One Article Review

Source: AlienVault Blog
Identifier: 1677672
Publication date: 2020-04-27 12:00:00 (viewed: 2020-04-27 12:08:37)
Title: Stories from the SOC - Web Server Attack
Text:

Executive Summary

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. During the investigation of a Web Server Attack alarm for a large multinational enterprise customer, we conducted an investigation that ultimately led to the customer isolating the system entirely. The correlation rules developed by the AT&T Alien Labs™ team recognized patterns that indicated an attack on the web server. Armed with the information presented by the alarm itself, we then expanded on those details, which led to the customer being informed that a public-facing server was actively vulnerable. While we were interfacing directly with the customer, they conveyed that they were unaware of this system being open and hastily took corrective measures, resulting in the isolation of the vulnerable system.

Investigation

Initial Alarm Review: Web Server Attack – Multiple Web Attacks Alarm

The initial alarm surfaced as the correlated result of multiple Apache Struts Dynamic Method Invocation Remote Code Execution events. As detailed in the image below, this attack intent is associated with the Delivery & Attack phase of the Cyber Kill Chain®.

[Figure 1 - Initial Alarm]

Alarm Detail

Also included in the alarm details is the associated MITRE ATT&CK® rule attack ID, which made it possible to efficiently gather relevant information about this particular attempt on the customer's system. The synopsis for this attack technique is defined as the "… use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability."
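The alarm above is described as the correlated result of several individual IDS events rather than a single signature hit. The block below is an added illustration of that kind of correlation logic, written for this review; it is not USM Anywhere or Alien Labs code. The event format, the field names, the five-minute window, the three-event threshold and the sample event lines are all constructed assumptions, and the ATT&CK technique name attached to the alarm is my own mapping of the quoted synopsis, since the post does not print the technique ID.

```python
"""Correlate repeated web-attack IDS events into one alarm per source/destination pair.

Added example for this write-up (not vendor code). Event format, field names,
window and threshold are assumptions chosen to mirror the alarm described.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the incident). One IDS hit per line:
# timestamp|src_ip|dst_ip|event_name
SAMPLE_EVENTS = """\
2020-04-20T10:00:01Z|203.0.113.7|192.0.2.10|Apache Struts Dynamic Method Invocation Remote Code Execution
2020-04-20T10:00:04Z|203.0.113.7|192.0.2.10|Apache Struts Dynamic Method Invocation Remote Code Execution
2020-04-20T10:00:09Z|203.0.113.7|192.0.2.10|Apache Struts Dynamic Method Invocation Remote Code Execution
2020-04-20T10:00:15Z|203.0.113.7|192.0.2.10|Apache Struts Dynamic Method Invocation Remote Code Execution
2020-04-20T10:20:00Z|198.51.100.3|192.0.2.10|Apache Struts Dynamic Method Invocation Remote Code Execution
2020-04-20T10:21:00Z|198.51.100.3|192.0.2.11|Generic HTTP Scan
"""

WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 3                   # assumed: three RCE events in the window raise one alarm


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, name = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "name": name,
        })
    return events


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of RCE events per (src, dst); one alarm per pair.

    Only events whose name contains 'Remote Code Execution' feed the counter,
    so unrelated noise (the scan line in the sample) never contributes.
    """
    alarms = []
    recent = defaultdict(list)   # (src, dst) -> timestamps still inside the window
    alarmed = set()              # pairs that already produced an alarm

    for ev in sorted(events, key=lambda e: e["ts"]):
        if "Remote Code Execution" not in ev["name"]:
            continue
        key = (ev["src"], ev["dst"])
        # Keep only timestamps within the window of the current event, then add it.
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        recent[key].append(ev["ts"])

        if len(recent[key]) >= threshold and key not in alarmed:
            alarmed.add(key)
            alarms.append({
                "alarm": "Web Server Attack - Multiple Web Attacks",
                "src": ev["src"],
                "dst": ev["dst"],
                "count": len(recent[key]),
                "first_seen": recent[key][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "kill_chain_phase": "Delivery & Attack",
                # Assumed mapping of the quoted ATT&CK synopsis; the post gives no ID.
                "attack_technique": "Exploit Public-Facing Application",
            })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_events(SAMPLE_EVENTS)):
        print(alarm)
```

The point of the window and threshold is that a single Struts signature hit is often scanner noise, while several against the same host in a short span is the pattern the post describes as worth an analyst's attention; tuning those two knobs is the trade-off between missed alarms and alert fatigue, and the emitted record carries the fields (source, target, kill-chain phase, technique) the analyst needed for the enrichment steps that follow.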
To better understand the vulnerability profile of the asset in question, I executed an authenticated vulnerability scan within USM Anywhere. The results indicated several Apache HTTP server vulnerabilities. Following the completion of my reconnaissance efforts, I presented the actionable information to the customer.

Response

[Figure 2 – Analyst Comments]

Customer Response(s)

Two members of our customer's staff reviewed the analysis that I provided, confirmed my trepidations pertaining to the active vulnerabilities, and shared the subsequent steps to be taken to remediate this activity. The NAT was removed, and the public IP was discontinued. The customer's staff provided supplementary detail about the exposed and vulnerable system and the means by which he resolved continuing activity. The analyst indicated the targeted device was a digital video recorder (DVR) system that physically resided within one of the customer's warehouses and then outlined the actions taken to mitigate the risk:

- The publication rule of the Watchguard in the warehouse was eliminated
- The secondary public IP from the Watchguard configuration was removed
- The public IP of origin of the attack on the Watchguard was blocked
- Geolocation blocking from the foreign country to our entire network in the region was enabled
- The DVR was isolated unti
Sent: Yes
Tags: Vulnerability, Threat, Guideline


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.