Playing Hide and Seek In the Cloud

Tuesday, December 08, 2015

Or Katz


When we were young, we had fun playing hide and seek. As 5-year-olds there were a limited number of places our friends could hide, and we could methodically check each one and then giggle when we found them. As we grew older, we expanded the boundaries of the game. Today, as security researchers, hide-and-seek is no longer so fun because the boundaries are nearly infinite. How do you find and evaluate the risk, for example, of one deadly SQL injection attempt across 200,000 daily attack events?

Threat intelligence is the answer: by analyzing huge amounts of data, it finds the malicious needle in the data haystack and provides actionable insights that assist with mitigating the risk. One of the advantages of threat intelligence is that it enables security teams to move from a reactive approach, which is one step behind, to a proactive approach, which is one step ahead. The proactive approach improves mitigation tactics against current threats and at the same time upgrades future mitigation strategies.

A key factor for proactive insights lies in having visibility into rich, diverse and continuous data. Therefore, it is only natural that cloud networks, such as content delivery networks (CDNs), should feed the rich, diverse and continuous data streaming through their infrastructure into threat intelligence.

This article will show the unique power of threat intelligence built on cloud networks and present a case study that finds and correlates those malicious needles into insightful and actionable intelligence.

Case Study: Hole-In-One

Single SQL Injection Attack Analysis

While analyzing one of Akamai’s customers’ Web Application Firewall (WAF) logs, Akamai’s Threat Research Team came across an IP address that sent a single SQL injection (SQLi) attack, using the following payload in the HTTP parameter “viewform”: 

[Image: SQL injection payload in the "viewform" parameter (not reproduced)]

Further analysis of the attack payload shows that the attacker is targeting a known vulnerability in the Joomla plug-in ArtForms. Once used against a vulnerable application, the attack results in retrieval of sensitive data from the application's database.

In other words, the attacker is sending a single SQLi attack request to the application, trying to hit the hole-in-one.

Cloud Based Attack Analysis

Utilizing cloud capabilities to look at malicious activity executed by the same attacker across Akamai's cloud network revealed new and unique findings: more than 500 applications were being targeted with that same malicious SQL injection payload, each application attacked by a single request.

Analyzing the targeted applications by industry classification shows that the "Media & Entertainment" segment is the most targeted one. Moreover, the attacker is targeting applications across different industry segments, indicating that its strategy is to scan the Internet for vulnerable applications.


Figure 1: Targeted applications by industry segments 

Single SQLi attacks can slip under the security team's radar. On the other hand, a noisy, multi-targeted SQLi campaign against over 500 applications will raise red flags.
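The correlation described above, as an added example that is not Akamai's code: given WAF events collected from many customer applications, group them by source IP and attack payload, flag sources that hit many distinct applications with exactly one request each (the "hole-in-one" pattern), and break the targets down by industry segment. The event records, field names (src_ip, app, industry, param, payload), IP addresses, application names and the payload string are all constructed for the example.

```python
"""Cross-application correlation of a single-request SQLi probe (added example)."""
from collections import Counter, defaultdict

# Constructed sample WAF events: one record per flagged request.
# Field names and values are assumptions made for this example.
PROBE = "1' UNION SELECT 1,2,3--"          # constructed generic SQLi string
WAF_EVENTS = [
    # one request each to five different applications from one source
    {"src_ip": "203.0.113.7", "app": "news-a",  "industry": "Media & Entertainment", "param": "viewform", "payload": PROBE},
    {"src_ip": "203.0.113.7", "app": "video-b", "industry": "Media & Entertainment", "param": "viewform", "payload": PROBE},
    {"src_ip": "203.0.113.7", "app": "shop-c",  "industry": "Retail",                "param": "viewform", "payload": PROBE},
    {"src_ip": "203.0.113.7", "app": "bank-d",  "industry": "Financial Services",    "param": "viewform", "payload": PROBE},
    {"src_ip": "203.0.113.7", "app": "news-e",  "industry": "Media & Entertainment", "param": "viewform", "payload": PROBE},
    # a noisy source hammering a single application (not the scanner pattern)
    *[{"src_ip": "198.51.100.9", "app": "shop-c", "industry": "Retail", "param": "q", "payload": "' OR 1=1--"} for _ in range(4)],
    # a lone single request: below any reasonable correlation threshold
    {"src_ip": "192.0.2.5", "app": "forum-f", "industry": "Media & Entertainment", "param": "viewform", "payload": PROBE},
]


def correlate_by_payload(events):
    """Map (src_ip, param, payload) -> Counter of requests per targeted app."""
    hits = defaultdict(Counter)
    for e in events:
        hits[(e["src_ip"], e["param"], e["payload"])][e["app"]] += 1
    return hits


def find_scanners(events, min_apps=3):
    """Return [(key, distinct_app_count)] for sources that sent the same payload
    to at least min_apps distinct applications with a single request per app.
    Such a source is invisible in any one application's logs but obvious in
    the aggregate."""
    scanners = []
    for key, per_app in correlate_by_payload(events).items():
        if len(per_app) >= min_apps and max(per_app.values()) == 1:
            scanners.append((key, len(per_app)))
    return scanners


def industry_breakdown(events, src_ip, payload):
    """Count distinct targeted applications per industry for one source/payload."""
    seen_apps, counts = set(), Counter()
    for e in events:
        if e["src_ip"] == src_ip and e["payload"] == payload and e["app"] not in seen_apps:
            seen_apps.add(e["app"])
            counts[e["industry"]] += 1
    return counts


if __name__ == "__main__":
    for (ip, param, payload), n_apps in find_scanners(WAF_EVENTS):
        print(f"{ip} sent one request with {param}={payload!r} to {n_apps} apps")
        for industry, n in industry_breakdown(WAF_EVENTS, ip, payload).most_common():
            print(f"  {industry}: {n}")
```

The threshold `min_apps` is an assumption; in the case above the real signal was over 500 applications, but the same query with a low threshold surfaces early in a campaign, before the attacker has reached that many targets.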

Turning Insights Into Proactive Actions

Once security teams consume such threat intelligence, it is time for them to turn those insights into proactive actions:

  • Mitigation - Look for all applications in the organization that are using the vulnerable version of the Joomla module and make sure those applications are patched or upgraded.
  • Prevention - Make sure malicious traffic from that IP address is blocked, using security controls such as a Web Application Firewall (WAF).
  • Continuous detection - It is possible that the attacker will try to (a) evade detection by using Internet proxies or re-allocating IP addresses, or (b) change the attack vector. Therefore, continue using cloud-based threat intelligence feeds provided by products such as Client Reputation. This will empower security teams to stay tuned to the attacker's emerging malicious activities.
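The "continuous detection" point, as an added example that is not Akamai's or Client Reputation's code: rather than tracking the attacker by IP address alone, the WAF event's parameter value is canonicalized (URL-decoded, case-folded, comments and whitespace collapsed) into a payload fingerprint, so the same probe is recognized when it arrives from a new address. The canonicalization rules, the event fields, the IP addresses and the payload strings are assumptions constructed for the example.

```python
"""Recognizing a known attack payload after the source IP changes (added example)."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import unquote_plus


def fingerprint(value):
    """Canonicalize a parameter value and hash it. URL-decoding is applied
    twice to unwrap double encoding; inline comments and whitespace runs are
    collapsed so cosmetic variants map to one fingerprint. (Constructed rules.)"""
    v = unquote_plus(unquote_plus(value)).lower()
    v = re.sub(r"/\*.*?\*/", " ", v)    # drop inline SQL comments used as fillers
    v = re.sub(r"\s+", " ", v).strip()
    return hashlib.sha256(v.encode()).hexdigest()[:16]


def build_watchlist(confirmed_events):
    """Fingerprints attributed to a confirmed attacker -> set of IPs seen using them."""
    watchlist = defaultdict(set)
    for e in confirmed_events:
        watchlist[fingerprint(e["payload"])].add(e["src_ip"])
    return watchlist


def detect_rotation(watchlist, new_events):
    """Alert on events whose payload fingerprint is on the watchlist but whose
    source IP has not been associated with that payload before."""
    alerts = []
    for e in new_events:
        fp = fingerprint(e["payload"])
        if fp in watchlist and e["src_ip"] not in watchlist[fp]:
            alerts.append({"src_ip": e["src_ip"], "app": e["app"], "fingerprint": fp})
    return alerts


# Constructed sample data: the confirmed campaign, then a later batch of events.
CONFIRMED = [
    {"src_ip": "203.0.113.7", "app": "news-a", "payload": "1' UNION SELECT 1,2,3--"},
]
LATER_EVENTS = [
    # same probe, URL-encoded and lower-cased, from a new address -> alert
    {"src_ip": "198.51.100.22", "app": "video-b", "payload": "1%27%20union%20select%201%2C2%2C3--"},
    # same probe from the already-known address -> no alert
    {"src_ip": "203.0.113.7", "app": "shop-c", "payload": "1' UNION SELECT 1,2,3--"},
    # benign parameter value -> no alert
    {"src_ip": "192.0.2.8", "app": "forum-f", "payload": "hello"},
]


def run_example():
    """Build the watchlist from the confirmed events and scan the later batch."""
    return detect_rotation(build_watchlist(CONFIRMED), LATER_EVENTS)


if __name__ == "__main__":
    for a in run_example():
        print(f"known payload {a['fingerprint']} seen from new source {a['src_ip']} against {a['app']}")
```

Fingerprinting by payload rather than by address is what lets the feed keep up when the attacker moves behind a proxy; a changed attack vector produces a new fingerprint, which is why the page pairs this with an external reputation feed rather than relying on the watchlist alone.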

Summary

One of the biggest challenges for security teams is analyzing the overwhelming number of security incidents that take place inside or outside their organization while making sure no threats are left hidden. The ability to win the game of hide-and-seek depends on visibility into the data and the use of the right tools.

Cloud-based threat intelligence can make threat detection fun again, and in the end, if our jobs aren't fun, the bad guys have already won.

Tags: Cloud Security, Enterprise Security, CVE, SQL Injection