Here at Graylog, we have recently had an increase in conversations with security teams from leading companies and were inspired by Rob Joyce’s presentation at the USENIX Enigma 2016 conference. We want to share our key findings with the Graylog community!
This will be a 3 part series covering specific ways log management can be used to tighten security. To kick off Part 1, we have an overview of the 5 phases of intrusion and how to best combat attackers that are trying to infiltrate your networks and computer systems.
In order to stay protected, one must think like an infiltrator. The good thing is that cyber criminals use a methodical approach when planning an attack. By understanding their process and knowing your network, you will be better prepared and able to stay one step ahead.
STAGE 1 OF INTRUSION: RECONNAISSANCE
ATTACKER’S FOCUS: ANALYZING THE TARGET
In this stage, attackers act like detectives, gathering information to truly understand their target. Detail is everything! From examining email lists to open source information, their goal is to know the network better than the people who run and maintain it. They home in on the security aspects of the technology, study the weaknesses, and use any vulnerability to their advantage.
The reconnaissance stage can be viewed as the most important because it takes patience and time, from weeks to several months. Any information the infiltrator can gather on the company, such as employee names, phone numbers, and email addresses, will be vital. Attackers will also start to poke the network to analyze what systems and hosts are there. They will note any changes in the system that can be used as an entrance point. For example, leaving your network open for a vendor to fix an issue can also allow the cyber criminal to plant himself inside.
By the end of this pre-attack phase, attackers will have created a detailed map of the network and highlighted the system’s weaknesses, and they then continue on with their mission. Another point of focus during the reconnaissance stage is understanding the network’s trust boundaries. With more employees working from home or using their personal devices for work, the number of places where a data breach can occur also grows.
HOW TO COMBAT: KNOW YOUR NETWORK
It is important to fully inspect your network, know the technologies inside, and any possible cracks in your system. The best way to fully understand the network and have information readily available for research is to centrally collect the log messages from your network hardware. A tool like Graylog provides a visual of your network communications and path of connections using the one source of truth: log messages about established or rejected connections. In addition, hiring a red team is a great way to put your security to the test. The red team will test your system to identify vulnerabilities in the infrastructure. If they successfully breach your network, they’ll show you which areas need more protection and how to correct the errors.
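The paragraph above says the connection logs from your network hardware are the one source of truth for knowing your network. As an added example (not part of the Graylog post and not Graylog’s own query language), the following Python script parses a few constructed iptables-style firewall lines, builds the map of accepted connections between hosts, and flags external sources whose rejected connections spread across many ports on one host, which is the trace left behind when someone pokes at the perimeter during reconnaissance. The log format, the addresses and the five-port threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables/syslog-like format (not real logs).
# 203.0.113.7 probes six ports on 10.0.2.8 and is rejected each time;
# 198.51.100.4 is a normal client with one accepted and one rejected connection.
SAMPLE_LOGS = """\
Mar  3 10:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=10.0.2.8 PROTO=TCP DPT=443
Mar  3 10:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=10.0.2.9 PROTO=TCP DPT=22
Mar  3 10:01:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=21
Mar  3 10:01:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=22
Mar  3 10:01:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=23
Mar  3 10:01:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=25
Mar  3 10:01:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=80
Mar  3 10:01:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.8 PROTO=TCP DPT=8080
Mar  3 10:01:12 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.2.8 PROTO=TCP DPT=443
Mar  3 10:01:15 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.2.8 PROTO=TCP DPT=8443
"""

# Field layout assumed for the constructed format above.
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of the connection fields, or None for lines that are not connection events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def build_connection_map(events):
    """Map each (src, dst) pair to the set of destination ports that were accepted.

    This is the 'who talks to whom' picture the text describes; unexpected pairs
    or ports in it are the first thing to review when inspecting the network.
    """
    cmap = defaultdict(set)
    for e in events:
        if e["action"] == "ACCEPT":
            cmap[(e["src"], e["dst"])].add(e["dport"])
    return dict(cmap)


def find_port_scanners(events, min_ports=5):
    """Return (src, dst) pairs whose rejected connections hit at least min_ports distinct ports.

    One rejected connection is noise; many rejected connections to different
    ports on the same host from one source is a probe of the perimeter.
    """
    rejected = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            rejected[(e["src"], e["dst"])].add(e["dport"])
    return {pair: sorted(ports) for pair, ports in rejected.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for (src, dst), ports in build_connection_map(evts).items():
        print(f"accepted {src} -> {dst} on ports {sorted(ports)}")
    for (src, dst), ports in find_port_scanners(evts).items():
        print(f"possible scan: {src} probed {dst} on ports {ports}")
```

The threshold and window are deliberately simple; in a real deployment you would run the same two aggregations continuously over the central log store and drive a dashboard from them rather than from a one-off script.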
STAGE 2: INITIAL EXPLOITATION
ATTACKER’S FOCUS: INTRUSION
Persistence is key, and infiltrators use numerous methods of exploitation. Water-holing is used by an attacker to compromise a popular website that is visited by company employees. Once an employee visits the infected site, the cyber criminal can attack their computer in the hope of gaining credentials and access to the company network. Other vectors used by attackers include spear phishing, SQL injection, malicious emails, and tainted removable media.
HOW TO COMBAT: LOGS AND PROCEDURES
In order to protect your system, you need to focus on the most detailed information about the network: the logs! Logs are the key to spotting any anomalies or breaches in your system. Having an enterprise-ready log management system, such as Graylog, will make it more difficult for cyber criminals. You need to be constantly monitoring your network traffic and looking for anomalies and signs of attacks. Also, to make intrusion harder, among other measures, add two-factor authentication to the services your users use and implement the principle of least privilege as extra security methods.
STAGE 3: ESTABLISH PERSISTENCE
ATTACKER’S FOCUS: DIGGING INTO THE SYSTEM
At this point, cyber criminals are in your system and focused on gaining additional access to build up their presence. In order to take over the network, they will need to obtain more control and dive deeper into the system. One method is privilege escalation, in which the attacker uses any error or flaw in the system to obtain, vertically or horizontally, extra privileges or ones that were not intended for the user. Other points of entry could be overly permissive systems or exposed SSH keys.
HOW TO COMBAT: MONITOR CONNECTION PATHWAYS
With the infiltrator in your network, there will most likely be a command and control channel from the outside into your infrastructure. Your task is to detect and disarm the control channel before the attacker can start to move laterally inside your network, causing more harm. You can use network and operating system logs to find connections from the outside that should not be there. Just like the detection of attackers who are poking at your perimeter security measures, this is a constant task that should be partly automated or managed with an easy-to-access dashboard.
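A command and control channel that survives a reboot usually has to call home on a schedule, and that regularity is what the connection logs can reveal. As an added example (not from the Graylog post), the following Python code groups outbound connections by internal source, external destination and port, measures how evenly spaced they are, and reports the pairs whose inter-connection gaps have a coefficient of variation below a threshold. The record format, the 10.0.0.0/8 internal range, the addresses and the thresholds are constructed assumptions for this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed internal address space; anything outside it is 'the outside'.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records: (timestamp, source, destination, destination port).
# 10.0.1.22 -> 198.51.100.77 fires about once a minute (beacon-like);
# 10.0.1.30 -> 203.0.113.10 is irregular browsing;
# 10.0.1.22 -> 10.0.2.5 is periodic too, but never leaves the network.
SAMPLE_CONNECTIONS = [
    ("2024-03-03T09:00:00", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:01:00", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:02:01", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:02:59", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:04:00", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:05:00", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:06:01", "10.0.1.22", "198.51.100.77", 443),
    ("2024-03-03T09:00:05", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:00:07", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:01:40", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:03:02", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:03:03", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:09:30", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:10:00", "10.0.1.30", "203.0.113.10", 443),
    ("2024-03-03T09:00:00", "10.0.1.22", "10.0.2.5", 445),
    ("2024-03-03T09:01:00", "10.0.1.22", "10.0.2.5", 445),
    ("2024-03-03T09:02:00", "10.0.1.22", "10.0.2.5", 445),
    ("2024-03-03T09:03:00", "10.0.1.22", "10.0.2.5", 445),
    ("2024-03-03T09:04:00", "10.0.1.22", "10.0.2.5", 445),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return outbound (src, dst, port) triples whose connection timing is suspiciously regular.

    The coefficient of variation (stdev / mean of the gaps between connections)
    is close to zero for a timer-driven channel and large for human activity.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, dport)].append(datetime.fromisoformat(ts))

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"connections": len(stamps), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"regular outbound channel {src} -> {dst}:{port} every ~{info['period_s']}s "
              f"({info['connections']} connections, cv={info['cv']})")
```

A hit is a lead, not a verdict: software update checks and monitoring agents also beacon, so the next step is to compare the destination against an allowlist of known services before treating the channel as hostile.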
STAGE 4: MOVE LATERALLY
ATTACKER’S FOCUS: FINDING KEY PIECES
Cyber criminals usually do not land in the exact spot of their target, thus, they need to move laterally in order to find their key pieces to complete their mission.
HOW TO COMBAT: PROTECTION THROUGHOUT NETWORK
If an attacker has made it inside your system, it is imperative to halt their movement. The protection inside your network needs to be as strong as the protection around it. You can strengthen your defense through network segmentation, monitoring your logs, and limiting administrator privileges.
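Lateral movement shows up in authentication logs as one account, from one source host, reaching an unusual number of different hosts in a short time. As an added example (not from the Graylog post), the following Python code slides a time window over constructed logon records and raises an alert when an actor reaches at least five hosts, ignoring destinations that the account is expected to use. The record format, the accounts, the addresses, the window and the threshold are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records: (timestamp, user, source host, destination host).
# 'svc-backup' normally only reaches 10.0.2.5; here it fans out to five more hosts
# in three minutes. 'jdoe' touches two hosts spread over a working day.
SAMPLE_AUTH_EVENTS = [
    ("2024-03-03T14:00:10", "svc-backup", "10.0.1.22", "10.0.2.5"),
    ("2024-03-03T14:00:41", "svc-backup", "10.0.1.22", "10.0.2.6"),
    ("2024-03-03T14:01:12", "svc-backup", "10.0.1.22", "10.0.2.7"),
    ("2024-03-03T14:01:45", "svc-backup", "10.0.1.22", "10.0.2.8"),
    ("2024-03-03T14:02:20", "svc-backup", "10.0.1.22", "10.0.2.9"),
    ("2024-03-03T14:02:58", "svc-backup", "10.0.1.22", "10.0.2.10"),
    ("2024-03-03T09:02:00", "jdoe", "10.0.1.30", "10.0.2.8"),
    ("2024-03-03T11:30:00", "jdoe", "10.0.1.30", "10.0.2.8"),
    ("2024-03-03T13:15:00", "jdoe", "10.0.1.30", "10.0.2.12"),
    ("2024-03-03T15:40:00", "jdoe", "10.0.1.30", "10.0.2.8"),
    ("2024-03-03T16:05:00", "jdoe", "10.0.1.30", "10.0.2.12"),
]

# Destinations each (user, source) is expected to reach; this is where the
# least-privilege baseline of the text turns into something the detector can use.
EXPECTED_HOSTS = {("svc-backup", "10.0.1.22"): {"10.0.2.5"}}


def find_fan_out(events, min_hosts=5, window=timedelta(minutes=10), expected=None):
    """Return (user, src) actors that reach at least min_hosts unexpected hosts within one window."""
    expected = expected or {}
    by_actor = defaultdict(list)
    for ts, user, src, dst in events:
        by_actor[(user, src)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for actor, seq in by_actor.items():
        seq.sort()
        recent = deque()  # (time, host) pairs inside the current window
        for t, dst in seq:
            if dst in expected.get(actor, set()):
                continue
            recent.append((t, dst))
            while t - recent[0][0] > window:
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) >= min_hosts:
                alerts[actor] = {
                    "hosts": sorted(hosts),
                    "window_start": recent[0][0].isoformat(),
                    "window_end": t.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for (user, src), info in find_fan_out(SAMPLE_AUTH_EVENTS, expected=EXPECTED_HOSTS).items():
        print(f"{user} from {src} reached {len(info['hosts'])} hosts between "
              f"{info['window_start']} and {info['window_end']}: {info['hosts']}")
```

Segmentation makes this detector stronger rather than redundant: when a service account has no route to most of the network, a fan-out like the one above produces rejected connections on the segment boundary as well, which is a second, independent signal.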
STAGE 5: COLLECT, EXFIL, AND EXPLOIT
ATTACKER’S FOCUS: GET IN, GET OUT
The attackers have succeeded. They compromised your network, and your sensitive data has been moved out. The attackers can now leak this information, and the ultimate goal of their mission is complete.
HOW TO COMBAT: ALWAYS BE IMPROVING!
You need to be continually improving your defense systems, implementing policies and procedures, and always analyzing your logs, because they are the first place to detect malicious activity.
HOW TO MONITOR YOUR NETWORK LOGS WITH GRAYLOG
Our Graylog engineers are always helping the community with using log management to detect anomalies and hardening their infrastructure. Check back next Tuesday for Part 2 where we will discuss the use of log management for network security using Graylog examples.
Introduction to Penetration Testing and Web Applications
CISOs and CTOs have been spending huge amounts of money on web application and general IT security without getting the benefits, and they are living with a false sense of security. Although IT security has been a top priority for organizations, there have been some big security breaches in the last few years. The attack on Target Corp, one of the biggest retailers in the US, exposed around 40 million debit and credit card details, and the CEO and CIO were forced to step down. The attack on the Sony PlayStation Network was the result of a SQL injection attack, one of the most common web application attacks, and the network was down for 24 days. This exposed the personal information of 77 million accounts. These personal details and financial records then end up in underground markets and are used for malicious activities. There have been many more attacks that have not been reported in the news with much vigor. Web applications may not be the sole reason for such huge security breaches, but they have always played an assisting role that has helped the attacker achieve their main goal of planting malware to expose private data. It is not only the web server or the website that is responsible for such attacks; vulnerabilities in the client web browser are equally responsible. A fine example is the Aurora attack, which was aimed at a dozen high-profile organizations, including Google, Adobe, Yahoo!, and a few others. The attackers exploited a zero-day heap spray vulnerability in Internet Explorer to gain access to corporate systems through end user devices; in this case, a vulnerability in the web browser was a contributing factor.
Another reason why web applications are so prone to attacks is that typical IT security policies and investments are reactive rather than proactive. Although we are moving in the right direction, we are still far from our goal. A disgruntled employee or a hacker will not read your network and access control policy before stealing data, or think twice before kicking the server off the network, so creating documents alone does not really help. Application layer firewalls and IPS devices are not keeping up with the pace of evolving attacks. The embrace of BYOD by many companies has increased the attack surface and has also created additional problems for IT security teams. However, these devices are here to stay and we need to adapt. Internet-facing websites have been a favorite of attackers and script kiddies. Over-the-counter developed websites and web solutions have added more problems. Little or no investment in code reviews, and a lack of understanding of the importance of encrypting data on the network and on disk, make the job of your adversaries far easier. If we take a look at two of the most common types of attack on web applications, SQL injection and cross-site scripting (XSS) (more on these in the coming chapters), both are caused by the application not handling input from the user properly. You can test your applications in a more proactive way. During the testing phase, you can use the different inputs an attacker would use to exploit the input fields in a web form and test from the perspective of the attacker, rather than waiting for the attacker to exploit it and then remediating it. Network firewalls and proxy devices were never designed to block such intrusions; you need to test your applications just the way an attacker would, and this is exactly what we will be covering in the coming chapters.
Proactive security testing
Penetration testing or ethical hacking is a proactive way of testing your web applications by simulating an attack that is similar to a real attack that could occur on any given day. We will use the tools provided in Kali Linux to accomplish it. Kali Linux is a re-branded version of Backtrack and is now based on a Debian-derived Linux distribution. It is used by security professionals to perform offensive security tasks and is maintained by a company known as Offensive Security Ltd. The predecessor of Kali Linux was Backtrack, which was one of the primary tools used by hackers for more than 6 years until 2013, when it was replaced by Kali Linux. In August 2015 the second version of Kali Linux was released with the code name Kali Sana. This version includes new tools and comes with a rebranded GUI based on GNOME3. Kali Linux comes with a large set of popular hacking tools that are ready to use with all the prerequisites installed. We will dive deep into these tools and use them to test web applications that are vulnerable to the major flaws found in real-world web applications.
Who is a hacker?
A hacker is a person who loves to dig deep into a system out of curiosity in order to understand the internal working of that particular system and to find vulnerabilities in it. A hacker is often misunderstood as a person who uses the information acquired with malicious intent. A cracker is the one who intends to break into a system with
Crackers are often known as Black Hat hackers.
Hacking into a system that is owned by someone else should always be done after the consent of the owner. Many organizations have started to hire professional hackers who point out flaws in their systems. Getting written consent from the client before you start the engagement should always be at the top of your to-do list. Hacking is also a hotly debated topic in the media; a research paper detailing a vulnerability that you discovered and released without the consent of the owner of the product could drag you into a lot of legal trouble, even if you had no malicious intent of using that information.
Hacking has played a major role in improving the security of computers. Hackers have been involved in almost all technologies, be it mobile phones, SCADA systems, robotics, or airplanes. For example, Windows XP (released in the year 2001) had far too many vulnerabilities, and exploits were released on a daily basis; in contrast, Windows 8, which was released in the year 2012, was much more secure and had many mitigation features that could thwart malicious attempts. This would not have been possible without the large community of hackers who regularly exposed security holes in the operating system and helped make it more secure. IT security is a journey. Although the security of computer systems has improved drastically over the past few years, it needs constant attention as new features are added and new technologies are developed, and hackers play a major role in it.
The Heartbleed, Shellshock, Poodle, GHOST, and Drupal vulnerabilities discovered over the past 12 months have again emphasized the importance of constantly testing your systems for vulnerabilities. These vulnerabilities also punch a hole in the argument that open source software is more secure because the source code is open; a proper investment of time, money, and qualified resources is the need of the hour.
Different testing methodologies
Often people get confused by the following terms and use them interchangeably, without understanding that, although some aspects overlap, there are also subtle differences between them that need attention:
• Ethical hacking
• Penetration testing
• Vulnerability assessment
• Security audits
Ethical hacking
Very few people know that hacking is a misunderstood term; it means different things to different people, and more often than not a hacker is thought of as a person sitting in a closed enclosure with no social life and with malicious intent. Thus, the word ethical was prefixed to the term hacking. The term ethical hacking is used to refer to professionals who work to identify loopholes and vulnerabilities in systems, report them to the vendor or owner of the system, and also, at times, help them fix it. The tools and techniques used by an ethical hacker are similar to the ones used by a cracker or a Black Hat hacker, but the aim is different, as they are used in a more professional way.
Ethical hackers are also known as security researchers.
Penetration testing
This is a term that we will use very often in this book, and it is a subset of ethical hacking. Penetration testing is a more professional term used to describe what an ethical hacker does. If you are planning a career in hacking, you will often see job postings with the title penetration tester. Although penetration testing is a subset of ethical hacking, it differs in multiple ways. It is a more streamlined way of identifying vulnerabilities in systems and finding out whether a vulnerability is exploitable or not. Penetration testing is bound by a contract between the tester and the owner of the systems to be tested. You need to define the scope of the test to identify the systems to be tested. The rules of engagement need to be defined, which decide the way in which the testing is to be done.
Vulnerability assessment
At times organizations might want to only identify the vulnerabilities that exist in their systems without actually exploiting them and gaining access. Vulnerability assessments are broader than penetration tests. The end result of a vulnerability assessment is a report prioritizing the vulnerabilities found, with the most severe ones at the top and the ones posing lesser risk lower in the report. This report is really helpful for clients who know that they have security issues but need to identify and prioritize the most critical ones.
Security audits
Auditing is a systematic procedure used to measure the state of a system against a predetermined set of standards. These standards could be industry best practices or an in-house checklist. The primary objective of an audit is to measure and report on conformance. If you are auditing a web server, some of the initial things to look out for are the ports open on the server, harmful HTTP methods such as TRACE enabled on the server, the encryption standard used, and the key length.
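One of the audit items named above, whether TRACE is enabled, can be checked without guesswork: a server with TRACE enabled echoes the request back to the client, so a request carrying a unique marker header either returns that marker or it does not. As an added example (not from the book and not part of Kali Linux), the following Python code uses only the standard library to start two throwaway servers on the loopback interface, one constructed to mimic a misconfigured server that answers TRACE and one hardened server that refuses it, and runs the same check against both. The marker header name, the handlers and the ports (chosen by the OS) are assumptions made for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HardenedHandler(BaseHTTPRequestHandler):
    """Serves GET only. TRACE falls through to the 501 Unsupported method reply of the base class."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        pass  # keep the audit output free of per-request server logging


class TraceEnabledHandler(HardenedHandler):
    """Constructed stand-in for a misconfigured server: echoes the request back, as TRACE does."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def check_trace(host, port, path="/"):
    """Send a TRACE request with a marker header; TRACE is enabled if the marker is echoed back.

    Checking for the marker, not just a 200 status, avoids a false positive from a
    server that answers every method with its home page.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"X-Audit-Marker": "trace-audit-marker"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    enabled = resp.status == 200 and b"trace-audit-marker" in body
    return {"status": resp.status, "trace_enabled": enabled}


def serve(handler):
    """Start a local HTTP server on a free port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_both():
    """Run the TRACE check against the misconfigured and the hardened local server."""
    results = {}
    for name, handler in (("misconfigured", TraceEnabledHandler), ("hardened", HardenedHandler)):
        srv = serve(handler)
        try:
            results[name] = check_trace("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in audit_both().items():
        print(f"{name}: HTTP {result['status']}, TRACE enabled: {result['trace_enabled']}")
```

Against a real server the same `check_trace` call is all that is needed; the finding for an audit report is the echoed marker, and the fix is to disable the method in the web server configuration and re-run the check to confirm it now returns an error status.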
Rules of engagement
Rules of engagement (RoE) deal with the manner in which the penetration test is to be conducted. Some of the directives that should be clearly stated in the rules of engagement before you kick-start the penetration test are as follows:
• Black box testing or Gray box testing
• Client contact details
• Client IT team notifications
• Sensitive data handling
• Status meeting
Black box testing or Gray box testing
There are do’s and don’ts of both ways of testing. With Black box testing, you get an exact view of an attacker, as the penetration tester starts from scratch and tries to identify the network map, the types of firewalls you use, which internet-facing websites you have, and so on. But you need to understand that at times this information might be easily obtained by the attacker. For example, to identify the firewall or the web server that you are using, a quick scan through the job postings on job portals by your company could reveal that information, so why waste your precious dollars on it? In order to get maximum value out of your penetration test, you need to choose your tests wisely.