Part III: Tactical Response

If we do not wish to fight, we can prevent the enemy from engaging us even though the lines of our encampment be merely traced out on the ground. All we need do is to throw something odd and unaccountable in his way.

—Sun Tzu in The Art of War

As soon as you have identified an active attack against your web application, how should you respond to the threat? This is a seemingly straightforward question with often surprisingly complicated answers. Your responses should be as nuanced and varied as the attacks you are facing. If you are under an application-layer distributed denial-of-service attack from a botnet, you should respond differently than you would for a client that may be infected with a banking trojan, and differently again than you would for a cross-site request forgery worm infection. In some situations you may want to redirect the user to a friendly error page; in others you may want to e-mail security personnel or transparently proxy the connection to a separate honeypot web application. Response actions are not a one-size-fits-all model. Choose wisely.
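The following ModSecurity 2.x rule set is an added example, not taken from the original page, that shows how the four situations above map onto different response actions: a connection drop for the rate-based DoS case, a pass-and-notify for the suspected trojan, a transparent proxy to a honeypot for SQL injection probing, and a redirect for the cross-site POST. The rule IDs, thresholds, file paths, the honeypot hostname, the site hostname and the notification script are all assumptions chosen for the example; `@detectSQLi` requires ModSecurity 2.7 or later and `proxy` requires mod_proxy to be loaded.

```apache
# Added example (not from the original page). All IDs, thresholds,
# paths and hostnames are assumptions.

# --- 1. Application-layer DoS from a botnet: drop the connection -----------
# Track requests per client IP. initcol runs in phase 1 so the collection
# exists for every later rule; the counter is incremented in phase 5 so
# every request, blocked or not, is counted and the value expires after 60s.
SecAction "id:'900100',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule IP:req_count "@gt 100" \
    "id:'900101',phase:1,log,drop,\
    msg:'More than 100 requests in 60s from %{REMOTE_ADDR}, dropping connection'"
SecAction "id:'900102',phase:5,nolog,pass,\
    setvar:ip.req_count=+1,expirevar:ip.req_count=60"

# --- 2. Client possibly infected with a banking trojan: pass and notify ----
# Trojans typically inject extra form fields; the (assumed) file lists the
# field names seen in the wild. The request is allowed through so the
# legitimate user is not disrupted, but an alert is logged and an external
# script (assumed) is run to e-mail the security team.
SecRule ARGS_NAMES "@pmFromFile /etc/modsecurity/injected-field-names.txt" \
    "id:'900110',phase:2,log,pass,\
    msg:'Unexpected form field, possible banking trojan on client',\
    setvar:tx.trojan_suspect=1,exec:/usr/local/bin/notify-secteam.sh"

# --- 3. SQL injection probing: proxy the attacker to a honeypot -----------
# Instead of telling the attacker a filter fired, the request is served by
# a separate honeypot copy of the application (assumed hostname).
SecRule ARGS "@detectSQLi" \
    "id:'900120',phase:2,log,\
    msg:'SQL injection probe, proxying to honeypot',\
    proxy:http://honeypot.internal/"

# --- 4. CSRF worm: redirect cross-site POSTs to a friendly error page -----
# A state-changing POST whose Referer is not this site (assumed hostname)
# is redirected. In a chain the disruptive action and msg sit on the
# first rule and fire only if every rule in the chain matches.
SecRule REQUEST_METHOD "@streq POST" \
    "id:'900130',phase:2,log,chain,\
    msg:'POST with off-site Referer, redirecting to error page',\
    redirect:/error/csrf.html"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith http://www.example.com/"
```

Each rule uses a different disruptive action (`drop`, `pass`, `proxy`, `redirect`) on purpose: the point is that the detection logic can stay the same while the response is chosen to fit the threat. The trojan rule in particular should not block, since the victim is the site's own user rather than an attacker.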

Timely Response

How much time do you have to respond to active attacks before an attacker may be able to successfully bypass basic security filters? This is a critical question from an incident response perspective; unfortunately, metric data of this type is severely lacking. To obtain concrete data about time-to-hack windows and evasions, the Trustwave SpiderLabs Research Team held a SQL Injection Challenge[1]. Participants attempted to evade ModSecurity's negative security filters while still using functionally equivalent code to extract the desired SQL data. The results of this challenge[2] yielded some interesting time-based security data on hacking resistance.

Time-to-hack (evasion) metrics:

  • Average number of requests to find an evasion: 433
  • Smallest number of requests to find an evasion: 118
  • Average duration (time to find an evasion): 72 hours
  • Shortest duration (time to find an evasion): 10 hours

As these metrics indicate, it is only a matter of time before a determined, skilled attacker figures out how to bypass basic security controls. Although this conclusion at first seems depressing, look at it from a defensive perspective. With only the first level of security in place, attackers could not quickly bypass the detections: hundreds of events were generated during the initial probe attempts before a successful bypass was identified. This window, although somewhat brief, gives organizations that are actively monitoring security events time in which to take defensive action and mitigate the vulnerability before the evasion is found. Active monitoring and response are critical.

The recipes in Part III offer a wide variety of response actions grouped into the following categories:

  • Passive response actions
  • Active response actions
  • Intrusive response actions

The recipes in these chapters may be used in combination with the detection recipes in Parts I and II.

[1] http://www.modsecurity.org/demo/challenge.html
[2] http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
