Attack Prophecy® is the most convenient solution for protecting web services from cyberattacks.
Attack Prophecy® is an advanced protection system for the detection and protection of web services against cyber intrusions, featuring the results of cutting-edge, italian scientific research.
Attack Prophecy® implements a detection mechanism that is essentially composed of three phases:
The system is constantly trained by observing the web traffic that is exchanged by web services to extract their legitimate (or normal) profile.
Through a number of specialized models, it is not only able to detect anomalous traffic, but also to categorize it to detect different types of cyberattacks. In this way, it possible to also point out sophisticated attacks, e.g., the ones that are specifically crafted to web services, and which cannot be detected by traditional detection systems or Web Application Firewalls (WAF).
The operator can check the alerts of the systems (by confirming them or labelling them as legitimate), thus establishing in a few steps protection rules against web services.
In order to use the interface of Attack Prophecy, it is enough to own a last-generation desktop/laptop computer in which a web-browser has been installed. It will be therefore possible to access the system through a browser, by using the address that is established during configuration by the Pluribus One experts. The access is guaranteed through authentication that is based on username and password, which are either established at install time, or in a second time through the administration section.
Attack Prophecy can provide support for defending against the following attack macro-categories:
- Input Violation.
- Linked Sites.
- Information Leakage.
- Brute Force.
- Client Authentication.
Attack Prophecy is also able to estimate the “reputation” of each client that interacts with the client services that are exposed in the observed systems. This “reputation” is based on the presence or absence of malicious botnets that may be installed in the specific autonomous system.
In the next sub-paragraphs, we provide a brief description of each macro-category.
This macro-category includes all the cyber intrusions that resorts to malicious inputs (anomalous) against servers or web applications. For example, this category includes popular injection attacks such as SQL/XPath/OS/LDAP injection, Path Traversal, Remote File Inclusion, Cross Site Scripting.
In general, the modules that belong to this category are able to detect any attack that is based on “unexpected” input (methods, protocols, domain names, URI, URI attributes) towards servers and web application, in order to exploit their vulnerabilities.
This macro-category includes all the cyber-attacks that resort to contents (related to the monitored services) that are stored on linked websites/domain names.
Such sites are typically crafted by violating legitimate, vulnerable websites, in order to host a phishing page that uses contents of the target. This is done in order to maximize the similarity between the original page and the phishing page.
This macro-category includes all the automatic attacks that are characterized by a high and repetitive number of requests against web services. For example, this category includes attacks to obtain access credentials for a login page, to automatically dump contents, or to automatically query services.
This macro-category includes all the automatic attacks that are characterized by a high number of failed requests against web services. For example, information gathering attacks to enumerate vulnerable resources and configuration errors on the monitored services.
A typical case study for these attacks is represented by scans against web applications (e.g., Open-Source Content Management System) whose vulnerability is known, or scans to detect methods and protocols supported by the server, thus attempting to use it improperly (e.g., as proxy).
This macro-category is related to attacks that steal credentials from web-services users. Such attacks can be pointed out through connections coming from countries, autonomous systems, and client ids that are usually different to the ones used by the users. Alternatively, such attacks can come from autonomous systems that are often involved in illegal activities or that are strongly populated by botnets.
This manual is divided into the following sub-sections:
- General Information – a brief introduction to Attack Prophecy and to how this manual is organized.
- Getting Started – a brief guide to the first usage of the interface.
- System Guide – a guide to Attack Prophecy, which spans from general functionalities to a more specific description of each screen.
The minimum hardware and software requirements that are needed to access the Attack Prophecy interface are rather small:
- Last generation desktop/laptop computer.
- High-speed connection.
The Attack Prophecy interface has been developed and optimized for the Mozilla Firefox and Google Chrome web-browsers; the usage of the framework through other web-browsers or through mobile devices is not forbidden, but can cause unexpected behaviour, and it is therefore not recommended.
Regardless of the chosen web-browser, it is necessary to ensure that the following requirements are fulfilled:
- The browser must be updated to the latest version.
In case of doubts or problems, it is recommended to consult the systems administrator or the IT responsible of the company.
The Attack Prophecy interface can be used by a wide variety of users that, depending on the type of installation performed, can reach it through multiple connection types: from internal network, VPN, public IP, etc.
Consider that the available connection types can change with time, or from user to user. In the remaining of this manual, the expression “access” will be used to indicate the fact that the user is accessing the interface, regardless to which method is actually used. Likewise, in the remaining of this manual, the term “basic access credentials” will refer to the all the “steps” and technical requirements that are necessary to obtain access depending on the type of connection.
In order to access the Attack Prophecy interface, the following access credentials are required:
- Basic Access Credentials (e.g., VPN, local address, etc…).
In order to access the system, it is first of all required to visit the Login page in the web-browser. In this page, it is required to insert Username and Password.
If the access is successful, the main Attack Prophecy screen will be shown, that provides an overview of the detected suspicious events and of their relative categories, as well as the general status of the protected system.
In case of error, the login form will be shown again along with a notification. It will be therefore possible to insert the access credentials again.
The procedure to access the system does not change after the first access, and it is therefore sufficient to perform the same steps every time.
The graphical interface of AP allows the user to access the various functionalities of the program in a coherent and ordered way. The results are presented in various modes (e.g., graphs, tables, statistics, etc…), and it is possible to actively interact with the system through the various input interfaces.
The main functionalities that can be accessed through the interface are the following:
- Interface to manage the access to the system.
- Summary of the system status, with statistics and aggregate information.
- A list of the latest alerts with the possibility of filtering, searching and classifying.
- Protection rules management: creation, deletion and blocking.
- System administration, logging, and access management.
- Management of suspicious webpages “snapshots”.
- Accessing system documents such as licences and user manuals.
The system guarantees the access to the various functionalities through a web-application that is optimized for desktop/laptop computers that feature a latest generation browser.
The navigation of the interface is supported by a main menu that is located on the left of the screen, by a top bar for managing user profiles and accesses, and by a navigation “bread crumb” bar, which constantly shows the user which page is currently visualized. The main screen shows different elements, depending on which option of the left menu has been selected; the various screens are known as “views”, as they allow to see one of the many “characteristics” of the software.
The interface is composed of the following views, for which a brief description of each is reported, as well as their Italian and English names.
- Login – this view contains simple fields to insert text, with which the user can insert its access credentials.
- Home o Dashboard – this view shows a number of graphs and data that are aggregated to allow a fast overview of the system status.
- Explorer – this view allows to inspect traffic starting from alerts, and moving to the requests that generated them. It is possible to filter alerts and to generate rules “on the fly”.
- Protection (Protezione) – this view contains the rule management.
- Snapshots (Instantanee) – this view contains an overview of the snapshots generated by the system.
- Administration (Amministrazione) – this view, and its relative sub-views, allows to manage the administrative side of the software.
- Documents (Documenti) – this view allows to consult documents related to the software, e.g., the user manual and the license guide.
All the main views are reachable through the navigation menu that is present in the left part of the screen. Each main view corresponds to various sub-views; this can be different screens, mode windows or parts of the screen that are reachable through screen controls.
The next paragraphs will describe in detail the functionalities that are part of the various screens of the Attack Prophecy interface, as well as the recurring elements that are present in multiple views (e.g., top bar, left menu).
Some elements of the interface are “recurring”, which means that they are present in every screen (or view), or they are often adopted with the same functionality.
The top bar of the interface shows a welcome message, the name of the user that is currently logged to the system, and a button that, when pressed, shows a menu that allows to quit system. Such button also allows to switch to a screen that allows to change the password that is associated to the current user.
The screen for changing password features fields to insert text, which allows to choose a new password and, for security reasons, to confirm the it with a double insert, as well as putting the old one.
The left menu shows a number of buttons through which it is possible to switch to each main view. For some of these views, the system shows a list of sub-views that are directly reachable through a pull-down menu.
At the moment of the writing of this manual, the views that are directly reachable are the following: Home, Explorer, Protection, Snapshots, Administration, Documents.
“Breadcrumb” is a horizontal bar that is located on many screens of Attack Prophecy, and that is composed of the various elements that, in a hierarchical scale, show the user which “part” of the system is currently visible.
Breadcrumb allows to keep track of the path followed by the user in exploring data, allowing him to navigate through screens and sub-screens, as well as coming back to the previous ones with a click.
The system largely resorts to tables to show data and to allow their exploration beyond the execution of various operations. Depending on which table is shown to the screen, some characteristics will change (e.g., headers, row and column number, content, etc.), whilst other will always be available.
The interface of Attack Prophecy often allows to order the table by ascending or descending order, depending on the content of specific columns; when this is possible, a symbol with arrows follows the header of the corresponding column.
Another common element is the possibility of selecting some rows through a checkbox that is put on the first left column; this functionality is associated to the further possibility of selecting all the rows that are shown in the screen through the checkbox that is present on the upper left side of the table.
The system resorts to a unified system for pagination, so as to allow the user to scroll long lists of elements. The pagination bar is mostly used on views that contain tables. The pagination bar reports the total list of elements, the currently visualized page number, a number of buttons to scroll the page. Through the pagination bar it is both possible to singularly scroll pages, and to type the number of the required page. Finally, it is possible in some views to choose the number of elements to be shown in page.
In the pages whose content asks the user to scroll towards down, it is possible to see a popup button that features an arrow oriented towards up. When such button is pressed, the interface scrolls towards up automatically, until the beginning of the page is shown.
The main goal of this view is to allow the user to have a fast, global overview of the system status. In particular, the various alert sources are shown (Top Alert Sources), as well as the status of the daily alerts. In the follow, we describe the elements of the page.
The top bar replaces the more common breadcrumb shown in the rest of the interface. This bar shows information that is related to the latest system update, the last alert and the last activity from logged users.
The two Top Alert Sources and Daily Alerts respectively show the main sources that are generating alerts, and the daily trend of the alerts themselves.
In the graph Top Alert Sources, for each alert source, various pieces of information are reported: IP address, alert date, nation, Autonomous System, as well as the suspicious events that are associated to the source. When a row corresponding to a source is pressed, the system will switch to the Explorer screen with a default filtering that shows the alerts corresponding to the selected source.
The Daily Alerts graph reports the number of daily alerts for each attack macro-category, related to a temporal window whose size is corresponding to the number of available detection dates. The colours that are used in this graph for macro categories are the same that are used in the low bar. When the pressing the corresponding points that are related to the detection in a particular day, the system will switch to the Explorer screen with a default filtering that shows the alerts that correspond to the selected date.
The low bar shows a box for each macro-category of alerts that are used by the system. Each box has the same background colour that is used by the system to indicate the macro-category date (for example: in the Daily Alerts graph, in the icons of the Explorer screen, etc.). Each box reports the number of alerts detected by the system in the latest temporal window, relatively to a specific macro-category; this value constitutes the sum of the daily alerts that are shown in the Daily Alerts graph.
When pressing one of the boxes, the system will switch to the Explorer screen with a default filtering that shows the alerts that correspond to the selected macro-category on all available dates.
The main goal of this view is to allow the user to explore which alerts have been generated by the system after various suspicious events, as they can be related to an attack attempt.
Through the table that is contained in this screen, and with some filtering inputs, it is possible to explore the alerts and, once one of interest has been found, to check more detailed information (for example, the requests that have been received by the system and that generated the alert).
This view is one of the most complex in Attack Prophecy and is composed of various elements, which will be listed in the following.
It contains two tabs through which it is possible to switch from a “Events” mode (in which the information about one or more alerts is shown) to a “Rule” mode (in which it is possible to visualize and modify the protection rules that are related to the shown alerts).
This bar shows information that is related to the latest update, to the latest alert and to the latest feedback from the user.
This bar contains various inputs with which it is possible to filter the alerts shown depending on the date, domain or type of alert (e.g., macro-categories). The bar shows both the currently applied filtering and the various available options.
This table reports general information regarding alerts corresponding to the current filtering settings. The various columns report: alert type (type), description (description), number of sources (sources), number of requests (requests), currently applied label and the name of the user that assigned it.
Furthermore, there are some input fields:
- Checkbox to select one or more alerts.
- Inspect Button to switch to the Sub View Inspection Alert (for more information, check the sub paragraph).
- Label selector to change the label related to the alert.
This bar contains all the inputs to change the labelling of multiple alerts that have been previously selected.
This sub view is reached when the button “inspect” is pressed in a row that is related to the alert in the “Explorer” view. Once the button is pressed, the screen slightly changes.
Note how the table now shows, as first top row, the one related to the alert that the user decided to inspect; the rows underneath show in detail each of the sources that contributed to generate the alert. The button “exit”, shown in the first row instead of the “inspect” button, allows to go back to the previous screen. All the rows, with the exception of the first one that shows that inspected alert, show a new button in the Requests column. The button shows the number of Requests that have been generated by the source associated to the row. By pressing this button, it is possible to switch to the Sub View Report on Requests (for more information, check the relative paragraph).
A further note on this sub view is related to the top filtering bar:
As it can be noticed, two new elements are added to the classical filtering inputs:
- “Pattern” filtering buttons – through these buttons, it is possible to explore the tree of the elements that are related to the alert that is associated to the inspection, by changing in this way the resulting context of the applied filters.
- “Switch to All Patterns” button – through this button, it is possible to show all the elements that are similar to the one under inspection, including the ones that are related to requests that did not generate alerts, switching in this way to the Sub View Pattern Inspection.
- Informative Box on rules – shows information and suggestions on the creation of rules that are related to the alert that is currently being inspected, as well as a button for a fast creation of the rule.
This sub view shows an alternative point of view for the analysis of the traffic, showing all the patterns that correspond to the currently selected level in the inspection tree of the elements of the requests, including the ones that have not generated alerts.
Note how the functionality of this sub view is almost identical (for example, filtering, pagination, table, information box, etc…). At the same time, note how the breadcrumb shows that we are on a different screen. Besides, the filtering by “event type” is changed to filtering by “assigned label”.
The “Switch to Alerts” button allows to go back to the Sub View Alert Inspection, whilst the button “exit” that is present in the table allows to go back to the original Explorer view.
This sub view is reachable through the button “request”, both from the Sub View Alert Inspection and from the Sub View Pattern Inspection. In this sub view, all the requests received by the system are shown that contributed to the inspected alert. Requests are gathered by “organization” and they are shown with pagination, so as to allow to navigate a large number of requests. Through a little button that is located on the upper right part of the box related to an organization, it is possible to expand the box itself and visualize the related responses in a “synthetic” format.
For each organization, it is reported the name, the nation, an IP address and a “botnet” score, i.e., a comprehensive measurement that indicates how much the related organization has been observed as a source of malicious activities in the network (100% means that, according to the latest analyses performed by Pluribus One, the network infrastructures belonging to that organization are regularly used to manage botnets and to perform cyberattacks).
For each request, the following data are always reported: method, URL, host, user-agent, timestamp. In case of a Linked Site alert, a button “Take Snapshot”, which is located near the Referrer field, allows the user to request the system to save a snapshot, which can be further examined through the specific section of the interface.
For each response, the following fields are reported: status code, content type, bytes, timestamp.
The main goal of this view is to allow the user to manage protection rules: to visualize, change, enable and disable them. The view is divided in four sub-views, which correspond to four items in the left menu of Attack Prophecy: Main Page, Transport Level, “Basic” Application Level, “Advanced” Application Level.
This view is among the most complex ones in Attack Prophecy, and it is composed of the following elements and sub views:
This sub view is reachable by directly pressing the button Protection, and it shows general information on the other sub views. Each box shows a link to the related sub view and the number of new and currently loaded rules. The end of the page shows a button to load rules to the Web Application Firewall.
This element is present in all the three sub views of Protection (Transport Level, Basic Application Level and Advanced Application Level). Through a button “filters” that is located on the upper right, it is possible to close and open the filtering bar, in order to have more space in the screen when necessary. This bar contains all the inputs to filter the rules that are shown in the underneath data table. The filtering bar includes various filters and a search bar.
This element is present in all the three sub views of Protection. It consists of a table that reports all the rules that are related to the current sub view. The columns report the following elements: rule type, name of the rule, synthetic description of the rule, reference domain, the action that is set up and possibly active on the Web Application Firewall, the user who inserted the rule, date and time of rule insertion, status of rule loading on the Web Application Firewall, editing button.
Wherever necessary, the system provides a bar for pagination and scrolling the table directly under the table itself. This table is visible when the selected tab is “list”.
This screen is present in the views Transport Level, “Basic” Application Level and “Advanced” Application Level, and it is accessed by pressing the “edit” button in correspondence to one of the table rows; this action switches from the tab “list” to the tab “details”. Later on, it is possible to go back to the rules list by pressing on the tab “list.
The screen shows a number of text fields that allow the user to create or modify rules. The single fields are intuitive (e.g., description, creation date, etc.) and they are enabled depending on the rule type (e.g., transport, application, etc.).
This sub view is focused on the transport rules. Like every other view, it allows to both visualize and edit rules.
Sub view that is dedicated to the rules of the “basic” application level. The functionality is identical to the one of the sub view for the transport level, with the exception of the presence of a “Load Rules file” button on the upper right of the screen, which allows the loading of the rules.
Sub view dedicated to the rules of “advanced” application level. The functionality is identical to the one of the sub view for the rules of “basic” application level.
The main goal of this view is to allow the user to visualize the various snapshots that are generated during the inspection of the requests. The first screen, which is visible as soon as the view is accessed, shows a small preview of some of the snapshots that are present in the system; through the navigation bar at the end of the page, it is possible to scroll all the snapshots.
Once the user found a snapshot of interest, two options are available: to see the snapshots with a better resolution or to switch to a screen with more detailed information; both options can be selected by moving the mouse pointer on the snapshot, thus pressing the “zoom” or “details” button.
This screen shows further information on the single snapshot generated by Attack Prophecy.
Three boxes report information on Client, Initial Server and Final Server; for each of them the following information are reported: IP, nation (Country), Autonomous System (AS) and Botnet Level.
The following information are also reported: Linked Site, Referer Rank, Referer Domain, Final URL, URL Domain, Final URL Domain, Created by.
The page also contains a button that enables/disables the visualization of the html code related to the snapshot source page.
The main goal of this view is to allow the user to keep track of some “administrative” aspects of the software: access management, user and groups management, access logs.
The main screen that is initially visible shows a number of buttons. Each of them redirects to a subsection that is related to the functionalities that have been previously listed.
- Access attempts – this sub section shows the list of the attempts made to access the system. For each attempt, the following data are shown: date and time, IP address, User Agent, Username used for the access attempt, Path, number of failed access attempts.
- Logged Accesses – this sub section shows the list of the accesses that were successfully performed on the system. For each access, the following data are shown: date and time of the access, date and time of logout, IP address, Username, User Agent, Path.
- Groups – this sub section shows the list of user groups that are actually present in the system; it also allows the creation of new groups and the change of existing ones.
- Users – this sub section shows the list of the users that are actually present in the system; it also allows the creation of new users, as well as changing existing ones.
The goal of this view is to give a list of links to the official documentation, to licenses and other downloadable files. This screen simply provides links to the various downloadable documents.