seminar for senior bank supervisors web defacement...

Post on 12-Oct-2020


TRANSCRIPT

World Bank 2 Nov 2017

Baltimore Cyber Range Proprietary

Seminar for Senior Bank Supervisors

Web Defacement

Forensic Exercise

02 Nov 2017


Victim Enterprise Network

Victim Server (BBC News)

Events:

An Internet IP address attacks the DMZ
Performs port scanning to identify access
Performs ‘fuzzing’ to understand the ‘shell’
Executes password guessing
Uploads compromised files
Installs the defaced web site


SIEM and Firewall Review: Port Scanning

At 11:51:46 port scanning was detected.

It came from the Internet (199.203.100.232).

Victim IP address: 130.2.1.22 (NAT)

Activity seen on the Check Point firewall. We know: the network is being examined, we know who is looking and what they are looking at.


Look Up the NAT Address on the Firewall Dashboard

NAT Address, exposed to Internet

Internal network Address


SIEM and Firewall Review: Brute Force Password Guessing

At 11:54:24 password guessing was detected.

The victim: the BBC web server at 172.16.100.22

Activity detected by the firewall. Time to look at the server logs!


“Fuzzing”

Logged on as administrator on the web server, in the /var/log directory

Looking at the authentication log, which tracks login attempts

The attacker is flooding the server with requests to understand the ‘shell’


Port Scanning

Logged on as administrator on the web server, in the /var/log directory

Looking at the authentication log, which tracks login attempts

The Internet attacker's IP address appears in these entries


Brute Force Password Compromise

Failed password guesses from the attack IP

Successful: password guessed by the attack IP

The attacker now has access as root (administrator)!
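The slide sequence above (failed guesses from the attack IP followed by a successful login) is exactly the pattern a defender should pull out of the authentication log automatically rather than by eye. The following script is an added example and is not part of the seminar material; it assumes the server writes sshd-style entries to /var/log/auth.log. The log lines are constructed for illustration, the host name "bbc-web" is invented, and the only value taken from the deck is the attack IP 199.203.100.232.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines in sshd format, modelled on the
# exercise: a burst of failed root logins from the attack IP, then a success,
# followed by an unrelated legitimate key-based login from the internal network.
SAMPLE_AUTH_LOG = """\
Nov  2 11:54:24 bbc-web sshd[2107]: Failed password for root from 199.203.100.232 port 41022 ssh2
Nov  2 11:54:25 bbc-web sshd[2107]: Failed password for root from 199.203.100.232 port 41023 ssh2
Nov  2 11:54:25 bbc-web sshd[2107]: Failed password for root from 199.203.100.232 port 41024 ssh2
Nov  2 11:54:26 bbc-web sshd[2107]: Failed password for invalid user admin from 199.203.100.232 port 41025 ssh2
Nov  2 11:54:27 bbc-web sshd[2107]: Failed password for root from 199.203.100.232 port 41026 ssh2
Nov  2 11:54:30 bbc-web sshd[2110]: Accepted password for root from 199.203.100.232 port 41031 ssh2
Nov  2 11:55:02 bbc-web sshd[2115]: Accepted publickey for deploy from 172.16.100.5 port 50122 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text, year=2017):
    """Parse sshd auth.log lines into dicts; lines that do not match are skipped.
    syslog lines carry no year, so the caller supplies it (2017 for this exercise)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def failures_per_ip(events):
    """Count failed logins per source IP, the first thing to tabulate from the log."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return dict(counts)


def find_brute_force_successes(events, threshold=3, window_seconds=300):
    """Flag an accepted login that was preceded by at least `threshold` failures
    from the same source IP within `window_seconds`. Failures are counted per IP
    regardless of the user name tried, since guessing often rotates accounts."""
    recent_failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            recent_failures[ip].append(e["time"])
            continue
        # Drop failures older than the window before judging this success.
        cutoff = e["time"].timestamp() - window_seconds
        recent_failures[ip] = [t for t in recent_failures[ip] if t.timestamp() >= cutoff]
        n = len(recent_failures[ip])
        if n >= threshold:
            alerts.append({"ip": ip, "user": e["user"], "failures_before": n,
                           "time": e["time"].strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print("Failed logins per IP:", failures_per_ip(evs))
    for a in find_brute_force_successes(evs):
        print(f"ALERT {a['time']}: {a['ip']} logged in as {a['user']} "
              f"after {a['failures_before']} failures")
```

On a live server the same functions can be fed the output of the real auth.log; the threshold and window should be tuned so that a user mistyping a password twice does not page anyone, while a burst of failures followed by a success from one external address always does.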


Compromised victim web page

We know the web server has been compromised and when we log in:


Compromised Web Page Code

The compromised file that controls the web page


Mitigation / New Firewall Rules

Add firewall rules to deny all access from the attacker IP and to deny ‘shell’ access from the Internet


Remediate the compromised Web page

The team will use the backup OLD_BBC directory to overwrite the compromised BBC directory
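Overwriting BBC with OLD_BBC restores the site, but a forensic exercise also wants to know exactly which files the attacker changed or added, and the compromised copy should be preserved before it is destroyed. The script below is an added example, not part of the seminar material: it hashes both directory trees, reports modified, added and missing files, saves the compromised tree aside as evidence, and only then restores from the backup. The file names and contents it creates under a temporary directory are constructed for illustration; only the directory names BBC and OLD_BBC come from the slide.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _hash_tree(root):
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(backup_dir, live_dir):
    """Scope the defacement: which files differ from the known-good backup."""
    backup, live = _hash_tree(backup_dir), _hash_tree(live_dir)
    return {
        "modified": sorted(f for f in backup if f in live and backup[f] != live[f]),
        "added": sorted(f for f in live if f not in backup),
        "missing": sorted(f for f in backup if f not in live),
    }


def restore_from_backup(backup_dir, live_dir, evidence_dir):
    """Preserve the compromised tree for forensics, then overwrite live with backup.
    Returns the post-restore comparison, which should report no differences."""
    shutil.copytree(live_dir, evidence_dir)  # keep the compromised copy intact
    shutil.rmtree(live_dir)
    shutil.copytree(backup_dir, live_dir)
    return compare_trees(backup_dir, live_dir)


def build_constructed_example():
    """Create a constructed OLD_BBC (backup) and BBC (live, defaced) under a temp dir."""
    base = Path(tempfile.mkdtemp())
    old, live = base / "OLD_BBC", base / "BBC"
    for d in (old, live):
        (d / "uploads").mkdir(parents=True)
        (d / "style.css").write_text("body { font-family: sans-serif; }\n")
    (old / "index.html").write_text("<h1>BBC News</h1>\n")
    # Live copy: the front page was replaced and one unexpected file was uploaded.
    (live / "index.html").write_text("<h1>This site has been defaced</h1>\n")
    (live / "uploads" / "unknown.php").write_text(
        "<!-- constructed placeholder for an uploaded file -->\n")
    return base, old, live


if __name__ == "__main__":
    base, old, live = build_constructed_example()
    print("Before restore:", compare_trees(old, live))
    print("After restore: ", restore_from_backup(old, live, base / "BBC_evidence"))
    print("Evidence kept in", base / "BBC_evidence")
```

The "added" list is the more important output: a modified index.html is the visible defacement, but an unexpected file in an upload directory is what keeps the attacker's access alive after the page is restored, and it should be examined before the firewall rules are trusted to close the door.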


Remediated Web page


Questions / Comments

Baltimore Cyber Range
Baltimore, Maryland

703 795 0843
