{"id":1942,"date":"2019-12-04T10:55:58","date_gmt":"2019-12-04T09:55:58","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/uncategorized\/life-cycle-of-a-security-incident-from-detection-to-response\/"},"modified":"2020-01-22T00:28:37","modified_gmt":"2020-01-21T23:28:37","slug":"life-cycle-of-a-security-incident-from-detection-to-response","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/uncategorized\/life-cycle-of-a-security-incident-from-detection-to-response\/","title":{"rendered":"Life-cycle of a security incident: from detection to response"},"content":{"rendered":"

Giovanni Merlos Mellini is the Head of Information, Systems and Network Security<\/span> at Enav S.p.A., the Italian Air Navigation Service<\/span> Provider. He is also the founder of the not-for-profit association Cyber Saiyan and the organiser of RomHack<\/strong>, a free security<\/span> event that took place in Rome on last September.<\/p>\n

During Codemotion Rome 2019<\/strong>, Giovanni delivered a speech explaining how, as security<\/span> people, we must take care about security<\/span> from the beginning of any project<\/span>. This means implementing a security<\/span>-by-design approach<\/strong>. You\u2019ll experience security<\/span> issues sooner or later if you don\u2019t use this approach.<\/p>\n

Uploading a dangerous payload<\/strong><\/h2>\n

What happens if a system is not secured by design? If you are lucky enough to have an effective security<\/span> process somewhere in your company, there is a chance you intercept the project<\/span> before it goes live. However, during his speech Giovanni showed an example where a security<\/span> issue was there in a production environment. We knew about this web application<\/span> only after the IT department deployed it and it was actively used by the users<\/span>.<\/p>\n

Giovanni scheduled a penetration test<\/span><\/strong> to check for vulnerabilities<\/span> on the target system. The test exposed a vulnerability<\/span><\/strong>: an upload form was not checking in the right way the file being uploaded. In particular, an attacker could upload arbitrary files to the server<\/span>. To exploit this vulnerability<\/span>, Giovanni tried to upload a simple ASPX web shell<\/span> using the vulnerable web page.<\/p>\n

The web<\/span> shell<\/span> will execute the Windows<\/span> cmd.exe<\/em> to interact with the system. Moreover, Windows<\/span> anti-malware protection system removes the web shell<\/span> just after the uploading.<\/p>\n

In the first test, it was identified as malicious software. However, it was quite easy to bypass the protection: just rename cmd.exe<\/em> to Cmd.ExE<\/em>. This is funny and scary at the same time.<\/p>\n

Demo time: exploit the RCE<\/strong><\/h2>\n

This kind of attack is called RCE<\/span><\/strong>, R<\/strong>emote C<\/strong>ode E<\/strong>xecution, and is one of the worst vulnerabilities<\/span><\/strong>. It needs to be fixed as soon as possible.<\/p>\n

In real life, patching and validation tasks take time. Therefore, the aforementioned web application<\/span> is exposed to a high risk until the issue is fixed.<\/p>\n

There are two possible solutions:<\/p>\n

    \n
  • go offline<\/strong>: shutdown the system until developers fix the issue;<\/li>\n
  • stay online<\/strong>: mitigate the risk while keeping the system online.<\/li>\n<\/ul>\n

    Mitigate the risk of keeping the system online<\/strong><\/h2>\n

    Let’s imagine to go for keeping the system online, trying to mitigate the vulnerability<\/span> risk. The first thing to do is understanding the scenario<\/strong> and collecting relevant logs<\/strong>. In the case shown by Giovanni, the web application<\/span> run on an IIS<\/span> Web server<\/span> with ASPX<\/span> on Windows<\/span>.<\/p>\n

    As a defender, you need to know your systems<\/strong>. One way to achieve this goal is to collect relevant data<\/span> to analyse them. In this lab, Giovanni used Splunk<\/strong> to collect data<\/span>, but there are a lot of other options (eg. Elastic Search<\/strong>).<\/p>\n

    These are the actions to put in place:<\/p>\n

      \n
    • collect the logs;<\/li>\n
    • find the IIS<\/span> log directory;<\/li>\n
    • send the logs to a central log collector (configure a local agent to monitor in real-time the IIS<\/span> logs and send them to the central collector that keep also a secure copy of the log files<\/span> – it can also be useful in case of forensic activities);<\/li>\n
    • analyse logs while the problem is happening;<\/li>\n
    • find attack patterns.<\/li>\n<\/ul>\n

      Write your own detection rule<\/strong><\/h2>\n

      We are now ready to write our detection rule<\/strong>. To this end, we need to:<\/p>\n

        \n
      • identify pattern unique fields<\/strong>: starting from the log analysis, we look for unique fields into the logs while the attack happens;<\/li>\n
      • minimise the false positives<\/span><\/strong>: the goal is to be accurate to reduce the number of false positives<\/span>, so security analysts will only work on real events;<\/li>\n
      • schedule a search for the pattern<\/strong>: no one can identify the pattern by hand, we have to automate the detection phase;<\/li>\n
      • create an alert<\/strong>: when the event happens an action will be executed, a script is called that will open a ticket on our service desk platform.<\/li>\n<\/ul>\n

        At this point, we mitigated the vulnerability<\/span> risk; we could detect the event in real-time, generate an action and respond to the events.<\/p>\n

        Respond to the incident<\/strong><\/h2>\n

        We are now ready to react to the attack<\/span>. While the attack<\/span> happens we are notified on our service desk and we can easily see the attack<\/span> details. Having all process phases and procedures in place, we can react.<\/p>\n

        Final remarks<\/strong><\/h2>\n

        It is clear that, in my view, security is an enabler and not a blocker<\/strong>!<\/p>\n

        You must think secure from the beginning of the project<\/span><\/strong> and ask for security requirements.<\/p>\n

        Remember, there is not a magic potion: security problems<\/span> are often a chain of missing controls<\/span> and missing controls<\/span> and configurations.<\/p>\n