Web servers are one of the critical vectors that threat actors have exploited to breach organizations. The breach at Equifax, which affected 143 million customers, is one such example: the threat actor gained access to the internal network and exfiltrated confidential data by exploiting a vulnerability in a web server. This blog first walks through the steps of a breach that uses the web server as the entry vector, and then presents a deception-based architecture that can detect a threat actor and divert them to a deception and engagement platform.
In the first step, the web server is compromised by exploiting a remote code execution or SQL injection vulnerability. The next steps involve identifying the high-value assets connected to the web server, such as databases and FTP servers.
Figure 1.0 China Chopper WebShell Code
These databases or FTP servers are then accessed using compromised credentials or brute-force attempts, giving the threat actor access to the high-value assets. Figure 1.0 shows the code from the China Chopper web shell used to connect to a SQL server and run queries against it.
Figure 2.0 View for a Threat Actor for a Breach involving Webserver
The first step of a deception-centric solution is to place breadcrumbs and honey flows on the web server. These breadcrumbs and honey flows are crafted from an understanding of past breaches and of the malicious files threat actors use. The solution then projects deceptions such as SQL or FTP servers inside the network. In the event of an intrusion, the threat actor picks up these breadcrumbs and is diverted to the deceptions (honey databases, honey FTP servers, etc.), which keeps the attacker away from the real assets that store critical data. The probability that deception assets such as honey databases or FTP servers are legitimately accessed via the breadcrumbs on the web server is negligible, so any access to a deception asset via those breadcrumbs is an instant indicator of a breach with a probability close to 100%.
Figure 3.0 View for a Threat Actor having deceptions in case of breach.
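As an added example (not code from the original post), the detection rule described above, run over constructed log lines from honey SQL and FTP services: any access to a deception asset is an alert, and the planted credential tells the defender which breadcrumb the intruder picked up. The host addresses, usernames and log format are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed deception inventory: honey hosts projected inside the network, each
# paired with the planted credential (breadcrumb) placed in a web-server config file.
HONEY_ASSETS = {
    "10.10.5.21": ("honey-sql", "rpt_svc"),     # fake SQL server
    "10.10.5.22": ("honey-ftp", "backup_ftp"),  # fake FTP server
}

# Constructed log format for the honey services:
#   "<ts> <service> src=<ip> dst=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)

@dataclass(frozen=True)
class Alert:
    asset: str                # which deception asset was touched
    src: str                  # where the access came from (the pivot point)
    service: str
    planted_credential: bool  # True if the breadcrumb credential was used
    result: str               # ok or fail; both are alerts

def detect(log_lines):
    """Any access to a honey asset is an alert: no legitimate client knows
    these hosts, so a success and a failed (brute-force) attempt both count."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dst"] not in HONEY_ASSETS:
            continue
        asset, breadcrumb_user = HONEY_ASSETS[m["dst"]]
        alerts.append(Alert(asset, m["src"], m["svc"],
                            m["user"] == breadcrumb_user, m["result"]))
    return alerts

# Constructed sample: a legitimate login to the real DB (10.10.5.10), then a
# pivot from the web server (10.10.1.50) to the honey SQL and honey FTP hosts.
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z mssql src=10.10.1.7 dst=10.10.5.10 user=app_svc result=ok",
    "2024-01-05T10:02:13Z mssql src=10.10.1.50 dst=10.10.5.21 user=rpt_svc result=ok",
    "2024-01-05T10:02:20Z ftp src=10.10.1.50 dst=10.10.5.22 user=admin result=fail",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT asset={a.asset} src={a.src} svc={a.service} "
              f"planted_cred={a.planted_credential} result={a.result}")
```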
Web servers are critical assets that threat actors have actively used to break into organizations and compromise critical data. A distributed deception-centric architecture provides an excellent, deterministic method for detecting intrusions that use the web server as the initial entry vector. It also adds no computational overhead to the web server, which is another strong reason to deploy deception to protect web servers.