Attack Detection and Prevention with OWASP AppSensor Colin Watson Watson Hall Ltd watsonhall.com

OWASP AppSensor

AppSensor Established Summer 2008 Presented at multiple conferences in US & Europe Recent video presentations by Michael Coates Real Time Application Defenses - The Reality of AppSensor & ESAPI Automated Application Defenses to Thwart Advanced Attackers automated.html automated.html Application Based Intrusion Detection highlighted in OWASP Top Ten 2010 “What’s Coming”

AppSensor Team Core team: Michael Coates John Melton Colin Watson Contributors: Ryan Barnett Simon Bennetts August Detlefsen Randy Janida Jim Manico Giri Nambari Eric Sheridan John Stevens Kevin Wall

AppSensor concepts

Add AppSensor to your own applications Build it into requirements Develop your own ESAPI AppSensor integration into Java ESAPI imminent Security Information/Event Management Add detection points into application Integrate logging into real time monitor

AppSensor detection points A detection point is a highly-tuned “instrumentation” sensor (within the application’s code) and used to identify a particular type of suspicious or malicious activity Over 50 detection points 12 exception types 9 signature based (request, authentication, session, etc) 3 behavior based (user, system, reputation) Latest list of detection points with descriptions, considerations and examples is maintained at:

Detection point exception types “locking a user account after multiple failed authentication attempts” “blocking requests using the TRACE HTTP method”“limiting each session to a particular IP address”

AppSensor response actions Response actions describe a change to the application’s behavior 14 response actions Many ways to categorize them, including: Effect on user / application Target of response Duration of response Latest list of response actions with descriptions, considerations and examples is maintained at:

Response actions from the user’s viewpoint

Implementation planning methodology 1. Preliminary requirements 2. Detection point selection 3. Response action selection Then Procure/develop Deploy Verify Monitor and tune

1. Preliminary requirements

1a) Application risk assessment Many alternative methods and processes: information-system-risk-management_ information-system-risk-management_ Application risk ranking

1b) Secure coding (and deployment) Build the application securely Governance Construction Verification Deployment Software Assurance Maturity Model Application Security Verification Standard OWASP Development, Code Review and Testing Guides OWASP Secure Coding Practices Quick Reference Guide

1c) Application logging How to Do Application Logging Right Anton Chuvakin and Gunnar Peterson, IEEE Security & Privacy Journal Securosis Blog - Monitoring Up the Stack series OWASP AppSensorDemo2 Intrusion Store (HSQLDB) OWASP ESAPI Java Edition documentation Preventing Log Forging in Java NIST SP Guide to Computer Security Log Management

2. Detection point selection

2a) Categorization Exception types Signature or behavior based Suspicious events or attacks Outcome/result of the request, or request properties Classes: Discrete Generic pre-processing Business layer Aggregating Modifying

2a) Categorization (continued)

2b) Requirements Approaches: Classes Discrete Generic pre-processing Business layer Aggregating Modifying Application risk classification Threat assessment

2b) Requirements (continued)

2c) Model development Specification for each detection point: purpose general statement of its functionality details of any prerequisites related detection points. Duplicate codes Aggregating detection points

2c) Model development (continued)

2d) Optimization Three aims Ensure we maintain a low false positive rate through adjusting the sensitivity Consider relationships with other systems and the effects these may have on detection points Identify if any detection points can be removed to eliminate overlaps and duplicates Test cases

2e) Code location Instrumentation not new functionality Process Procurement Development Frameworks Libraries Common code / business layer

2f) Attack analysis Attack vectors Threat modelling WASC Threat Classification v OWASP Top Ten Common Attack Pattern Enumeration and Classification Check the model Detection points are activation Human error

3. Response action selection

3a) Strategic requirements Organizational risk tolerance User experience Application’s purpose “Do not prevent users doing anything, but log, monitor and alert fervently.” “Authenticated administrators who have access to the most functionality and the greatest data access permissions should have the strictest thresholds before a response action is undertaken.” “Application functionality will not be changed unless the user's source location is in a higher-risk country.”

3b) Thresholds Approaches Role dependent Per detection point / per application Weightings of suspicious and attack events User events and user trends Individual detection points Overall number of security events System trend detection points Modifying detection points

3b) Thresholds (continued)

3c) Model tuning Attacks Typical user activities Speed of use Static content Missing content Actions that disable features or the application Other systems Business metrics

3c) Model tuning (continued) Only log Source location override Export Vulnerability management programmes Security integration manager (SIM) systems Secure development practices

Plan execution

Implementation Secure development practices: Risk analysis Design and code review Testing Operational enablement Change management Monitoring and tuning Ongoing testing

Quick start

Piloting AppSensor / fast-track approach Focus on input, signature based detection points that detect attacks rather than suspicious events in the discrete class: Request exceptions (RE1, 2, 3 and 4 ) Access control exception (ACE1 and 2) Input exceptions (IE1, 2 and 3) Authentication exceptions (AE1, 2 and 3) and Session Management exceptions (SE5 and 6) when authentication & session management is use And limit response actions to additional logging (ASR-A), administrator notification (ASR-B), account logout (ASR-J) & account lockout (ASR-K). Do it with ESAPI

Concluding thoughts

Supporting materials AppSensor Project: Home page Detection points Response actions Mailing lists Planning guide and workbook

Related presentations at AppSec DC 2010 Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers Dan Cornell D_With_Structure_and_Numbers D_With_Structure_and_Numbers Solving Real World Problems with ESAPI Chris Schmidt Next: OWASP ModSecurity Core Rule Set Ryan Barnett

Questions and feedback Now During the last two breaks today Subsequently watsonhall.com Photographs: Machinery and instrumentation at the Discovery Museum, Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England