Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system.
In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats. This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.
2. • Chairman OWASP Board
• Shape Security: Director of Product Security
Background – 12 years of security adventures
• Built and lead security program protecting 450 million
Firefox users & Mozilla systems
• Secured code processing millions of dollars daily
• Bypassed electronic voting systems
• Defended fortune 100 global network
• Infiltrated telco for mobile networks in Asia and Middle
east
• “Talked” my way into bank server rooms & to obtain user
passwords
@_mwc
3. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
4. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
US $113 Billion – Global price tag of consumer cybercrime
5. Cost of Security
• Cybercrime cost to companies
– 26% increase 2012 to 2013
• Cybercrime cost to individual
– 50% increase 2012 to 2013
• Cost per breached record to company
– Average US $136
6. Largest Single Culprit : Hacking
Verizon Data Breach Report 20132013 Incidents by Breach Type
datalossdb.org
48% from Hacking 52% involved
Hacking
7. Opportunistic Scanners
• Scan web for common vulnerabilities
• Highly leverage automation
• Often untargeted
75% Attacks Opportunistic
Verizon Data Breach Report 2013
8. Underground Market Prices
2013 Dell SecureWorks
USD
Visa, American Express, Discover $4-$8
Credit Card with track 1 and 2 data $12
Full user information $25
1,000 Infected Computers $20
DDOS Attacks (per hour) $3-$5
9. The Objective
• Protect the most critical data
• Handle known and unknown attacks
• Identify attackers before compromise
• Automated – no humans needed
10. Critical Data
Applications stored & allow access to critical data –
by design
Name
Email
Address
Credit Card
Bank Information
Medical Information
Purchase History
Affiliations
…
11. Gut Check
Current Defenses Are Failing
• Custom code
• unique vulnerabilities -> tailored patches
• Unrealistic defensive postures
• Signatures only protect against last generic attack
• Human required interaction is too slow
• Valid signals are lost / ignored
• Attackers constantly probe and attack
applications without deterrence
20. Detecting Attacks
• 50+ attack detection
points and growing
• Signature & Behavioral
• Many have nearly zero
false positive rate
– Can’t be encountered
accidentally by user
– POST vs Get
– ‘ OR ‘1’=‘1’
http://www.owasp.org/index.php/AppSensor_DetectionPoints
21. Centralize Attack Detection
Knowledge
• Detection Points
Report to Central
Location
• AppSensor
Integrates w/User
Store
• Enables Response
Actions against
User Object
22. Detect & Eliminate Threat
• Strong control of
authenticated
portion
– Lockout user
– Disable account
• Effective attack
reporting for
unauthenticated
portion
29. Alternatives?
• Self Defending
– in the app, full user object interaction, full app
knowledge
• Web Application Firewall (stand alone)
– generic attack detection
• Log Analysis
– slow, reactive, ineffective, ignored
32. Example
• Grant Permission Page site.com/UpdatePermission
– Inputs:
• targetUser - Integer
• grantPerm - Integer (1,2,3) (Read, Write Delete)
– Access Control Requirement:
• Page Access: Power User
• Functionality Access: Power User
• Target User: Non-admin
33. Abuse Cases
• Non-integer submitted for targetUser
• Invalid number submitted for grantPerm
• Force browsing to page from unauthorized account (HTTP
GET)
• Force submission to page from unauthorized account (HTTP
Post)
• Target user is admin account
• Unexpected rate of use (100 perm changes in 10 seconds?)
39. Common Event Format (CEF)
• Emerging standard
on logging format
• Easily parsed by
security integration
manager (sim)
• Enables AppSensor
Logging
CEF:0|Mozilla|MozFooApp|1.0
|ACE0|Access Control Violation|8|rt=01 31 2010
18:30:01 suser=janedoe suid=55
act=Action Denied src=1.2.3.4 dst=2.3.4.5
requestMethod=POST
request=http://foo.mozilla.org/foo/abc.php?a=b
cs1Label=requestClientApplication cs1=Mozilla/5.0
(Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2)
Gecko/20100316 Firefox/3.6.2
msg=Additional Data here