THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS. Junos WebApp Secure Junos Spotlight Secure

Transcription

1 THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS Junos WebApp Secure Junos Spotlight Secure

2 INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two years through insecure Web apps. Ponemon Institute 2

3 THE COST OF AN ATTACK PONEMON INSTITUTE AVERAGE BREACH COSTS $214 PER RECORD STOLEN Sony Stolen Records 100M Theft Sony Lawsuits $1-2B Reputation Revenue Sony Direct Costs $171M 23 day network closure Lost customers Security improvements 3

4 FIRST, A LITTLE HISTORY Junos WebApp Secure, formerly Mykonos was created by the Mykonos team to fill the perceived gap in existing Web Application Firewalls. Acquired by Juniper Networks in early Renamed Junos WebApp Secure (JWAS) at RSA in March

5 UNDERSTANDING WEB APPLICATION ATTACKS The Reconnaissance Phase Library IP Scan Attacks Script run against multiple sites seeking a specific vulnerability. Targeted Scans Targets a specific site for any vulnerability. Scripts Kiddie & Tool Exploits Generic scripts and tools against one site. The Attack Phase Botnet Script loaded onto a bot network to carry out attack. Human Advanced Hacker Persistent Sophisticated, targeted attack (APT). Low and slow to avoid detection. JAN JUN E DE C 5

6 WEB APPLICATION ATTACKS: RECON IP Scanning: Usually looking for a single known vulnerability across many, many, sites. Attacker looking for any target of opportunity rather than trying to attack a specific target. Targeted Scan: Usually targeting a specific site looking for any possible vulnerability. May try to exploit any of hundreds, or even thousands, of known attack vectors Attacker looking to exploit a specific target. 6

7 WEB APPLICATION ATTACKS: ATTACK SCENARIOS Tools and scripts: Many tools and scripts available. Can often be semi-automated from either an IP or targeted scan. Botnets: Distributing scans, or attacks, across hundreds, or even thousands, of machines, vastly speeding up scanning for vulnerabilities and exploiting vulnerable systems. Live Attacker: The Advanced Persistent Threat (APT). The slowest and most resource intensive kind of attack, but often the most successful and hardest to detect. Live attackers can find holes that an automated tool or script may not be aware of. 7

8 WEB APP SECURITY TECHNOLOGY Web Application Firewall Web Intrusion Deception System Detection Signatures Tar Traps Tracking IP address Browser, software and scripts Profiling IP address Browser, software and scripts Responses Block IP Block, warn and deceive attacker PCI Section 6.6 8

9 THE JUNOS WEBAPP SECURE ADVANTAGE DECEPTION-BASED SECURITY Detect Track Profile Respond Tar Traps detect threats without false positives. Track IPs, browsers, software and scripts. Understand attacker s capabilities and intents. Adaptive responses, including block, warn and deceive. 9

10 DETECTION BY DECEPTION Tar Traps Query String Parameters Network Perimeter Hidden Input Fields Client Firewall App Server Database Server Configuration 10

11 DECEPTION IN DEPTH: ATTACK SURFACES Attack Surface: All of the places where an attacker might find leverage to compromise a target Deception: The art of making something look like something else. Deceptive Attack Surface: Adding features that look like potential targets but, in reality, were placed by JWAS to trap a potential attacker. We call them Tar Traps 11

12 DECEPTION IN DEPTH: QUERY STRINGS Query String Manipulation: The actual query string The trapped query string The m4=true parameter is added by JWAS outbound to the client, and then stripped on the way back to the application server. The App Server never sees it, but any manipulation will trigger an incident. 12

13 DECEPTION IN DEPTH: HIDDEN FIELDS Hidden Form Fields: Inserted form field: <input type= hidden name= debug value = true > This field is inserted by JWAS outbound to the client and removed on the way back to the server. This field will not appear in a normal browser, but would look like a good target to a live attacker. Many attack scripts will manipulate hidden fields as part of their attack, and any manipulation will trigger an incident. 13

14 DECEPTION IN DEPTH: FAKE JAVASCRIPT Hidden Javascript: Adding fake javascript to the source gives an attacker more potential targets, all of which are fake. The actual page: <TITLE> Mike s old Personal Home Page</TITLE> <BODY BACKGROUND="./images/bg.gif" font color="#000000"> <CENTER><H1>Mike s Personal Page</H1></CENTER> With fake code injected: <TITLE> Mike s old Personal Home Page</TITLE> <script type="text/javascript" src="/geoserv.js"></script> <script type="text/javascript" src="/ihflakb.js"></script> <script type="text/javascript">document.sw_ver='qkic1aaqou2np2ekcnl9kq';</script> <link rel="stylesheet" href="/overhang.css"/></head> <BODY BACKGROUND="./images/bg.gif" font color="#000000"> <CENTER><H1>Mike s Personal Page</H1></CENTER> 14

15 DECEPTION IN DEPTH: FAKE CONFIGURATION FILES <files "sitemap_internal.txt"> AuthUserFile /var/www/public_html/.htpasswd AuthType Basic AuthName "Sitemap" require valid-user </files> Server configuration files can be a source of valuable information for an attacker. In this case, an Apache.htaccess file showing a protected resource. This resource doesn t exist. This configuration file was created by JWAS to give a potential attacker another false trail to follow. 15

16 TRACK ATTACKERS BEYOND THE IP Track IP Address Track Browser Attacks Persistent Token Capacity to persist in all browsers including various privacy control features. Track Software and Script Attacks Fingerprinting HTTP communications. 16

17 TRACKING ATTACKERS: IN DEPTH IP Addresses are not enough: Attackers can use dynamic IP s, proxies, the TOR network, etc., all of which make IP address a data point rather than a positive identification. Tracking other parameters: JWAS uses multiple parameters to track both browsers and scripts. Supercookies System profiles Network parameters Different parameters available from different systems Attacker profiles can be consolidated based on fingerprints and behaviors. 17

18 PROFILE EVERY ATTACKER Every attacker assigned a name Incident history Attacker threat level 18

19 CUSTOMIZABLE ATTACKER PROFILES Attacker profiles are customizable and let operators add case notes, etc., to the attacker s profile. As well as custom names and icons. 19

20 JUNOS SPOTLIGHT SECURE Junos Spotlight Secure Global Attacker Intelligence Service Attacker from San Francisco Junos WebApp Secure protected site in UK Attacker fingerprint uploaded Attacker fingerprint available for all sites protected by Junos WebApp Secure Detect Anywhere, Stop Everywhere 20

21 FINGERPRINT OF AN ATTACKER Timezone Browser version Fonts Browser add-ons 200+ attributes used to create the fingerprint. ~ Real Time availability of fingerprints IP Address False Positives nearly zero 21

22 SMART PROFILE OF ATTACKER Attacker local name (on machine) Attacker global name (in Spotlight) Attacker threat level Incident history 22

23 RESPOND AND DECEIVE Junos WebApp Secure Responses Human Hacker Botnet Targeted Scan IP Scan Scripts &Tools Exploits Warn attacker Block user Force CAPTCHA Slow connection Simulate broken application Force log-out All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat. 23

24 SECURITY ADMINISTRATION Web-based console Real-time On-demand threat information SMTP alerting Reporting (Pdf, HTML) CLI for exporting data into SIEM tool 24

25 UNIFIED PROTECTION ACROSS PLATFORMS Internal Virtualized Cloud 25

26 THE CLASSICAL PERIMETER Network Perimeter Client Firewall App Server Database The Network Perimeter may consist of conventional Firewalls, NAT Gateways, Load Balancers, or other edge devices. 26

27 JWAS INSERTED BETWEEN THE PERIMETER AND THE APPLICATION SERVERS Network Perimeter Client Firewall App Server Database A JWAS Appliance lives between the Network Perimeter and the protected Application Servers 27

28 OVERVIEW: CONFIGURATION Junos WebApp Secure: Installation and configuration in three easy steps 1. Install the appliance whether Virtual Machine, AMI Instance, or physical hardware 2. Initial configuration and initialization from the text console (Text User Interface or TUI) 3. Use the Web Interface (WebUI) to install the system s license and configure the defaults for the initial application It really is that easy. 28

29 CASE STUDY & CUSTOMERS Within 20 minutes,.we were looking at the activity taking place on our web applications. 10% of our traffic was malicious. Keir Asher Senior Technical Analyst Brown Printing 29

30 The smartest buy of the year for any organization with an online presence. 1 st Place Winner, Security Innovators Throwdown st Place Information Security Wall Street Journal Technology Innovation Awards 2011 SINET 16 Security Innovator Cool Vendor Application Security 30

31

32 JUNOS DDoS SECURE Advanced DDoS Mitigation Technology

33 JUNOS DDOS SECURE HIGHLIGHTS Mature Product Highly Differentiated Webscreen acquisition (Feb 2013) 13 years of development Low-and-slow application attack protection New attacks: protects before signatures exist $60B in revenue protected High tech, low touch: fire-and-forget 33

34 HISTORY OF DDOS 1999 SANS discovers first botnet First DDoS Proxy Service launched Russia accused of DDoS against Georgian Govt website Wikileaks Operation Payback attack Visa and Paypal DDoS becomes mainstream with attacks on US banks DDoS attacks take out ebay, CNN and Yahoo! First DDoS Mitigation Appliance launched Anonymous DDoS Habbo website Iranian voters flash crowd government sites to protest vote rigging LOIC popularized by Anonymous and LulzSec 34

35 THE MOTIVATIONS BEHIND DDOS ATTACKS Extortion Pay us or your site is going down Last Man Standing Hire a third party to take out your competition so that traffic is driven to your site Protest Flash Mobs Disaffected groups use social media to coordinate attacks on government & economic targets Sport Teams Fans Hooliganism Fans DDoS a rival club s website to preventing ticket purchases Diversionary Smokescreen DDoS to mask the theft of money, IP or client account data Flash Crowding Legitimate users flood a site, e.g. trying to purchase concert tix as soon as they go on sale. Cyber War Russia accused of using DDoS during invasion of Georgia. Individual Gamer DDoS d by other players because he was too good. Direct Criminal Activity Other Activity Political / Protest Revenge and Because I can 35

36 THE $900,000 CYBER HEIST USING A SOPHISTICATED DIVERSIONARY DDOS DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack The Website DDoS Attack DDoS Attack $900,000 Theft DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack DDoS Attack Source: Krebsonsecurity Copyright 2013 Blog Juniper Networks, Inc. 36

37 DDOS ATTACK VECTORS VOLUMETRIC Easy to detect. Attacks are getting bigger in size Frequency of attacks increasing at a moderate rate. ANYTHING THAT MAKES THE RESOURCES BUSY Flash mobs. Legitimate requests for a big event available at one time. SLOW AND LOW Growing faster than volumetric 25% of attacks in 2013 (source: Gartner) More sophisticated & difficult to detect Target back-end weaknesses Small volume of requests can take out a large web site. 37

38 TUTORIALS ON LAUNCHING DDOS ATTACKS 38

39 LOW ION ORBIT CANNON (LOIC) Flood any site Easy to download Simple to run 39

40 DDOS FOR ONE HOUR COSTS $5 40

41 Stealth EVOLVING ATTACK COMPLEXITY Signature-Based Scrubbers Volumetric Low-and-slow Challenge: Creating signatures for new attacks Emerging Battleground Challenge: manual management of IP thresholds in dynamic networks Thresholds & Netflow Analysis Known Newness Unknown 41

42 THE GAPS THAT DDOS SECURE ADDRESSES 1 New attacks: before the signature exists 2 Low-and-slow application attacks 42

43 KEY CONCEPT: CHARM CHARM: Real-time risk score for each source IP 100 Initial 50 Human-like Per packet Simple example: real human traffic typically bursty and irregular; machine/bot traffic is regular 0 Machine-like Algorithms updated regularly with characteristics of new attacks 43

44 Examples KEY CONCEPT: RESOURCE HEALTH Resource health: real-time view of status for every discrete thing on protected interface, based on stateful analysis of source and resource responsiveness Internet Traffic Internet Traffic Resources Internet Traffic DDoS Secure L7 L3-4 DNS/URL Response Time URL Rate, Pending counts HTTP Server Error Codes Backlog Queue (per resource, per port) TCP stats: SYN, SYN-ACK, CLS, RST, etc 44

45 JUNOS DDoS SECURE RESOURCE MANAGEMENT Resource Control The In this attack example, traffic to Resource 2 s reduces response as time the attackers starts to switch degrade the and attack the CHARM to Resource pass threshold 3. is increased to start the process of rate Once limiting again, the bad Junos traffic. DDoS Secure responds dynamically At this point by the increasing good traffic the will pass continue threshold to pass for Resource unhindered 3 whilst Limiting the bad traffic. attackers will start to believe their attack has been successful as their request fails. Resource 1 Resource 2 Resource 3 Resource N 45

46 JUNOS DDoS SECURE PACKET FLOW SEQUENCE CHARM Technology Resource Control IP Behavior Table Resource CHARM Threshold 1 Validates data packet Validates against defined filters Validates packet against RFCs Validates packet sequencing TCP Connection state 3 Behaviour is 4 Calculates recorded CHARM Threshold Supports up to 32M profiles Profiles aged on least used basis Responsiveness of Resource Packet Enters Syntax Screener OK So Far CHARM Generator With CHARM Value CHARM Screener Packet Exits Drop Packet 2 Calculates CHARM value for data packet References IP behaviour table Function of time and historical behaviour Better behaved = better CHARM 5 Drop Packet Allow or Drop CHARM Threshold CHARM value 46

47 HEURISTIC MITIGATION IN ACTION Normal Internet Traffic Normal Internet Traffic DDoS Attack Traffic Resources Normal Internet Traffic Junos DDoS Secure Heurisitc Analysis DDoS Attack Traffic Management PC Normal Internet traffic flows through the Junos DDoS Secure Appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time, with minimal (store and forward) latency. 47

48 JUNOS DDOS SECURE VARIANTS 1Gbps Virtual Appliance (ESX and KVM) 10Gbps 1u appliance with failsafe / bypass Fiber (10G SR/LR) Copper (10M/100M/1G) All can be used Stand Alone or as Active Standby Pair Or Active Active (Asymmetric Routing) 48

49 JUNOS DDoS SECURE SUMMARY Defined Outstanding 24/7 support 80% Effective 10 mins after installation % effective after 6-12 hours Virtualized options available Dynamic Heuristic Technology Multi Tenanted and fully IPv6 compliant 1Gb to 10Gb HA appliances No Public IP address Layer 2 Transport Bridge 49

50 THE DATACENTER POSITIONING Junos Spotlight Secure Global Attacker Intelligence Service 2014 Q HACKING Junos WebApp Secure Enhanced Layer 7 DDoS SRX Firewall Data Center DDoS Junos DDoS Secure 50

51