After an application failure, understanding the causes of the incident is paramount. To do so, there is a method called post-intrusion analysis, also known as Forensic.
It is a method in accordance with the 5 W’s. Where : Which machines have been compromised? Were there repercussions on another machine? It should be verified whether the IS has been affected and whether the compromise has spread. What : which data and files have been exfiltered. Who : Find the IP responsible for the initial compromise. Why : Was the attack targeted or opportunistic? What was the end goal? Was it about undermining cryptocurrency? To steal bank or customer data? When : When did the compromise occur? In fact, it often takes several weeks or even months to realise it.
First of All…
Before performing any service, a certain amount of customer information must be available. Firstly, the location of the application logs is essential. In fact, there are as many ways to manage a machine as there are system administrators.
It is necessary to obtain a quick history of the facts (what and when) so that the right period of time can be analysed.
Finally, the customer and the teams must provide the timestamps as well as the corrections already carried out. Without this, the Forensic teams might confuse actions carried out for corrective purposes with those of the attacker.
A Study of Compromise
Once all of these elements are present, the analysis can begin. The journals are studied in order to retrace the breadcrumb trail that they represent. The aim here is to target the actions carried out at the time of the compromise (access to a backdoor ,among others). In most compromises, perpetrators use multiple IP addresses. In this particular case, retrieving all of the actions performed by the latter can quickly become tedious. This is why it is preferable to limit this by defining a search by keywords in the logs and by relying on the skills of the analysts. In the case of a backdoor repository, for example, it would be possible to search for all POST queries that returned a code 200 as well as traces of SQL injections and the names of files identified as malicious.
It then becomes possible to trace the actions that led to the compromise and, more importantly, the method used during the attack. Let’s emphasise the fact that the compromise most often results from obsolete site components. It goes without saying that in this case, it is useful, if not essential, to identify the versions of the components deployed on the server. Nevertheless, this verification can only be carried out by the teams having control of the server. When this is not possible, we use Wappalyser, an internally developed tool based on open source. It enables a correlation between all detected versions and the associated vulnerabilities. Once these vulnerabilities have been identified, the next step is to find the vulnerability with a similar purpose to the one targeted on the server. If this identification is positive, it is still necessary to find out if a Public Exploit is accessible. This method makes it possible to determine if that flaw was the one used during the attack.
Identification of Compromised Files
Once the compromise scenario is known, it is still necessary to examine the files on the server and to identify the malware.
A Forensic analysis of a LAMP environment is carried out using a PHPMalwareFinder. It allows you to identify suspicious files with a corrupted code or potentially dangerous actions.
When these files are identified, they are analysed in order to understand their usefulness and function. It must also be ensured that they do not have permanent access to the platform.
Finally, once this task has been completed, it must be investigated whether the attacker has altered configuration files or the system through user creations or by adding a recurring task.
With the why and how of the compromise defined, it is time to move on to recommendations.
The first recommendation is to act within the legal framework. After the results of the analysis, it is necessary to indicate if personal data theft has taken place. If this is the case, the victim(s) must report this to the FDPC as part of data regulation.
Finally, a support strategy is necessary in order to avoid a new compromise. This support involves application measures such as changing passwords or a pedagogical approach to implementing best practices.
With 20 years experience, our teams are able to help you carry out these post-intrusion analyses. In addition, we have a variety of solutions available through our secure cloud.
Need support? Contact us!