This presentation was by Michael Coates, the AppSensor Project Lead.  Michael works as a Senior Application Security Engineer at Aspect Security.  AppSensor is a real-time defense system whose goal is to protect an application by detecting who is bad and getting rid of them before they do bad things.  My notes from this session are below:

Agenda

  • AppSensor Project
  • Malicious Attackers
  • Application Worms

Detecting Attacks the Right Way

  • Integration
    • Detect INSIDE the application
    • Understand business logic
  • Effectiveness
    • Minimal false positives
    • Immediate response
  • Effort
    • Automatic detection
    • No manual work required

Detection Outside the Application (WAF)

  • Application context not available
  • No concept of access violations
  • Custom application + Generic Solution != success
  • Ex: Changing the account ID in /viewAccount?id=1002

Inside the Application is Best

  • Understand application & business context
  • Integration with authentication & user store

How Does AppSensor Protect the App?

  • It takes many requests for an attacker to find a vulnerability
  • It takes fewer requests for AppSensor to determine that the user is malicious

AppSensor is Faster than Attacker

  • User identified as malicious and blocked before a vulnerability is found

Categories of Detection

  • Request
  • Authentication
  • Access Control
  • Session
  • Input
  • Encoding
  • Command Injection
  • File IO
  • User Trend
  • System Trend

Attack Detection: Real vs Cyber World

  • Why do bank robbers get caught?
  • Why don’t hackers get caught?

Let’s Change Things – Applications Should…

  • Detect attacks
  • Understand normal use vs suspicious use
  • Instantly identify attackers
  • Shut down attackers in real time
  • Modify application accessibility for defense

Detecting Malicious Users

  • Many malicious attacks are obvious and not “user error”
    • POST when expecting GET
    • Tampering with headers
    • Submissions of XSS attack

Detecting Malicious Users

  • Bypassing client side input validation
  • Transaction using functionality not visible to user role
  • Multiple access control violations
  • Change of user agent mid-session
  • Double encoded data

The Code

  • Leverages ESAPI!
  • 3 lines to setup AppSensor
  • 2 lines per AppSensor detection point

Setting up AppSensor

  1. Configure response action object (log, logout, account lock)
  2. Create AppSensorIntrusionDetector with response action object
  3. Set ESAPI intrusion detector

Defining Response Policies

  • ESAPI.properties file
  • Define
    • Threshold count
    • Interval of events
    • Response action
    • Per exception type or aggregate

2 Lines to Use AppSensor

  1. Check for “maliciousness”
  2. Create new AppSensorException

Understanding the Intrusion Exception

  new AppSensorIntrusionException(
      request.getServletPath(),          // servlet path of the request
      "ACE1",                            // event code
      "User Message",                    // message for the user
      "Direct object tampering with …"   // detail message
  );
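As an added, constructed illustration of the setup described under "Setting up AppSensor", "Defining Response Policies" and "2 Lines to Use AppSensor" (this is not AppSensor's or ESAPI's own code): the policy text follows the ESAPI.properties convention of IntrusionDetector.event.<name>.count / .interval / .actions, the event code ACE1 and the four-field exception shape come from the slide, and the sliding-window detector, the response-action handling, the /viewAccount detection point and the sample requests are assumptions built here so the whole thing runs offline.

```python
"""Threshold-based intrusion detection in the shape of the AppSensor/ESAPI setup
described above.  Constructed illustration: the policy keys follow the
ESAPI.properties convention; the detector, actions and sample requests are
assumptions made for this example."""
import time
from collections import defaultdict, deque

# Constructed ESAPI.properties-style policy: per event code, the number of
# events within an interval (seconds) that triggers the listed response actions.
POLICY_TEXT = """
# ACE1: access-control event, e.g. tampering with /viewAccount?id=
IntrusionDetector.event.ACE1.count=3
IntrusionDetector.event.ACE1.interval=60
IntrusionDetector.event.ACE1.actions=log,logout,disable
# RE1 (constructed name): POST received where GET was expected
IntrusionDetector.event.RE1.count=5
IntrusionDetector.event.RE1.interval=30
IntrusionDetector.event.RE1.actions=log,logout
"""


def parse_policy(text):
    """Return {event_code: {"count": int, "interval": int, "actions": [str]}}."""
    prefix = "IntrusionDetector.event."
    policy = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if not key.startswith(prefix):
            continue
        event, attr = key[len(prefix):].rsplit(".", 1)
        if attr in ("count", "interval"):
            policy[event][attr] = int(value)
        elif attr == "actions":
            policy[event]["actions"] = [a.strip() for a in value.split(",")]
    return dict(policy)


class AppSensorException(Exception):
    """Four fields, as on the slide: servlet path, event code, user message, detail."""
    def __init__(self, path, event_code, user_message, log_message):
        super().__init__(log_message)
        self.path, self.event_code = path, event_code
        self.user_message, self.log_message = user_message, log_message


class IntrusionDetector:
    """Counts events per (user, event code) in a sliding interval; when the
    configured count is reached it resets the window and fires the actions."""
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock = policy, clock
        self.events = defaultdict(deque)   # (user, code) -> event timestamps
        self.responses = []                # (user, code, action) in firing order
        self.disabled_users = set()

    def add_exception(self, user, exc):
        rule = self.policy.get(exc.event_code)
        if rule is None:
            return []                      # no policy for this code: nothing fires
        now = self.clock()
        window = self.events[(user, exc.event_code)]
        window.append(now)
        while now - window[0] > rule["interval"]:
            window.popleft()               # drop events older than the interval
        if len(window) < rule["count"]:
            return []
        window.clear()
        for action in rule["actions"]:
            self.responses.append((user, exc.event_code, action))
            if action == "disable":
                self.disabled_users.add(user)
        return list(rule["actions"])


def view_account(detector, user, owned_ids, requested_id):
    """Detection point for 'changing the account ID in /viewAccount?id=...':
    one line to check for maliciousness, one to raise the AppSensor exception."""
    if requested_id not in owned_ids:
        exc = AppSensorException("/viewAccount", "ACE1", "Invalid account",
                                 "Direct object tampering with id=%d" % requested_id)
        detector.add_exception(user, exc)
        raise exc
    return {"account": requested_id}


def simulate_tampering():
    """Constructed traffic: 'mallory' owns 1001 and probes 1002-1004 within 15 s
    (three ACE1 events inside the 60 s interval, so the actions fire); 'bob'
    makes two probes and a third 90 s later, so the window has expired."""
    fake_now = [1000.0]
    det = IntrusionDetector(parse_policy(POLICY_TEXT), clock=lambda: fake_now[0])
    for t, user, rid in ((1005, "mallory", 1002), (1010, "mallory", 1003),
                         (1015, "mallory", 1004), (2000, "bob", 1002),
                         (2010, "bob", 1003), (2100, "bob", 1004)):
        fake_now[0] = float(t)
        try:
            view_account(det, user, {1001}, rid)
        except AppSensorException:
            pass                           # the offending request itself is refused
    return det
```

The interval matters as much as the count: bob's third probe falls outside the 60-second window, so it is logged but triggers no response, while mallory's three probes in 15 seconds reach the threshold and are answered with log, logout and disable in policy order.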

AppSensor vs Scanners

  • Tools attempt 10,000s of generic attacks
  • AppSensor stops automated scans nearly instantly

AppSensor vs Human Attackers

  • Very difficult for attacker
  • Requires advanced obfuscation for each attack
  • Multiple probes == detection

Application Worms on the Rise

  • Twitter Worm
  • MySpace Samy Worm
  • Huge damages for site
    • Remediation
    • Cleanup
    • Bad PR
    • Infected Users
  • Leverage XSS and CSRF

Detecting/Preventing an Application Worm

  • Can you find/fix all XSS?
  • Pattern matching easily foiled
  • Block the common factor!
    • Worms use XSS and CSRF for propagation
    • 1000% usage increase -> problem
    • Our example: updateProfile, updateStatus, updateName

Case Study: Samy

  • MySpace Application Worm
  • XSS worm embedded in User Profile
  • Exponential Growth of Samy’s friends

Samy vs AppSensor

  • AppSensor detects uptick in addFriend usage
  • Compares against trended info
  • Automatic response initiated
    • Alert admin at +200% add-friend usage
    • Alert admin a second time at +500% add-friend usage
    • Automatically shuts down add friend feature
  • Result
    • Worm contained
    • Add friend temporarily disabled
    • Site stays up

Benefits of Trend Monitoring

  • Detection of
    • Application worms
    • Scripted attacks/probing
    • CSRF attacks
  • Alerting of excessive activity
  • Selective feature shutdown for overall stability

AppSensor in Action

  • Demo social networking app
  • Defended with AppSensor trend monitoring

What’s Under the Hood?

  • REST communication between AppSensor & App
  • Supports response actions (warn user, log out user, disable user, etc.)

AppSensor Brain

  • Drools – Rule Based System
  • Support for complex rule sets – much more than just counting feature usage
  • Evaluates objects in Drools memory

The Exploit

  • XSS infects victim’s “Status” with worm
  • CSRF adds victim as friend of Charlie

Defend with AppSensor

  • AppSensor Policy
    • Notify admin if events > 5
    • Disable service if events > 10
  • AppSensor notices anomaly – alerts admin
  • After 10 events AppSensor disables just that feature of the site
  • Users protected, worm contained, site stays up
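As an added, constructed illustration of the trend monitoring in the "Samy vs AppSensor" and "Defend with AppSensor" slides (this is not AppSensor's own code; the real project evaluates its rules in Drools): the +200% and +500% alerts and the "notify if events > 5, disable if events > 10" policy come from the slides, while the per-feature baselines, the 60-second window, the +1000% shutdown threshold and the event streams are assumptions made here.

```python
"""Feature-usage trend monitoring in the shape of the worm-containment demo above.
Constructed illustration, not AppSensor's own code: baselines, window size, the
+1000% final threshold and the event streams are assumptions for this example."""
from collections import Counter, defaultdict

# Escalation from the Samy-vs-AppSensor slide: alert at +200%, alert again at
# +500%, then shut the feature down (the +1000% figure is constructed).
PERCENT_POLICY = (
    ("pct", 200, "notify_admin"),
    ("pct", 500, "notify_admin"),
    ("pct", 1000, "disable_feature"),
)
# Policy from the 'Defend with AppSensor' slide: notify admin if events > 5,
# disable the service if events > 10 (thresholds are compared with >=).
COUNT_POLICY = (
    ("count", 6, "notify_admin"),
    ("count", 11, "disable_feature"),
)


class TrendMonitor:
    """Counts feature usage per fixed window and compares it with a trended
    baseline; each escalation step fires once per feature, in order."""
    def __init__(self, baseline, escalation, window=60):
        self.baseline = baseline            # feature -> expected calls per window
        self.escalation = list(escalation)
        self.window = window
        self.counts = defaultdict(Counter)  # window index -> feature -> calls
        self.step = defaultdict(int)        # feature -> escalation steps taken
        self.disabled = set()
        self.actions = []                   # (feature, threshold, action)

    def percent_increase(self, feature, count):
        base = self.baseline.get(feature)
        return 0.0 if not base else (count - base) / base * 100.0

    def record(self, ts, feature):
        """Feed one usage event (ts in seconds); return the actions it fired."""
        if feature in self.disabled:
            return ["rejected"]             # feature shut down: request refused
        bucket = self.counts[int(ts // self.window)]
        bucket[feature] += 1
        count = bucket[feature]
        fired = []
        while self.step[feature] < len(self.escalation):
            metric, threshold, action = self.escalation[self.step[feature]]
            value = count if metric == "count" else self.percent_increase(feature, count)
            if value < threshold:
                break
            self.step[feature] += 1
            self.actions.append((feature, threshold, action))
            fired.append(action)
            if action == "disable_feature":
                self.disabled.add(feature)
        return fired

    def reenable(self, feature):
        """Admin puts the feature back once the worm has been cleaned up."""
        self.disabled.discard(feature)
        self.step[feature] = 0


def simulate_samy():
    """Constructed stream: 12 normal addFriend calls in window 0 (baseline 10,
    so +20% and no action), then a worm burst of 120 addFriend calls in window 1."""
    mon = TrendMonitor({"addFriend": 10, "updateStatus": 20}, PERCENT_POLICY)
    quiet = [mon.record(i * 5.0, "addFriend") for i in range(12)]
    rejected = sum(mon.record(60.0 + i * 0.4, "addFriend") == ["rejected"]
                   for i in range(120))
    other = mon.record(100.0, "updateStatus")   # unrelated feature still works
    return any(quiet), mon.actions, rejected, other


def simulate_count_policy():
    """Same monitor with the absolute-count policy: 12 addFriend calls in one window."""
    mon = TrendMonitor({}, COUNT_POLICY)
    rejected = sum(mon.record(i * 1.0, "addFriend") == ["rejected"] for i in range(12))
    return mon.actions, rejected
```

Only the feature whose usage spikes is shut down: in simulate_samy the 111th and later addFriend calls are rejected while updateStatus keeps working, which is the "worm contained, site stays up" outcome the slides describe.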

Trend Monitoring Benefits

  • Auto detection of attacks