Men in the Server Meet the Man in the Browser
Source: Barcelona 2011 - Amichai Shulman (transcript)
Amichai Shulman, CTO, Imperva
Agenda
+ Quick Introduction
+ Motivation
+ Problem Definition
+ Shape Based Tests
+ Content Based Tests
+ Overall Solution Strategy
+ Summary
Introduction
Imperva Overview
Our mission: Protect the data that drives business
Our market segment: Enterprise Data Security
Our global business:
+ Public company, founded in 2002
+ Global operations; HQ in Redwood Shores, CA
+ 350+ employees
+ Customers in 50+ countries
Our customers: 1,300+ direct; thousands cloud-based
+ 4 of the top 5 global financial data service firms
+ 4 of the top 5 global telecommunications firms
+ 4 of the top 5 global computer hardware companies
+ 3 of the top 5 US commercial banks
+ 150+ government agencies and departments
Today's Presenter: Amichai Shulman – CTO, Imperva
+ Speaker at industry events: RSA, Sybase TechWave, Info Security UK, Black Hat
+ Lecturer on information security at the Technion - Israel Institute of Technology
+ Former security consultant to banks and financial services firms
+ Leads the Application Defense Center (ADC)
  – Discovered over 20 commercial application vulnerabilities; credited by Oracle, MS-SQL, IBM and others
+ One of InfoWorld's "Top 25 CTOs"
Motivation
Client Side Attacks - Scope of Problem (1): Major Attack Vectors
+ Browser code
  – On decline over the past 3 years
  – Expected to rise over the next 2 years
+ Browser plug-ins (Java, Flash, PDF, Media Player etc.)
+ OS libraries (graphics rendering)
Client Side Attacks - Scope of Problem (2): 2010 Vulnerability Figures
Client side
+ 77 IE vulnerabilities, 106 Firefox vulnerabilities, 188 Chrome vulnerabilities
+ 73 Adobe Flash and 9 Adobe Reader related vulnerabilities
+ 72 various ActiveX related vulnerabilities
Server side
+ Only 36 vulnerabilities across IIS, Apache and Tomcat
Client Side Attacks - Scope of Problem (3): Malware Distribution Methods
+ Drive-by download / malvertising
+ Phishing, "spear phishing"
+ Torrent and P2P
+ Physical
Client Side Attacks - Scope of Problem (4): 2009 / 2010 Attack Figures
+ A 2010 report by Kaspersky: ~600M attempts reported to KSN, more than a 5x increase over 2009
+ Number of Zeus-infected computers estimated at 10M
+ Rustock spanned 1M computers; 40K new infections a day (with some being cleaned up)
Consumers cannot be expected to cope with the technical problem on their own
From Consumer Attack to a Business Problem
The threat to consumers is constantly growing
+ Number of vulnerabilities
+ Number of attacks
+ Types of attacks
+ Sophistication
Usage is expanding beyond banking and popular retail applications
We are past the point of no return
+ Cannot expect average consumers to avoid infection and mitigate attacks alone
+ We cannot deny service to infected consumers
+ We cannot let the consumer bear the consequences of a compromise
From Consumer Attack to a Business Problem
Potential consequences (of failing to do so):
+ Reduced onboarding rate
+ Reduced activity
+ Increased refunds
+ Increased insurance rates
Consumer-facing malware threatens online commerce (Forrester, Feb 2011: "Malware And Trojans And Bots, Oh My!")
From Consumer Attack to a Business Problem
(Analogy slide: car user safety compared with online user safety)
Problem Definition
Client Side Trouble – Types of Interaction
Key loggers
+ No interaction between malware and application
+ Offline interaction between attacker and application using stolen credentials
Phishing
+ Some interaction between browser and actual application during the attack
  – Could be used for detection of some phishing campaigns
+ Offline interaction between attacker and application using stolen credentials
Man in the Browser
+ Extensive interaction between malware and application during the attack
+ Offline interaction between attacker and application using stolen credentials
Man in the Browser Attacks
Attacker code running in the context of the victim's browser, AKA Proxy Trojan
Original motivation
+ No need to attack infrastructure (DNS, tap into router, etc.)
+ Defeat SSL
Additional benefits
+ Access to local resources
+ Access to application session data
Prominent actors
+ ZeuS, Gozi, URLZone, Sinowal, Limbo and SpyEye
+ Silentbanker
MitB Attacks - The Evolution of Proxy Trojans
Key logger → Record HTML data → Inject HTML elements → Manipulate and inject transactions
MitB Attacks - Proxy Trojans in Action
(Five before/after screenshot pairs of application pages as rendered in a clean browser and in an infected one; the images are not reproduced in the transcript)
Proxy Trojan Architecture
(Diagram: Client Machine ↔ Web Application, with the Trojan's steps labelled Tamper Request, Tamper Page, Extract Data and Inject Fake Transaction, and a Drop Server receiving the extracted data)
Shape Based Tests
An Observation
(Side-by-side capture of traffic from a clean client and from an infected one)
The Trojan likes to tamper plain traffic
Typical Changes by Trojan
Encoding related headers
+ Enforce use of traffic that is easily tampered with by the Trojan
+ Avoid HTTP/1.1 connections and compressed data
Client type identification
+ Ensure identification by the drop server and other attacker-controlled components
Additional parameters
+ Extra data provided by an unfortunate victim
+ Could represent client identification for attacker-controlled components
Parameter order
+ Fake transactions generated by the Trojan may serialise parameters in a different order than the real form submission
Shape Based Tests
The application (or a device protecting the application) inspects the shape of incoming messages for changes typical of Trojans
If a Trojan pattern is detected, mark the client (IP address / session / request) as "infected"
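An added example, not from the original presentation and not Imperva's product logic: a small shape-based classifier in JavaScript (Node.js) that implements the four kinds of change listed under "Typical Changes by Trojan" as rules over request metadata only. The rule conditions, the User-Agent heuristic, the per-URL list of allowed parameters and both sample requests are assumptions constructed for the example.

```javascript
// Added example, not vendor code: shape-based tests over request metadata only.
// Each rule returns true when the request looks Trojan-shaped; the rule names
// and conditions are assumptions made for this example.
const MODERN_UA = /Mozilla\/5\.0/;

const SHAPE_RULES = [
  {
    name: 'http10-from-modern-browser',
    // Modern browsers speak HTTP/1.1; a Trojan that wants plain, unchunked
    // responses it can rewrite easily often forces HTTP/1.0.
    test: (req) => req.httpVersion === '1.0' && MODERN_UA.test(req.headers['user-agent'] || ''),
  },
  {
    name: 'no-compression-from-modern-browser',
    // A browser with a modern UA advertises gzip in Accept-Encoding; stripping
    // it keeps the response uncompressed and easy to tamper with.
    test: (req) =>
      MODERN_UA.test(req.headers['user-agent'] || '') &&
      !/gzip/i.test(req.headers['accept-encoding'] || ''),
  },
  {
    name: 'unexpected-parameter',
    // Fields the real form never emits (e.g. a bot id for the drop server).
    // The allowed set is per-URL configuration, passed in via ctx.
    test: (req, ctx) => [...req.params.keys()].some((p) => !ctx.allowedParams.has(p)),
  },
  {
    name: 'parameter-order',
    // A browser submits fields in DOM order; a fake transaction injected by the
    // Trojan frequently serialises them in a different order.
    test: (req, ctx) => {
      const seen = [...req.params.keys()].filter((p) => ctx.allowedParams.has(p));
      const expected = ctx.expectedOrder.filter((p) => seen.includes(p));
      return seen.join(',') !== expected.join(',');
    },
  },
];

// Verdict for one request: which rules fired, if any. The caller decides what
// "infected" means for it (mark the IP address, the session or the request).
function shapeTest(req, ctx) {
  const reasons = SHAPE_RULES.filter((r) => r.test(req, ctx)).map((r) => r.name);
  return { infected: reasons.length > 0, reasons };
}

// Per-URL context for a hypothetical /transfer form.
const TRANSFER_CTX = {
  allowedParams: new Set(['from', 'to', 'amount', 'csrf']),
  expectedOrder: ['from', 'to', 'amount', 'csrf'],
};

// Constructed sample requests (not captured traffic). Header names are
// lower-cased, as Node's http module presents them.
const CLEAN_REQUEST = {
  httpVersion: '1.1',
  headers: {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0 Safari/537.36',
    'accept-encoding': 'gzip, deflate',
  },
  params: new URLSearchParams('from=1234&to=5678&amount=100&csrf=abc'),
};

const TROJAN_REQUEST = {
  httpVersion: '1.0', // forced down to HTTP/1.0 by the Trojan
  headers: {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0 Safari/537.36',
    // Accept-Encoding stripped so the reply stays plain text
  },
  params: new URLSearchParams('to=9999&amount=5000&from=1234&csrf=abc&botid=4711'),
};

console.log(shapeTest(CLEAN_REQUEST, TRANSFER_CTX));
console.log(shapeTest(TROJAN_REQUEST, TRANSFER_CTX));
```

The two header rules are the ones most exposed to false positives from genuine clients that do not support HTTP/1.1 or compression, which is exactly the problem the presentation takes up under "Challenges – Avoiding False Positives"; the parameter rules depend on an accurate per-form allow-list and field order, so they need to be regenerated whenever the protected form changes.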
Shape Based Tests in Action
(Architecture diagram as before: Client Machine ↔ Web Application with the Trojan steps Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction and the Drop Server; "Apply Shape Tests" is placed in front of the web application on the incoming request path, so both tampered requests and injected fake transactions are inspected)
Challenges – Tracking Trojan Discrepancies
+ Each Trojan may display a different change
+ Changes may be reflected in specific request types
+ Need to keep track of Trojans
+ Create a framework for shape based rules
+ Create a framework for constructing shape tests
Challenges – Avoiding False Positives
Some real client devices do not support (or choose not to support) HTTP/1.1 or compressed data
Engage the browser in a challenge-response protocol: send a gzip-compressed page to a client that claims not to accept compression. A browser that really cannot decode it never runs the script and follows the Refresh header to infected=no; a browser that decodes and executes the page navigates to infected=yes first, showing that the Accept-Encoding header was stripped by the Trojan rather than omitted by the browser.
HTTP/1.1 200 OK
...
Content-Encoding: gzip
Refresh: 2;url=infection_test.html?infected=no

<html><head><script>window.navigate('infection_test.html?infected=yes')</script></head><body></body></html>
(The body is sent as gzip-compressed bytes; the compressed dump shown on the original slide is not reproduced here.)
Content Based Tests
Current malware tampers HTML at the network layer (before it is interpreted by the browser)
+ This is due to simplicity and robustness considerations
Use client side code to verify the integrity of HTML page content in coordination with the server
Some solutions try to "provoke" the MitB into making changes, then compare the HTML content to known Trojan behaviors
+ This can be avoided by careful configuration of the MitB
+ Requires a constant chase after MitB configuration files
  – Construct an up-to-date database of "known behaviors"
Client / Server Content Verification
Server computes a digest of the delivered HTML page
+ Random (invisible) elements are injected into the page before computation
Server appends a page digest computation function to the HTML page
+ The computation function code includes a random salt
When the page is loaded into the browser, the computation function is invoked, computes the digest and sends it to the server for verification
If the browser does not send back a digest, or sends one that does not match the server's value, infection is assumed
Content Based Tests in Action
(Architecture diagram as before: Client Machine ↔ Web Application with the Trojan steps Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction and the Drop Server; the web application side is labelled "Compute Digest and Inject Digest Computation Function" and "Compare Digests", the client side "Compute Digest")
Model Strengths (1)
+ Digest cannot be pre-computed by malware due to the random HTML elements
+ Digest cannot be computed by malware without executing the digest computation function
  – Requires malware to implement / invoke a JavaScript engine
+ Computation function can be extended to explicitly reference the randomly injected HTML elements through DOM functions
  – Requires the malware to implement / fake the DOM
+ Malware cannot dismiss the test
Model Strengths (2)
+ Does not depend on specific MitB configuration and the expected changes
  – Only depends on the protected application page
  – Some configuration options should be available to restrict the parts of the page that are digested (avoid elements produced by client side code)
+ Breaking the tie with attackers
  – Complexity of the computation process can be increased with small effort
  – Resulting changes to malware code are complex and painful, increasing its footprint
Overall Solution Strategy
Look at the Complete Picture
Apply shape based tests and content based tests to identify infected client devices
Interact with infected clients
+ Provide clear visual warnings
+ Contact the customer offline
+ Apply business access policies
  – Example 1: Allow data extraction but deny transactions
  – Example 2: Limit transaction size
+ Automatically employ extra validation through side channels
  – Adaptive authentication
+ Keep a more comprehensive audit trail for the user / session
MitB is Only Part of the Landscape
Identifying account takeover
+ Server side fraud detection
+ Device profiling and reputation
+ Advanced authentication
Defeat phishing campaigns
+ Detect and take down campaigns
+ Detect victims in real time
Flexible Deployment Framework
+ Cannot change application code whenever capabilities change or threats morph
+ Be able to protect legacy applications
+ Create consistency across all applications and flexibility in choosing vendors
Summary
+ The threat to consumers is constantly growing and is past the point where we can expect most of our consumers to avoid infection
+ Consumer infection has become a business problem
+ While providers should urge consumers to be prudent, they MUST learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat
+ Some car safety mechanisms are already regulated. We can expect the same from business IT security
Summary (cont.)
+ Enterprise IT is failing to properly tackle client based attacks within the enterprise
+ The growing number of so-called "APT" attacks on organizations demonstrates the effect of the "compromised insider"
+ Failures stem from the same reason: trying to avoid infection rather than learning to interact with infected clients
Questions
Thank You