Reversing Engineering a Web Application - For Fun, Behavior & WAF Detection
Rodrigo Montoro at AppSec USA 2014
Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing and we started research on a new approach to mitigate the problem. Initially reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us creating a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation, resulting in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, their results and how we have maintained WAF (Web Application Firewall), using very low CPU processes and high detection rates.
Detailed Outline:
- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand points to be considered when creating counter measures and evaluating the best approach to each type of attack type)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)
Speaker
Rodrigo Montoro
Senior Security Administrator, Sucuri Security
Rodrigo “Sp0oKeR” Montoro has 15 years experience deploying open source security software (firewall, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Senior Security Administrator at Sucuri Security. Before Sucuri he worked at Spiderlabs as a researcher where he focused on IDS/IPS Signatures, ModSecurity rules, and new detection research.
Detailed Outline:
- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand points to be considered when creating counter measures and evaluating the best approach to each type of attack type)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)
Speaker
Rodrigo Montoro
Senior Security Administrator, Sucuri Security
Rodrigo “Sp0oKeR” Montoro has 15 years experience deploying open source security software (firewall, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Senior Security Administrator at Sucuri Security. Before Sucuri he worked at Spiderlabs as a researcher where he focused on IDS/IPS Signatures, ModSecurity rules, and new detection research.