Credit Card/Hacks/Intrustion

(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Hi All,

I've joined a company that does work for retailers/cc companies when they have been compromised.

I'm kinda new to this arena, mostly working in a corp environment, and not really looking at hacks/cc stuff… so I have a lot to learn…

I would love some guidance in regards to what I should be looking at. I'm grateful to have a good team around me, but I still want to learn more and more…

I know about searching for T1/T2 data.
Compromise wise, what should I be looking for? I know there's the age old SQL injection (not sure what techniques are used today).

Also, the customers normally have webservers, so they have in the past been accessed via the online store, some sort of web server vuln? Again, what sort of thing should I look for in the logs etc.?

(Does anyone know of any good tools to be able to examine logs?) I don't want to use EnCase for everything!!

Any other advice would be greatly welcomed!

Thanks all

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I've joined a company that does work for retailers/cc companies when they have been compromised.

Well, since there's only one UK company on the QIRA list, that's sort of a dead giveaway! 😉

Compromise wise, what should I be looking for? I know there's the age old SQL injection (not sure what techniques are used today).

Also, the customers normally have webservers, so they have in the past been accessed via the online store, some sort of web server vuln? Again, what sort of thing should I look for in the logs etc.?

Every exam is different. One of the first things about these types of issues is understanding the traffic flow…where does sensitive data transit, and where is it stored or processed?

Getting down to the host level, a lot of times you really have no solid direction in which to proceed, even after detailed interviews with the customer/victim. Determining if a system was compromised is only the beginning, and really depends on what you have available. For example, do you have just an image of the system, or do you also have a memory dump? What are your log files telling you about what happened? Was it, as you reference, SQL injection, or was it something else?

(Does anyone know of any good tools to be able to examine logs?) I don't want to use EnCase for everything!!

Well, there's Perl, of course. Mandiant recently released Highlighter, so there's another tool.

However, tools are irrelevant if you don't know what you're looking for. The best tool to use for any log file analysis is that wet lumpy mass between your ears. 😉

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I've joined a company that does work for retailers/cc companies when they have been compromised.

Well, since there's only one UK company on the QIRA list, that's sort of a dead giveaway! 😉

Oops!!!

(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

lol thanks NOVA…

That wet lumpy mass is getting used a hell of a lot, I've learned a ton in the first week…, but I still want to up my game as they say and learn more and more.

I have vol data, looked at all the ports that are mapped, apps that are running, PIDs etc., nothing out of the ordinary for this one so far (webserver).

I have found some IIS logs, and there's a lot of what "looks" like automated attempts; could be Nikto or something along those lines due to the frequency of the attempts…

I'll take a look at Highlighter, thank you!

Back to log file stuff, I just wanted something that would make life a little easier (as it's hard enough looking at one log, but when you have a few thousand odd lines it can become a bit of a headache)!!!

(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Well anyway, loads to read and learn, but I am really enjoying it as well

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

lol thanks NOVA…

NoVA is the location…

That wet lumpy mass is getting used a hell of a lot, I've learned a ton in the first week…, but I still want to up my game as they say and learn more and more.

You'll need to…the PCI stuff can be a real mess.

I have vol data, looked at all the ports that are mapped, apps that are running, PIDs etc., nothing out of the ordinary for this one so far (webserver).

I have found some IIS logs, and there's a lot of what "looks" like automated attempts; could be Nikto or something along those lines due to the frequency of the attempts…

It won't be frequency…tools like Nikto have a definite signature. I'm willing to bet that you'll see signatures for Nessus nearby, as well.

One of the things you need to do now is go back to the customer and find out (a) who they contract with for PCI scans, and (b) what IP address(es) they come from.

Back to log file stuff, I just wanted something that would make life a little easier (as it's hard enough looking at one log, but when you have a few thousand odd lines it can become a bit of a headache)!!!

Exactly. Data reduction comes from knowing what you're looking for. SQL injection is pretty well documented by now, so that's easy…in fact, I would go so far as to say that the hardest part of examining IIS web server logs for traces or indications of SQL injection is just waiting for the scans to complete.

If you're looking for tools, there's grep, MS Log Parser, Perl, etc.
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Sorry Keydet, doing twenty things at once!!!
I'll go back and find out as and when the scans etc. were done (if they were done that is)…

I've found quite a bit on SQL stuff, so looking and analyzing now.

Yep, using grep and Perl; I'll have a play with the MS one as well.

Any other guidance will always be appreciated!!!

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Sorry Keydet, doing twenty things at once!!!

???

I'll go back and find out as and when the scans etc. were done (if they were done that is)…

The logs should include date-time stamps, so you will know when the scans were done.

Any other guidance will always be appreciated!!!

Not sure what else I can provide…by your own words, you're "doing 20 things at once". I've already provided guidance…the next step would be to do the work for you…

(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Sorry, meant go back and find out "if" the scans were requested by the customer!!

Ahhh, sounds like an offer I can't refuse lol… ;), but then I wouldn't be learning if I got you to do the work for me!!!!

(@jasonl)
New Member
Joined: 16 years ago
Posts: 1
 

Well, there's Perl, of course. Mandiant recently released Highlighter, so there's another tool.

However, tools are irrelevant if you don't know what you're looking for. The best tool to use for any log file analysis is that wet lumpy mass between your ears. 😉

Thanks for mentioning Highlighter! This is exactly what I was thinking when I started developing it. I'm one of the main Highlighter developers from Mandiant. Highlighter is meant to be a practical tool that can help in a variety of situations, and essentially augments that wet lumpy mass to help you find evil and solve crime faster.

Since each incident is a little different, we designed Highlighter to be useful whether or not you know what you are looking for. The unique field highlights feature can reveal patterns of interest that lead to finding evil. Also, the events over time histogram can help reveal anomalies associated with time. For more information on those functions, check out the user guide we made. I welcome any feedback and suggestions you might have. Feel free to contact me directly.

Fuzed, to address your question directly, a lot of knowing what to look for comes with experience. Personally, I look at these compromises as having two main categories of things to look for: 1) items related to the network compromise, and 2) items related to the financial/card processing compromise. When it comes to the network compromise, concentrating on finding access methods and malware is key. You will use information gathered to create a comprehensive list of both network and host-based indicators to use for scoping - this is very important. You can try and start with finding the initial compromise vector, but that is sometimes impossible, so I typically do not start there. You need to pick a spot and start there - try to get grounded with some facts about a system that was compromised and fan out from there. For the financial side, you need to get familiar with their card processing systems and flow. Then inspect those systems.

Most of the recent cardholder data incidents I have seen have involved a Web vulnerability - typically SQL injection. Usually a Web page that has nothing to do with the main business was the target. Also, most breaches do not involve anything like rootkits, because there is no need to. The hackers are successful without them.

A great log processing/analysis tool from Microsoft is LogParser. I use it quite a bit. LogParser can also collect information too. Check it out.

Good luck.
