Trapping Hacks With Ensnare presented at Shakacon 2014

by Scott Behrens, Andy Hoernecke,

Summary : Modern web applications are facing attacks of increasing frequency, complexity and sophistication. Typical defenses revolve around several techniques that have varying levels of success.
One approach, web application firewalls (WAFs), are often used to apply signature-based rules to requests and responses to attempt to identify attacks such as Cross Site Scripting or SQL Injection. However these devices generally function as web server modules or stand-alone devices and require extensive setup and tuning before providing significant value. Additionally, WAFs have long been plagued with huge numbers of false positives/negatives and require significant technical knowledge and time to setup and operate effectively.
Security features such as CAPTCHA and throttling can contribute to a defensive strategy by slowing down scanners and scripts. However, these features quickly become an annoyance to legitimate users if not implemented carefully, and they can be difficult to utilize in an intelligent and effective manner.
Another more unique but less used approach, Honey Traps, attempts to entice malicious users into attacking applications in benign ways, triggering preset traps that have been integrated into or built on top of the existing application functionality. However past projects have contained limited functionality, been difficult to implement or still required the addition of added devices or layers.
Ensnare takes the best of these defenses and moves them from the web server, middleware, and external devices into the application itself. This helps eliminate unnecessary hops and network latency while also increasing the intelligence that can be applied to the rulesets and responses. By residing in the application layer, Ensnare can take advantage of full knowledge of a user’s actions and history in order to detect malicious behavior, and produce a much wider range of potential responses in order to block, confuse, or redirect the attacker.
Ensnare is packaged as a gem plugin for Ruby on Rails and was developed with goal to allow configuring and deploying a basic malicious behavior detection and response scheme in less than five minutes. Of course, Ensnare is extensively customizable and allows the creation of traps and responses that are relevant to the specific application being protected. Ensnare can be configured to provide traps that are specifically designed to protect against automated scanners or sophisticated manual attackers.
In this talk we will walkthrough the concept and design of the Ensnare framework. We will also show a demonstration that show exactly how Ensnare can be used and customized to provide a unique protection against web application security threats.