Reconstructing a website defacement

Scenario: Potential and existing customers navigate to your company’s website one day, hoping to find the user-friendly and carefully branded homepage that your web design team worked so hard on. Instead, they are greeted with cat photos. The CEO is irate and everyone is in a panic. As a security analyst, your role is to investigate what happened, and reconstruct the steps the attacker took so that your organization can put measures in place to prevent a similar attack in the future.

How Splunk software can help

You can use Splunk software to identify artifacts and indicators of the defacement. Those indicators allow you to make decisions regarding containment and recovery, as well as to defend against future attacks. 

What you need 

The following technologies, data, and integrations are useful in successfully implementing this use case.

People

The best person to implement this use case is a security analyst who is familiar with web data sources. This person might come from your team, a Splunk partner, or Splunk onDemand Services.

Time

Reconstructing a website defacement using Splunk software can last from several hours to several days.

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

• Splunk Enterprise or Splunk Cloud
• Data sources onboarded
  • Web server data
  • Firewall data
• Splunk Stream

Microsoft Sysmon

• Windows event logs

How to use Splunk software for this use case

You can run many searches with Splunk software to reconstruct a website defacement. You can investigate the origin of the attack using these searches:

• IP address sending repeated requests to a web server
• Product or software accessing web server
• Web requests to a specific system in your environment
• IP address attempting a brute force password attack
• Executable uploaded to a web server
• MD5 hash of an uploaded file
• Web server initiating outbound traffic
• FQDN associated with an IP address

You can scope the impact of the attacking using these searches:

• Time elapsed between two related events
• Web requests to a specific system in your environment

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

• Taking the web server offline
• Posting a temporary maintenance page
• Restoring the web server

Related resources 

These additional Splunk resources might help you understand and implement this use case:

• Blog: I Have a Fever, and the Only Cure for It Is More Feedback

How to assess your results

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

• Time to detection: The time from when the defacement occurred to the time it was reported to the company
• Time to complete the investigation: The time from when the defacement was reported to the company to when the investigation was completed