Proactive Forensics of Web Application Attacks - PowerPoint PPT Presentation

proactive forensics of web application attacks n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Proactive Forensics of Web Application Attacks PowerPoint Presentation
Download Presentation
Proactive Forensics of Web Application Attacks

play fullscreen
1 / 38
Proactive Forensics of Web Application Attacks
221 Views
Download Presentation
odin
Download Presentation

Proactive Forensics of Web Application Attacks

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Proactive Forensics of Web Application Attacks Shlomi Ben-Hur and Shay Chen Hacktics ASC A Step By Step Guide • June 2013

  2. Introduction Shlomi Ben-Hur Shay Chen Hacktics ASC, E&Y Chief Technology Officer • Hacktics ASC, E&Y • Forensics Service Leader Shlomi.Ben-Hur@il.ey.com Shay.Chen@il.ey.com

  3. Proactive Web Forensics (PWF): What’s New? • The Business Case • An excellent tool for managing budgets and priorities • Proactive process benefits • Recent Technical Advancements • Methodology per vulnerability (as in Security Assessments) • New commercial tools and open source projects

  4. Live Demo: Using PWF to Detect Incidents

  5. A Missing Piece The Limitations of Traditional Security Controls

  6. Traditional Services – Penetration Tests • Locates “A possible way into the system” • Doesn’t provide solid proof the system was hacked Do we know if the system was Hacked?

  7. Traditional Services – Forensics • Indentify and trace-back security incidents • Trace-back limited to the attacks that caused the impact In the absence of a “Trigger”, We’re left unaware as to whether the system was actually compromised

  8. The Current Coverage of Security Controls Security Testing (Attack & Pen) SIEM/SOC Reactive Forensics • Undetected Incidents, Attacks & Vulnerabilities

  9. What is Proactive Web Forensics? Attacks leave traces and audit trails Familiarity with System Architecture Identify attacks and hacking incidents for each component

  10. The outcome of a PWF process Provides evidence of system hacks Identifies how attacks were performed Evaluates the severity of hacks

  11. Benefits of Proactive Web Forensics Identify your most attacked/hacked systems Identify the impact on sensitive systems

  12. Benefits of Proactive Web Forensics Request Budget Based on Facts Improve Risk Management Manage Resources Effectively Spot-on Security Controls

  13. We’re currently mitigating POSSIBILITIES, Wouldn't we do it better if we mitigated FACTS?

  14. Proactive Web Forensics Capabilities, Methodologies and Tools

  15. WHID Incidents

  16. Prolonged and Ongoing Incidents • Incident Components • Vulnerability Detection • Exploitation • Incubation Period • Impact • Incident Timeframes • Dormant, Ongoing, Prolonged and Immediate • Incident Response Timeframes

  17. Why PWF? • Exposures detected in pen-tests are rarely investigated • There usually isn’t any attempt to identify past exploits • Exploitation might have occurred prior to the implementation of countermeasures: • WAF / IDS / Security Mechanisms Integration • An active or dormant exploit could be hosted on a machine for years, and the evidence may still be there.

  18. Information Sources

  19. Information Sources • Triggers • Penetration Test Reports • File System • File Metadata • Crash Dump Files • Content • Data Repository Content (DB, Web, File, LDAP, etc) • Log Files • OS, Web Server, DB, Application, Network Devices • Security Products, Forensics Blackbox, SIEM/SOC • 3rd Party Analysis Tools • Google Analytics, External Captcha Repositories, Etc

  20. POC: Locating Persistent XSS in System DB • Persistent XSS rely on HTML/JS/VBS injection, in either clear on encoded format; these patterns can be detected by scanning the data stored in the database, and the content hosted on the website: • iScanner / ScanEx vs. Live Web Site • OWASP Scrubber vs. Database

  21. POC: Locating Malicious File Upload • Abusing vulnerabilities to upload malicious files eventually results in the malicious file being uploaded into the context of the web application.: • Check the system metadata of the application files and locate abnormal date/time, permissions or similar properties. • Use WinMerge to compare the application files in the production environment to those of the relevant build in the development / staging environment. • Recover deleted file names in the web application directories • Compare deleted file names to historical file names in the source code management systems

  22. POC: Locating SQL Injection Attempts • SQL Injection is often performed after executing multiple attempts with invalid syntax. These instances often cause exceptions that leave traces in multiple layers: • Apache Scalp & PHP IDS on System Logs

  23. Prominent Open Source Analysis Tools • Initial Log Analysis • AWStats • Log Analysis Tools • Apache Scalp & PHP IDS Engine • Web Forensik • PHP IDA • File Metadata Analysis Tools • Winmerge • Content/Data Analysis • iScanner / ScanEx • OWASP Scrubber

  24. Proactive Forensics Methodology

  25. Log Analysis Perquisites • Infrastructure Familiarity • CMS/Framework Logs • OS/Database Logs • Crash Dump Files • Application Familiarity • External Data Tracked by 3rd Party Components

  26. Wordpress / Apache / MySQL Sample • Wordpress • Optional* configuration in file: ‘wp-config.php’, Relevant values: • @ini_set('log_errors','On') • @ini_set('error_log','/SecuredPath/logs/wp-php_error.log') • Apache • Default Access and Error logs Path:Linux Installation: ‘/var/log/apache2/’ - access_log, error_logWindows Installation: ‘Apache root/logs/’ - access.log, error.log • MySQL • By default, the server writes files for all enabled logs in the data directory(i.e. . • By default, no logs are enabled(except the error log on Windows), Optional log types: Error log, General Query log, Binary log, Relay log, Slow query log

  27. Environment Comparison Perquisites • Version History • SCM Repositories • SVN, CVS, Mercurial, Git, SourceSafe, Etc • Developer Stations • Backup Solutions • NAS, Drives, Cloud, Etc • Technology Familiarity • Identify executables, legitimate and illegitimate files

  28. Proactive Web Forensics in the Security Lifecycle

  29. PWF Triggers in Security Assessments • Embedding PWF in the organization security policy • After detecting high risk vulnerabilities in penetration tests, follow up and check if they were exploited

  30. Proactive Web Forensics Frequency • Assessment Frequency • Sample Scenario: Incubation Period Effective Response Timeframe Exploit Impact Exposure Detection PONR 2 Months 3 Months Insurance Timeframe Trojan via SQL Injection Theft Start Theft End Infection PONR

  31. PWF Frequency Formula Glossary • Incubation Period • The incubation period of the Attack AND Exploitation • Affected by the type of system and the type of exploit • Effective Response Timeframe • The timeframe in which a proper incident response will still mitigate the damage somehow • PWF Analysis Timeframe • The assessment segment dedicated to analysis information sources Analysis Result: The gap between PWF instances

  32. Potential Issues • False Positives • Penetration Tests might create similar traces • Can be mitigated by focusing on events that occurred in dates prior to the penetration test, and/or on events generated from non trusted sources. • An ever growing collection of attack vectors • Focus on attack vectors with higher severity • Adapt the assessment for each technology-in-use • Enhance the assessment methodology and toolset over time

  33. Summary

  34. Recommendations • Embed PWF into the organization security lifecycle • Calculate the PWF frequency based on the threat map • Perform PWF periodically on sensitive • Use output to adjust budget allocations and priorities • Perform PWF follow-ups on severe exposures detected in attack and penetration services • Identify past exploitations of vulnerabilities • Evaluate the severity of the impact • Adapt PWF to system specific technology and enhance the PWF tool arsenal

  35. References • WASC Web Hacking Incident Database: http://goo.gl/zNwMU • Presentations • Web Application IR & Forensics: A whole New Ball Game! • Blackhat Aug 2006 & AppSec Seattle 2006 • Web Application Digital Forensics (ISACA) • Whitepapers • Web Application Forensics: Taxonomy and Trends • Krassen Deltchev, Sep 5th, 2011 • Web Application Forensics: The Uncharted Territory • Ory Segal, July 2002 • Fingerprinting port 80 Attacks, Part 1 & 2 • CGI Security, March 2002

  36. Thank You!