web application incident response forensics a whole new
play

Web Application Incident Response & Forensics: A Whole New Ball - PowerPoint PPT Presentation

Aug 24, 2022 •670 likes •1.38k views

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007 Company Overviews MANDIANT

  1. Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007

  2. Company Overviews  MANDIANT • Full spectrum information security company: Professional Services, Government Services, Education, and Software • Services include Application Security, Network Security, Incident Response, Computer Forensics • Offices in Alexandria, VA and NYC  Intrepidus Group, Inc. • Network and Application Security Specialists • Offices in Chantilly, VA and NYC 1

  3. Why Are We Here?  “They” say that attacks against web applications are on the rise  “We” see it – 70% of the attacks we have responded to in the last year have been against web applications  Responding to such attacks is different • Need to understand application security • Need to look elsewhere for evidence 2

  4. Agenda  Background  How web application incident response and forensics is different  Case Studies  Log discovery, review, and analysis • Web Server • Application Server • Database  Remediation 3

  5. Background

  6. Three Tier Web Application HTTP Request / HTTP SQL RPC Call Request Query HTTP Result Set HTTP Response Response / Client Internet RPC Return Web / Intranet Web Server App Server Database Browser (presentation) (business logic) (resource) These servers may be independent or may run on the same machine 5

  7. Standard Incident Response & Forensics  Capture volatile data • Processes • Ports and network connections • Memory dumps • Logged in users  Perhaps capture some non-volatile data • Event logs • File listing and timestamps  Shutdown system  Make forensic image 6

  8. Standard Incident Response & Forensics  Analyze image with forensic tools • Examine file timestamps • Check for known malicious software • Examine deleted files • Conduct string searches • Carve files based on headers 7

  9. How Does Web App Forensics Differ?` Let’s find out… 8

  10. Why Standard Process Doesn’t Work  Web applications are often distributed across multiple servers  Web applications are often business critical and downtime for imaging may not be allowed  Database servers usually have large disk arrays  Web application attacks usually do not leave evidence in the same places as other attacks  Web application forensics and incident response requires a solid understanding of web application security issues – not a conventional “forensicator” skill 9

  11. Web Application Forensics Overview  Understand the “normal” flow of the application  Review log files: • Web Server • Application Server • Database Server • Application  Capture application and server configuration files  Identify potential anomalies: • Malicious input from client • Breaks in normal web access trends • Unusual referrers • Mid-session changes to cookie values  Determine a remediation plan 10

  12. A Report from the Trenches - Case #1

  13. Symptoms  “I see a trade executed from my account …10000 shares of a company I haven’t even heard about, were purchased on January 17 (2006) @ 2 pm from my account!” – a client of a well-established brokerage firm in NYC.  7 other clients of the same brokerage firm report the same issue – in January 2006. 12

  14. Investigation  Computer security breaches were the prime suspect.  Was the brokerage firm hacked? Was it the end user who was hacked?  We had dates and times of the trade executions as a clue. 13

  15. Investigation  Our team began reviewing the brokerage firm’s online trading application for clues • Network logs • Web server logs • Security mechanisms of the application  We asked to duplicate the victim’s hard drive and review it for indicators of compromise. 14

  16. Web Server Logs  Requested IIS logs for January 17, 2006 from all the (load balanced) servers.  Combined the log files into one common repository = 1 GB  Microsoft’s Log Parser to the rescue 15

  17. Microsoft LogParser  LogParser is an excellent and free tool for analyzing log files  Available from www.microsoft.com  More information on unofficial LogParser support site: http://www.logparser.com/  Supports a variety of log formats  Uses SQL syntax to process log files 16

  18. Microsoft LogParser  Parsed out all requests to execute.asp using Microsoft Log Parser: LogParser -o:csv "select * INTO execute.csv from *.log where cs-uri-stem like '/execute.asp%'" 17

  19. Can You Find The Smoking Gun? #Software: Microsoft Internet Information Services 5.0 #Version: 1.0 #Date: 2006-01-017 01:03:15 cs- #Fields:time c-ip cs-uri-stem cs-uri-query Status version method sessionid=90198e1525e4b03797f833ff4320af3 1:03:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=3840943093874b3484c3839de9340 1:04:35 172.16.54.33 POST /execute.asp 494 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:08:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=298230e0393bc09849d8392098839 1:10:19 172.16.87.231 POST /execute.asp 93 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:13:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:18:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=676db87873ab0393898de0398348c 1:19:20 172.16.121.3 POST /execute.asp 89 200 HTTP/1.0 sessionid=3840943093874b3484c3839de9340 1:21:43 172.16.41.53 POST /execute.asp 494 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:23:16 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:28:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 . . . . . . . . . . . . . . 18

  20. Next Step  Noticed repeated use of same sessionid at regular intervals from the same IP  Parsed out all requests with the suspicious sessionid LogParser -o:csv "select * INTO sessionid.csv from *.log where cs-uri-query like '%90198e1525e4b03797f833ff4320af39'" 19

  21. Can You Find The Smoking Gun? #Software: Microsoft Internet Information Services 5.0 #Version: 1.0 #Date: 2006-01-017 01:03:15 cs- #Fields:time c-ip cs-uri-stem cs-uri-query Status version method sessionid=90198e1525e4b03797f833ff4320af 1:03:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:08:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:13:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:18:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:23:16 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:28:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 . . . . . . . . . . . . . . sessionid=90198e1525e4b03797f833ff4320af 13:53:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 13:58:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:03:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:07:23 172.16.14.166 POST /login.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:07:54 172.16.14.166 POST /account.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:08:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:10:09 172.16.22.33 POST /confirm.asp 39 200 HTTP/1.0 20

  22. Phishing?  No indications of key logging trojans, malware, viruses, etc. were found on the victim’s computer.  Look what we found in the archived .pst file: URL: https://www.xyzbrokerage.com/login.asp?sessionid=90198e1525e4b03797f833ff4320af39 21

  23. Session Fixation  The application was confirmed to be vulnerable to session fixation: • A session id was issued before login • The same session id was used by the application after login for the purposes of user authorization • This allowed an attacker to hijack legitimate user sessions using a bit of social engineering 22

  24. Web Server Logs

  25. Caveat Responder  Log file names and locations in this presentation are the default for the most common version and configuration of the software discussed  Default file names and locations will vary depending on the specific version and configuration of the software  Most applications allow the log file name and location to be changed  Whenever possible, ask the system administrator for log locations 24

  26. IIS 6.0  Default logs are plain text in W3C Extended log file format  Logs stored in LogFiles\W3SVCx  Easily parsed with text parsing tools or with LogParser  Log files can capture cookies and referrer headers  Still missing key HTTP POST data 25

  27. IIS 6.0 – Logged by Default  Date / Time  Client IP  Server Info  HTTP Method  URL and Parameters  HTTP Status Code  User Agent 26

  28. IIS 6.0 – Not Logged by Default Can be enabled:  Transfer Sizes  Host Header  Cookies  Referrer Not even an option…  POST Data 27

Recommend

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo Incident Response Lifecycle 1.Preparation

576 views • 34 slides
Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

790 views • 63 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan

Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan

Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan Tesink Tilburg University, The Netherlands FIRST 2006, Baltimore, MD, USA High-quality Internet for higher education and research Overview The

263 views • 22 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

623 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

343 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry PERSONAL BACKGROUND Lead Engineer at Heroku since 2011 Worked on nearly all parts of the platform In 2012, I led a project to overhaul Herokus Incident

1.03k views • 72 slides

More recommend