsheet data to your firewall for TCP level blocking Wednesday, July 10, 13
127.
Notification sends headers to
the downstream application Wednesday, July 10, 13
128.
Which allows each
app to chose how it is going to respond Wednesday, July 10, 13
129.
For instance, show
a captcha on signup if Repsheet alerts Wednesday, July 10, 13
130.
Back end looks
at the recorded data for bad behavior Wednesday, July 10, 13
131.
And updates the
cache when it finds offenders Wednesday, July 10, 13
132.
You can supply
your own learning models for the data Wednesday, July 10, 13
133.
github.com/repsheet/ repsheet Wednesday, July 10,
13
134.
Summary Wednesday, July 10,
13
135.
There are lots
of indicators of attack in your traffic Wednesday, July 10, 13
136.
Build up a
system that can capture the data and sort good from bad Wednesday, July 10, 13
137.
Tools • ModSecurity • GeoIP •
Custom rules (velocity triggers, fingerprinting, device id, etc) • Custom behavioral classification • Repsheet Wednesday, July 10, 13
138.
And Remember… Wednesday, July
10, 13
139.
Wednesday, July 10,
13
140.
Questions? Wednesday, July 10,
13
Descargar ahora