Responding to incidents that have been escalated by the Alert Logic® ActiveWatch™ team is an important part of maintaining a secure environment. The following information will help you better understand ways to respond to the five most common incidents that are escalated to Alert Logic customers.
For more information on the Alert Logic incident handling policy, or on managing incidents, see the following knowledge base articles prior to this article:
In This Article
- SQL Injection Incidents
- Apache Struts RCE Incidents
- Vulnerability Scans
- Brute Force Incidents
- Remote Code Execution Incidents
SQL Injection Incidents
SQL injection is the most common incident type that Alert Logic escalates to customers, and injection in general is number one on the OWASP list of top ten security risks. SQL injection attack attempts are designed to inject an unintended SQL query into your back-end database. These queries can result in sensitive database table information being returned, data being modified in the database, or the allowance of administration operations to be performed on the database.
The following mitigations should be considered in every organization that utilizes an SQL database. Alert Logic highly recommends that you consult with developers of these systems to ensure mitigations are in place. If they have not been implemented already, it is recommended that you consider the feasibility of implementing OWASP's SQL injection mitigations into your environment.
- Use prepared statements with the use of parameterized queries
- Implement stored procedures
- Validate user input
- Escape user-supplied input
- Consider enforcing Least Privilege on accounts
- Hash and salt passwords for stored user credentials
Apache Struts RCE Incidents
Apache Struts is an open-source framework used to create Java web applications. With the vast number of incidents that Alert Logic analyzes, the Apache Struts remote code execution (RCE) vulnerability is one of the most common incidents that we observe being targeted. This framework has been known for its exploitability, which can allow remote code to be executed on the vulnerable system and exfiltrate, modify, or delete data, etc. This vulnerability exists because of the lack of validation of user-provided untrusted input into the core of the Struts framework.
- Safely upgrade Apache Struts to the latest version, if not already done
- Consider implementing a web application firewall
There are many scanning tools that Alert Logic escalates incidents for, regardless of whether originating IP addresses are internal or external, and we escalate these by default. However, Alert Logic will not escalate vulnerability scans if a customer specifies that they do not want them escalated. Further, Alert Logic will not escalate vulnerability scans if the scan is originating from Alert Logic or a trusted vendor, unless the customer has specified that we should. Vulnerability scanners expose weaknesses on a network or application that may be exploited and that could expose sensitive information.
If unauthorized vulnerability scans are being performed against your network or applications, there are several mitigations that can be put in place to ensure that vulnerabilities and sensitive information are not exposed.
- Consider implementing a web application firewall
- Consider disabling unused ports or services
- Ensure that no pages are publicly accessible, unless specifically required
- Implement rate limiting, which throttles the number of requests an IP address can make during a specific time frame
- If the same IP address is scanning a network, consider blocking this address at the perimeter firewall
Brute Force Incidents
Brute force incidents are assigned various threat ratings based on factors such as persistence, impact, and indicators of success. There are numerous types of brute force incidents that Alert Logic escalates, including SSH, FTP, SMB, UNIX, Web Login attacks, etc.
A brute force attack may not always be the result of an attacker attempting to brute force accounts on your system. If the traffic is internal, this may indicate a misconfigured script attempting an authorized login with incorrect login credentials, ultimately triggering an incident. Several mitigations can be implemented if the attack is legitimate, or if it a misconfigured script.
- Confirm whether the activity is expected
- Consider updating any scripts used to log in that may have outdated credentials
- Ensure that default authentication credentials are not being used
- Implement a strong password policy for user accounts
- Add a delay when checking a password
- Lock out an IP address with multiple failed login attempts
- Implement device cookies
- Ensure all authentication methods use encryption
- Key-based authentication will massively reduce the chance of a successful brute force attack
- For HTTP-based brute force attacks, utilize generic custom error pages that will not indicate if the user exists; this can be something as generic as a 404 Not Found message
Remote Code Execution Incidents
Remote code execution is used as an umbrella term to describe an attacker's ability to remotely take control of or execute commands or code against a target system. This can be done by running arbitrary malicious software, exploiting vulnerable plugins, or exploiting a vulnerability that allows the machine to load its own code. The term 'remote code execution' is broad and encapsulates many incident types that Alert Logic observes and may escalate to the customer. Examples of common remote code execution incidents that Alert Logic escalates are PHPUnit eval-stdin.php, WordPress EasyCart, and Apache Struts.
Remote code execution vulnerabilities exist within many systems and programming languages. A common, high-profile example of this attack vector is the Apache Struts vulnerability, which is caused by a lack of input validation of untrusted user input. This results in Object Graph Navigation Language expressions being sent over the internet to be evaluated and ultimately leading to potential remote code execution.
Exploitation of remote code execution vulnerabilities vary in terms of delivery methods. These exploits may require some interaction from the victim, whether it be using a malicious email to coerce an unsuspecting user into downloading the malicious program or creating a server, hosting a website, and tricking the victim into clicking a malicious link to download the file.
Sometimes these exploits do not require any interaction from the victim, which is usually the result of vulnerabilities in software rather than the victim being tricked into clicking a malicious link or downloading a file. An example of a vulnerability being exploited to achieve remote code execution is CVE-2017-9841, where a vulnerability lies within the eval-stdin.php script used in versions before 4.8.28 and in 5.x before 5.6.3 of the PHPUnit software package. The vulnerability allows the attacker to inject a maliciously-crafted PHP payload, granting the attacker the ability to execute arbitrary commands on the target machine.
There are several mitigations that can be implemented to ensure that the risk of a successful remote code execution attack is lowered, and the attack surface minimized.
- Ensure that software, particularly including known vulnerable software, are updated to latest versions
- Consider implementing Least Privilege on accounts and permitting minimal access rights
- Avoid command line calls in code
- Escape user input
- Reduce attack surface by not exposing systems that do not need external access
- Consider implementing anti-virus tools and Extended Endpoint Protection, which would employ a layered defense