1.
LONDON 18-19 OCT 2018
What happened to
Attack Aware Applications?
MATTHEW PENDLEBURY

2.
LONDON 18-19 OCT 2018
Agenda
• What do I mean “Attack Aware Applications?”
• Where has the idea come from?
• What is happening in this space?
• What can you do with this?
• Future thoughts

3.
LONDON 18-19 OCT 2018
I am known by many names…
…but you may call me
• Applications Responding to Security Events
• Reactive Applications
• Attack Aware Applications
• Real Time Event Detection and Response
• Incident Detection and Automated Response
• Self Defending Applications
• OWASP AppSensor

4.
LONDON 18-19 OCT 2018
An application that can detect
malicious behaviour and respond to it

5.
LONDON 18-19 OCT 2018
The Application – what could it possibly know?

6.
LONDON 18-19 OCT 2018
Your application
• Smart teams have designed it
• It took a lot of hard work
• It has a lot of thinking invested in it
• It has the best CONTEXT

7.
LONDON 18-19 OCT 2018
Credential Stuffing

8.
LONDON 18-19 OCT 2018
Credential stuffing
Image : https://www.troyhunt.com/the-111-million-pemiblanc-credential-stuffing-list/

9.
LONDON 18-19 OCT 2018
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP
address/Session>

10.
LONDON 18-19 OCT 2018
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP
address/Session>. It has responded by saying “unavailable”.

11.
LONDON 18-19 OCT 2018
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP
address>. It has responded by asked firewall to drop traffic from <IP
Address> for 30 mins.

12.
LONDON 18-19 OCT 2018
Credential stuffing - What to do?
• Log: <App> reports that it is probably suffering a credential stuffing attack
from <IP address> future successful attempts from this address will
require additional 2FA challenge.

13.
LONDON 18-19 OCT 2018
Credential stuffing - What to do?
• Log: <App> reports that it is suffering a credential stuffing attack from <IP
address> and that future successful attempts will give an “invalid
credentials” response but will send the user to a password reset journey
via the call centre.

14.
LONDON 18-19 OCT 2018
Honey values

15.
LONDON 18-19 OCT 2018
Honey values or Canary tokens/fields
• Something that shouldn’t be modified/visited
• userid=987654
• https://www.example.com/admin
• Very high fidelity alert

16.
LONDON 18-19 OCT 2018
What to do?
• Tell your SOC
• Drop traffic
• Present a static site
• Route to sandboxed copy of the site – no live data
• Application specific response

17.
LONDON 18-19 OCT 2018
The sum of small suspicions

18.
LONDON 18-19 OCT 2018
The sum of small suspicions
• Kali user agent
• Spidering the site
• Not following a recognized user journey

19.
LONDON 18-19 OCT 2018
That’s not right!

20.
LONDON 18-19 OCT 2018
That’s not right
• Web banking application
• User is authenticated as Alice
• Transfer $$$ from Bob to Mallory

21.
LONDON 18-19 OCT 2018
That’s not right
• Implemented as a code check
• Pseudo code:
if (source_account.owner != current_user)
{
flag_alert(“Transfer attempted from wrong user…!”);
}
else
{
transfer_funds(source_account, destination_account, amount);
}

22.
LONDON 18-19 OCT 2018
Origins

23.
LONDON 18-19 OCT 2018
Origins
• 2010 ish
• Michael Coates
• Director of Security Assurance Mozilla
• CISO Twitter
• OWASP Board
• AppSensor project

24.
LONDON 18-19 OCT 2018
OWASP AppSensor
• OWASP Project
• Reference implementation
• Estate of applications
• Central analysis
• https://www.owasp.org/index.php/OWASP_AppSensor_Project

25.
LONDON 18-19 OCT 2018
AppSensor model
App
estate
Analysis
engine
SOC
Attacker
Events
Alerts
Response

26.
What’s happening with this idea
• RASP and Next Gen WAF, behavioural analysis, ML…

27.
LONDON 18-19 OCT 2018
So what happened?
• Cannibalisation?
• RASP & WAF
• COTS
• Can detect unusual behavioural patterns or traffic
• Tuning with fast delivery & false positives

28.
LONDON 18-19 OCT 2018
RASP & WAF - characteristics
• Quicker to deploy
• Known technology
• Secure SDLC not needed
• May be good enough?

29.
LONDON 18-19 OCT 2018
Attack Aware Apps - characteristics
• Deeper insight through context
• Requires building in
• Relatively unknown

30.
LONDON 18-19 OCT 2018
But what can you do with it?

31.
LONDON 18-19 OCT 2018
But what can you do with it?
• Rallying cry for developers
• Consolidates security thinking
• Generate momentum

32.
LONDON 18-19 OCT 2018
Think of the responses
• Adversarial relationships with pen testers
• Play with their minds
• Applications that aren’t consistent

33.
LONDON 18-19 OCT 2018
Advice
• Standardise on/start with the AppSensor detection points
• Thinking has already been done
• In the future there may be more things in this space
• https://www.owasp.org/index.php/AppSensor_DetectionPoints

34.
LONDON 18-19 OCT 2018
Attack Aware Applications as part of a future
Active Defence?
• In military terms active defence means offensive measures to deny
advantage or position to the enemy
• In the cyber domain, it is taken to cover offensive actions within and
beyond corporate network
• UK National Security Strategy and US Active Defense Certainty Act
indicate government policy and legal position is changing

35.
LONDON 18-19 OCT 2018
Thank you