This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Friday, September 19 • 10:30am - 11:15am
Reversing Engineering a Web Application - For Fun, Behavior & WAF Detection

Sign up or log in to save this to your schedule and see who's attending!

Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing and we started research on a new approach to mitigate the problem. Initially reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us creating a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation, resulting in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, their results and how we have maintained WAF (Web Application Firewall), using very low CPU processes and high detection rates.

Detailed Outline:

- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand points to be considered when creating counter measures and evaluating the best approach to each type of attack type)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)


Rodrigo Montoro

Senior Security Administrator, Sucuri Security
Rodrigo “Sp0oKeR” Montoro has 15 years experience deploying open source security software (firewall, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Senior Security Administrator at Sucuri Security. Before Sucuri he worked at Spiderlabs as a researcher where he focused on IDS/IPS Signatures, ModSecurity rules, and new detection research. Author of 2 Patents pending in technology involving discovery of malicious... Read More →

Friday September 19, 2014 10:30am - 11:15am
Colorado Ballroom E [Defenders] Denver Marriott City Center