Slide 1
World Bank 2 Nov 2017
Baltimore Cyber Range Proprietary
Seminar for Senior Bank Supervisors
Web Defacement
Forensic Exercise
02 Nov 2017
Slide 2
Victim Enterprise Network
Victim Server (BBC News)
Events:
- An Internet IP address attacks the DMZ
- Performs port scanning to identify access
- Performs ‘fuzzing’ to understand the ‘shell’
- Executes password guessing
- Uploads compromised files
- Installs the defaced web site
Slide 3
SIEM and Firewall Review: Port Scanning
At 11:51:46 port scanning was detected
Came from the Internet (199.203.100.232)
Victim IP address (130.2.1.22, the NAT address)
Activity seen on the Check Point firewall
We know: the network is being examined, who is looking, and what they are looking at
Slide 4
Look Up the NAT Address on the Firewall Dashboard
NAT Address, exposed to Internet
Internal network Address
Slide 5
SIEM and Firewall Review: Brute Force Password Guessing
At 11:54:24 password guessing was detected
The victim: the BBC web server at 172.16.100.22
Activity detected by the firewall. Time to look at the server logs!
Slide 6
“Fuzzing”
Logged on as administrator on the web server, in the /var/log directory
Looking at the authentication log, which tracks login attempts
The attacker is flooding the server with attempts to understand the ‘shell’
Slide 7
Port Scanning
Logged on as administrator on the web server, in the /var/log directory
Looking at the authentication log, which tracks login attempts
The Internet attacker's IP address appears in the log
Slide 8
Brute Force Password Compromise
Failed password guesses from the attack IP
Successful: password guessed by the attack IP
The attacker has access as root (administrator)!
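The log review of slides 6 to 8 (failed guesses from the attack IP, then a success) done as a script rather than by eye. This is an added example, not part of the deck: it reads sshd lines in the /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL) format. The sample log is constructed; the attacker address and times follow the exercise, while the hostname bbcweb, the PIDs, the client ports and the internal admin host 172.16.100.5 are made up.

```shell
#!/bin/sh
# Added example (not from the deck): auth-log triage for the brute-force pattern.
# The sample is constructed; only the attacker IP and times come from the exercise.
AUTH_LOG_SAMPLE='Nov  2 11:30:02 bbcweb sshd[2001]: Accepted publickey for webadmin from 172.16.100.5 port 40122 ssh2
Nov  2 11:31:10 bbcweb sshd[2005]: Failed password for webadmin from 172.16.100.5 port 40130 ssh2
Nov  2 11:54:24 bbcweb sshd[2114]: Failed password for root from 199.203.100.232 port 51022 ssh2
Nov  2 11:54:25 bbcweb sshd[2114]: Failed password for root from 199.203.100.232 port 51022 ssh2
Nov  2 11:54:26 bbcweb sshd[2116]: Failed password for invalid user admin from 199.203.100.232 port 51031 ssh2
Nov  2 11:54:27 bbcweb sshd[2118]: Failed password for root from 199.203.100.232 port 51040 ssh2
Nov  2 11:54:29 bbcweb sshd[2120]: Accepted password for root from 199.203.100.232 port 51044 ssh2'

# Failed sshd password attempts per source address, busiest first
# (the "failed password guess from the attack IP" view). Reads log lines on stdin.
failures_by_source() {
  awk '/sshd\[/ && /Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources that logged in successfully AFTER at least $1 failures (default 3):
# the brute-force-then-success pattern of slide 8. Order matters: a failure that
# comes after a legitimate login does not count against that login.
# One line per compromise: source IP, failure count, first failure, login time, account.
brute_force_report() {
  min=${1:-3}
  awk -v min="$min" '
    function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1) }
    function acct(   i) { for (i = 1; i <= NF; i++) if ($i == "for")  return $(i+1) }
    /sshd\[/ && /Failed password for/ {
      ip = src()
      if (!(ip in first)) first[ip] = $1 " " $2 " " $3
      fails[ip]++
      next
    }
    /sshd\[/ && /Accepted (password|publickey) for/ {
      ip = src()
      if ((ip in fails) && fails[ip] >= min + 0)
        printf "%s failures=%d first_fail=%s success=%s user=%s\n", ip, fails[ip], first[ip], $1 " " $2 " " $3, acct()
    }'
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$AUTH_LOG_SAMPLE" | failures_by_source
printf '%s\n' "$AUTH_LOG_SAMPLE" | brute_force_report 3
```

On the real server the same functions read the live log (`brute_force_report 3 < /var/log/auth.log`, or `journalctl -u ssh --no-pager | brute_force_report 3` on a systemd host). The report line for 199.203.100.232 gives the analyst the three facts the slides establish by hand: the attack source, the account that fell (root), and the time of compromise, which bounds the window in which the web root must be examined.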
Slide 9
Compromised victim web page
We know the web server has been compromised and when we log in:
Slide 10
Compromised Web Page Code
The compromised file that controls the web page
Slide 11
Mitigation / New Firewall Rules
Add firewall rules to deny access to the attacker IP and deny ‘shell’ access from the Internet
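The two rules on this slide written out for a Linux host firewall in iptables-restore syntax, as an added example that is not the deck's Check Point configuration. It assumes the ‘shell’ is SSH on tcp/22 (which the auth-log review implies) and that the management network is 172.16.100.0/24 (the server sits at 172.16.100.22); the attacker address is the one from the exercise.

```conf
# Added example, not from the deck. Load with: iptables-restore < this-file
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep loopback and already-established sessions working
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rule 1: deny everything from the attacker source seen in the SIEM
-A INPUT -s 199.203.100.232/32 -j DROP
# Rule 2: shell (SSH) only from the internal management network (assumed 172.16.100.0/24);
# every other attempt on tcp/22, i.e. from the Internet, is logged and dropped
-A INPUT -p tcp --dport 22 -s 172.16.100.0/24 -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH-DENIED: "
-A INPUT -p tcp --dport 22 -j DROP
# the web service itself stays reachable from the Internet
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
```

The per-address DROP is a stopgap, since the attacker can return from another address; the rule that actually closes the path used in this exercise is the second one. Because the account that fell was root with a guessable password, the matching change on the server is `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, together with a new root password.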
Slide 12
Remediate the compromised Web page
The team will use the OLD_BBC backup directory to overwrite the compromised BBC directory. Because the attacker held root, restoring the web directory alone does not make the host clean: the guessed root password must be changed, and files the attacker uploaded outside the BBC directory must be looked for.
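The restore from OLD_BBC as a script, with two steps a forensic exercise should not skip: the defaced tree and the auth log are preserved as evidence before anything is overwritten, and the files the attacker changed or added are listed so the analyst knows what was uploaded. This is an added example, not the deck's procedure. OLD_BBC and BBC are the directory names from the exercise; their parent path, the evidence directory and the auth log path are assumptions passed as arguments, and the scenario built by `demo_setup` is constructed so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the deck): evidence-preserving restore of the BBC web
# root from the OLD_BBC backup. Needs a standard Linux userland (find, sha256sum,
# diff, tar, cp). On the real server run as root, after the attacker's access is cut.
set -u

# SHA-256 of every file under $1, keyed by path relative to $1 and sorted by path,
# so a backup tree and a live tree can be compared line by line.
hash_tree() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Paths whose content differs between backup $1 and live tree $2, or that exist
# on only one side: the defaced page and any file the attacker uploaded.
tampered_files() {
  bh=$(mktemp)
  lh=$(mktemp)
  hash_tree "$1" > "$bh"
  hash_tree "$2" > "$lh"
  diff "$bh" "$lh" | awk '/^[<>]/ { print $3 }' | LC_ALL=C sort -u
  rm -f "$bh" "$lh"
}

# Evidence first: archive the live (defaced) tree $1 and copy the auth log $3
# into $2 before anything is overwritten; hash the archive for the case file.
# Prints the archive path.
preserve_evidence() {
  mkdir -p "$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$2/bbc-defaced-$stamp.tar"
  tar -cf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
  cp -p "$3" "$2/auth.log-$stamp"
  ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  echo "$archive"
}

# Replace live tree $2 with backup $1. Deleting first removes the attacker's
# extra files (a plain copy over the top would leave them); cp -pR keeps the
# backup's modes and timestamps.
restore_from_backup() {
  rm -rf "$2" && cp -pR "$1" "$2"
}

# After the restore the live tree must hash identically to the backup.
verify_restore() {
  [ -z "$(tampered_files "$1" "$2")" ]
}

# Constructed scenario (assumption, not the exercise's real files): a small
# backup and a live copy whose index page is defaced and which carries an upload.
demo_setup() {
  w=$(mktemp -d)
  mkdir -p "$w/OLD_BBC/css"
  printf '<h1>BBC News</h1>\n' > "$w/OLD_BBC/index.html"
  printf 'body { margin: 0 }\n' > "$w/OLD_BBC/css/site.css"
  cp -pR "$w/OLD_BBC" "$w/BBC"
  printf '<h1>Defaced</h1>\n' > "$w/BBC/index.html"          # attacker's page
  printf 'uploaded by attacker\n' > "$w/BBC/uploaded.php"    # attacker's upload
  printf 'Nov  2 11:54:29 bbcweb sshd[2120]: Accepted password for root from 199.203.100.232 port 51044 ssh2\n' > "$w/auth.log"
  echo "$w"
}

# Stand-alone run against the constructed scenario: sh restore.sh --demo
if [ "${1:-}" = "--demo" ]; then
  w=$(demo_setup)
  echo "tampered files:"; tampered_files "$w/OLD_BBC" "$w/BBC"
  echo "evidence: $(preserve_evidence "$w/BBC" "$w/evidence" "$w/auth.log")"
  restore_from_backup "$w/OLD_BBC" "$w/BBC"
  verify_restore "$w/OLD_BBC" "$w/BBC" && echo "restore verified"
fi
```

On the server the same calls take the real paths, e.g. `tampered_files /var/www/OLD_BBC /var/www/BBC` (the /var/www prefix is an assumption). The `tampered_files` list is worth keeping with the evidence: every path on it that is not the defaced page is something the attacker uploaded, and a backup that is itself older than the compromise window found in the auth log should not be trusted for the restore.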
Slide 13
Remediated Web page
Slide 14
Questions / Comments
Baltimore Cyber Range
Baltimore, Maryland
703 795 0843