1 of 37

Defensive Security Project

by: Dylan Adams, Vernon Worthy II, Jimmy Nguyen, Cameron Harding, Hamza Suraj, Kysten Raleigh


Table of Contents

This document contains the following resources:

01 Monitoring Environment

02 Attack Analysis

03 Project Summary & Future Mitigations


Monitoring Environment


Scenario

  • We were approached by VSI to monitor their Windows and Apache server logs using Splunk after they were attacked by a possible rival company.


Whois XML IP Geolocation API


  • This app allows users to look up IP addresses in order to find information such as country, city, internet service provider and more.

  • Our interest in this tool was the possible use of VPNs by the attackers.


  • JobeCorp, VSI’s adversary, has been known to attack its competitors by using international VPNs and Tor to launch application attacks.

  • By using the Geolocation API to look up suspicious IPs we can find where they are coming from.

  • This tool allowed us to find an additional user located in Ukraine who was participating in the attack.

  • We can also see the city, country, and internet service provider for each IP address.

  • Most users were located in Ukraine, with the exception of a couple.

Whois XML IP Geolocation API Images

Logs Analyzed

1. Windows Logs: These logs contain user accounts, user and Windows activities, as well as security events categorized by severity.

2. Apache Logs: These are attack logs from the Apache servers that run VSI’s back-end systems. They were captured during the time when the attack occurred.

Windows Logs


Reports—Windows

Designed the following reports:

Report: Signatures and IDs
Description: A table of Windows log signatures and their corresponding ID numbers.

Report: Top Windows Severity
Description: Shows the count and percentage of each severity level among the logs.

Report: Top Windows Status
Description: A comparison between the success and failure of Windows activities.

Images of Reports—Windows

Report images: Signatures and IDs; Top Windows Status; Top Windows Severity.

Alerts—Windows

Designed the following alerts:

Alert: Hourly Level of Failed Windows Activity Spike
Description: Does an hourly check for failed Windows activity
Baseline: 8
Threshold: 12
Justification: The hourly events stayed around 5 with occasional spikes up to around 9-10, so to keep the normal spikes from triggering the alert we set it at 12.

Alert: Level of Hourly Successful Logins
Description: Runs an hourly check for successful logins
Baseline: 12
Threshold: 25
Justification: Most of the activity jumped around 8-14 with the peak reaching 21 for one hour. To prevent a peak like 21 from being caught often we set the threshold a bit above it, at 25.

Alert: Number of Account Deletions Spike
Description: Looks for sudden spikes in hourly account deletions
Baseline: 15
Threshold: 30
Justification: Most of the activity sat between 9-16 with two notable jumps to 21 and 22. To prevent normal activity from triggering the alert it was set at 30 for a bit of leeway.

Dashboards—Windows

Dashboard panels (images): Line Chart of Signatures Over Time; Line Chart of User Activity Over Time; Chart of Signatures; Chart of User Activity; Radial Chart of Modified Actions Over Time.

Apache Logs


Reports—Apache

Designed the following reports:

Report: HTTP Method Table
Description: Displays counts and types of HTTP methods (GET, POST, HEAD, OPTIONS)

Report: Top Referrer Domains Table
Description: Displays counts and names of the top 10 referrer domains

Report: HTTP Response Code Table
Description: Displays the top HTTP status codes and their counts

Images of Reports—Apache

Report images: top left, HTTP Method Table; top right, Top Referrer Domains Table; bottom left, HTTP Response Codes.

Alerts—Apache

Designed the following alerts:

Alert: High Activity Outside of The United States
Description: Activity from countries outside the U.S. is monitored hourly
Baseline: 90 counts
Threshold: 135
Justification: The baseline from the Apache logs sat at around 90 counts, with some hours going up to 100 and others going down to 80. We set the threshold at 135 in order to be alerted to any significant spikes.

Alert: HTTP POST High Activity
Description: Creates an alert for a high number of HTTP POST requests
Baseline: 3-4 counts
Threshold: 9 counts
Justification: The baseline for the POST activity was sitting between 3 and 4 counts per hour with one spike to 7. We decided that anything at 9 or more counts should be observed in order to remain secure.
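Worked example added by the editor, not code from the team's deck or from VSI: it implements the hourly baseline/threshold alert logic used by both the Windows and the Apache alerts above, running in Python over constructed Apache access-log lines with the deck's thresholds of 9 POSTs and 135 non-U.S. hits per hour, so the "were the thresholds correct?" question can be replayed offline. The GEO table (standing in for the country the IP Geolocation API would return), the IP addresses, timestamps and URIs are all constructed values.

```python
import re
from collections import Counter
from datetime import datetime

# One Apache common/combined log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed stand-in for the country the IP Geolocation API would return per address.
GEO = {"203.0.113.5": "US", "198.51.100.7": "UA", "198.51.100.8": "UA"}

# Alert name -> (predicate on a parsed event, hourly count at which the alert fires).
# Thresholds are the ones chosen in the deck; "count >= threshold" is treated as firing.
ALERTS = {
    "HTTP POST High Activity": (lambda e: e["method"] == "POST", 9),
    "High Activity Outside of The United States": (lambda e: GEO.get(e["ip"]) != "US", 135),
}

def parse(line):
    """Parse one log line into ip, hour bucket, method, uri and status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    hour = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:00")
    return {"ip": ip, "hour": hour, "method": method, "uri": uri, "status": int(status)}

def hourly_counts(lines, predicate):
    """Count matching events per hour (the same idea as a Splunk timechart with span=1h)."""
    events = filter(None, map(parse, lines))
    return Counter(e["hour"] for e in events if predicate(e))

def evaluate_alerts(lines):
    """Return {alert name: [(hour, count), ...]} for every hour at or above its threshold."""
    fired = {}
    for name, (predicate, threshold) in ALERTS.items():
        counts = hourly_counts(lines, predicate)
        fired[name] = sorted((h, c) for h, c in counts.items() if c >= threshold)
    return fired

def make_line(ip, ts, method, uri, status=200):
    return f'{ip} - - [{ts}] "{method} {uri} HTTP/1.1" {status} 512'

def build_sample_log():
    """Constructed traffic: a quiet 10:00 hour and a 20:00 hour shaped like the attack."""
    lines = [make_line("203.0.113.5", f"25/Mar/2020:10:0{i}:00 +0000", "POST", "/account/login") for i in range(3)]
    lines += [make_line("198.51.100.7", f"25/Mar/2020:10:{i % 60:02d}:05 +0000", "GET", "/index.html") for i in range(80)]
    lines += [make_line("198.51.100.8", f"25/Mar/2020:20:{i:02d}:00 +0000", "POST", "/account/login") for i in range(12)]
    lines += [make_line("198.51.100.7", f"25/Mar/2020:20:{i % 60:02d}:30 +0000", "GET", "/index.html") for i in range(138)]
    return lines
```

Calling evaluate_alerts(build_sample_log()) fires both alerts for the 20:00 hour only (12 POSTs, 150 non-U.S. hits) and stays quiet for the 10:00 baseline hour (3 POSTs, 80 non-U.S. hits), which is the behaviour the deck reports for its thresholds.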

Dashboards—Apache

Dashboard panels (images): Signatures Over Time; Clientip Cluster Map; URI Pie Chart; Top 10 Countries Table; User Agent Pie Chart; Successful POST Request Radial Gauge.

Attack Analysis


Attack Summary—Windows

Findings from our reports when analyzing the attack logs:

  • Number of high severity alerts increased from roughly 7% to 20%
  • Significant increase in successful activities in half the time
  • Increase in suspicious user actions

Findings from our alerts when analyzing the attack logs (were the thresholds correct?):

  • Hourly failed Windows activity spiked past our baseline of 8 to 35.
  • Our alert threshold of 12 easily caught it.
  • Hourly logons went from 23 to 196 and 77.
  • Both were caught by our threshold of 25 without any false positives.
  • The number of deleted accounts showed no suspicious activity.
  • No false positives were created thanks to the alert threshold of 30.

Findings from our dashboards when analyzing the attack logs:

  • Significant jump in successful logins
  • Large number of password change attempts
  • Possible brute force attack to escalate privilege

Screenshots of Attack Logs

Attack Summary—Apache

Findings from our reports when analyzing the attack logs:

  • The number of HTTP POST requests jumped up by almost 20%.
  • The attacker was possibly trying to modify or obtain information from the server.
  • The counts of all referrer domains dropped significantly during the attack time period.
  • Most referrals went to the account login page.
  • This could possibly be a brute force attack.

Findings from our alerts when analyzing the attack logs (were the thresholds correct?):

  • Hourly activity outside of the U.S. jumped from below 100 to over 800.
  • Our alert was triggered with a threshold of 135.
  • POST activity jumped up by almost 20% of normal activity.
  • Our HTTP POST activity alert was triggered.

Findings from our dashboards when analyzing the attack logs:

  • The HTTP time chart shows a spike in POST activity between 7:00 and 9:00 PM.
  • The peak occurs at 8:00 PM.
  • The cluster map for activity outside of the U.S. spikes in Ukraine at the same time by close to 800 counts.
  • Count spikes occur in Kiev and Kharkiv.
  • The URI pie chart shows that at 8:00 PM the counts of account logins spike to almost 30% of all URI activity.

Screenshots of Attack Logs

Dashboard images: Dashboard Before Attack; Dashboard During Attack.

Summary and Future Mitigations


Project 3 Summary - Findings

Overall findings from the attack that took place:

  • The attack on the Windows server was possibly an attempted brute force attack via login attempts and password reset requests.
  • The Windows brute force had some success, with over 100 accounts accessed.
  • The Apache server saw similar brute force attacks with similar results.
  • All alerts worked properly and we received no false positives.


Project 3 Summary - Further Mitigations

To protect VSI from future attacks, we recommend the following mitigations:

  • Because of the brute force attempts and successes, time-outs after multiple attempts to log in or reset passwords
  • Firewall rules to block IPs that are engaging in suspicious activity
  • Location bans for floods of requests from specific countries
  • Stronger passwords and two-factor authentication
