Report on Threat Hunting and Investigation

Introduction

Threat hunting is like a vigilant cybersecurity superhero that goes above and beyond to keep your organization safe. Instead of relying solely on traditional security measures, threat hunting takes a proactive approach to identify and neutralize potential threats that might have slipped through the cracks.

Imagine a skilled detective searching for clues in a vast digital landscape. Threat hunters actively scour an organization's networks, systems, and data, looking for any signs of malicious activity or compromising indicators. Their mission is to detect and respond to threats before they have a chance to wreak havoc or steal sensitive information.

To capture their discoveries and actions, security analysts and incident response teams create a Threat Hunting and Investigation Report. This document serves as a treasure trove of valuable information, detailing the findings, observations, and steps taken during the investigation. It helps us understand the incident, assess its impact, and implement effective remediation measures. In essence, it acts as a guiding light in navigating the cybersecurity realm and protecting what matters most.In this task, we have a Ubuntu-based Splunk machine on which we have to perform the attacks. The attacks are Remote code execution, SQL Injection, SSH Bruteforce, Directory traversal, and Arbitrary file upload. These attacks would be performed on different ports of the machine like ports 80, 4848, and 8079.

Objective

The objective of a threat-hunting and investigation report is to document the findings of a threat-hunting investigation. The report should include information about the threat that was identified, the evidence that was gathered, and the steps that were taken to investigate the threat. Analyse methods of ethical hacking for the evaluation of networked information systems. 

 Attacks 

Remote code execution

Remote code execution (RCE) is like a sneaky trick that some bad guys use to take over a computer from far away. It's a kind of weakness in a computer system that lets the attacker run any commands they want on that system. They do this by finding a hole or mistake in the system's defenses, like when a program has too much information and spills over into other areas or when it doesn't properly handle user inputs. Once the attacker runs their commands on the targeted system, they basically become the boss of that system and can do whatever they please.

These RCE weaknesses are a big problem for organizations because they put sensitive information at risk. Attackers can steal data, put harmful software on the compromised system, or even mess with the system's normal operations. The worst part is that RCE weaknesses are not easy to find and fix. They often show up in complicated software systems, making it tough to spot them. To protect themselves, organizations need to have a solid security plan in place. This plan should include regular check-ups to look for vulnerabilities, scanning tools to search for weaknesses, and training for employees to recognize and prevent RCE attacks.

Security solutions

• Input validation

• This is the most important security solution for preventing SQL injection attacks. It involves validating all user input before it is used in a SQL query. This can be done by using regular expressions or other techniques to check for malicious characters.

• Prepared statements

• Prepared statements are a way of templating SQL queries. They allow you to bind user input to variables in the query, which prevents the input from being interpreted as part of the query itself.

• Web application firewalls (WAFs)

• WAFs are a type of software that can be used to filter out malicious traffic before it reaches your web application. They can be configured to block SQL injection attacks, as well as other types of attacks.

Directory traversal

Directory traversal, also known as path traversal or directory climbing, is a sneaky security vulnerability that cunningly permits an attacker to venture beyond the boundaries of a web application's intended domain or directory structure. This loophole arises when the application fails to diligently validate or sanitize user-supplied input before employing it to form file or directory paths.

This vulnerability allows mischievous individuals to cleverly manipulate their input, traversing through directories, gaining access to delicate files, or executing unauthorized operations. It's like a crafty intruder who sneaks through an unlocked back door, bypassing the intended boundaries to explore and exploit what should have been off-limits.

Security Solutions

• Input validation: This is the most important step in preventing directory traversal attacks. All user-supplied input should be validated before it is passed to a filesystem API. This can be done by using a whitelist of permitted characters or by using a regular expression to match against known patterns.
• Sanitization: In addition to input validation, it is also important to sanitize user-supplied input. This means removing any dangerous characters that could be used to exploit a directory traversal vulnerability. For example, the characters .. and \ should be removed from all user-supplied input.
• Web application firewalls (WAFs): WAFs can be used to filter out malicious traffic that could be used to exploit a directory traversal vulnerability. WAFs can also be used to block known directory traversal attack patterns. (Sharif, 2022)

SSH Bruteforce

SSH brute-force attack is a type of cyberattack in which an attacker tries to gain access to a server by repeatedly guessing the username and password. This can be done manually, but it is more commonly done using automated tools.(Abdou, et. Al. 2015)

Arbitrary File Upload which leads to remote code execution

Arbitrary file upload is like a weak point in security that allows an unauthorized party to sneakily upload any kind of file to a web server. It's like a hole in the defense that can be taken advantage of by finding flaws in the web application's file type validation or by tricking the user into uploading a harmful file. Once an attacker successfully uploads a harmful file, they can go on to do whatever they want and run unrestricted code on the web server.

On the other hand, remote code execution (RCE) is an even more serious vulnerability that lets an attacker run any code they want on a targeted system from a remote location. It's like giving them the power to control things from far away. This kind of exploit can be achieved by using the weak point of arbitrary file upload or any other vulnerability that allows running any code on the server. Once the attacker manages to run any code they want on the server, they can take full control over the entire system. It's like having complete dominion over everything.

References

Abdou, A., Barrera, D. and van Oorschot, P.C., 2015, December. What lies beneath? Analyzing automated SSH bruteforce attacks. In International conference on PASSWORDS (pp. 72-91). Cham: Springer International Publishing.

Ehichoya, O. and Nnaemeka, C.C., 2022. Evaluation of Static Analysis on Web Applications. arXiv preprint arXiv:2212.12308.

Fahrnberger, G., 2022, June. Realtime risk monitoring of SSH brute force attacks. In Innovations for Community Services: 22nd International Conference, I4CS 2022, Delft, The Netherlands, June 13–15, 2022, Proceedings (pp. 75-95). Cham: Springer International Publishing.

Flanders, M., 2019. A simple and intuitive algorithm for preventing directory traversal attacks. arXiv preprint arXiv:1908.04502.

Hiesgen, R., Nawrocki, M., Schmidt, T.C. and Wählisch, M., 2022. The race to the vulnerable: Measuring the log4j shell incident. arXiv preprint arXiv:2205.02544.

Huang, J., 2021. Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities (Doctoral dissertation, Wright State University).

Ntagwabira, L. and Kang, S.L., 2010, July. Use of Query Tokenization to detect and prevent SQL Injection Attacks. In 2010 3rd International conference on computer science and information technology (Vol. 2, pp. 438-440). IEEE.

Sayar, I., Bartel, A., Bodden, E. and Le Traon, Y., 2023. An in-depth study of java deserialization remote-code execution exploits and vulnerabilities. ACM Transactions on Software Engineering and Methodology, 32(1), pp.1-45.

Sharif, M.H.U., 2022. Web Attacks Analysis and Mitigation Techniques. International Journal of Engineering Research & Technology (IJERT), pp.10-12.\]

Shcherbakov, M., Balliu, M. and Staicu, C.A., 2023. Silent spring: Prototype pollution leads to remote code execution in node. js. In USENIX Security Symposium 2023.

Upadhyay, D. and Sampalli, S., 2020. SCADA (Supervisory Control and Data Acquisition) systems: Vulnerability assessment and security recommendations. Computers & Security, 89, p.101666.

Xiao, F., Yang, Z., Allen, J., Yang, G., Williams, G. and Lee, W., 2022, November. Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 2975-2988).

Zhao, Y., Zhang, Y. and Yang, M., Remote Code Execution from SSTI in the Sandbox: Automatically Detecting and Exploiting Template Escape Bugs.

Wong, K., Dillabaugh, C., Seddigh, N. and Nandy, B., 2017, April. Enhancing Suricata intrusion detection system for cyber security in SCADA networks. In 2017 IEEE 30th Canadian Conference on Electrical and Computer Engineering (CCECE) (pp. 1-5). IEEE.

Kenkre, P.S., Pai, A. and Colaco, L., 2015. Real time intrusion detection and prevention system. In Proceedings of the 3rd international conference on Frontiers of intelligent comp