Friday, January 29, 2010

Coast to Coast - An Incident Response Article

Disclaimer:
The following is a report on an intrusion case that I dealt with many years ago. My involvement ended a long time ago, and neither party is named in this article.

The client was a financial institution, referred to here simply as "the bank." Some techniques and details of this incident are omitted, for obvious reasons. Names and specific locations have also been changed. There are many ways to lead people and to handle incident response; that is why there are 31 flavors of ice cream.

Tuesday morning began like any other day. I was sitting in my office with my morning cup of coffee when my phone rang. My boss said he had received a call from a customer, the bank, stating that they were under attack by hackers. Until that day I had no knowledge of the bank's infrastructure, and I did not know whether their personnel had the experience or expertise to correctly distinguish an actual attack from a port scan, probe, virus, etc. From my experience working in security, I have come to know that many people apply labels such as "hackers" to events they do not quite understand.

The first information I had was sketchy at best. I learned that the bank had a firewall at the front end along with a NIDS, and that they were in the process of implementing an ASA solution in the infrastructure. I contacted the bank's Chief Information Officer as I grabbed my laptop bag and headed to their corporate headquarters. I wanted to get a first-hand assessment of the current situation. The details he gave me suggested they were seeing something more than a simple port scan or virus outbreak.

The CIO stated that they were having problems with an attacker repeatedly modifying the bank's customer login portal page. They believed the modified page allowed the attacker to collect the bank customers' ATM information in order to create duplicate ATM cards. Branch transaction reports showed the attackers successfully withdrawing customer funds. The bank was first alerted to the attacks when customers started reporting unauthorized ATM withdrawals from their accounts. The CIO said he had a "Band-Aid" solution in place, but they really needed to identify the point of entry and stop the attack. The temporary solution had reduced the frequency with which the page was modified but had not stopped the attack completely. As I drove to the corporate office, I knew the next few hours were going to get interesting.

After a quick meet and greet with the staff and management in the conference room, I had to get the flow of information started quickly and begin collecting logs. Since the staff had not identified the point(s) of entry, I asked for a network infrastructure diagram, including all segments and in particular all entry points into the network. In addition, I asked for a copy of the firewall logs and configuration, the router configuration, access logs, IDS logs, IIS logs, event logs from the web server, and SQL logs. On the positive side, most of the logs appeared to be available, and for some the history already stretched back several months. I asked for two copies of each log: the first copy with the last 12 hours of activity and the second copy the complete log.

While the reports were being generated, I asked the staff to tell me what they knew for a fact. Speculation during the information-gathering phase can cause more trouble than good, leading to wild goose chases and a loss of focus on the facts. The MO described by management and staff suggested this was a fairly complex operation involving a group of one or more people.

The staff stated that they had experienced an identical attack in previous years, which resulted in a loss of around $30,000 in unauthorized ATM withdrawals. That led the staff to make various changes to the firewall configuration, introduce an IDS for monitoring, and change existing systems and network devices. The attacks stopped after those changes were made, so it was assumed the problem had been corrected. The current attack cycle had already led to losses of about $25,000 and growing; time was a luxury they could not afford. The initial attack profile the staff developed from the previous and current attacks showed that within 10-20 minutes of a customer's financial information being collected, the attackers were making an ATM withdrawal from that customer's account. The withdrawals were at the bank's maximum withdrawal limit of $400 per day. If there were not enough funds in the account, the attacker repeated the process with the next counterfeit ATM card. This method was confirmed on the ATM surveillance cameras. To slow the attackers, the bank suspended all ATM transactions throughout Anyplace, Florida, where the illicit transactions were occurring. The unauthorized transactions began soon after in Anywhere, California. ATM surveillance cameras and transaction reports confirmed that the attacker was at that location using the same MO as in Florida.

The staff had installed an automated website publishing program that monitored the content of the customer login portal on a regular basis and republished the original page whenever a modified page was found. This stop-gap measure reduced the attack frequency to once every few hours. At this point the bank decided to seek outside help, and I was called.

Presented with these facts, I began sifting through the growing pile of logs, documents and diagrams. As it stood, the source of the attack appeared to be the Internet, but it could also have been internal or have come through a backdoor. Several infrastructure changes had been made recently that were not documented on the master diagram and were being added to it on the fly. A modem bank resided on the network but was ruled out because it was disabled and had only been used for vendor remote access. The diagram showed that each branch connected back to corporate through a VPN tunnel. There were only two connections to the Internet, a primary and an alternate for DR purposes. The backup link was verified as inaccessible from the outside. The web server sat on a network segment separate from the corporate network and was fed by a SQL server inside the corporate network. Once all the requested logs had been collected, I started a Nessus scan of the internal network to help find any undocumented servers, services or communications equipment that could be the source. Multitasking and efficiency are the name of the game.

The firewall logs showed no sign of malicious traffic coming through. Looking back at the IDS logs did not turn up anything either; the reason for this is covered later. In addition, the firewall configuration did not contain any "ANY" source/service rules or configuration errors. The router logs held no relevant information. Doing any kind of event correlation was beginning to look bleak. The IIS logs were the largest and took the longest to acquire, because they had to be burned onto a CD. I began searching the web server logs for every request for the customer login portal page. Because of that page's function, the search yielded several thousand entries. Deep in those thousands of entries was an HTTP request containing "xp_cmdshell". Using this SQL extended stored procedure, an FTP GET request was sent to a remote server and the modified page was published on the web server. This had to be it, but it did not explain why the firewall or IDS had not logged or alerted on it. The source IP address of the HTTP request was the external interface of the firewall. A follow-up status meeting refocused the response.
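The log search described above, as an added example that is not part of the original article: a small Python script that parses a constructed IIS W3C log excerpt, URL-decodes each request for the login page, and flags requests that invoke xp_cmdshell or similar MS SQL extended stored procedures. The log lines, field list, page path and client address are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log excerpt (not the bank's real logs).
# The hit on 09:15:02 uses %5F for the underscore, which a plain
# grep for "xp_cmdshell" on the raw line would miss.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-12-01 09:12:03 203.0.113.10 GET /login.asp - 200
2009-12-01 09:12:41 203.0.113.10 POST /login.asp user=jdoe 200
2009-12-01 09:14:17 203.0.113.10 GET /login.asp user=a'%3Bexec+master..xp_cmdshell+'ftp+-s%3Ac.txt'-- 500
2009-12-01 09:15:02 203.0.113.10 GET /login.asp user=a'%3Bexec+master..xp%5Fcmdshell+'dir'-- 200
2009-12-01 09:16:30 203.0.113.10 GET /images/logo.gif - 200
"""

# Indicators of command execution through MS SQL extended stored procedures.
# Matched against the DECODED query string so percent-encoding cannot hide them.
SUSPICIOUS = re.compile(
    r"(xp_cmdshell|sp_oacreate|xp_regwrite|exec\s+master\.\.)", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per log entry, using the #Fields header as column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_suspicious_requests(text, page="/login.asp"):
    """Return (timestamp, client ip, status, decoded query) for hits on the portal page.

    Note: c-ip may be a firewall or proxy address rather than the true client
    (as happened in the article), so correlate hits with firewall/router logs.
    """
    hits = []
    for row in parse_iis_w3c(text):
        if row.get("cs-uri-stem", "").lower() != page:
            continue
        decoded = unquote_plus(row.get("cs-uri-query", ""))
        if SUSPICIOUS.search(decoded):
            hits.append((row["date"] + " " + row["time"],
                         row["c-ip"], row["sc-status"], decoded))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(" | ".join(hit))
```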

I presented my findings to the staff and was informed that one of the undocumented infrastructure changes had put IIS and SQL on the same server. The SQL server had been moved onto the web server on the recommendation of their own "security" man; I later learned the basis for the move was a past event in which a porn server had been found on the bank's network. (Go figure.) Now that the method had been identified, the next step was to see how bad the configuration was and fix it.

Checking the permissions on the IIS/SQL server turned up a variety of default permissions on the operating system, IIS and SQL. Strangely enough, the permissions on the IIS log directory had been set appropriately. I can only assume that the attacker either could not access the logs, did not know how, or did not care. I was able to separate the web server and SQL server relatively quickly by following a secure build document and a hardening checklist. There were also some code changes the developers needed to make. Once everything looked good and the two servers had been tested, I started investigating the remaining mystery questions.

Why did the web server record the firewall's address as the source, as if the web server were on a separate segment? It turned out that the IIS server had originally lived on the corporate network, and when it was moved, the routing table on the router was never updated. Traffic destined for the web server was forwarded to the firewall, which in turn passed it on to the web server. It was one of those strange routing situations that one would think could not work, but it does. Long story short, the routing table was updated.

Why did the IDS not alarm on these attacks? The IDS had been placed between the firewall and the router, a first-class location. However, it was connected to a switch that did not support port spanning, so it never saw the traffic. The staff had falsely "proven" the IDS functionality by attacking the device directly. As a temporary solution, the switch was replaced with a hub until a proper solution could be implemented. It is not the cleanest solution, but it worked in the meantime.

Why did the firewall show no sign of this traffic? The firewall was not configured to log successful inbound connections. It did log successful outbound traffic, which allowed me to rule out the corporate network as the source of the attack. Connection logging can fill up the storage on a device very quickly, and that was the case here. I alleviated this by configuring a remote syslog server for the firewall and router logs.

In summary, I located the source of the attack later that day. It turned out to be a compromised server in Sweden belonging to an excavation company. I informed them of the intrusion and asked if they would look into it. I tracked the source of the modified customer login portal page to a "free" hosting site in Tennessee and made a similar request there. The bank said they did not want to pursue the attackers, even though they had the ATM video and had lost more than $50,000. They felt the negative PR was not worth it. Management also said they had been told by the local FBI office, in so many words, that unless the loss exceeded $100,000 the FBI would not really get involved. This statement was never verified.

This intrusion could have been found more quickly if I had obtained the web server logs at the beginning, but that was the hand I was dealt at the time. Hindsight is always 20/20. In the days that followed, the attackers tried the same method and many other variants, including scans and probes, but without success. It would have been nice to have been given the opportunity to identify and go after this group. However, it did make for an interesting day in the fight against the bad guys.


