web application incident response forensics a whole new
play

Web Application Incident Response & Forensics: A Whole New Ball - PowerPoint PPT Presentation

Aug 24, 2022 •670 likes •1.38k views

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007 Company Overviews MANDIANT

  1. Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007

  2. Company Overviews  MANDIANT • Full spectrum information security company: Professional Services, Government Services, Education, and Software • Services include Application Security, Network Security, Incident Response, Computer Forensics • Offices in Alexandria, VA and NYC  Intrepidus Group, Inc. • Network and Application Security Specialists • Offices in Chantilly, VA and NYC 1

  3. Why Are We Here?  “They” say that attacks against web applications are on the rise  “We” see it – 70% of the attacks we have responded to in the last year have been against web applications  Responding to such attacks is different • Need to understand application security • Need to look elsewhere for evidence 2

  4. Agenda  Background  How web application incident response and forensics is different  Case Studies  Log discovery, review, and analysis • Web Server • Application Server • Database  Remediation 3

  5. Background

  6. Three Tier Web Application HTTP Request / HTTP SQL RPC Call Request Query HTTP Result Set HTTP Response Response / Client Internet RPC Return Web / Intranet Web Server App Server Database Browser (presentation) (business logic) (resource) These servers may be independent or may run on the same machine 5

  7. Standard Incident Response & Forensics  Capture volatile data • Processes • Ports and network connections • Memory dumps • Logged in users  Perhaps capture some non-volatile data • Event logs • File listing and timestamps  Shutdown system  Make forensic image 6

  8. Standard Incident Response & Forensics  Analyze image with forensic tools • Examine file timestamps • Check for known malicious software • Examine deleted files • Conduct string searches • Carve files based on headers 7

  9. How Does Web App Forensics Differ?` Let’s find out… 8

  10. Why Standard Process Doesn’t Work  Web applications are often distributed across multiple servers  Web applications are often business critical and downtime for imaging may not be allowed  Database servers usually have large disk arrays  Web application attacks usually do not leave evidence in the same places as other attacks  Web application forensics and incident response requires a solid understanding of web application security issues – not a conventional “forensicator” skill 9

  11. Web Application Forensics Overview  Understand the “normal” flow of the application  Review log files: • Web Server • Application Server • Database Server • Application  Capture application and server configuration files  Identify potential anomalies: • Malicious input from client • Breaks in normal web access trends • Unusual referrers • Mid-session changes to cookie values  Determine a remediation plan 10

  12. A Report from the Trenches - Case #1

  13. Symptoms  “I see a trade executed from my account …10000 shares of a company I haven’t even heard about, were purchased on January 17 (2006) @ 2 pm from my account!” – a client of a well-established brokerage firm in NYC.  7 other clients of the same brokerage firm report the same issue – in January 2006. 12

  14. Investigation  Computer security breaches were the prime suspect.  Was the brokerage firm hacked? Was it the end user who was hacked?  We had dates and times of the trade executions as a clue. 13

  15. Investigation  Our team began reviewing the brokerage firm’s online trading application for clues • Network logs • Web server logs • Security mechanisms of the application  We asked to duplicate the victim’s hard drive and review it for indicators of compromise. 14

  16. Web Server Logs  Requested IIS logs for January 17, 2006 from all the (load balanced) servers.  Combined the log files into one common repository = 1 GB  Microsoft’s Log Parser to the rescue 15

  17. Microsoft LogParser  LogParser is an excellent and free tool for analyzing log files  Available from www.microsoft.com  More information on unofficial LogParser support site: http://www.logparser.com/  Supports a variety of log formats  Uses SQL syntax to process log files 16

  18. Microsoft LogParser  Parsed out all requests to execute.asp using Microsoft Log Parser: LogParser -o:csv "select * INTO execute.csv from *.log where cs-uri-stem like '/execute.asp%'" 17

  19. Can You Find The Smoking Gun? #Software: Microsoft Internet Information Services 5.0 #Version: 1.0 #Date: 2006-01-017 01:03:15 cs- #Fields:time c-ip cs-uri-stem cs-uri-query Status version method sessionid=90198e1525e4b03797f833ff4320af3 1:03:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=3840943093874b3484c3839de9340 1:04:35 172.16.54.33 POST /execute.asp 494 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:08:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=298230e0393bc09849d8392098839 1:10:19 172.16.87.231 POST /execute.asp 93 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:13:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:18:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=676db87873ab0393898de0398348c 1:19:20 172.16.121.3 POST /execute.asp 89 200 HTTP/1.0 sessionid=3840943093874b3484c3839de9340 1:21:43 172.16.41.53 POST /execute.asp 494 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:23:16 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af3 1:28:15 172.16.22.33 POST /execute.asp 9 200 HTTP/1.0 . . . . . . . . . . . . . . 18

  20. Next Step  Noticed repeated use of same sessionid at regular intervals from the same IP  Parsed out all requests with the suspicious sessionid LogParser -o:csv "select * INTO sessionid.csv from *.log where cs-uri-query like '%90198e1525e4b03797f833ff4320af39'" 19

  21. Can You Find The Smoking Gun? #Software: Microsoft Internet Information Services 5.0 #Version: 1.0 #Date: 2006-01-017 01:03:15 cs- #Fields:time c-ip cs-uri-stem cs-uri-query Status version method sessionid=90198e1525e4b03797f833ff4320af 1:03:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:08:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:13:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:18:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:23:16 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 1:28:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 . . . . . . . . . . . . . . sessionid=90198e1525e4b03797f833ff4320af 13:53:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 13:58:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:03:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:07:23 172.16.14.166 POST /login.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:07:54 172.16.14.166 POST /account.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:08:15 172.16.22.33 POST /execute.asp 39 200 HTTP/1.0 sessionid=90198e1525e4b03797f833ff4320af 14:10:09 172.16.22.33 POST /confirm.asp 39 200 HTTP/1.0 20

  22. Phishing?  No indications of key logging trojans, malware, viruses, etc. were found on the victim’s computer.  Look what we found in the archived .pst file: URL: https://www.xyzbrokerage.com/login.asp?sessionid=90198e1525e4b03797f833ff4320af39 21

  23. Session Fixation  The application was confirmed to be vulnerable to session fixation: • A session id was issued before login • The same session id was used by the application after login for the purposes of user authorization • This allowed an attacker to hijack legitimate user sessions using a bit of social engineering 22

  24. Web Server Logs

  25. Caveat Responder  Log file names and locations in this presentation are the default for the most common version and configuration of the software discussed  Default file names and locations will vary depending on the specific version and configuration of the software  Most applications allow the log file name and location to be changed  Whenever possible, ask the system administrator for log locations 24

  26. IIS 6.0  Default logs are plain text in W3C Extended log file format  Logs stored in LogFiles\W3SVCx  Easily parsed with text parsing tools or with LogParser  Log files can capture cookies and referrer headers  Still missing key HTTP POST data 25

  27. IIS 6.0 – Logged by Default  Date / Time  Client IP  Server Info  HTTP Method  URL and Parameters  HTTP Status Code  User Agent 26

  28. IIS 6.0 – Not Logged by Default Can be enabled:  Transfer Sizes  Host Header  Cookies  Referrer Not even an option…  POST Data 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo Incident Response Lifecycle 1.Preparation

575 views • 34 slides
Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

790 views • 63 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan

Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan

Designing and Developing an Application for Incident Response Teams Kees Leune and Sebastiaan Tesink Tilburg University, The Netherlands FIRST 2006, Baltimore, MD, USA High-quality Internet for higher education and research Overview The

263 views • 22 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
INSIGHT TO GET IT RIGHT: PREPARING FOR 2017 AUDIT & TAX FILINGS June 13, 2017 Nick Wallace,

INSIGHT TO GET IT RIGHT: PREPARING FOR 2017 AUDIT & TAX FILINGS June 13, 2017 Nick Wallace,

6/12/2017 INSIGHT TO GET IT RIGHT: PREPARING FOR 2017 AUDIT & TAX FILINGS June 13, 2017 Nick Wallace, CPA Nicole Fishback, CPA Director Director nwallace@bkd.com nfishback@bkd.com 1 6/12/2017 TO RECEIVE CPE CREDIT Participate in

454 views • 32 slides
to Green Mountain Care Board October 17, 2018 Mike Smith, President & Chief Executive Officer

to Green Mountain Care Board October 17, 2018 Mike Smith, President & Chief Executive Officer

VITL Presentation to Green Mountain Care Board October 17, 2018 Mike Smith, President & Chief Executive Officer Robert Turnau, Chief Financial Officer Frank Harris, Strategic Technology Advisor Kristina Choquette, Chief Operating Officer

192 views • 18 slides
48 th Annual Meeting Best Practices in Handling Audits and Appeals Mark Holcomb Curtis Osterloh

48 th Annual Meeting Best Practices in Handling Audits and Appeals Mark Holcomb Curtis Osterloh

48 th Annual Meeting Best Practices in Handling Audits and Appeals Mark Holcomb Curtis Osterloh John Trippier Dean Mead Scott Douglass Zaino Hall Tallahassee, FL Austin, TX Columbus, OH Council On State Taxation LEARNING OUTCOMES

807 views • 48 slides
Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon

Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon

Secure Audit Logging Systems Secure Audit Logging Systems Richard Kramer, Member IEEE Oregon State University 1 How does someone know they have been HACKED!? and WHO did it!? HACKED!? and WHO did it!? 2 Audit Logs in the News!

701 views • 51 slides
OpenVMS and Security getting even more grip on your security with Pointsecure or NDC Gerrit

OpenVMS and Security getting even more grip on your security with Pointsecure or NDC Gerrit

OpenVMS and Security getting even more grip on your security with Pointsecure or NDC Gerrit Woertman VSI Professional Services Alliance member VSI OpenVMS trainer EMEA & VSI OpenVMS Ambassador gerrit.woertman@vmsconsultancy.com

1.61k views • 65 slides
Sharing SAS programs between PC, Server and SAS Drug Development Magnus Mengelbier Director

Sharing SAS programs between PC, Server and SAS Drug Development Magnus Mengelbier Director

Sharing SAS programs between PC, Server and SAS Drug Development Magnus Mengelbier Director PhUSE 2011 1 Topics Introduction ! SAS on PC and server ! SAS Drug Development ! Common attributes ! Sharing conventions ! Process interfaces !

298 views • 25 slides
Audit Manager Project Chef: Neil Gower Overview Audit Manager is designed to monitor and log

Audit Manager Project Chef: Neil Gower Overview Audit Manager is designed to monitor and log

Audit Manager Project Chef: Neil Gower Overview Audit Manager is designed to monitor and log changes to specific documents in Lotus Notes and Domino applications. Configuration documents etc Sensitive documents etc Not

537 views • 17 slides
IDS for SAP Application Based IDS Reporting in the ERP system SAP R/3 1 Research Question How

IDS for SAP Application Based IDS Reporting in the ERP system SAP R/3 1 Research Question How

IDS for SAP Application Based IDS Reporting in the ERP system SAP R/3 1 Research Question How is the performance of this SAP IDS when running with reduction of false positives and anonymization? Hypothesis It is possible to make an

722 views • 24 slides

More recommend