World Bank 2 Nov 2017 Baltimore Cyber Range Proprietary Seminar for Senior Bank Supervisors Web Defacement Forensic Exercise 02 Nov 2017

Page 1

World Bank 2 Nov 2017

Baltimore Cyber Range Proprietary

Seminar for Senior Bank Supervisors

Web Defacement

Forensic Exercise

02 Nov 2017

Page 2

Victim Enterprise Network

Victim Server (BBC News)

Events:

An Internet IP address attacks the DMZ

Performs port scanning to identify access

Performs ‘fuzzing’ to understand the ‘shell’

Executes password guessing

Uploads compromised files

Installs defaced web site

Page 3

SIEM and Firewall Review: Port Scanning

At 11:51:46, port scanning was detected

Came from the Internet (199.203.100.232)

Victim IP address (130.2.1.22 – NAT)

Activity on Check Point firewall

We know: the network is being examined; we know who is looking and what they are looking at

Page 4

Look up NAT address on firewall dashboard

NAT Address, exposed to Internet

Internal network Address

Page 5

SIEM and Firewall Review: Brute Force Password Guessing

At 11:54:24, password guessing

The victim: BBC web server at 172.16.100.22

Activity detected by firewall. Time to look at server logs!

Page 6

“Fuzzing”

Logged on as administrator, on the web server, in the /var/log directory

Looking at the authentication log, which tracks login attempts

The Attacker is flooding the server to understand the ‘Shell’

Page 7

Port Scanning

Logged on as administrator on the web server in the /var/log directory

Looking at the authentication log, which tracks login attempts

The Internet Attacker IP address

Page 8

Brute Force Password Compromise

Failed password guess from the attack IP

Successful: password guessed by the attack IP

The Attacker has access as Root (Administrator)!
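The authentication-log review on the preceding pages (failed guesses from the attack IP, then a successful login from the same IP) can be turned into a simple detection. The following is an added example and not part of the seminar material; the log lines are constructed in OpenSSH auth.log format, reusing the attacker address from the exercise, with made-up host, user names and times.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the exercise): the attacker IP is
# the one named in the slides, the host, users, ports and times are invented.
SAMPLE_AUTH_LOG = """\
Nov  2 11:54:24 bbc-web sshd[2201]: Failed password for root from 199.203.100.232 port 41002 ssh2
Nov  2 11:54:25 bbc-web sshd[2201]: Failed password for root from 199.203.100.232 port 41002 ssh2
Nov  2 11:54:26 bbc-web sshd[2203]: Failed password for invalid user admin from 199.203.100.232 port 41010 ssh2
Nov  2 11:54:27 bbc-web sshd[2205]: Failed password for root from 199.203.100.232 port 41015 ssh2
Nov  2 11:54:29 bbc-web sshd[2207]: Failed password for root from 199.203.100.232 port 41020 ssh2
Nov  2 11:55:02 bbc-web sshd[2209]: Accepted password for root from 199.203.100.232 port 41031 ssh2
Nov  2 11:56:10 bbc-web sshd[2215]: Failed password for webadmin from 172.16.100.5 port 50122 ssh2
Nov  2 11:56:20 bbc-web sshd[2215]: Accepted password for webadmin from 172.16.100.5 port 50122 ssh2
"""

# Matches the sshd "Failed password" / "Accepted password" events; the optional
# "invalid user" prefix appears when the guessed account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def find_brute_force_successes(log_text, threshold=3):
    """Return {ip: (failures_before_success, user, timestamp)} for each source IP
    that logged in successfully after at least `threshold` failed guesses.
    A single mistyped password (below the threshold) is not reported."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password event; ignore
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in hits:
            hits[ip] = (failures[ip], m["user"], m["ts"])
    return hits


if __name__ == "__main__":
    for ip, (n, user, ts) in find_brute_force_successes(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failed guesses, then '{user}' accepted at {ts}")
```

On the constructed input this reports only 199.203.100.232, which is the pattern the slides describe: a run of failures followed by root access from the same address.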

Page 9

Compromised victim web page

We know the web server has been compromised and when we log in:

Page 10

Compromised Web Page Code

The compromised file that controls the web page

Page 11

Mitigation / New Firewall Rules

Add firewall rules to deny access to the attacker IP and deny ‘shell’ access from the Internet

Page 12

Remediate the compromised Web page

Team will use the backup OLD_BBC directory to overwrite the compromised BBC directory

Page 13

Remediated Web page

Page 14

Questions / Comments

Baltimore Cyber Range

Baltimore, Maryland

703 795 0843