Men in the Server Meet the Man in the Browser Amichai Shulman, CTO

Upload: source-conference

Post on 15-Dec-2014


DESCRIPTION

SOURCE Barcelona 2011 - Amichai Shulman

TRANSCRIPT

Page 1: Men in the Server Meet the Man in the Browser

Men in the Server Meet the Man in the Browser

Amichai Shulman, CTO

Page 2: Men in the Server Meet the Man in the Browser

Agenda

Quick Introduction
Motivation
Problem Definition
Shape Based Tests
Content Based Tests
Overall Solution Strategy
Summary

Page 3: Men in the Server Meet the Man in the Browser

Introduction

Page 4: Men in the Server Meet the Man in the Browser

Imperva Overview

Our mission: Protect the data that drives business

Our market segment: Enterprise Data Security

Our global business:
+ Public company, founded in 2002
+ Global operations; HQ in Redwood Shores, CA
+ 350+ employees
+ Customers in 50+ countries

Our customers: 1,300+ direct; thousands cloud-based
+ 4 of the top 5 global financial data service firms
+ 4 of the top 5 global telecommunications firms
+ 4 of the top 5 global computer hardware companies
+ 3 of the top 5 US commercial banks
+ 150+ government agencies and departments

Page 5: Men in the Server Meet the Man in the Browser

Today’s Presenter: Amichai Shulman – CTO, Imperva

Speaker at industry events
+ RSA, Sybase TechWave, Info Security UK, Black Hat

Lecturer on information security
+ Technion – Israel Institute of Technology

Former security consultant to banks and financial services firms

Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities – credited by Oracle, MS-SQL, IBM and others

Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”

Page 6: Men in the Server Meet the Man in the Browser

Motivation

Page 7: Men in the Server Meet the Man in the Browser

Client Side Attacks - Scope of Problem (1): Major Attack Vectors

Browser code
+ On decline over the past 3 years
+ Expected to rise over the next 2 years

Browser plug-ins (Java, Flash, PDF, Media Player etc.)

OS libraries (graphics rendering)

Page 8: Men in the Server Meet the Man in the Browser

Client Side Attacks - Scope of Problem (2): 2010 Vulnerability Figures

Client side
+ 77 IE vulnerabilities, 106 Firefox vulnerabilities, 188 Chrome vulnerabilities
+ 73 Adobe Flash and 9 Adobe Reader related vulnerabilities
+ 72 various ActiveX related vulnerabilities

Server side
+ Only 36 vulnerabilities across IIS, Apache and Tomcat

Page 9: Men in the Server Meet the Man in the Browser

Client Side Attacks - Scope of Problem (3): Malware Distribution Methods

Drive-by download / malvertising
Phishing, “spear phishing”
Torrent and P2P
Physical

Page 10: Men in the Server Meet the Man in the Browser

Client Side Attacks - Scope of Problem (4): 2009 / 2010 Attack Figures

A 2010 report by Kaspersky
+ ~600M attempts reported to KSN, more than a 5 times increase over 2009

Number of Zeus infected computers estimated at 10M

Rustock spanned 1M computers

40K new infections a day (with some being cleaned up)

Consumers cannot be expected to cope with the technical problem on their own

Page 11: Men in the Server Meet the Man in the Browser

From Consumer Attack to a Business Problem

The threat to consumers is constantly growing
+ Number of vulnerabilities
+ Number of attacks
+ Types of attacks
+ Sophistication

Usage is expanding beyond banking and popular retail applications

We are past the point of no return
+ Cannot expect average consumers to avoid infection and mitigate attacks alone
+ We cannot deny service to infected consumers
+ We cannot let the consumer bear the consequences of a compromise

Page 12: Men in the Server Meet the Man in the Browser

From Consumer Attack to a Business Problem

Potential consequences (of failing to do so):
+ Reduced onboarding rate
+ Reduced activity
+ Increased refunds
+ Increased insurance rates

Consumer facing malware threatens online commerce*
* Forrester, Feb 2011: “Malware And Trojans And Bots, Oh My!”

Page 13: Men in the Server Meet the Man in the Browser

From Consumer Attack to a Business Problem

(Comparison figure: Car User Safety vs. Online User Safety)

Page 14: Men in the Server Meet the Man in the Browser

Problem Definition

Page 15: Men in the Server Meet the Man in the Browser

Client Side Trouble – Types of Interaction

Key loggers
+ No interaction between malware and application
+ Offline interaction between attacker and application using stolen credentials

Phishing
+ Some interaction between browser and actual application during attack
– Could be used for detection of some phishing campaigns
+ Offline interaction between attacker and application using stolen credentials

Man in the Browser
+ Extensive interaction between malware and application during attack
+ Offline interaction between attacker and application using stolen credentials

Page 16: Men in the Server Meet the Man in the Browser

Man in the Browser Attacks

Attacker code running in the context of the victim’s browser, AKA Proxy Trojan

Original motivation
+ No need to attack infrastructure (DNS, tap into router, etc.)
+ Defeat SSL (the Trojan sees traffic inside the browser, after decryption and before encryption)

Additional benefits
+ Access to local resources
+ Access to application session data

Prominent actors
+ ZeuS, Gozi, URLZone, Sinowal, Limbo and SpyEye
+ Silentbanker

Page 17: Men in the Server Meet the Man in the Browser

MitB Attacks - The Evolution of Proxy Trojans

Key logger → Record HTML data → Inject HTML elements → Manipulate and inject transactions

Page 18: Men in the Server Meet the Man in the Browser

MitB Attacks - Proxy Trojans in Action

(Screenshots: Before / After)

Page 19: Men in the Server Meet the Man in the Browser

MitB Attacks - Proxy Trojans in Action

(Screenshots: Before / After)

Page 20: Men in the Server Meet the Man in the Browser

MitB Attacks - Proxy Trojans in Action

(Screenshots: Before / After)

Page 21: Men in the Server Meet the Man in the Browser

MitB Attacks - Proxy Trojans in Action

(Screenshots: Before / After)

Page 22: Men in the Server Meet the Man in the Browser

MitB Attacks - Proxy Trojans in Action

(Screenshots: Before / After)

Page 23: Men in the Server Meet the Man in the Browser

Proxy Trojan Architecture

(Diagram: Client Machine ↔ Web Application)

Page 24: Men in the Server Meet the Man in the Browser

Proxy Trojan Architecture

(Diagram: the proxy Trojan sits inside the Client Machine, between the browser and the Web Application; labelled steps: Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction; extracted data is sent to the attacker’s Drop Server)

Page 25: Men in the Server Meet the Man in the Browser

Shape Based Tests

Page 26: Men in the Server Meet the Man in the Browser

An Observation

(Figure: Clean vs. Infected traffic)

Trojan likes to tamper plain traffic

Page 27: Men in the Server Meet the Man in the Browser

Typical Changes by Trojan

Encoding related headers
+ Enforce the use of traffic that is easily tampered by the Trojan
+ Avoid HTTP/1.1 connections and compressed data (for example, the request is downgraded to HTTP/1.0 and the Accept-Encoding header is stripped, so the server answers with plain, uncompressed HTML)

Client type identification
+ Ensure identification by the drop server and other attacker controlled components

Additional parameters
+ Extra data provided by an unfortunate victim
+ Could represent client identification for attacker controlled components

Parameter order
+ Expected from fake transactions: a form submitted by a real browser sends its fields in the order they appear in the served page; a transaction assembled by the Trojan need not

Page 28: Men in the Server Meet the Man in the Browser

Shape Based Tests

The application (or a device protecting the application) inspects the shape of incoming messages for changes typical of Trojans

If a Trojan pattern is detected, mark the client (IP address / session / request) as “infected”
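A minimal server-side shape test of the kind described on this slide, written here as an added example (it is not code from the talk or from Imperva). The header heuristics, the expected field order of the transfer form, the finding labels and both sample requests are assumptions constructed for the illustration; a real deployment would keep per-Trojan rules in the framework the next slide calls for.

```javascript
// Added example, not code from the slides: a minimal server-side "shape" test.
// Header heuristics, the expected form field order, finding labels and both
// sample requests are assumptions made for this illustration.

// Parse a raw HTTP request (request line, headers, optional urlencoded body).
function parseRequest(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // Parameter names in the order the client sent them; order matters below.
  const params = body === '' ? [] : body.split('&').map(kv => decodeURIComponent(kv.split('=')[0]));
  return { method, target, version, headers, params };
}

// Field order of the transfer form as the server renders it (assumed).
// A real browser submits fields in DOM order; a transaction assembled by a
// proxy Trojan need not, and often carries extra identifiers for its drop server.
const EXPECTED_FORM_FIELDS = ['from_account', 'to_account', 'amount', 'csrf'];

// Returns the list of Trojan-typical discrepancies found in one request.
// An empty list means the request has the shape a clean browser would produce.
function shapeTest(raw) {
  const req = parseRequest(raw);
  const findings = [];
  const ua = req.headers['user-agent'] || '';
  // Crude heuristic: these browsers always speak HTTP/1.1 and accept gzip.
  const modernBrowser = /Firefox|Chrome|MSIE [89]\./.test(ua);

  // 1. Encoding-related tampering: forcing plain, uncompressed HTTP/1.0
  //    traffic that is easy to edit in flight.
  if (modernBrowser && req.version === 'HTTP/1.0') findings.push('http10-downgrade');
  if (modernBrowser && !('accept-encoding' in req.headers)) findings.push('accept-encoding-stripped');

  // 2. Parameters the served form never contained (victim / bot identification).
  const extra = req.params.filter(p => !EXPECTED_FORM_FIELDS.includes(p));
  if (extra.length > 0) findings.push('extra-params:' + extra.join(','));

  // 3. Known fields arriving in an order the rendered form cannot produce.
  const known = req.params.filter(p => EXPECTED_FORM_FIELDS.includes(p));
  const ranks = known.map(p => EXPECTED_FORM_FIELDS.indexOf(p));
  if (ranks.some((r, i) => i > 0 && r < ranks[i - 1])) findings.push('param-order');

  return findings;
}

// Marking step: any finding tags the client (here: the request) as infected.
function classifyRequest(raw) {
  return shapeTest(raw).length === 0 ? 'clean' : 'infected';
}

// Constructed sample requests (not real captures).
const CLEAN_REQUEST = [
  'POST /transfer HTTP/1.1',
  'Host: bank.example',
  'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0',
  'Accept-Encoding: gzip, deflate',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'from_account=1001&to_account=2002&amount=50&csrf=abc',
].join('\r\n');

const TAMPERED_REQUEST = [
  'POST /transfer HTTP/1.0',
  'Host: bank.example',
  'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'to_account=9999&amount=50&from_account=1001&csrf=abc&botid=17',
].join('\r\n');
```

Running `shapeTest(TAMPERED_REQUEST)` yields all four findings (HTTP/1.0 downgrade, stripped Accept-Encoding, the extra `botid` parameter and the reordered fields), while the clean request yields none. The encoding checks are the ones most prone to false positives on legitimate old clients, which is exactly why the slide on avoiding false positives adds a challenge-response step before acting on them.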

Page 29: Men in the Server Meet the Man in the Browser

Shape Based Tests in Action

(Diagram: the same proxy Trojan architecture – Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction, Drop Server – with “Apply Shape Tests” placed at the Web Application on the incoming tampered request and on the injected fake transaction)

Page 30: Men in the Server Meet the Man in the Browser

Challenges – Tracking Trojan Discrepancies

Each Trojan may display a different change

Changes may be reflected in specific request types

Need to keep track of Trojans

Create a framework for shape based rules

Create a framework for constructing shape tests

Page 31: Men in the Server Meet the Man in the Browser

Challenges – Avoiding False Positives

Some real client devices do not support (or choose not to support) HTTP/1.1 or compressed data

Engage the browser in a challenge response protocol: send a gzip-compressed page regardless of what the client advertised. A client that genuinely cannot decompress it renders nothing and follows the Refresh header (infected=no); a browser that can decompress it executes the embedded script and navigates to infected=yes, proving that the missing Accept-Encoding was stripped by something other than the browser

HTTP/1.1 200 OK
...
Content-Encoding: gzip
Refresh: 2;url=infection_test.html?infected=no

(gzip-compressed body, which decompresses to:)
<html><head><script>window.navigate('infection_test.html?infected=yes')</script></head><body></body></html>

Page 32: Men in the Server Meet the Man in the Browser

Content Based Tests

Page 33: Men in the Server Meet the Man in the Browser

Content Based Tests

Current malware tampers HTML at the network layer (before it is interpreted by the browser)
+ This is due to simplicity and robustness considerations

Use client side code to verify the integrity of HTML page content in coordination with the server

Some solutions try to “provoke” the MitB into making changes, then compare the HTML content to known Trojan behaviors
+ This can be avoided by careful configuration of the MitB
+ Requires a constant chase after MitB configuration files
– Construct an up-to-date database of “known behaviors”

Page 34: Men in the Server Meet the Man in the Browser

Client / Server Content Verification

Server computes a digest of the delivered HTML page
+ Random (invisible) elements are injected into the page before computation

Server appends a page digest computation function to the HTML page
+ Computation function code includes a random salt

When the page is loaded into the browser, the computation function is invoked, computes the digest and sends it to the server for verification

If the browser does not send back a digest, or sends one that does not match, infection is assumed

Page 35: Men in the Server Meet the Man in the Browser

Content Based Tests in Action

(Diagram: the same proxy Trojan architecture – Tamper Request, Tamper Page, Extract Data, Inject Fake Transaction, Drop Server. Web Application: “Compute Digest and Inject Digest Computation Function” on the outgoing page and “Compare Digests” on the returned value; Client Machine: “Compute Digest”)

Page 36: Men in the Server Meet the Man in the Browser

Model Strengths (1)

Digest cannot be pre-computed by malware due to the random HTML elements

Digest cannot be computed by malware without executing the digest computation function
+ Requires malware to implement / invoke a JavaScript engine

Computation function can be extended to explicitly reference the randomly injected HTML elements through DOM functions
+ Requires the malware to implement / fake the DOM

Malware cannot dismiss the test (a missing digest is itself treated as infection)

Page 37: Men in the Server Meet the Man in the Browser

Model Strengths (2)

Does not depend on specific MitB configuration and the expected changes
+ Only depends on the protected application page
+ Some configuration options should be available to restrict the parts of the page that are digested
– Avoid elements produced by client side code

Breaking the tie with attackers
+ Complexity of the computation process can be increased with small effort
+ Resulting changes to malware code are complex and painful, increasing its footprint

Page 38: Men in the Server Meet the Man in the Browser

Overall Solution Strategy

Page 39: Men in the Server Meet the Man in the Browser

Look at the Complete Picture

Apply shape based tests and content based tests to identify infected client devices

Interact with infected clients
+ Provide clear visual warnings
+ Contact customer offline
+ Apply business access policies
– Example 1: Allow data extraction but deny transactions
– Example 2: Limit transaction size
+ Automatically employ extra validation through side channels
– Adaptive authentication
+ Keep a more comprehensive audit trail for the user / session

Page 40: Men in the Server Meet the Man in the Browser

MitB is Only Part of the Landscape

Identifying account takeover
+ Server side fraud detection
+ Device profiling and reputation
+ Advanced authentication

Defeat phishing campaigns
+ Detect and take down campaigns
+ Detect victims in real time

Page 41: Men in the Server Meet the Man in the Browser

Flexible Deployment Framework

Cannot change application code whenever capabilities change or threats morph

Be able to protect legacy applications

Create consistency across all applications and flexibility in choosing vendors

Page 42: Men in the Server Meet the Man in the Browser

Summary

Page 43: Men in the Server Meet the Man in the Browser

Summary

Threat to consumer is constantly growing and is past the point where we can expect most of our consumers to avoid infection

Consumer infection has become a business problem

While providers should urge consumers to be prudent they MUST learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat

Some car safety mechanisms are already regulated. We can expect the same from business IT security

Page 44: Men in the Server Meet the Man in the Browser

Summary (cont.)

Enterprise IT is failing to properly tackle client based attacks within the enterprise

The growing number of so-called “APT” attacks on organizations demonstrates the effect of the “compromised insider”

Failures stem from the same reason: trying to avoid infection rather than learning to interact with infected clients

Page 45: Men in the Server Meet the Man in the Browser

Questions

- CONFIDENTIAL -

Page 46: Men in the Server Meet the Man in the Browser

Thank You
