A Blueprint for Web Attack Survival

© 2013 Imperva, Inc. All rights reserved.
Blueprint for Web Attack Survival
Confidential1
Kasey Cross, Sr. Manager, Web Security, Imperva
Nick Silver, Sr. Solutions Architect, WhiteHat Security

Agenda
Confidential2
§  Application Threatscape
§  Solutions to Mitigate Web Attacks

Presenters
Confidential3
§  Kasey Cross
•  Senior Product Marketing Manager at Imperva
•  Frequent speaker at industry events
•  Managed SecureSphere WAF product line
for 8 years
§  Nick Silver
•  Sr. Solutions Architect at WhiteHat Security

Application Threatscape
Confidential4
Web Application Vulnerabilities and Threats

Industry Averages for 2012
Confidential5

© 2013 Imperva, Inc. All rights reserved. Confidential6
The average number of days in a year a website is exposed to at least
one serious* vulnerability

Industrialization of Hacking and Automation
Researching
Vulnerabilities
Developing Exploits
Growing Botnets
Exploiting Targets
Consuming
Direct Value: PII, CCN
Command & Control
Malware Distribution
Phishing & spam
DDoS
Growing Botnets and
Exploiting Vulnerabilities
Selecting Targets via
Search Engines
Templates & Kits
Centralized
Management
Roles Optimization Automation
Confidential7

Hacktivism Attack Targets and Methods
2010
Now
2011
2012
2013
Titanic
Takeover
Tuesday
Operation
Payback
HTTP Flood “Abibil Assassin” (Vertigo &
KamiNa variants) & attack to login page from
54 countries
Confidential8

Distributed Denial of Service Threats
Confidential9
§  74% of organizations received a
DDoS attack in past year1
§  Many DDoS attacks are launched by botnets, because of
scale
•  Toolkits automate DDoS attacks
•  Botnets for rent from $50 - $2K
§  DDoS attacks are moving up the stack
•  Less expensive; requires few attackers
•  Bypasses network security measures DDoS Attack Tool
1 ”The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester Research

Commercialized DDoS
§  Customer satisfaction guarantee!
Confidential10

Commercialized DDoS
§  Customer satisfaction guarantee!
Confidential11

Step-by-Step Instructions to Survive
a Web Attack
Confidential12

1. Understand the Threat Actor
Confidential13
§  Identify the attack source:
•  Research their attack
techniques and tools
§  Hacktivism:
•  Monitor social media, Twitter,
Facebook, and YouTube
•  Identify DDoS attack tools and
“booster packs”
§  Cybercrime:
•  Talk to peers in your industry about attack sources and tools
•  Read hacker intelligence reports and security research
13

2. Develop a Security Response Plan
Confidential14
§  Organize an incident response team
•  IT security personnel, networking, and application development
teams
•  Assign 24x7 coverage
§  Create a Red Team
•  Security engineers that will look for vulnerabilities
•  Evaluate all potential risks including, application, network, end-
user, social engineering, and even physical threats
14

§  DNS and Internet Service Providers
§  DDoS Protection Services
§  Relevant security consultants
Little Black Book of Contacts
Confidential15
§  IT security managers
§  IT operations managers
§  Networking operators
§  Application developers
§  Database administrators
§  Legal
§  Executive management
Gather the names, phone numbers, and
email addresses of:
INTERNALEXTERNAL

Document Network and Server Information
Confidential16
§  Gather IP address and network info for:
•  Web servers
•  Databases
•  DNS servers
•  Network firewalls
•  Web application firewalls
•  Database firewalls
•  Routers and switches
•  Disaster recovery networks
§  Develop network architecture diagrams
16
Security Tip:
Keep network information
and contact lists secure

Notify Management & Set Up a War Room
Confidential17
§  Inform Executive Management of the threat
§  Consider warning employees
•  Notify users of potential
downtime (for DDoS)
•  Educate employees about phishing
•  Prepare IT for social
engineering threats
§  Establish a War Room
•  “Ground zero” for planning and
communications
17

3. Locate and Assess Servers and Apps
Confidential18
§  Scan your network to identify all assets (cloud and local)
•  Classify assets by information and brand sensitivity to identify high
risk landscapes
•  Prioritize efforts to based on risk levels
§  Secure database access
•  Scan DBs for vulnerabilities or configuration flaws
•  Remove any default or unnecessary user accounts
•  Disable unneeded services
18

Perform Vulnerability Assessments
Confidential19
§  Perform vulnerability assessments
•  Scan both Network and Application Layers
•  Scan all known Web Assets
•  Scan Concurrently and Continuously
•  Analyze application functionality for DDoS attack potential and
Business Logic based exploits
•  Implement assessment practice across the entire SDLC
19
Design" Development" QA" Production"

4. Application, Network & End-Point Controls
Confidential2020
Anti Virus
Network
Security
Database
Security
Install anti-virus and
anti-malware
software on servers.
Make sure definition
files are up to date.
Block all
unnecessary ports
with the firewall.
Configure the IPS to
block high and critical
violations.
Configure your
database firewall to
block unauthorized
SQL queries, limit
access, and virtually
patch vulnerabilities.

Ratchet Up Web App Firewall Protection
Confidential21
§  Review and tune the web application profile
•  Review acceptable characters & parameter value lengths
•  Compare the profile to vulnerability scan results
§  Tighten profile policies to block based on profile violations
21
Directories
URLs

Block Web Attacks and Attack Sources
Confidential22

WAF Policies to Stop App DDoS Attacks
Confidential23
§  Create policies that block:
•  High rates of requests in a short
period of time by IP address, by
user, and by session
•  Known malicious IP addresses,
anonymous proxies, and Tor networks
•  Users that request many files with extensions like “.pdf”, “.mp3” or
“.mp4” in a short period of time
•  Users that download large amounts of data
•  Users that initiate multiple requests that cause extremely slow
web server responses
23
DDoS Preparation Tip
Make sure you can
manage your security
products from an out-of-
band network

While app DDoS attacks target Web servers & databases
network DDoS attacks target your Internet connection
Stopping Network DDoS Threats
Confidential2424
Web Servers
and Databases

Confidential2525
Web Servers
and Databases

Confidential2626
Web Servers
and Databases
To prevent network DDoS attacks, look at DDoS mitigation
services that stop attacks before they reach your network

Confidential2727
Web Servers
and Databases
To prevent network DDoS attacks, look at DDoS mitigation
services that stop attacks before they reach your network

§  Continuously monitor alerts from security and network
devices and from performance monitoring tools
§  If attacks are coming from a specific geographic area,
create policies to block requests from that area
§  If you can detect which URLs
bots are targeting, create bot
mitigation rules that block bots
from accessing those URLs
§  Monitor social media, hacker forums, IRC chat rooms,
and sites that list website defacements
5. Security Procedures When Under Attack
Confidential2828

Stop DDoS Attacks that Target Databases
Confidential29
§  Attackers often target search, login & registration pages
§  Create custom policies to block the attacks
•  Block an excessive number of failed logins
•  Block multiple successful logins from the same user
29
Number of
Occurrences
Failed Login

6. Conduct a Post Mortem of the Attack
Confidential30
§  Review the impact of the attack
§  Analyze alert logs from your WAF,
SIEM, & network monitoring tools
§  Answer the following questions:
•  Did you suffer any downtime during the attack?
•  Was any sensitive data compromised?
•  What security technologies and processes were in place? Were
they effective?
•  What improvements can be made in the future?
30

Solutions to Prepare For and Stop
Web Attacks
Confidential31

Secure SDLC with WhiteHat Sentinel
Confidential3232
Design" Development" QA" Production"
Sentinel
Source
(SAST)"
Computer-
based training
(CBT)"
Sentinel PL
(DAST)"
Sentinel BE,
SE, and PE
(DAST)"
Sentinel
Mobile"

Complete Solution (DAST)
Confidential3333

Imperva Web Application Security Solutions
Confidential35
SecureSphere Web
Application Firewall
Accurate, automated protection against
online threats
Incapsula
•  Scalable, easy to use,
cloud-based DDoS and Web
application firewall service

Known Attackers
Bots
Web Attacks
Undesirable
Countries
Web Fraud
App DDoS
Scrapers
Phishing Sites
Comment
Spammers
Vulnerabilities
Web Apps
SecureSphere
Complete Protection Against Web Threats
Confidential36

Imperva and WhiteHat are offering a free 30-day trial.
Register at: http://reg.whitehatsec.com/imperva
Are Your Web Applications Secure?
Confidential3737

#ImpervaChat
Confidential38
§  What: Twitter Chat
§  When: Tues., Oct. 1st @ 10am-11am (PDT)
§  Where: #ImpervaChat
§  Co Moderators:
•  Barry Shteiman, Senior Security Strategist, Imperva
§  @bshteiman
•  Kasey Cross, Senior Manager of Web Security Solutions, Imperva
§  @kaseycross
Best Practices for Surviving a Web Attack

www.imperva.com
39 Confidential

A Blueprint for Web Attack Survival

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A Blueprint for Web Attack Survival

Similar to A Blueprint for Web Attack Survival (20)

More from Imperva

More from Imperva (20)

Recently uploaded

Recently uploaded (20)

A Blueprint for Web Attack Survival