Web Application Security
Radovan Gibala
Senior Systems Engineer
F5 Networks
gigi@f5.com
© F5 Networks, Inc 2
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks:
• CSRF
• Cookie manipulation
• OWASP top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injections
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• ClickJacking
• Bots
• Business logic flaws
Traditional Security Devices vs. WAF
Table: coverage of each attack or feature by a Web Application Firewall, a Network/Next Gen Firewall and an IPS. The WAF column is marked ✓ on every row; the Network/Next Gen Firewall and IPS columns are a mix of X, Limited and Partial, but their row-by-row assignment did not survive extraction. Rows:
• Known Web Worms
• Unknown Web Worms
• Known Web Vulnerabilities
• Unknown Web Vulnerabilities
• Illegal Access to Web-server files
• Forceful Browsing
• File/Directory Enumerations
• Buffer Overflow
• Cross-Site Scripting
• SQL/OS Injection
• Cookie Poisoning
• Hidden-Field Manipulation
• Parameter Tampering
• Layer 7 DoS Attacks
• Brute Force Login Attacks
• App. Security and Acceleration
• Credential Stuffing
• Password Field obfuscation
• BotNet protection
Negative vs. Positive Security Model
• Negative Security Model
  • Block known attacks
  • Everything else is allowed
  • Patch implementation is quick and easy (protection against day-zero attacks)
• Positive Security Model
  • (Automatic) analysis of the web application
  • Allow wanted transactions
  • Everything else is denied
  • Implicit security against new, yet unknown attacks (day-zero attacks)
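The two models above as a runnable illustration, added here and not part of the original slides or of any F5 product: a constructed signature list plays the negative model, and a hand-written per-URL allowlist stands in for the positive model's learned policy. The URLs, parameter rules and sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# ---- Negative security model: block requests that match a known-attack
# signature and allow everything else.  Constructed, deliberately small
# signature set: it knows about SQL injection and reflected XSS only.
NEGATIVE_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),   # classic SQL injection
    re.compile(r"(?i)<script\b"),        # reflected XSS
]

def negative_model_decision(params: dict) -> str:
    """ALLOW unless some parameter value matches a known-attack signature."""
    for value in params.values():
        if any(sig.search(value) for sig in NEGATIVE_SIGNATURES):
            return "BLOCK"
    return "ALLOW"

# ---- Positive security model: allow only what the learned policy describes
# and deny everything else.  In a WAF the policy would come from the
# "(automatic) analysis of the web application"; here it is hand-written
# for two constructed URLs.
@dataclass
class ParamRule:
    pattern: re.Pattern   # full-match format the parameter value must have
    max_len: int          # length limit enforced before the regex

@dataclass
class UrlPolicy:
    methods: frozenset
    params: dict                          # parameter name -> ParamRule
    required: frozenset = field(default_factory=frozenset)

POSITIVE_POLICY = {
    "/login": UrlPolicy(
        methods=frozenset({"POST"}),
        params={
            "user": ParamRule(re.compile(r"[a-z0-9_.]{3,32}"), 32),
            "pass": ParamRule(re.compile(r"[^\x00-\x1f]{8,128}"), 128),
        },
        required=frozenset({"user", "pass"}),
    ),
    "/search": UrlPolicy(
        methods=frozenset({"GET"}),
        params={"q": ParamRule(re.compile(r"[\w \-]{1,64}"), 64)},
    ),
}

def positive_model_decision(method: str, path: str, params: dict):
    """Return (decision, reason); anything the policy does not describe is denied."""
    policy = POSITIVE_POLICY.get(path)
    if policy is None:
        return "DENY", f"URL {path} is not in the policy"
    if method not in policy.methods:
        return "DENY", f"method {method} not allowed on {path}"
    missing = policy.required - set(params)
    if missing:
        return "DENY", f"missing required parameter(s) {sorted(missing)}"
    for name, value in params.items():
        rule = policy.params.get(name)
        if rule is None:
            return "DENY", f"unexpected parameter {name}"
        if len(value) > rule.max_len or not rule.pattern.fullmatch(value):
            return "DENY", f"parameter {name} violates the learned format"
    return "ALLOW", "request matches the learned policy"

def evaluate(method: str, path: str, params: dict) -> dict:
    """Run both models on one request and return their verdicts side by side."""
    return {
        "negative": negative_model_decision(params),
        "positive": positive_model_decision(method, path, params)[0],
    }

# Constructed sample requests.
SAMPLE_REQUESTS = [
    # a normal login: both models let it through
    ("POST", "/login", {"user": "alice", "pass": "correct horse battery"}),
    # an attack the signature set knows: both models stop it
    ("GET", "/search", {"q": "x' UNION SELECT 1,2"}),
    # an attack class with no signature yet (the slide's day-zero case):
    # the negative model allows it, the positive model denies it anyway
    ("GET", "/search", {"q": "shoes;id"}),
    # a harmless new parameter the application added after the policy was
    # built: the positive model denies it until the policy is relearned,
    # which is the maintenance cost of "everything else is denied"
    ("GET", "/search", {"q": "shoes", "page": "2"}),
]

if __name__ == "__main__":
    for method, path, params in SAMPLE_REQUESTS:
        verdict = evaluate(method, path, params)
        reason = positive_model_decision(method, path, params)[1]
        print(f"{method} {path} {params}: negative={verdict['negative']} "
              f"positive={verdict['positive']} ({reason})")
```

The last sample request is the practical caveat: a positive policy must be relearned or updated whenever the application changes, or legitimate traffic is denied.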
FULL-PROXY ARCHITECTURE
Full-proxy architecture
Diagram: two protocol stacks, one facing the client and one facing the server, each with TCP, SSL and HTTP layers and an iRule hook at every layer. Attacks shown against the stacks: ICMP flood, SYN flood, SSL renegotiation, Slowloris attack, data leakage, XSS. Enforcement points shown: Network Firewall and WAF.
F5 provides comprehensive application security
Diagram components: Network Access, Application Access, Network Firewall, Network DDoS Protection, SSL DDoS Protection, DNS DDoS Protection, Application DDoS Protection, Web Application Firewall, Fraud Protection, Virtual Patching.
Attack tiers:
• Volumetric take-downs: consume bandwidth of the target
• Network layer attack: consume connection state tables
• Application layer: consume application resources
Attack size over time: 2005, 8 Gbps; 2013, 300 Gbps; 2016, 1.2 Tbps
Source: How DDoS attacks evolved in the past 20 years, BetaNews
Different attack/issue types: Application, SSL, DNS, Network
DoS is not rocket science!
DDoS attacks are easy to launch. Tools shown: hping3, nmap, Low Orbit ION, High Orbit ION, killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, …, Jmeter, Scapy, Httpflooder, PhantomJS, SSLyze, THC-SSL-DOS, and many, many more…
Source: Securelist, Kaspersky Lab, March 2017
Low sophistication, high accessibility
• Accessible: booters/stressers are easy to find
• Lucrative: profit margins of up to 95%
• Effective: many DDoS victims pay up
Mirai DDoS attacks: 620 Gbps, 1 Tbps, 1.2 Tbps
Source: The Hunt for IoT: The Rise of Thingbots, F5 Labs, August 2017
Application Threat Intelligence: critical info on threat source and attack type trends
DDoS Hybrid Defender
PROBLEM / SOLUTION diagram labels: DDoS attacker, Customer, DMZ, Cloud, Cloud-Based DDoS Mitigation Platform, Network and App Protection, DDoS Hybrid Defender.
Multiple layers of protection
Diagram: four stages (Start of Attack, Identify Attackers, Advanced Attacks, Persistent Attacks) with the mitigations shown in the same order: Rate Limit to Protect the Server; Detect and Block Bots and Bad Actors; Create and Enforce Dynamic Signatures; Analyze Application Stress and Continually Tune Mitigations.
Even basic attacks can take an unprotected server down quickly. Persistent attackers will adjust tools, targets, sources and attack volume to defeat static DoS defenses.
The F5 approach protects the server from the first moment of the attack and then analyzes the attack tools, sources and patterns to refine mitigations. These sophisticated protections maximize application availability while minimizing false positives.
• Detect L7 DDoS attacks by monitoring TPS, latency (automatic), heavy URLs, URLs, IPs and behavioral DDoS detection
• Mitigate L7 DDoS by various methods: block, rate limit, client challenges (bot detection) and behavioral DDoS mitigation
• Leverage bot signatures and geolocation
• Proactive bot defense for desktop and mobile applications
Behavioral DDoS detection: learned thresholds
Chart (slide 21): per-predicate load (EPS) thresholds. Predicates shown: Browser Types (Chrome, Firefox, IE / Cortana, Safari, Opera), TTL, SRC-IP, DstPort, Server Health, Other L3/L4 Predicates (Val min / Val max), URI (H1 … HN), Referrer (H1 … HN), # Headers (1 … N), Other L7 Predicates (Val min / Val max). Each predicate carries a Threshold Min and Max (Chrome shown as the example) and the virtual rates VR-N, VR-A, VR-B, VR-C, VR-D.
Chart (slide 22, tN > t): the same predicates during an attack, with load (PPS) per browser type, the threshold fixed during the attack, the current value compared against Min (Chrome) and Max (Chrome), and Server Health.
Use Case - DDoS Attacks
Diagram: Hacker Bots and Users reach the Core through Silverline Cloud Services (DDoS Managed Service, Layer 3 DDoS Protection, Silverline Always On / under attack) and On-Premises Layer 7 DDoS Protection (DDoS Hybrid Defender, Advanced WAF), with communication (signaling) between the two. Option: consolidate into a single layer 3-7 solution.
Problem:
• DDoS attacks are growing, but your resources are not
• DDoS mitigation time is slow due to manual initiation and difficult policy tuning
Benefits:
• On-premise hardware acts immediately and automatically to mitigate attacks
• Silverline cloud services minimize the risk of larger attacks crippling your site or applications
Solution:
• Always-on protection with on-premises hardware
• Mitigate with a layered defense strategy and cloud services
• F5 SOC monitoring with portal
• Protect against all attacks with granular control
• Eliminate time-consuming manual tuning with machine learning
Bots by the numbers:
of Internet traffic is automated
of 2016 web application breaches involved the use of bots
98.6M bots observed
Source: Internet Security Threat Report, Symantec, April 2017
Client-Side Attacks
• Malware
• Ransomware
• Man-in-the-browser
• Session hijacking
• Cross-site request forgery
• Cross-site scripting
DDoS Attacks
• SYN, UDP, and HTTP floods
• SSL renegotiation
• DNS amplification
• Heavy URL
App Infrastructure Attacks
• Man-in-the-middle
• Key disclosure
• Eavesdropping
• DNS cache poisoning
• DNS spoofing
• DNS hijacking
• Protocol abuse
• Dictionary attacks
Web Application Attacks
• API attacks
• Cross-site scripting
• Injection
• Cross-site request forgery
• Malware
• Abuse of functionality
• Man-in-the-middle
• Credential theft
• Credential stuffing
• Phishing
• Certificate spoofing
• Protocol abuse
A common source of many threat vectors
Diagram: a single source linked to Malware, Ransomware, Man-in-the-browser, Cross-site scripting, Dictionary attacks, SYN, UDP, and HTTP floods, SSL renegotiation, DNS amplification, Heavy URL, API attacks, Injection, Abuse of functionality, Credential stuffing and Phishing.
Application Threat Intelligence: Reaper panic. The latest thingbot making press waves was predicted in "The Hunt for IoT" volume 3.
Thingbots: Multi-purpose Attack Bots
Timeline 2008 to 2018; bot groups as shown on the slide:
• 7 bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
• 1 bot: Brickerbot
• 2 bots: WireX, Reaper
• 3 bots: Mirai, BigBrother, Rediation
• 1 bot: Remaiten
• 1 bot: Moon
• 1 bot: Aidra
• 1 bot: Hydra
• 3 bots: Satori family, Amnesia, Persirai
• 6 bots: Masuta, PureMasuta, Hide 'N Seek, JenX, OMG, DoubleDoor
• 1 bot: Crash override
• 1 bot: Gafgyt family
• 2 bots: Darlloz, Marcher
• 1 bot: Psyb0t
• 4 bots: Hajime, Trickbot, IRC Telnet, Annie
Shifting from primarily DDoS to multi-purpose. Thingbot attack types: DNS Hijack, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer, Credential Collector, Crypto-miner.
Shortcomings of Today's Approach
• Code-level security: difficulty differentiating between humans and modern bots; lags behind the rapid pace of bot evolution
• IP blocking: the sheer volume of IPs is difficult to track and block; ineffective at blocking TOR-based bots
• Traditional WAF: designed to protect against the OWASP Top 10; relies solely on CAPTCHA for bot protection
What is Required for Accurate Bot Detection?
Diagram: request evaluation pipeline: Bot Signatures + DNS Checks, JS Challenge + Browser Fingerprinting, Browser Capabilities, Human Detection, Optional CAPTCHA, Anomalies. Server should not receive traffic.
PROBLEM / SOLUTION diagram: Web Scraping Protection, Pro-Active Bot Prevention, L7 DoS, WAF; behavioural analysis to identify malicious bots.
Bots that simulate browsers
Diagram: a bot that simulates a browser (examples: Headless Chrome, Sentry MBA) talks to the Web Server, with ASM and the DNS Server in the path. Checks shown: Capability? CAPTCHA?
Bot: "I'm a bot that simulates a browser."
ASM: "OK, what are your capabilities? If you do not answer correctly, you will have to answer a CAPTCHA."
ASM: "No, you are not. Bye bye." -> block this client.
Bot: "Bummer."
How bots that simulate browsers are evaluated and scored
Evaluating request:
• High score: pass
• Low score: send CAPTCHA; if valid CAPTCHA, pass; otherwise, block
Score bands: 0–59: browser; 60–99: unknown; 100: bot
Behavioural Analysis and Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprint to identify beyond the IP address: operating system, geolocation, browser
How unique are you? Browser attributes:
• Screen size and colour depth
• Plugin details
• Time zone
• HTTP_ACCEPT headers
• Language
• System fonts
• Touch support
• Extensions
Web / Hybrid / Native
Fraudsters eat for free as Deliveroo accounts hit by mystery breach
• No prior breach
• Dozens of account takeovers left users picking up food bills they never ordered
• Unsuspecting victims received receipts via email, after it was too late
Breach sizes shown: 70 million, 427 million, 150 million, 3 billion, 117 million.
In the last 8 years more than 7.1 billion identities have been exposed in data breaches (1)
"Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more" (2)
1) Symantec Internet Security Threat Report, April 2017
2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media
Diagram: the same USERNAME repeated across accounts holding Credit Card Data, Intellectual Property, Healthcare Data, Passport Data and Financial Data.
Application Threat Intelligence: info on emerging threats (What is it? Who does it affect? Protection strategy recommendations)
PROBLEM / SOLUTION diagram: WAF with Breached Credential Database Comparison and distributed brute force protection.
Malware by the numbers:
• In the first quarter of 2017, a new specimen of malware emerged every 4.2 seconds
• 1 in every 131 emails included malware in 2016
• Over half (51%) of all breaches in 2016 involved some form of malware
Sources:
1) Malware trends 2017, G DATA Software
2) Symantec Internet Security Threat Report, April 2017
3) WannaCry Update, Rapid7 Blog, May 2017
Application Threat Intelligence: use our research to learn about new types of malware
Man-in-the-Browser malware
• Injects into running processes
• Hooks functions inside Windows DLLs
• MitM: sends credentials to the command and control center
PROBLEM / SOLUTION diagram: online users, WAF.
F5 ADVANCED WAF
F5 Advanced WAF
Protect against bots, credential attacks, and app-layer DoS
Key Benefits:
• Protects web and mobile apps from exploits, bots, theft and app-layer DoS
• Prevents malware from stealing data and credentials
• Prevents brute force attacks that use stolen credentials
• Eliminates time-consuming manual tuning for app-layer DoS protection
Defend against bots
• Proactive bot defense
• Anti-bot mobile SDK
• Client and server monitoring
Protect apps from DoS
• Auto-tuning
• Behavioral analytics
• Dynamic signatures
Prevent Account Takeover
• App-level encryption
• Mobile app tampering
• Brute Force protection
Diagram: F5 Advanced WAF between Hacker / Bots and Users (credentials), with Bot Mitigation, Credential Protection, App-Layer DoS and Mobile (Anti-bot Mobile SDK) protections.
Licensing: F5 ASM vs. F5 Advanced WAF
F5 ASM: L7 DDoS (BaDoS Limited), Base ADC, Anti Bot, ASM
F5 Advanced WAF: L7 DDoS (BaDoS Limited), Base ADC, Anti Bot, ASM, DataSafe, BaDoS Unlimited, Credential Stuffing (S), Anti Bot Mobile (A), Threat Campaigns (S), API Security (A), Upstream Signaling, C. Device ID (S)
Legend: (S) Subscription License, (A) Add On License, (I) Included in the AWAF
What LTM features are available on ASM?
Starting with BIG-IP ASM version 13.1.0.1, the following LB capabilities have been added to ASM (with no need for an LTM license):
• Up to 3 pool members
• LB methods supported:
  • Round Robin
  • Ratio (member)
  • Ratio (node)
What LTM features are available on AWAF?
Starting with BIG-IP version 13.1.0.2, the following LTM features are part of the AWAF (Advanced WAF) license:
Load Balancing
• No limit on the number of pool members
• LB methods supported:
  • Round Robin
  • Ratio (member)
  • Least Connections (member)
  • Ratio (node)
  • Least Connections (node)
  • Weighted Least Connection (member)
  • Weighted Least Connection (node)
  • Ratio Least Connection (member)
  • Ratio Least Connection (node)
Persistence
• Cookie persistence
• Source address
• Host
• Destination address
Summary
Diagram: Hybrid DDoS Protection, Fraud Prevention, Access Control and a Powerful WAF. Attack classes (Web Application Attacks, App Infrastructure Attacks, DDoS Attacks, Client-Side Attacks) are mapped to capabilities: Anti-DDoS and App Infrastructure Anti-DDoS (DNS, TLS/SSL); Advanced Web Application Firewall (Bot Defense, Credential Protection, WAF); Web Access Management; Identity Access Management (IAM). Products: DDoS Hybrid Defender, Advanced WAF, Access Management, SSL Orchestrator.
Web Application Security

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
Deepu S Nath
 

Was ist angesagt? (20)

Web application security
Web application securityWeb application security
Web application security
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Forti web
Forti webForti web
Forti web
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
The WAF book (Web App Firewall )
The WAF book  (Web App Firewall )The WAF book  (Web App Firewall )
The WAF book (Web App Firewall )
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Web application security
Web application securityWeb application security
Web application security
 
FortiWeb
FortiWebFortiWeb
FortiWeb
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP Misconfigurations
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Protecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabricProtecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabric
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control Activity
 

Ähnlich wie Web Application Security

Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
nooralmousa
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
swang2010
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 

Ähnlich wie Web Application Security (20)

Novinky F5
Novinky F5Novinky F5
Novinky F5
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
What's new in​ CEHv11?
What's new in​  CEHv11?What's new in​  CEHv11?
What's new in​ CEHv11?
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
 
Ransomware 0 admins 1
Ransomware 0 admins 1Ransomware 0 admins 1
Ransomware 0 admins 1
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAF
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 

Mehr von MarketingArrowECS_CZ

Mehr von MarketingArrowECS_CZ (20)

INFINIDAT InfiniGuard - 20220330.pdf
INFINIDAT InfiniGuard - 20220330.pdfINFINIDAT InfiniGuard - 20220330.pdf
INFINIDAT InfiniGuard - 20220330.pdf
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Jak konsolidovat Vaše databáze s využitím Cloud služeb?
Jak konsolidovat Vaše databáze s využitím Cloud služeb?Jak konsolidovat Vaše databáze s využitím Cloud služeb?
Jak konsolidovat Vaše databáze s využitím Cloud služeb?
 
Chráníte správně svoje data?
Chráníte správně svoje data?Chráníte správně svoje data?
Chráníte správně svoje data?
 
Oracle databáze – Konsolidovaná Data Management Platforma
Oracle databáze – Konsolidovaná Data Management PlatformaOracle databáze – Konsolidovaná Data Management Platforma
Oracle databáze – Konsolidovaná Data Management Platforma
 
Nové vlastnosti Oracle Database Appliance
Nové vlastnosti Oracle Database ApplianceNové vlastnosti Oracle Database Appliance
Nové vlastnosti Oracle Database Appliance
 
Infinidat InfiniGuard
Infinidat InfiniGuardInfinidat InfiniGuard
Infinidat InfiniGuard
 
Infinidat InfiniBox
Infinidat InfiniBoxInfinidat InfiniBox
Infinidat InfiniBox
 
Novinky ve světě Oracle DB a koncept konvergované databáze
Novinky ve světě Oracle DB a koncept konvergované databázeNovinky ve světě Oracle DB a koncept konvergované databáze
Novinky ve světě Oracle DB a koncept konvergované databáze
 
Základy licencování Oracle software
Základy licencování Oracle softwareZáklady licencování Oracle software
Základy licencování Oracle software
 
Garance 100% dostupnosti dat! Kdo z vás to má?
Garance 100% dostupnosti dat! Kdo z vás to má?Garance 100% dostupnosti dat! Kdo z vás to má?
Garance 100% dostupnosti dat! Kdo z vás to má?
 
Využijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplnoVyužijte svou Oracle databázi naplno
Využijte svou Oracle databázi naplno
 
Oracle Data Protection - 2. část
Oracle Data Protection - 2. částOracle Data Protection - 2. část
Oracle Data Protection - 2. část
 
Oracle Data Protection - 1. část
Oracle Data Protection - 1. částOracle Data Protection - 1. část
Oracle Data Protection - 1. část
 
Benefity Oracle Cloudu (4/4): Storage
Benefity Oracle Cloudu (4/4): StorageBenefity Oracle Cloudu (4/4): Storage
Benefity Oracle Cloudu (4/4): Storage
 
Benefity Oracle Cloudu (3/4): Compute
Benefity Oracle Cloudu (3/4): ComputeBenefity Oracle Cloudu (3/4): Compute
Benefity Oracle Cloudu (3/4): Compute
 
InfiniBox z pohledu zákazníka
InfiniBox z pohledu zákazníkaInfiniBox z pohledu zákazníka
InfiniBox z pohledu zákazníka
 
Exadata z pohledu zákazníka a novinky generace X8M - 2. část
Exadata z pohledu zákazníka a novinky generace X8M - 2. částExadata z pohledu zákazníka a novinky generace X8M - 2. část
Exadata z pohledu zákazníka a novinky generace X8M - 2. část
 
Exadata z pohledu zákazníka a novinky generace X8M - 1. část
Exadata z pohledu zákazníka a novinky generace X8M - 1. částExadata z pohledu zákazníka a novinky generace X8M - 1. část
Exadata z pohledu zákazníka a novinky generace X8M - 1. část
 
Úvod do Oracle Cloud infrastruktury
Úvod do Oracle Cloud infrastrukturyÚvod do Oracle Cloud infrastruktury
Úvod do Oracle Cloud infrastruktury
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Web Application Security

  • 1. Web Application Security Radovan Gibala Senior Systems Engineer F5 Networks gigi@f5.com
  • 2. © F5 Networks, Inc 2 Common attacks on web applications BIG-IP ASM delivers comprehensive protection against critical web attacks CSRF Cookie manipulation OWASP top 10 Brute force attacks Forceful browsing Buffer overflows Web scraping Parameter tampering SQL injections Information leakage Field manipulation Session high jacking Cross-site scripting Zero-day attacks Command injection ClickJacking Bots Business logic flaws
  • 3.
  • 4. © F5 Networks, Inc 4 Traditional Security Devices vs. WAF Known Web Worms Unknown Web Worms Known Web Vulnerabilities Unknown Web Vulnerabilities Illegal Access to Web-server files Forceful Browsing File/Directory Enumerations Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Layer 7 DoS Attacks Brute Force Login Attacks App. Security and Acceleration Credential Stuffing Password Field obfuscation BotNet protection ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ WAF X X X X X X X Network/Next Gen Firewall Limited Limited Limited Limited Limited IPS Limited Partial Limited Limited Limited Limited Limited X X X ✓ X X X X X Limited Limited Limited Limited X X X X XLimited
  • 6. © F5 Networks, Inc 6 Negative vs. Positive Security Model • Negative Security Model • Lock Known Attacks • Everything else is Allowed • Patches implementation is quick and easy (Protection against Day Zero Attacks) • Positive Security Model • (Automatic) Analysis of Web Application • Allow wanted Transactions • Everything else is Denied • Implicit Security against New, yet Unknown Attacks (Day Zero Attacks)
  • 8. © F5 Networks, Inc 8 Full-proxy architecture (figure): two independent protocol stacks, client-side and server-side, each with TCP, SSL and HTTP layers and an iRule hook at every layer; the attacks shown are ICMP flood, SYN flood, SSL renegotiation, Slowloris, XSS and data leakage, with the enforcement points labelled Network Firewall and WAF.
  • 9. © F5 Networks, Inc 9 F5 provides comprehensive application security (figure), spanning Network Access and Application Access: Network Firewall, Network DDoS Protection, SSL DDoS Protection, DNS DDoS Protection, Application DDoS Protection, Web Application Firewall, Fraud Protection, Virtual Patching.
  • 11. Three kinds of DDoS attack: volumetric take-downs consume the bandwidth of the target; network layer attacks consume connection state tables; application layer attacks consume application resources. Peak attack sizes: 2005 8 Gbps, 2013 300 Gbps, 2016 1.2 Tbps. Source: How DDoS attacks evolved in the past 20 years, BetaNews
  • 12. © F5 Networks, Inc 12 Different attack/issue types: Application, SSL, DNS, Network.
  • 13. © F5 Networks, Inc 13 DoS is not rocket science!
  • 14. DDoS attacks are easy to launch: hping3, nmap, Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), killapache.pl, slowloris, metasploit, slowhttptest, RussKill, Pandora, Dirt Jumper, PhantomJS, Jmeter, Scapy, Httpflooder, SSLyze, THC-SSL-DOS, and many, many more…
  • 15. Low sophistication, high accessibility (Source: Securelist, Kaspersky Lab, March 2017)
      • Accessible: booters/stressers are easy to find
      • Lucrative: profit margins of up to 95%
      • Effective: many DDoS victims pay up
  • 16. Mirai DDoS attacks: 620 Gbps, 1 Tbps, 1.2 Tbps. Source: The Hunt for IoT: The Rise of Thingbots, F5 Labs, August 2017
  • 17. Application Threat Intelligence: critical info on threat source and attack type trends.
  • 18. (Figure, problem and solution: a DDoS attacker targeting the customer's DMZ; the solution combines on-premises network and app protection, DDoS Hybrid Defender, with a cloud-based DDoS mitigation platform.)
  • 19. © F5 Networks, Inc 19 Multiple layers of protection
      • Start of attack: rate limit to protect the server
      • Identify attackers: detect and block bots and bad actors
      • Advanced attacks: create and enforce dynamic signatures
      • Persistent attacks: analyze application stress and continually tune mitigations
      Even basic attacks can take an unprotected server down quickly. Persistent attackers will adjust tools, targets, sources and attack volume to defeat static DoS defenses. The F5 approach protects the server from the first moment of the attack and then analyzes the attack tools, sources and patterns to refine mitigations. These sophisticated protections maximize application availability while minimizing false positives.
  • 20. Application-layer DoS protection
      • Detect L7 DDoS attacks by monitoring TPS, latency (automatic), heavy URLs, URLs and IPs, plus behavioral DDoS detection
      • Mitigate L7 DDoS by various methods: block, rate limit, client challenges (bot detection) and behavioral DDoS mitigation
      • Leverage bot signatures and geolocation
      • Proactive bot defense for desktop and mobile applications
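The detection side of this slide, as an added example that is not F5 code: three of the signals listed (site-wide TPS, per-IP rate and latency-weighted heavy URLs) computed over access-log lines, each mapped to one of the mitigations listed (rate limit, block, client challenge). The log format, the ten seconds of traffic and the thresholds are constructed for the example; a real deployment learns the thresholds per application rather than hard-coding them.

```python
"""Layer-7 DoS detection over access-log lines, following the slide's signals:
site-wide TPS, per-IP request rate, and latency-weighted "heavy URLs".

Added example, not F5 code. The log format, the traffic and the thresholds are
constructed for this example; production thresholds are learned per application.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client ip> <method> <path?query> <status> <server latency ms>'."""
    ts, ip, method, target, status, latency_ms = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": urlsplit(target).path, "status": int(status), "latency_ms": int(latency_ms)}


def build_sample_log():
    """Ten seconds of constructed traffic: four legitimate clients at 1 req/s on a cheap
    page, then one client flooding an expensive search endpoint at 40 req/s from second 5."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for sec in range(10):
        for j, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]):
            ts = t0 + timedelta(seconds=sec, milliseconds=100 * j)
            lines.append(f"{ts.isoformat(timespec='milliseconds')} {ip} GET /home 200 {30 + j}")
    for sec in range(5, 10):
        for k in range(40):
            ts = t0 + timedelta(seconds=sec, milliseconds=25 * k)
            lines.append(f"{ts.isoformat(timespec='milliseconds')} 203.0.113.77 GET /search?q=* 200 {900 + k}")
    return lines


class L7DosDetector:
    def __init__(self, site_tps=20, ip_rps=10, heavy_url_ms=500, heavy_url_rps=5):
        self.site_tps = site_tps            # whole-site transactions/s that mean "under stress"
        self.ip_rps = ip_rps                # per-client rate above which we rate-limit (3x -> block)
        self.heavy_url_ms = heavy_url_ms    # mean server latency that makes a URL "heavy"
        self.heavy_url_rps = heavy_url_rps  # requests/s on a heavy URL that trigger a challenge

    def analyse(self, lines):
        total = defaultdict(int)                          # second -> requests
        per_ip = defaultdict(lambda: defaultdict(int))    # second -> ip -> requests
        per_path = defaultdict(lambda: defaultdict(int))  # second -> path -> requests
        latency = defaultdict(list)                       # path -> server latencies
        for rec in map(parse_line, lines):
            sec = rec["ts"].replace(microsecond=0)        # one-second buckets
            total[sec] += 1
            per_ip[sec][rec["ip"]] += 1
            per_path[sec][rec["path"]] += 1
            latency[rec["path"]].append(rec["latency_ms"])

        attack_seconds = sorted(s for s, n in total.items() if n > self.site_tps)
        mitigations = []

        # Per-IP peak rate: a single noisy source gets rate-limited or, well past the
        # threshold, blocked outright.
        ip_peak = defaultdict(int)
        for sec in per_ip:
            for ip, n in per_ip[sec].items():
                ip_peak[ip] = max(ip_peak[ip], n)
        for ip, peak in sorted(ip_peak.items()):
            if peak > 3 * self.ip_rps:
                mitigations.append(("ip", ip, "block"))
            elif peak > self.ip_rps:
                mitigations.append(("ip", ip, "rate-limit"))

        # Heavy URLs: expensive endpoints under load get a client challenge. This also
        # covers a distributed attack in which no single IP exceeds its own threshold.
        path_peak = defaultdict(int)
        for sec in per_path:
            for path, n in per_path[sec].items():
                path_peak[path] = max(path_peak[path], n)
        for path, samples in sorted(latency.items()):
            mean_ms = sum(samples) / len(samples)
            if mean_ms > self.heavy_url_ms and path_peak[path] > self.heavy_url_rps:
                mitigations.append(("url", path, "challenge"))

        return {"attack_seconds": [s.isoformat() for s in attack_seconds],
                "mitigations": mitigations}


if __name__ == "__main__":
    report = L7DosDetector().analyse(build_sample_log())
    print("site over threshold during:", report["attack_seconds"])
    for kind, target, action in report["mitigations"]:
        print(f"{action:10} {kind} {target}")
```

The per-IP check alone would miss a botnet that keeps every source under 10 req/s; the heavy-URL check catches that case because it keys on the endpoint's cost and aggregate rate, which is why the slide lists both signals and why a challenge (rather than a block) is the safe response there: legitimate browsers pass the challenge, scripted clients generally do not.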
  • 21–22. © F5 Networks, Inc 21–22 Behavioral DDoS detection (figures). Load (EPS or PPS) is tracked per browser type (Chrome, Firefox, IE/Cortana, Safari, Opera) against a learned threshold with min and max values (shown for Chrome); the threshold stays fixed during an attack (tN > t) while the current value is compared with it. Predicates are learned with a min and max value: other L3/L4 predicates (TTL, source IP, destination port), L7 predicates (URI, Referrer, number of headers H1..HN), and server health, grouped under the labels VR-N and VR-A, VR-B, VR-C, VR-D.
  • 23. Use case: DDoS attacks (figure: hacker and bots hitting users' applications; Silverline Cloud Services as a DDoS managed service in front, on-premises Layer 3 DDoS protection (DDoS Hybrid Defender) and Layer 7 DDoS protection (Advanced WAF) in the core, with signaling between them; Silverline either always on or engaged when under attack; option to consolidate into a single layer 3-7 solution)
      Problem:
        • DDoS attacks are growing, but your resources are not
        • DDoS mitigation time is slow due to manual initiation and difficult policy tuning
      Solution:
        • Always-on protection with on-premises hardware
        • Mitigate with a layered defense strategy and cloud services
        • F5 SOC monitoring with portal
        • Protect against all attacks with granular control
        • Eliminate time-consuming manual tuning with machine learning
      Benefits:
        • On-premises hardware acts immediately and automatically to mitigate attacks
        • Silverline cloud services minimize the risk of larger attacks crippling your site or applications
  • 25. Bot statistics (Source: Internet Security Threat Report, Symantec, April 2017): … of Internet traffic is automated; … of 2016 web application breaches involved the use of bots; 98.6M bots observed.
  • 26. Threat categories
      Client-side attacks: malware, ransomware, man-in-the-browser, session hijacking, cross-site request forgery, cross-site scripting
      DDoS attacks: SYN, UDP and HTTP floods; SSL renegotiation; DNS amplification; heavy URL
      App infrastructure attacks: man-in-the-middle, key disclosure, eavesdropping, DNS cache poisoning, DNS spoofing, DNS hijacking, protocol abuse, dictionary attacks
      Web application attacks: API attacks, cross-site scripting, injection, cross-site request forgery, malware, abuse of functionality, man-in-the-middle, credential theft, credential stuffing, phishing, certificate spoofing, protocol abuse
      Highlighted as a common source of many threat vectors: malware, ransomware, man-in-the-browser, cross-site scripting, dictionary attacks, SYN/UDP/HTTP floods, SSL renegotiation, DNS amplification, heavy URL, API attacks, injection, abuse of functionality, credential stuffing, phishing
  • 27. Application Threat Intelligence: Reaper panic. The latest thingbot making press waves was predicted in "The Hunt for IoT" volume 3.
  • 28. Thingbots: multi-purpose attack bots, 2008 to 2018 (timeline figure). Bot groups as listed on the slide (only the 2018 year label is recoverable): SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter (7 bots, 2018); Brickerbot; WireX, Reaper; Mirai, BigBrother, Rediation; Remaiten; Moon; Aidra; Hydra; Satori family, Amnesia, Persirai; Masuta, PureMasuta, Hide 'N Seek, JenX, OMG, DoubleDoor; Crash Override; Gafgyt family; Darlloz, Marcher; Psyb0t; Hajime, Trickbot, IRC Telnet, Annie. The trend is shifting from primarily DDoS to multi-purpose. Attack types: DNS hijack, DDoS, PDoS, proxy servers, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner, unknown.
  • 29. Shortcomings of today's approach
      • Code-level security: difficulty differentiating between humans and modern bots; lags behind the rapid pace of bot evolution
      • IP blocking: the sheer volume of IPs is difficult to track and block; ineffective at blocking Tor-based bots
      • Traditional WAF: designed to protect against the OWASP Top 10; relies solely on CAPTCHA for bot protection
  • 30. What is required for accurate bot detection? Bot signatures + DNS checks; JS challenge + browser fingerprinting; browser capabilities; human detection; optional CAPTCHA; anomalies. The server should not receive the traffic.
  • 31. (Figure, problem and solution) Web scraping protection, proactive bot prevention, L7 DoS, WAF: behavioural analysis to identify malicious bots.
  • 32. © F5 Networks, Inc 32 Bots that simulate browsers (figure: the challenge exchange between a bot, ASM, the DNS server and the web server). Bot: "I'm a bot that simulates a browser." ASM: "OK, what are your capabilities? If you don't answer correctly you will have to solve a CAPTCHA." Bot: "Capabilities? CAPTCHA? Bummer." ASM: "No you are not, bye bye" -> block this client.
  • 33. Bots that simulate browsers: Headless Chrome, Sentry MBA.
  • 34. © F5 Networks, Inc 34 How bots that simulate browsers are evaluated and scored: each request is evaluated and given a score. Low score (0–59, browser): pass. Higher score (60–99, unknown): send a CAPTCHA; if the CAPTCHA is valid, pass, otherwise block. 100: bot.
  • 35. Behavioural analysis and fingerprinting: detect GET flood attacks against heavy URIs; identify non-human surfing patterns; fingerprint to identify clients beyond the IP address (operating system, geolocation, browser) using screen size and colour depth, plugin details, time zone, HTTP_ACCEPT headers, language, system fonts, touch support, extensions.
  • 36. How unique are you? Browsers attributes
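Slides 30, 34 and 35 together describe a scoring pipeline: signatures and DNS checks first, then the JS challenge and the fingerprint it collects, then a decision by score band. The following added example (my code, not F5's) implements that pipeline over constructed client profiles. The score bands are the slide's; everything else is an assumption made for the illustration: the weights, the bot-signature list, the crawler domains used for forward-confirmed reverse DNS (the lookup results are supplied in the profile so the code runs offline), the capability attributes and the profiles themselves. A score of exactly 100 is treated as "block".

```python
"""Scoring a client as browser / unknown / bot from the signals on the slides:
bot signatures, forward-confirmed reverse DNS for claimed search bots, the JS
challenge result and browser-capability fingerprint consistency.

Added example, not F5 code. The weights, the bot-signature list, the search-bot
domains and the client profiles are constructed; the score bands come from the
slide: 0-59 browser (pass), 60-99 unknown (CAPTCHA), 100 bot (block).
"""
import re

KNOWN_BAD_BOT_UA = re.compile(r"python-requests|curl/|wget/|Go-http-client|Sentry", re.I)

# Claimed crawler token -> PTR-name suffixes the vendor uses (constructed subset).
SEARCH_BOTS = {"Googlebot": (".googlebot.com", ".google.com"), "bingbot": (".search.msn.com",)}


def verify_search_bot(profile):
    """Forward-confirmed reverse DNS: the PTR name must sit in the vendor's domain and
    resolve back to the connecting IP. Both lookup results are taken from the profile
    (assumed, so the example runs offline). Returns (token, verified) or (None, None)."""
    ua = profile["user_agent"].lower()
    for token, suffixes in SEARCH_BOTS.items():
        if token.lower() in ua:
            host = profile.get("rdns_hostname") or ""
            verified = host.endswith(suffixes) and profile.get("forward_ip") == profile["ip"]
            return token, verified
    return None, None


def score_client(profile):
    """Return (score, decision, reasons) for one client profile."""
    ua = profile["user_agent"]
    if KNOWN_BAD_BOT_UA.search(ua):
        return 100, "block", ["user agent matches a known bot signature"]
    token, verified = verify_search_bot(profile)
    if token is not None:
        if verified:
            return 0, "pass", [f"{token} confirmed by forward-confirmed rDNS"]
        return 100, "block", [f"claims to be {token} but rDNS does not confirm it"]

    score, reasons = 0, []
    js = profile.get("js_challenge")  # True passed, False wrong answer, None never answered
    if js is None:
        score += 60; reasons.append("JS challenge never answered")
    elif js is False:
        score += 100; reasons.append("JS challenge answered incorrectly")

    # Fingerprint consistency: the UA string is trivially spoofed, so compare what the
    # client says it is with what its JS-reported capabilities look like.
    caps = profile.get("capabilities", {})
    if caps.get("webdriver"):
        score += 40; reasons.append("navigator.webdriver is set (automation framework)")
    if "Chrome" in ua and caps.get("plugins", 0) == 0:
        score += 15; reasons.append("desktop Chrome reporting zero plugins")
    if not caps.get("languages"):
        score += 15; reasons.append("empty navigator.languages")
    if "Accept-Language" not in profile.get("headers", {}):
        score += 10; reasons.append("no Accept-Language header")

    score = min(score, 100)
    decision = "block" if score == 100 else "captcha" if score >= 60 else "pass"
    return score, decision, reasons


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
REAL_CAPS = {"webdriver": False, "plugins": 3, "languages": ["en-US", "en"],
             "screen": "1920x1080x24", "timezone": "Europe/Prague", "touch": False}
HEADERS = {"Accept-Language": "en-US,en;q=0.9", "Accept": "text/html,*/*"}

# Constructed client profiles, not real traffic.
PROFILES = {
    "real-chrome": {"ip": "198.51.100.7", "user_agent": CHROME_UA, "js_challenge": True,
                    "capabilities": REAL_CAPS, "headers": HEADERS},
    "headless-chrome": {"ip": "203.0.113.20", "user_agent": CHROME_UA, "js_challenge": True,
                        "capabilities": {"webdriver": True, "plugins": 0, "languages": [],
                                         "screen": "800x600x24"}, "headers": HEADERS},
    "python-requests": {"ip": "203.0.113.21", "user_agent": "python-requests/2.31.0", "headers": {}},
    "no-js-answer": {"ip": "198.51.100.8", "user_agent": CHROME_UA, "js_challenge": None,
                     "capabilities": REAL_CAPS, "headers": HEADERS},
    "verified-googlebot": {"ip": "66.249.66.1", "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                           "rdns_hostname": "crawl-66-249-66-1.googlebot.com", "forward_ip": "66.249.66.1"},
    "fake-googlebot": {"ip": "203.0.113.22", "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                       "rdns_hostname": "static.203-0-113-22.example.net", "forward_ip": "203.0.113.22"},
}


def triage(profiles=PROFILES):
    """Score every profile: list of (name, score, decision)."""
    return [(name, *score_client(p)[:2]) for name, p in profiles.items()]


if __name__ == "__main__":
    for name, score, decision in triage():
        print(f"{name:20} score={score:3} -> {decision}")
```

Note the ordering: the cheap, deterministic checks (signature, rDNS) run before the JS challenge is even considered, so a scripted client or a fake crawler never consumes a challenge or a CAPTCHA, and a genuine crawler is never shown one. The headless profile spoofs a normal Chrome UA and passes the JS challenge, yet lands in the 60–99 band on fingerprint inconsistencies alone; the CAPTCHA then decides, which matches the slide's "unknown" handling.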
  • 41. "Fraudsters eat for free as Deliveroo accounts hit by mystery breach" (headline)
      • No prior breach
      • Dozens of account takeovers left users picking up food bills they never ordered
      • Unsuspecting victims received receipts via email, after it was too late
  • 42. In the last 8 years more than 7.1 billion identities have been exposed in data breaches (1). Breach sizes shown on the slide: 70 million, 117 million, 150 million, 427 million, 3 billion. "Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more" (2). Sources: 1) Symantec Internet Security Threat Report, April 2017; 2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media
  • 43. (Figure: the same username reused across many sites; behind each sits credit card data, intellectual property, healthcare data, passport data or financial data.)
  • 44. Application Threat Intelligence: info on emerging threats (what is it? who does it affect?) and protection strategy recommendations.
  • 47. Malware statistics: in the first quarter of 2017, a new specimen of malware emerged every 4.2 seconds; 1 in every 131 emails included malware in 2016; over half (51%) of all breaches in 2016 involved some form of malware. Sources: 1) Malware trends 2017, G DATA Software; 2) Symantec Internet Security Threat Report, April 2017; 3) WannaCry Update, Rapid7 Blog, May 2017
  • 48. Use our research to learn about new types of malware Application Threat Intelligence
  • 49. (Figure: malware behaviour) Injects into running processes; hooks functions inside Windows DLLs; man-in-the-middle: sends credentials to the command and control center.
  • 55. F5 Advanced WAF: protect against bots, credential attacks and app-layer DoS
      Key benefits:
        • Protects web and mobile apps from exploits, bots, theft and app-layer DoS
        • Prevents malware from stealing data and credentials
        • Prevents brute force attacks that use stolen credentials
        • Eliminates time-consuming manual tuning for app-layer DoS protection
      Defend against bots: proactive bot defense; anti-bot mobile SDK; client and server monitoring
      Protect apps from DoS: auto-tuning; behavioral analytics; dynamic signatures
      Prevent account takeover: app-level encryption; mobile app tampering protection; brute force protection
      (Figure: hacker and bots versus users and their credentials, with Mobile Bot Mitigation, the Anti-bot Mobile SDK, Credential Protection and App-Layer DoS protection around F5 Advanced WAF.)
  • 56–57. Licensing (figures). F5 ASM: Base ADC, ASM, Anti Bot, L7 DDoS (BADoS, limited). F5 Advanced WAF adds: BADoS unlimited, DataSafe, Credential Stuffing (S)(A), Anti-Bot Mobile (S), Threat Campaigns (S)(A), API Security, Upstream Signaling, Client Device ID (S). Legend: (S)ubscription license, (A)dd-on license, (I)ncluded in the AWAF.
  • 58. What LTM features are available on ASM? Starting with BIG-IP ASM version 13.1.0.1 the following load-balancing capabilities are included in ASM (no LTM license needed):
      • Up to 3 pool members
      • LB methods supported: Round Robin, Ratio (member), Ratio (node)
  • 59. What LTM features are available on AWAF? Starting with BIG-IP version 13.1.0.2 the following LTM features are part of the AWAF (Advanced WAF) license:
      Load balancing
        • No limit on the number of pool members
        • LB methods supported: Round Robin, Ratio (member), Least Connections (member), Ratio (node), Least Connections (node), Weighted Least Connections (member), Weighted Least Connections (node), Ratio Least Connections (member), Ratio Least Connections (node)
      Persistence
        • Cookie persistence
        • Source address
        • Host
        • Destination address
  • 62. F5 portfolio map (figure). Attack classes: Web Application Attacks, App Infrastructure Attacks, DDoS Attacks, Client-Side Attacks. Capabilities: Advanced Web Application Firewall (WAF), Bot Defense, Credential Protection, Anti-DDoS (application, app infrastructure, DNS, TLS/SSL), Web Access Management, Identity Access Management (IAM). Products: DDoS Hybrid Defender, Advanced WAF, Access Management, SSL Orchestrator.