{"id":8970,"date":"2020-09-16T09:23:36","date_gmt":"2020-09-16T07:23:36","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=8970"},"modified":"2020-12-03T10:29:21","modified_gmt":"2020-12-03T09:29:21","slug":"lifecycle-remote-code-execution","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/lifecycle-remote-code-execution\/","title":{"rendered":"The Lifecycle of a Remote Code Execution Security Incident"},"content":{"rendered":"\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\tTable Of Contents\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
  1. The problem with Remote Code Execution attacks<\/a>
  2. From penetration testing to bug detection<\/a>
  3. How to recover from Remote Code Execution<\/a>
  4. How we can mitigate this risk of the remote code execution attack and keep the system online?<\/a><\/ol>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\n\n\n

    It’s not always easy to understand the trust value of a penetration testing<\/span> until a critical security <\/a>incident happens to you. Last year at Codemotion Rome,  Giovanni Mellini is Head of Information, systems<\/span>, and network security<\/span> at ENAV S.pA., the Italian air navigation service provider<\/span>, shared a demonstration based on a remote code execution critical incident he had faced in his work.  <\/p>\n\n\n\n

    Giovanni is also the founder and president of Cyber Saiyan<\/a> – a not for profit<\/span> organization<\/span> founded to promote social initiatives to spread cybersecurity<\/span> and ethical hacking culture<\/span>. Cyber Saiyan organizes RomHack,<\/a> a free<\/span> cybersecurity<\/span> conference held yearly in Rome<\/span>. <\/p>\n\n\n\n

    Giovanni demonstrated how we can detect<\/span> remote code execution attacks<\/span> and how can we mitigate the risk. This included how you can respond and what kind of countermeasures<\/span> can be used to respond and react. <\/p>\n\n\n\n

    We’re sharing some of the central points of his presentation here, but you’ll want to view the video of his talk below to gain an appreciation of the live coding<\/span> in detail.<\/p>\n\n\n\n

    [jwp-video n=”1″]<\/p>\n\n\n\n

    The problem with Remote Code Execution attacks<\/h2>\n\n\n\n

    In Remote Code Execution (RCE<\/span>),  an attacker is able to run code of their choosing with system-level privileges<\/span> on a server<\/span> that possesses the appropriate weakness<\/span>. Once sufficiently compromised<\/span> the attacker may be able to access any and all information on a server<\/span> such as databases<\/span> containing information that unsuspecting clients<\/span> provided.<\/p>\n\n\n\n

    Giovanni shared “You can execute everything on the system<\/span> just by uploading something.  You can download software, do pivoting<\/span>, moving to another server<\/span>, shut down the system<\/span>, by rebooting the serve. You have to fix this now.”<\/p>\n\n\n\n

    From penetration testing to bug detection<\/h2>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n

    Giovanni began by sharing that a problem was unearthed during penetration testing<\/span>: “We had a security<\/span> check on a production system which revealed a critical security<\/span> problem.” <\/p>\n\n\n\n

    He notes the importance of security<\/a> by design<\/span>, “When you do a project<\/span>, a lot of people that have to work together and interact<\/span>. In the ideal world, everyone is happy. However, it’s a huge effort for everyone to react to do something. After we deploy<\/span> something it can be quite hard to fix, and go back and fix again. This is why we talk about the value of security<\/span> by design<\/span>. From my experience<\/span>, if you don’t have security<\/span> since the beginning of the project<\/span>, probably, you will have security<\/span> issues at the end.”<\/p>\n\n\n\n

    If you are fortunate enough to have an effective security<\/span> process somewhere in your company<\/span>, there is a chance you will intercept a security problem<\/a> before it goes live. However, according to Giovanni “For us, this was not the case. We found out about the problem in the web application<\/span> only after the IT department deployed it and it was being actively used.”<\/p>\n\n\n\n

    How to recover from Remote Code Execution<\/h2>\n\n\n\n

    There are two options:
    1. Shutdown<\/span> your system<\/span> until fixed
    2. Mitigate the risk and keep the system<\/span> online<\/span><\/p>\n\n\n\n

    Giovanni notes that that shutting down is the easiest solution, however, it takes time, which may not be appropriate for mission-critical applications<\/span>: “You have to shut down, do a new fix, do a test again and come back when you’re done. It typically takes at least a month and during this month, this system<\/span> is not available to uses.”<\/p>\n\n\n\n

    Or you can mitigate the risk and system while remaining online<\/span>:<\/p>\n\n\n\n

    “Like a defender, you have to think about how can you detect this kind of vulnerability<\/span> in the live system<\/span>, so you can intercept this kind of behaviour. And after you intercept this, you can have an alert and with your security team, you can react and say okay, we found that the vulnerability<\/span> is exploited<\/span>, used by someone, and now we investigate.”<\/p>\n\n\n\n

    How we can mitigate this risk of the remote code execution attack and keep the system online?<\/h2>\n\n\n\n

    Giovanni suggests you need to understand your scenario<\/span> and collect relevant logs<\/span>: to mitigate the risk first as a defender, you have to know this system<\/span> and you have to know of the system<\/span> works and you have to collect the data that can help you to find the vulnerability<\/span>.<\/p>\n\n\n\n

    Specifically, the Context<\/span> is IIS<\/span> Web series +ASPX<\/span> on Windows<\/span>:<\/p>\n\n\n\n