Security Monitoring/Analysis

Security Analysis for Web Server using SIEM and Packet Analyzer

As a Security Analyst, the two most important sources of information for analysis and for protecting assets are:
  • Log files
  • Network packets / traffic flow (ingress/egress, internal/external)

Log Management (SIEM)

A SIEM collects the logs from your assets and converts them into a uniform, searchable structure for much better data analysis.
Splunk, Sumo Logic, AlienVault and many others are used for data (log) analysis.

Packet Analyzer

The most effective method for network and security analysis. Wireshark is the open-source packet analyzer widely used to analyze traffic flow.

Add an IDS (Snort/Suricata) that matches the traffic against signatures and raises an alert whenever a rule matches.


Web Server Security Analysis:

Logs and Traffic Flow Structure


In this analysis, the web server is the asset. Its log files are sent to the SIEM for data/log analysis, and a packet analyzer runs on the internal interface alongside it.

SIEM >>> Sumo Logic and AlienVault
Packet Analyzer >>> Wireshark
IDS >>> Snort

Packet Analysis

As a Security Analyst, you will be analyzing unknown requests to the web server as well as known exploit attempts.
HTTP response codes show how the server answered each request, which helps decide whether the traffic is suspicious; a status code on its own does not prove intent, so it is read together with the request method, the URL and the request rate.

The source IP is scanning for pages that do not exist and the response is 404 Not Found. So many requests for unknown pages indicate that the traffic is suspicious: a scanner, not a person browsing the site.
A PROPFIND request is a WebDAV method; arriving at a web server that does not serve WebDAV, it is a known sign of a remote code execution attempt against vulnerable WebDAV implementations.

Attacker IP: 45.40.254.145 
Exploit Attempt

HTTP response code

Conclusion: remote code execution was attempted from the attacker IP, and the exploit was unsuccessful, since the HTTP response captured by the packet analyzer was 404 Not Found (the targeted resource does not exist on this server). Before closing the case, also confirm that the attacker IP made no later successful requests and that the server opened no new outbound connections after the attempt.

A great packet analysis of ct21-Webserver was done by Manikandan Ramkumar >> Link

In addition, an IDS rule matched the RCE attempt from the attacker IP:

Snort Rule  
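A local Snort rule of the kind that raises such an event, added here as an example; it is not the rule from the original page or from the official Snort ruleset. The message text, the classification and the SID (chosen in the local range, which starts at 1000000) are assumptions:

```snort
# Alert on any PROPFIND request reaching an internal web server (Snort 2.9 syntax).
# PROPFIND is a WebDAV method; on a server that does not expose WebDAV it only
# shows up in scanners and exploit attempts, so a match is worth an event.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL WebDAV PROPFIND request to web server"; \
    flow:to_server,established; \
    content:"PROPFIND"; http_method; nocase; \
    classtype:web-application-activity; \
    sid:1000001; rev:1; )
```

Put the rule in local.rules and make sure $HOME_NET and $HTTP_PORTS cover the web server. If the server legitimately serves WebDAV, the rule will also fire on real clients, so keep it as an activity rule and add the exploit-specific content match before treating a hit as an attack.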


Log/Data Analysis (SIEM)


Data analysis on the SIEM goes deeper into the attacker: request counts, IP reputation, geolocation and much more.

The overview/dashboard gives a good summary of the collected logs in a user-friendly layout, which helps to investigate accurately.

AlienVault Analysis



Top hosts are listed so that the analysis can be prioritized.

Once the logs are collected, the tool converts the log data into EVENTS for analysis.

Attacker IP: 193.112.100.154, Events: 400 errors

Event

Further investigation:

Filter on the source IP and list all the events it triggered.


Investigate the event and verify the log data. The log shows the request that caused the 404 error code.

"POST /w.php HTTP/1.1"  >> POST request 



The IDS event was triggered because the packet matched the signature (rule) in place.


IP reputation >> Link


The external IP has a bad reputation. Remote code execution was attempted and was unsuccessful.

As a remediation, block the external IP on the firewall/end device so that further exploit attempts are dropped or reset. Blocking one IP is a short-term measure, since attackers change addresses; the signature-based IDS rule is what keeps catching the same attempt from new sources.

Sumo Logic Analysis

Summarizing the traffic on the web server by HTTP status code shows that 404 errors are far more frequent than any other code.


Filter the search to status code = 404 and group by the corresponding source IP.


Source IP 45.40.254.145 has the highest count.


Filter to source IP = 45.40.254.145 with time intervals = 5 s.
The hits from the external IP arrive far too fast for a person browsing the site, which is suspicious.




The messages are the raw log lines; the URLs in the screenshot above show the external IP scanning for an exploitable admin page.

Solution: the high number of attempts and the GET requests for admin pages confirm malicious activity from the external IP; block it on the firewall/end device.
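To show the same checks in working code, here is an added example that is not code from this page and not a Sumo Logic or AlienVault feature: Python detection logic over constructed web server access-log lines that reproduces the indicators used in the packet analysis and in the two SIEM analyses above, namely 404 counts per source IP, the PROPFIND method, GET probes for admin pages, the hit rate inside a 5 s window, and an IP reputation check. The thresholds, the reputation list, the admin path list and the sample log lines are all assumptions built for the example; the IPs in the sample follow the ones discussed on this page.

```python
"""Detection logic over web server access logs (added example, not code from the page).

Per source IP: counts 404 responses (path scanning), flags HTTP methods outside
GET/POST/HEAD such as PROPFIND, records GET probes for admin pages, measures the
peak request count in any 5 s window and checks a reputation list. Thresholds,
the reputation list and the sample log lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"          # Apache/nginx combined log timestamp

NORMAL_METHODS = {"GET", "POST", "HEAD"}
ADMIN_PATHS = ("/admin", "/phpmyadmin", "/wp-admin", "/wp-login.php", "/manager")
KNOWN_BAD = {"193.112.100.154"}            # constructed stand-in for an IP reputation feed
NOT_FOUND_THRESHOLD = 5                     # assumed: 404s from one IP before calling it scanning
BURST_THRESHOLD = 5                         # assumed: requests inside one window
WINDOW_SECONDS = 5                          # the 5 s interval used on the SIEM


def parse_line(line):
    """Fields of one combined-format log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def max_hits_in_window(timestamps, window=WINDOW_SECONDS):
    """Largest number of requests inside any `window` seconds (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Aggregate per-IP indicators and return {ip: report}."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "methods": set(),
                                  "admin_probes": [], "timestamps": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:                      # skip lines that are not access-log records
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["timestamps"].append(rec["ts"])
        s["methods"].add(rec["method"])
        if rec["status"] == 404:
            s["not_found"] += 1
        if rec["method"] == "GET" and rec["path"].startswith(ADMIN_PATHS):
            s["admin_probes"].append(rec["path"])

    reports = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["not_found"] >= NOT_FOUND_THRESHOLD:
            reasons.append(f"{s['not_found']} x 404 (path scanning)")
        odd = s["methods"] - NORMAL_METHODS
        if odd:
            reasons.append("unusual method(s): " + ",".join(sorted(odd)))
        if s["admin_probes"]:
            reasons.append("admin page probes: " + ",".join(s["admin_probes"]))
        burst = max_hits_in_window(s["timestamps"])
        if burst >= BURST_THRESHOLD:
            reasons.append(f"{burst} requests inside {WINDOW_SECONDS}s")
        if ip in KNOWN_BAD:
            reasons.append("listed in reputation feed")
        reports[ip] = {"requests": s["requests"], "not_found": s["not_found"],
                       "burst": burst, "suspicious": bool(reasons), "reasons": reasons}
    return reports


# Constructed sample log lines in combined format; the IPs follow the page's examples.
SAMPLE_LOG = """\
45.40.254.145 - - [10/Mar/2019:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
45.40.254.145 - - [10/Mar/2019:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
45.40.254.145 - - [10/Mar/2019:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
45.40.254.145 - - [10/Mar/2019:10:00:02 +0000] "GET /manager/html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
45.40.254.145 - - [10/Mar/2019:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
45.40.254.145 - - [10/Mar/2019:10:00:03 +0000] "PROPFIND / HTTP/1.1" 404 209 "-" "Mozilla/5.0"
193.112.100.154 - - [10/Mar/2019:10:05:00 +0000] "POST /w.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.23 - - [10/Mar/2019:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.23 - - [10/Mar/2019:10:06:09 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {r['requests']:2} req {r['not_found']:2} x404 burst={r['burst']} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
        for reason in r["reasons"]:
            print("    -", reason)
```

On the sample, 45.40.254.145 is flagged on all four traffic indicators (six 404s, PROPFIND, four admin probes, six requests inside one window), 193.112.100.154 is flagged only by the reputation list, which matches how the AlienVault analysis above reached its verdict, and the internal host 10.0.0.23 stays clean. The thresholds are the part to tune per site: a busy public server will see stray 404s from legitimate users, so the counts should be set from a baseline of normal traffic before being used for blocking decisions.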


In conclusion, working with open-source tools and free versions of commercial software helps develop your security skills and teaches you about exploits and their mitigations, which is the path to becoming a strong security analyst.

Phishing - Main Source of Cyber Attacks

What is Phishing?

Phishing is similar to fishing: cyber criminals bait a hook with malware or a fake login page and wait until someone bites. The hook is delivered by email, SMS, phone calls, replicas of known websites and many other methods. In the case of a computer, once you are caught the attacker owns the computer or the credentials of your important accounts. In the case of SMS and calls, the victim is scared into handing over personal information or credit card details; in the case of fake websites, login credentials.


Sometimes it is hard to recognize that you really are being hooked, or phished.

How does phishing work?

I am using an email phishing example since it is the most common method and people are still getting hooked by emails.

The email was sent to me and went to SPAM, but that is not always the case.

Looking at the email below, it is very natural to be curious about what invoice this email is talking about.




Once you click on the link you are hooked, but you can still manage to get out of danger.



When you open the downloaded file is when you are completely hooked and caught (the danger zone).



As you can see there is no content in the file, just the macros, which are the malicious code that impacts the computer.

At this point you might just ignore the file, but you are already phished: in the background a few processes are running and trying to connect to malicious servers to submit data and receive instructions, also called C&C (command-and-control).

The following is the background analysis of the downloaded file.

My system configuration: 

***THIS ANALYSIS IS PERFORMED IN VIRTUAL ENVIRONMENT***
***PLEASE DON'T USE THE LINK ON YOUR ACTUAL COMPUTER FOR ANALYSIS***



This is the traffic of the infected computer as it starts to contact the attacker's servers to GET more files and compromise the system entirely.



The process above shows how email phishing works and compromises the system.

How to detect phishing?

The most important thing in detecting a phishing email is where it came from: the display name is not important, the sender's email address is what matters.

The screenshot below points out the important things to check before clicking a link or downloading a file:
  • Email address (the part after the @, the domain name)
  • Wrong details
  • Unknown link (suspicious link)
  • Grammar
  • File name (once downloaded)
These few points confirm that it is a phishing email, which can then be deleted or reported.







Similarly, things to check on phishing websites:
  • Domain name (URL)
  • Grammar
  • Copyrights
  • Website certificate (https://). Check who the certificate is issued to; a padlock alone does not prove the site is legitimate, since phishing sites routinely obtain valid certificates.
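The email and website checks listed above can be applied mechanically to a raw message. The following is an added example, not code from this page and not a feature of any mail client: a Python script (standard library only) that judges the sender by the address domain rather than the display name, finds links whose visible text names one host while the href goes to another or to a host outside the expected domain, flags attachments with macro-enabled or double extensions, and computes a SHA-256 per attachment so that the hash, rather than the file, can be looked up on VirusTotal or Hybrid Analysis. The expected domain, the risky-extension list, the lookalike domain and the sample message are all constructed for the example.

```python
"""Phishing indicator checks on a raw email (added example, not code from the page).

Covers the checklist: sender address domain (not the display name), link text vs.
href host, links outside the expected domain, risky attachment names, and a
SHA-256 per attachment for a hash lookup. The expected domain and the sample
message are constructed for this example.
"""
import hashlib
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "example.com"            # assumed: domain the sender claims to represent
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".scr", ".hta", ".iso")
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    m = DOMAIN_LIKE.match(text.strip())
    return m.group(1).lower() if m else ""


def is_expected(host, expected=EXPECTED_DOMAIN):
    """True if host is the expected domain or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def check_message(raw, expected=EXPECTED_DOMAIN):
    """Return findings, attachment hashes and an overall verdict for one raw email."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    if not is_expected(sender.domain.lower(), expected):    # judge the address, not the name
        findings.append(f"sender {sender.addr_spec!r} (shown as {sender.display_name!r}) "
                        f"is not in {expected!r}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = LinkExtractor()
        parser.feed(html.get_content())
        for href, text in parser.links:
            link_host = (urlparse(href).hostname or "").lower()
            shown = host_in_text(text)
            if shown and shown != link_host:                 # text says one site, href another
                findings.append(f"link text {text!r} actually points to {link_host!r}")
            if link_host and not is_expected(link_host, expected):
                findings.append(f"link to external host {link_host!r}")
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        attachments.append((name, digest))                   # look the hash up, not the file
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} has a macro-enabled or executable extension")
        if name.count(".") > 1:
            findings.append(f"attachment {name!r} has a double extension")
    return {"findings": findings, "attachments": attachments, "phishing": bool(findings)}


# Constructed sample: lookalike sender domain, mismatched link, macro-enabled attachment.
PHISH_EMAIL = """\
From: "Example Accounts" <billing@examp1e-pay.net>
To: me@example.com
Subject: Invoice 4471 overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your invoice is overdue: <a href="http://examp1e-pay.net/login">https://accounts.example.com/invoice</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    report = check_message(PHISH_EMAIL)
    print("PHISHING" if report["phishing"] else "no indicators")
    for line in report["findings"] + [f"attachment {n} sha256 {d}" for n, d in report["attachments"]]:
        print("  -", line)
```

On the sample the script produces four findings: the sender domain examp1e-pay.net is not example.com even though the display name looks right, the link text claims accounts.example.com while the href goes to examp1e-pay.net, that href is an external host, and the attachment is a macro-enabled .docm. The extension and double-extension checks are heuristics, so treat them as indicators to be confirmed by the hash lookup rather than as a verdict on their own.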

How to verify whether a file is malicious or not?


VirusTotal ( https://www.virustotal.com ) is one of the best free online analyzers for files, websites and domain names. It gives a good idea of whether a file is malicious or not according to the scans and signatures of many antivirus vendors.

This is the VirusTotal link for the downloaded malicious file.

For a more detailed analysis,

Hybrid Analysis ( https://www.hybrid-analysis.com/ ) is a good tool for in-depth sandbox analysis, more suitable for IT professionals.



##Take Away##

PERSONAL DATA or INFORMATION is an important asset for an individual or organisation, and it is directly proportional to MONEY and REPUTATION.

Don't be too busy to notice that you are being hooked and compromised. Be safe and careful in this cyber world.