Scenario 5: External Attack Against a Webserver

Synopsis

One common way attackers gain unauthorized access to an enterprise environment is through the victim organization's Internet-facing web infrastructure. For instance, in July 2017 Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that held the documents used to resolve consumer disputes (see figure 1).

The Equifax breach gave the attackers access to the personal information of at least 145.5 million individuals, and the organization incurred more than $1 billion in clean-up costs.

This shows how damaging and costly an attack against a web server can become if it is not prevented, or detected and contained in a timely manner. As figure 1 depicts, the attacker's first step was to scan the target server for a vulnerability that could be exploited. Once a critical vulnerability was found and exploited, the attack progressed through further stages and ended in significant business impact.

You can learn more about this high-profile data breach here:
https://www.gao.gov/products/gao-18-559

Figure 1: Equifax's account of how attackers exploited web server vulnerabilities to steal the PII of millions of individuals in its 2017 data breach

The Challenge
In this scenario, an external bad actor launched a series of attacks against a web server in an enterprise environment. As a tier 1 SOC analyst, your immediate task is to conduct the initial investigation of the incident and gather enough data for a more experienced member of your team to carry out a more in-depth investigation.

Using the alerts generated by the SIEM tool, detect and analyze the associated suspicious activities and answer the questions that follow. Figure 2 outlines the steps to follow in solving this challenge; each step has one or more questions that should be answered.

Hints

Event Timeline:             March 1 to June 7, 2022
Scenario Complexity:        Medium
Estimated Completion Time:  ≤ 45 minutes

Target Competencies (CWF Ref)

1. Working knowledge of characterizing and analyzing network traffic to identify anomalous activity and potential threats to network resources. (T0023)

2. Ability to correlate security events using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. (T0166)

3. Ability to analyze network alerts received from various sources within the enterprise to determine possible causes of such alerts. (T0214)

Copyright © 2022 CYBERATION LLC. All Rights Reserved


Identify Reconnaissance Activities

1. How many authentication failure and success events can you observe on the dashboard?
2. How many web server error codes originated from the same source?
3. What tool was used to conduct the scan?

Classify and Prioritize Alerts

4. What is the total number of level 10 alerts?
5. Which attack triggered a level 15 alert?
6. How many unique alerts are rated level 12 or above?

Further Analyze Identified Attacks

7. How many times was a Shellshock attack detected?
8. How many of those attacks succeeded?
9. How many times was a SQL injection attack attempted?
10. If there were SQL injection attacks, how many of them succeeded?
11. How many attacks (Shellshock and/or SQL injection) originated from the same source?

Note: the events are timestamped in Coordinated Universal Time (UTC). If your local time zone is far from UTC, timestamps read off your local clock will be off by that offset, so convert before answering. You can use https://www.utctime.net/ to validate your conversions.
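The SIEM dashboard does this work for you in the scenario, but it helps to see what the underlying checks look like. The following is an added example, not part of the CYBERATION workbook or of any SIEM it uses: it parses a handful of constructed Apache combined-format access-log lines and sshd auth-log lines (source addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and answers the reconnaissance and attack questions from them. The scanner User-Agent list and the SQL-injection signatures are illustrative, and "succeeded" uses the heuristic many web-attack SIEM rules use, namely that the attack request received a 2xx response; that heuristic is an assumption here, not something the scenario states.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format; assumed for the constructed lines below.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent fragments of common scanners (lower-case); the list is illustrative.
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "gobuster", "dirbuster", "wfuzz", "nuclei")
# Shellshock (CVE-2014-6271) payloads start with a bash function definition: "() {".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# A small set of SQL-injection signatures; production SIEM rules are much broader.
SQLI_RE = re.compile(
    r"(?i)(union\s+select|'\s*(or|and)\s*'|'\s*(or|and)\s+\d+\s*=\s*\d+"
    r"|;\s*(drop|delete|insert)\s|sleep\s*\(\d+\))"
)

# Constructed sample data (not from the scenario); timestamps are UTC like the scenario's events.
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2022:10:15:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'id'"
203.0.113.7 - - [01/Mar/2022:10:15:03 +0000] "GET /login.php?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [01/Mar/2022:10:15:04 +0000] "GET /admin/ HTTP/1.1" 404 221 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [01/Mar/2022:10:15:05 +0000] "GET /backup.sql HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6)"
198.51.100.9 - - [01/Mar/2022:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [01/Mar/2022:10:17:00 +0000] "GET /products.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 330 "-" "Mozilla/5.00 (Nikto/2.1.6)"
198.51.100.23 - - [02/Mar/2022:03:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :; }; echo vulnerable"
"""
AUTH_LOG = """\
Mar  1 10:14:50 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  1 10:14:53 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  1 10:14:57 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  1 11:02:11 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.9 port 40210 ssh2
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["path"] = unquote(ev["path"])  # decode %27, %20 etc. before signature matching
        events.append(ev)
    return events


def error_codes_by_source(events):
    """Q2: 4xx/5xx responses per client IP, the noise a scanner leaves behind."""
    return Counter(e["src"] for e in events if e["status"] >= 400)


def scanner_tools(events):
    """Q3: client IPs whose User-Agent names a known scanner, and which one."""
    tools = defaultdict(set)
    for e in events:
        seen = {t for t in SCANNER_UA if t in e["ua"].lower()}
        if seen:
            tools[e["src"]] |= seen
    return dict(tools)


def classify_attacks(events):
    """Tag each request with every attack class it matches in path, User-Agent or Referer."""
    tagged = []
    for e in events:
        hay = " ".join((e["path"], e["ua"], e["referer"]))
        for kind, rx in (("shellshock", SHELLSHOCK_RE), ("sqli", SQLI_RE)):
            if rx.search(hay):
                tagged.append({"src": e["src"], "kind": kind, "status": e["status"], "ts": e["ts"]})
    return tagged


def summarize_attacks(events):
    """Q7-Q11. "Succeeded" is the heuristic assumed here: the attack request got a 2xx reply."""
    tagged = classify_attacks(events)
    summary = {"by_source": Counter(t["src"] for t in tagged)}
    for kind in ("shellshock", "sqli"):
        hits = [t for t in tagged if t["kind"] == kind]
        summary[kind] = {"attempts": len(hits),
                         "succeeded": sum(1 for t in hits if 200 <= t["status"] < 300)}
    return summary


def count_auth_events(text):
    """Q1: sshd authentication failures vs. successes."""
    c = Counter()
    for line in text.splitlines():
        if "Failed password" in line or "authentication failure" in line:
            c["failure"] += 1
        elif "Accepted " in line:
            c["success"] += 1
    return c


if __name__ == "__main__":
    events = parse_access_log(ACCESS_LOG)
    print("auth events:", dict(count_auth_events(AUTH_LOG)))
    print("error codes by source:", dict(error_codes_by_source(events)))
    print("scanner tools:", scanner_tools(events))
    print("attacks:", summarize_attacks(events))
```

On the constructed data the same source, 203.0.113.7, accounts for three error responses, identifies itself as Nikto, and sends one Shellshock and two SQL-injection requests; a second source sends a Shellshock probe that gets a 404. Note that a 500 on an injection attempt is still an attempt, and a 2xx only suggests success; confirming it needs the server-side evidence the tier 2 analyst will look for.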

