Armorizing applications

Armorizing
Applications
Iftach Ian Amit
Director of Services
Friday, October 11, 13

I’m not an application guy :-|

I’m a security guy
Who actually used to do some application stuff

whoami?
$ id
uid=501(iamit) gid=20(ioactive) groups=12(hack),
33(research),61(dev),79(red_team),80(sexy_defense),
81(exil),98(idf),100(dc9723),204(/dev/null)

Attack?
Defense!

So, I’ve been dealing with defense a lot

As in - helping defenders get a head start

Guess what? We are still failing on the basics...

Logs...

Logs...
Firewall

Logs...
Firewall
IDS

Logs...
Firewall
IDS
IPS

Logs...
Firewall
IDS
IPS
Network

Logs...
Firewall
IDS
IPS
Network
HTTPD

Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS

Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS DNS

Logs...
Firewall
IDS
IPS
Network
HTTPD
DBMS DNS
Application?

We still have sucky application logs :-(

I mean, we came a long way since web-app coding in the
90’s
I know. I’ve lived through it :-(

Example:

Example:
Uses MVC.
Actually very nicely
architected...

Example:
Uses MVC.
architected...
Good start.At least
we can haz data.

Example:
Uses MVC.
architected...
Good start.At least
we can haz data.
This is pretty
much useless*

Example:
Uses MVC.
architected...
Good start.At least
we can haz data.
This is pretty
much useless*
* from a security perspective.
no doubt that when this breaks you’ll need it

Let’s get back to basics for a sec here

time=2013-03-02 23:59:57
action=drop
orig=192.168.1.103 i/
f_dir=inbound i/
f_name=eth1c0
has_accounting=0
product=VPN-1 & FireWall-1
policy_name=INTERNET
src=1.2.3.4 s_port=37586
dst=3.4.5.6 service=80
proto=tcp rule=16
xlatesrc=8.9.10.11
xlatesport=57517
xlatedport=0 NAT_rulenum=4
NAT_addtnl_rulenum=internal

but wait,
how about them HTTPD?

193.205.210.42 - - [09/Oct/2013:00:57:17 -0700] "GET /blog/2013/07/mail-encryption-for-android/ HTTP/1.1" 200 32064 "https://
www.google.it/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/
537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/comment-reply.min.js?ver=3.6.1 HTTP/1.1" 200 1068 "http://
www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/podpress/js/podpress.js?ver=3.6.1 HTTP/1.1" 200 40786
"http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.css?ver=2.5 HTTP/
1.1" 200 11641 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-content/plugins/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1" 200 21623
193.205.210.42 - - [09/Oct/2013:00:57:19 -0700] "GET /blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1" 200 7484
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/podpress/players/1pixelout/1pixelout_audio-player.js
HTTP/1.1" 200 12305 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/wpgroho.js?ver=3.6.1 HTTP/1.1" 200
1212 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/
537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:20 -0700] "GET /blog/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js?ver=20121205
HTTP/1.1" 200 39040 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5)
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.5.2 HTTP/1.1"
200 8610 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/
537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:21 -0700] "GET /blog/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?
ver=3.40.0-2013.08.13 HTTP/1.1" 200 14910 "http://www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /favicon.ico HTTP/1.1" 200 1351 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X
10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36"
193.205.210.42 - - [09/Oct/2013:00:57:23 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1" 200 93371 "http://
www.iamit.org/blog/2013/07/mail-encryption-for-android/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36Friday, October 11, 13

Don’t get me started...

And that’s AFTER taking into account “log analyzers”

“But you security guys have all these fancy SIEM stuff,
right?”

Yes, we have fancy dashboards
and graphs
and sometimes synchronized logs from multiple sources
But it’s still a pain in the tuches

The application has ALL THE CONTEXT

Yet you keep it to yourself

This made me cry in joy:

Firewall Web Server
Client X
Client X
ClientY
Client X
ClientY
ClientY
Client X
Client X
Client X
ClientY
ClientY
index
items
index
items+a
items
items+c
checkout
login
conﬁrm
checkout
conﬁrm

Firewall Web ServerApplication
Client X
Client X
ClientY
Client X
ClientY
ClientY
Client X
Client X
Client X
ClientY
ClientY
index
items
index
items+a
items
items+c
checkout
login
conﬁrm
checkout
conﬁrm
- John, from X, just
bought A and shipped
it paying with CC
- Client fromY tried to
bypass app logic and avoid
payment/auth

Rinse,
Lather,
Repeat

Everywhere!
DB Access
Session Management
State Management
User Management
...

Be a dot connector!

Counter Intelligence
use-case
Problem
dormant accounts used
for fraud (and/or
money laundering)

use-case
Problem
for fraud (and/or
money laundering)
Account

use-case
Problem
for fraud (and/or
money laundering)
Account
>1yr dormant

use-case
Problem
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering

use-case
Problem
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering
Intl. transfers

use-case
Problem
for fraud (and/or
money laundering)
Account
>1yr dormant
laundering
Intl. transfersInternal/
External???

Account

AccountAccountAccountAccountAccount

List

Marketing
Accounting
Branch mgmt.
List

Marketing
Accounting
Branch mgmt.
List
List

Marketing
Accounting
Branch mgmt.
List
List
List

Marketing
Accounting
Branch mgmt.
List
List
List
Internal
user

Internal
user

Internal
user
PC

Internal
user
PC Trojan

Internal
user
PC Trojan
C&C

Internal
user
PC Trojan
C&C
Bad Guys(tm)

Log on context
Weird state changes
Repeatable expectable actions
Who, what, why
Help me get the story right!

Questions? Comments!
Ian Amit
@iiamit
ian.amit@ioactive.com

Armorizing applications

More Related Content

Viewers also liked (9)

Similar to Armorizing applications (20)

More from Iftach Ian Amit (20)

Recently uploaded (20)

Armorizing applications