
Lec 14

The document discusses methods for responding to security incidents affecting web applications. It covers containment techniques like blacklisting IPs, increasing server capacity, and using web application firewalls. It also discusses eradication steps like addressing directory traversal, SQL injection, and cross-site scripting vulnerabilities. The document provides guidance on recovery actions like scanning for malware, elevating logging, and restoring from backups.


Responding to Security Incident

Dr. Lamiaa Basyoni


Responding to Application Security Incidents

Containment

Listing:

• Blackhole Feature: Enable the blackhole feature on the web application to drop requests from the same source after a limit.
• Blacklist IPs: Blacklist or block single IPs if the attack seems to originate from them.

DoS:

• Increase Server Capacity: Upgrade server capacity to handle more connections and deter low-and-slow attacks.
• Use Anti-DDoS Services: Employ services like CloudFlare for DDoS protection and maintaining web application availability.
• Manage Authenticated User Load: Define limits for authenticated users' load on the web app and terminate old requests for new ones.

Filtering:

• Filter Traffic with Special Routers: Use routers to separate legitimate traffic from incoming traffic, based on protocols and patterns.
• Traffic Flow Restriction: Restrict traffic flow from compromised systems and networks.
• Use Web Application Firewall (WAF): Deploy a WAF to monitor and block potential threats.
• Enable Egress Filtering: Restrict traffic flow from compromised systems using egress filtering.
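As an added illustration of the blackhole and IP-blacklist containment steps above (example code written for this page, not from the lecture; the class, parameter names and the sample addresses are constructed assumptions), a per-source sliding-window limiter that drops a source's requests once it exceeds the limit and keeps it in the blackhole for a hold period:

```python
import time
from collections import defaultdict, deque


class SourceBlackhole:
    """Per-source request limiter (constructed example).

    A source that sends more than `limit` requests inside a sliding
    `window` of seconds is blackholed: every further request is dropped
    for `hold` seconds. Sources on the manual `blocklist` are always dropped.
    """

    def __init__(self, limit=100, window=10.0, hold=300.0, blocklist=None):
        self.limit, self.window, self.hold = limit, window, hold
        self.blocklist = set(blocklist or [])  # manually blacklisted IPs
        self.hits = defaultdict(deque)         # ip -> request timestamps
        self.holes = {}                        # ip -> time the blackhole expires

    def check(self, ip, now=None):
        """Return "allow" or "drop" for one request from `ip`."""
        now = time.monotonic() if now is None else now
        if ip in self.blocklist:
            return "drop"
        expires = self.holes.get(ip)
        if expires is not None:
            if now < expires:
                return "drop"
            del self.holes[ip]         # hold period over; start counting afresh
            self.hits[ip].clear()
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) > self.limit:
            self.holes[ip] = now + self.hold
            return "drop"
        return "allow"


def simulate():
    """Constructed traffic: one bursting source, one steady source, one blacklisted."""
    bh = SourceBlackhole(limit=5, window=10.0, hold=60.0, blocklist=["203.0.113.9"])
    return {
        "blocklisted": bh.check("203.0.113.9", now=0.0),
        "burst": [bh.check("198.51.100.7", now=0.5 * i) for i in range(8)],
        "still_dropped": bh.check("198.51.100.7", now=30.0),
        "released": bh.check("198.51.100.7", now=70.0),
        "steady": [bh.check("192.0.2.5", now=3.0 * i) for i in range(8)],
    }


if __name__ == "__main__":
    print(simulate())
```

A production limiter would live in front of the application (WAF, reverse proxy or the application framework's middleware) and would also expire idle entries so the tables cannot grow without bound.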
Containment

• Negotiate with Attackers: Negotiate with attackers in certain incidents to buy time for management approvals and minimize data loss.
• Regular Malware Scans: Perform malware and virus scans and delete browser cookies regularly.
• Vulnerability Scanning: Scan for injection and session-based vulnerabilities and patch them.
• Indicator of Compromise Detection: Check for indicators of compromise across servers and applications and remove them.
Containment Methods

• Whitelisting/Blacklisting
• Web Content Filtering
• Proxy Servers

Whitelisting/Blacklisting

An application whitelist is a list of authorized applications that are legitimate and safe to be present and active on a computer in an organization.

Any application present in the application blacklist is not permitted due to its association with malicious activity.

Application whitelisting is considered more reliable and effective in mitigating security incidents.

Whitelisting/Blacklisting: Tools
Web Content Filtering

Web content filtering helps incident responders filter web applications used by attackers to host malware or to launch phishing and spam campaigns.

The main aim of web content filtering is to restrict the use of web applications that are unsafe if they are run or executed on the system.

Incident handlers should perform web content filtering to prevent employees from accessing web pages that may contain computer viruses or malware.

Web Content Filtering: Tools
Proxy Servers

Proxy servers act as doorways between the user and the web applications browsed by the user.

They are used to prevent IP blocking and maintain anonymity.

There are several advantages of using proxy servers: they provide a high level of privacy and protect the users and the organizational network from harm caused by malicious activities.

Incident handlers should use proxy servers in order to filter the web traffic, either explicitly or transparently.

Proxy Servers: Tools
Eradication

Directory Traversal Attacks:
• Define access rights to the protected areas of the website.
• Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as Unicode encoding used to effect the directory traversal.
• Web servers should be updated with security patches in a timely manner.

Cookie/Session Poisoning Attacks:
• Do not store plain text or weakly encrypted passwords in a cookie.
• Implement cookie timeouts.
• Cookie authentication credentials should be associated with an IP address.
• Make logout functions available.
Eradication

XSS Attacks:
• Ensure that the application performs proper validation of all the parameters of a user request, such as headers, cookies, query strings, form fields, and hidden fields, against a rigorous specification.
• Use testing tools extensively during the design phase to eliminate such XSS holes in the application before it goes into use.
• Meta-characters are suspicious and might cause an XSS attack on the web servers; incident handlers must encode input and output for

SQL Injection Attacks:
• Limit the Length of User Input:
• Isolate Database Server and Web Server: The web server runs in a DMZ as it should provide access to the public, and if the attackers compromise it, they can also use its privileges to access the database.
• Implement user input validation and sanitization to restrict malicious SQL queries to the web server and database.
• Use Typesafe Variables or Functions: The responders should make sure that the server
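The eradication advice above for directory traversal, cookie/session poisoning, XSS and SQL injection, shown as vulnerable and hardened Python side by side (added example written for this page, not from the lecture; the document root, the sqlite schema, the session dict layout and the function names are constructed assumptions):

```python
import os
import sqlite3
from html import escape
from pathlib import Path

PUBLIC_ROOT = Path("/var/www/public").resolve()  # assumed document root (constructed)


def resolve_public_path_vulnerable(name):
    # Vulnerable: trusts the client-supplied name, so "../" walks out of PUBLIC_ROOT.
    return os.path.normpath(os.path.join(PUBLIC_ROOT, name))


def resolve_public_path(name):
    """Hardened: resolve first, then require the result to stay under PUBLIC_ROOT."""
    candidate = (PUBLIC_ROOT / name).resolve()
    if candidate != PUBLIC_ROOT and PUBLIC_ROOT not in candidate.parents:
        raise PermissionError("path escapes the document root")
    return candidate


def setup_db():
    """Constructed sample users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: the value is spliced into the SQL text, so quotes change the query.
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user(conn, username, max_len=32):
    """Hardened: bounded input length plus a parameterised (type-safe) query."""
    if len(username) > max_len:
        raise ValueError("username too long")
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(name):
    """XSS: encode user-controlled output so meta-characters render as text."""
    return "<p>Hello, %s</p>" % escape(name, quote=True)


def session_valid(session, now, client_ip, max_age=900):
    """Cookie/session hardening: idle timeout plus binding to the issuing IP."""
    return now - session["issued"] <= max_age and session["ip"] == client_ip
```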
Recovery

• Scan all the web application resources, such as servers and databases, for malware and traces of attack and remove them.
• Elevate logging and monitoring levels of the web application to gather realistic information about the latest events.
• Check the web application backups for traces of attack and clean them.
• Remove the malware from the affected applications and their resources.
• Change the administrative passwords of all the devices and resources.
• Configure firewall, IDS, and other security solutions to detect the identified attack using signatures and behavior analysis.
• Identify the compromised user accounts from the web server and remove those accounts after informing the users.
• Use the cleaned, verified, and patched backup version of the web application to restore the services.
• Check if the application has recovered completely along with the user accounts, privileges, and configurations.
• Restart any services terminated as a part of the containment process.
• Restore the web servers and databases from clean and trusted backups.
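One way to carry out the "detect the identified attack using signatures" and "identify the compromised user accounts" recovery steps over web server access logs (added example written for this page, not part of the lecture; the log lines, addresses and account name are constructed, and the regular expressions are illustrative rather than any product's rule set):

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.9 - alice [10/Oct/2023:13:56:02 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
203.0.113.9 - alice [10/Oct/2023:13:56:09 +0000] "GET /profile?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /about.html HTTP/1.1" 200 1410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Illustrative signatures for the attack classes the eradication slides cover.
# They run over the URL-decoded path so percent-encoded variants are caught too.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "sql_injection": re.compile(r"'\s*or\s*'|\bunion\s+select\b|;\s*drop\b", re.I),
    "xss": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def scan_log(text):
    """Return (ip, user, attack_type, decoded_path) for every signature hit."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, sig in SIGNATURES.items():
            if sig.search(rec["decoded_path"]):
                hits.append((rec["ip"], rec["user"], name, rec["decoded_path"]))
    return hits


def summarize(hits):
    """Sources to block and authenticated accounts to review, per the recovery slide."""
    sources = Counter(h[0] for h in hits)
    accounts = sorted({h[1] for h in hits if h[1] != "-"})
    return {"sources": dict(sources), "accounts": accounts}
```

The source counts feed the firewall/IDS blocking decision and the account list feeds the "inform the users, then remove the accounts" step; a real deployment would also decode request bodies and headers, not only the path.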
Responding to Insider Incidents

Containment

• After detecting the incident, incident responders must isolate the affected systems.
• The IT and computer security team should block the suspect's organizational email account and network credentials, and seize their desktops, laptops, mobile devices and other devices.
• Seize the allocated devices and obtain proper permissions to seize their personal mobile devices that they might have used during the incident.
• The IR team should inform the concerned department affected by the insider and ask them to check for potential losses.
• They should also give strict guidelines to other employees to discourage tailgating, use of unauthorized drives, transfer of data using unencrypted means, and discussing confidential matters in common areas.
• Thoroughly check the suspect for portable devices carrying the stolen data and gather all the account data they used during the incident.
• Continuously monitor the employees, contractors, third-party vendors or outsiders identified as spies until the organization terminates them from the office.
• Register a proper complaint in the respective jurisdiction and take proper legal action.
Containment

• Restrict the suspect from entering organization premises.
• Issue guidelines to other employees about the insider to protect against manual information transfer.
• The HR team should block all access of suspicious employees and put them under continuous monitoring until further decision from the management.
• Order all the users to change their account and system passwords.
• Dismiss the privileges and credentials assigned to the user responsible for the incident, as required.
• Prosecute the employee responsible for the data breach as per law.
• Examine and contain attack vectors such as malware, portable storage devices, secret cameras, phone tapping devices, recorders, etc., used to spy.
• Prioritize the threats that lead to espionage and patch them.
Access Control
• The best method for controlling insider threats is limiting and controlling access.
• To eradicate insider attacks, the organization must allocate the least amount of
access and privileges to the employees that they require to perform their job.
• In case the employees require any additional privileges, they must obtain
permission from the authorities and scrutinize the necessity of additional
privileges before provision.

Data Encryption
• The organization should encrypt its data at all levels: at rest, in motion, and in
use.

• To ensure safe encryption standards, an organization should implement the usage of cryptographically generated random and multiple keys of at least 256 bits and sufficient length across its devices and applications.

Isolate the Storage

• Organizations should never store sensitive information on a networked computer.
• The storage systems and devices should not be accessible to regular network traffic, and only a few trusted individuals should have access to them.
• Store the devices, systems, servers, and databases in a secure environment with physical access restrictions.
• Use password and biometric authentication-based locks to protect these devices.
Change Passwords Regularly
• The organization should have a strong password policy to secure
critical data.
• The policy must mandate all the employees to change their
passwords at regular intervals and keep them private. It must also
ensure that the employees lock their system before leaving the
workspace even for smaller intervals.
• The policy must prohibit the employees from exchanging their
system or account passwords or saving passwords on their
systems.
Data Centric Audit and Protection (DCAP)
• Organizations should adopt DCAP solutions in order to monitor and analyze user privileges, thereby detecting unauthorized changes made to these permissions.
• A DCAP solution can be used to automate the process of managing user accounts and monitoring of usage patterns.
• Organizations can set up a DCAP solution that includes automated tools to discover and classify their critical or sensitive data.
Recovering

• Gather the evidence required to submit in the court of law by performing the forensic process. This evidence will help the organization to claim insurance to recover the damages.
• If the stolen data impacts the user accounts, change the passwords of all the accounts and make it mandatory to use two-factor authentication. In case of stolen application data, use copyrights to prevent other companies from using it.
• If the attacker has damaged any data or placed malware, the incident responder must remove all the traces of malware and recover the data from backups.
• Implement recovery processes and backup to continue business operations after the incident.
• Develop and implement the data backup plan to recover data in case of any security incident or accidental data deletion.
• Secure the backup media and its content from alteration, theft, or destruction. The organization must ensure that the administrators perform regular backups and test them for integrity and availability.
• Implement separation of duties and configuration management procedures to perform backups on computer systems, networks, and databases.
• Implement a person-to-person rule to secure the backup process and physical media.
• Maintain a chain-of-custody document for accessing and handling backup media.
Recovering
Developing a data backup plan requires the investment of time and money, but it is far better than the burden of recreating data. The primary task is to understand what data to back up and protect. As a part of the data backup plan, determine the following:
• What data to back up?
• Which compression method to use?
• How often backups need to run?
• What type of backups to run?
• What kind of media to use for backup?
• Where to store backup data to keep it secure?
Responding to Malware Incidents

Containment

• After confirming the presence of malware, separate the compromised host from the operational network.
• The incident responder must simultaneously gather and analyze network logs of the system to find the events of malware propagation through shared files and connected systems.
• In case the malware has compromised multiple systems, you must cut the network services of these systems and prioritize them according to the importance of the affected host for business continuity.
• Allow the connections through an access control network or VPN for the non-compromised devices.
• Use separate virtual local area networks (VLANs) for infected hosts to find the processes the malware employs to join the network when connected.
• Start analysis of the compromised host to find the malware signature, pattern or behavior that you can use to contain the incident.
Containment

• Disable the targeted services, applications and systems until the exploited vulnerabilities are patched.
• Run host-based antivirus, firewall, and intrusion detection software.
• Run registry monitoring tools to find malicious registry entries added by the backdoor.
• Block all unnecessary ports at the host and firewall.
• Remove or uninstall the program or application installed by the backdoor Trojan or virus.
• Remove the malicious registry entries added by the backdoor Trojan.
• Delete malicious files related to the backdoor Trojan.
Eradication

Content Filtering Tools

• An organization must make use of various tools that can mitigate malware threats.
• Antivirus software, intrusion prevention systems (IPS), content filtering tools, and firewalls can help the IRT team in blacklisting the malware.
• Content filtering tools are highly useful when blocking malware with static characteristics, such as strings and loaders.
• For example, a responder can block malicious spam mail by configuring the email servers and clients, and anti-spam software, to filter suspicious mails based on their attributes such as content, name and type of attachment, origin of the mail, its signature, etc.

Network Security Devices

• Network connectivity of the compromised host plays a major role in the spread of malware and in establishing communication between the attacker's tool and its command and control server. Thus, it is very effective to impose temporary restrictions on network connectivity to curb such malware's attempts to compromise other hosts.
• Incident responders must disconnect the compromised devices by blocking their IP addresses or physically removing their network cables. This approach includes isolation of uncompromised subnets from the main network or eliminating network access to remote VPN users. For example, the responder can keep servers and workstations on separate subnets to ensure minimal disruption of functionality.
• IPS devices can prevent malware based on their signatures and heuristics. An inline network-based IPS can identify and block the malware from entering the organization's hosts. An incident responder should reconfigure IPS sensors based on the severity of the infection. The IPS devices can contain the spread of malware occurring from both incoming and outgoing attacks. Also, a responder can customize them based on the malware attributes and signatures.
Blacklist

• An incident responder can also use the blacklisting technique to block malware from executing.
• This method is applicable even if the responder did not receive malware signatures from the vendor.
• For this, the incident responder can simply enter the names of the files that should not be executed into operating systems, host-based IPS products, and other security tools in the network.
• Antivirus tools can quarantine and contain existing malware but may not be very effective in case of new malware. An incident responder should hence update the antivirus software with the latest signatures.

Antivirus Tools

• A responder may eradicate malware by cleaning with antivirus, quarantining with antivirus software, using malware removal tools, through manual intervention, vulnerability management technologies, and using network access control software. An organization may also use automated eradication methods, such as triggering antivirus scans remotely.
• To remove the binaries and the related registry entries, the responders should run a full antivirus scan. For this they should use antivirus software that contains updated signatures. An incident responder may also run an online antivirus scan or make use of best practices that antivirus vendors suggest.
• Responders should remember that while eradicating sophisticated malware, rebuilding the system is the safest approach. An incident responder can rebuild the system from a trusted source, such as a system installation disk or a clean system image.
Eradication

Updating the Malware Database

• Update the malware databases in the organization with the signatures of newly found malware and also report the same to the malware vendors and antivirus developers. Save the signatures in the form of hashes for future reference by the organization as well as for public recognition.

Fixing Devices

• Once the IRT team detects the vulnerabilities on their network that the malware has exploited, it must address them on the other systems in the network as well. Some examples are security misconfigurations, which an incident responder can rectify by implementing proper access controls, or vulnerabilities in shared drives, which a responder can update or stop using to contain the attack.

Manual Scan

• Run a full scan of the compromised system with an updated antivirus program to remove the malicious code, binaries, related registry entries, scheduled tasks and other files and folders related to the malware. Recheck the recovered devices for traces of malware before introducing them to the functional network.
Recovery

• The IRT must review and update the computer security and malware prevention policies as per the report and outcome of the recent malware incident.
• Inform and educate users, clients, stakeholders, and employees about the recent malware attack and actions that can prevent such incidents in future.
• The IRT should ensure that the organization follows an effective data backup and recovery process.
• The organization should identify critical hosts and install host-based IDSs on them, to monitor their traffic flow and to detect anomalies.
• The organization should educate its employees about safely dealing with email attachments.
Recovery

• The organization should restrict usage of removable devices on organizational systems, unless necessary.
• The responders should check whether all hosts have updated firewalls and antiviruses that can block the installation of spyware software.
• The organization should review and update its IR processes and facilities such that it can deal with malware incidents as quickly as possible with minimal losses.
• All the employees and users of the organization should have email filters that can spot and filter out spam.
• Organizations should use secure email clients with features such as digital signatures, PGP encryption, a scanning feature for attachments, and so on.
Thank you
