Splunk Lantern

Reconstructing a website defacement

 

Potential and existing customers navigate to your company’s website one day, hoping to find the user-friendly and carefully branded homepage that your web design team worked so hard on. Instead, they are greeted with cat photos. The CEO is irate and everyone is in a panic. As a security analyst, your role is to investigate what happened, and reconstruct the steps the attacker took so that your organization can put measures in place to prevent a similar attack in the future. You can use Splunk software to identify artifacts and indicators of the defacement. Those indicators allow you to make decisions regarding containment and recovery, as well as to defend against future attacks. 

How to use Splunk software for this use case

Splunk software supports many searches that help you reconstruct a website defacement, most of them run over the web server's access logs, the operating system and file-integrity logs of the host, and the authentication logs of any content management system in front of it. The following searches investigate the origin of the attack:
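The individual how-to searches are linked rather than reproduced on this page, so the following is an added example, not code from Splunk Lantern or the workshop, of the reasoning those searches encode, carried out in Python over a constructed set of web server access log lines. The log format, IP addresses (TEST-NET ranges), request paths and timestamps are all assumptions made for the illustration. The three steps are the ones a defacement investigation usually follows: bound the time of the change (here from the served size of the static page, which is stable until the file is replaced), list the state-changing requests that fell inside that window, and pivot to everything else the resulting source addresses did.

```python
"""Reconstruct a website defacement from web server access logs.

Added example (not from Splunk Lantern or the workshop): the log lines,
IP addresses, paths and timestamps below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in common log format. The defaced page is /index.html;
# 203.0.113.7 (a TEST-NET address, fictitious) plays the attacker: a short
# scan for admin paths, repeated POSTs to a CMS login form (200 = form shown
# again, 302 = redirect after a successful login), then a POST to an upload
# endpoint. The size of /index.html drops from 5120 to 1873 bytes afterwards.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:09:40:12 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.21 - - [12/Mar/2024:09:45:30 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:09:50:02 +0000] "GET /admin/ HTTP/1.1" 404 212
203.0.113.7 - - [12/Mar/2024:09:50:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 212
203.0.113.7 - - [12/Mar/2024:09:50:05 +0000] "GET /cms/login HTTP/1.1" 200 1432
203.0.113.7 - - [12/Mar/2024:09:58:41 +0000] "POST /cms/login HTTP/1.1" 200 1432
203.0.113.7 - - [12/Mar/2024:09:58:44 +0000] "POST /cms/login HTTP/1.1" 200 1432
203.0.113.7 - - [12/Mar/2024:09:58:50 +0000] "POST /cms/login HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:09:59:30 +0000] "POST /cms/upload HTTP/1.1" 200 88
198.51.100.22 - - [12/Mar/2024:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1873
198.51.100.23 - - [12/Mar/2024:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1873
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_access_log(lines):
    """Parse common-log-format lines into dicts (time-sorted); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_content_change(events, path):
    """Bound the defacement time. A static page is served at a constant size
    until its content is replaced, so the first 200 response to `path` whose
    size differs from the earlier baseline marks the change.
    Returns (last_good_ts, first_changed_ts, baseline_size, new_size) or None."""
    hits = [e for e in events
            if e["path"] == path and e["method"] == "GET" and e["status"] == 200]
    if not hits:
        return None
    baseline, last_good = hits[0]["size"], hits[0]["ts"]
    for e in hits[1:]:
        if e["size"] != baseline:
            return last_good, e["ts"], baseline, e["size"]
        last_good = e["ts"]
    return None


def find_write_requests(events, start, end):
    """State-changing requests inside the window: the candidate vectors for the modification."""
    return [e for e in events
            if e["method"] in WRITE_METHODS and start <= e["ts"] <= end]


def reconstruct(lines, defaced_path):
    """Three-step reconstruction: when the content changed, what write
    activity fell in that window, and what else those sources did."""
    events = parse_access_log(lines)
    change = find_content_change(events, defaced_path)
    if change is None:
        return {"events": events, "change": None}
    last_good, first_changed, baseline, new_size = change
    writes = find_write_requests(events, last_good, first_changed)
    sources = {e["ip"] for e in writes}
    activity = defaultdict(list)          # pivot: full history of each suspect source
    for e in events:
        if e["ip"] in sources:
            activity[e["ip"]].append(e)
    return {
        "last_good": last_good,
        "first_changed": first_changed,
        "baseline_bytes": baseline,
        "changed_bytes": new_size,
        "writes": writes,
        "sources": sources,
        "source_activity": dict(activity),
    }


if __name__ == "__main__":
    result = reconstruct(SAMPLE_LOG.splitlines(), "/index.html")
    print(f"/index.html changed between {result['last_good']} and {result['first_changed']}")
    for ip, evts in result["source_activity"].items():
        print(f"activity from {ip}:")
        for e in evts:
            print(f"  {e['ts']:%H:%M:%S} {e['method']} {e['path']} {e['status']}")
```

The same three steps map directly onto Splunk searches over the web server's access log sourcetype: a statistic of response size by request path over time to spot the change, a filter on the request method within that window, and a search for every event from the resulting client addresses. The size heuristic only works for static content; for a dynamically rendered page, bound the change with file-integrity or CMS audit events instead, and treat the access-log pivot as corroboration.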

Next steps 

To maximize their benefit, the how-to articles linked in the previous section need to tie into existing processes at your organization or become new standard processes. The containment and recovery steps that most often determine success with this use case are:

  • Taking the web server offline
  • Posting a temporary maintenance page
  • Restoring the web server

Sequence these steps with the investigation: capture the defaced pages, the web server and host logs, and, where possible, a disk image before the server is taken down or rebuilt, because restoring from a clean build destroys the artifacts the searches depend on.

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time from when the defacement occurred (the point the investigation establishes from the logs) to the time it was reported to the company
  • Time to complete the investigation: The time from when the defacement was reported to the company to when the investigation was completed

The content in this use case comes from a hands-on security investigations workshop developed by Splunk security experts. To find out what educational resources are available to you, talk to your Customer Service Manager. These additional Splunk resources might help you understand and implement this specific use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.