January 2009
Contents
Overview
Web Site Phishing Attack Scenarios
Identification
Reporting (Notification)
Containment
Recovery
Follow-Up
Conclusions
References
Correspondent Authors Contact Data:
Suzy Clarke, Suzy.Clarke@asb.co.nz
Dave Piscitello, dave.piscitello@icann.org

Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service providers have provided this message as a public service, based upon aggregated professional experience and personal opinion. These recommendations are not a complete list of steps that may be taken to avoid harm from phishing. We offer no warranty as to the completeness, accuracy, or pertinence of these recommendations with respect to any particular registrar's operation, or with respect to any particular form of criminal attack. Please see the APWG web site http://www.apwg.org for more information. Institutional affiliations are provided for identification purposes and do not necessarily represent institutional endorsement of or responsibility for the opinions expressed herein.
Contributing Researchers
Joe St Sauver, PhD, University of Oregon
Ryan Macfarlane, FBI
Paul Laudanski, Microsoft
Paul Nankervis, National Australia Bank
David Zamler, Federation of Security Professionals
Darren Bilby, Google
Overview

Some phishers use compromised computers to host malicious or illegal activities, including identity theft and fraudulent financial activities, as well as collecting personal information and business identities from their victims for future use. Others attack or hack into and gain administrative control over the legitimate web sites[1] of businesses and organizations of all sizes. Such hacked web sites disguise the bad acts the phishers perform. More importantly, web site hackers are fully aware that the web sites they hack and "own" have a legitimate reputation. Law enforcement and anti-phishing responders respect and operate under established business, technical, and legal constraints when they seek to remedy or take down hacked web sites. These measures protect legitimate web site operators but unfortunately serve the attacker as well by extending the duration of the attack.

The Anti-Phishing Working Group (APWG) offers this document as a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration, and follow-up when an attack is suspected or confirmed.

This document serves as a guideline for web site owners. The list of responses described here is not exhaustive. We provide a list of complementary resources to help web site owners learn more about each recommended action. In several cases, the document mentions software that a web site owner may find useful when attempting to perform recommended actions. The software lists, too, are not exhaustive. The examples provided in these lists are representative of a very broad set of commercial and open source solutions. Web site owners are encouraged to research and experiment with other software as well.

Many actions will require business, technical, and legal expertise that is beyond the scope of this document. Web site owners are encouraged to discuss such matters with experts in each of these disciplines.
[1] http://www.theregister.co.uk/2007/07/10/plug_and_play_phishing/
containment actions the parties have determined to be appropriate. (See the section entitled Containment for additional information.)
4. The web site owner and operator initiate recovery actions. Here, both parties assess the damage to identify what data and services must be recovered. The timeline assists parties in determining whether data recovery is required and whether there is any accurate data available for recovery. (See the section entitled Recovery for additional information.)
5. The web site owner and operator initiate restoration actions. Here, efforts focus on returning the web site to full, uncompromised, normal activity. (See the section entitled Restoration for additional information.)
6. The web site owner and operator revisit the incident to study how and why the incident occurred, to determine what additional measures might be taken to reduce the possibility of future, similar incidents. (See the section entitled Follow-Up for additional information.)

Note: (2) and (3) may occur in reverse order, depending on the organization's preparedness and how it is structured. Some organizations empower web site operators to contain without prior approval while others do not.

Many organizations outsource web site hosting to service providers. Third-party web hosting providers should have their own procedures for dealing with phishing sites hosted on their servers. Ask your hosting provider to discuss these procedures with you before an event occurs. All web site owners should also make certain that the web site hosting provider is contractually obligated to notify them in the event of a hacked web site incident, and both parties should agree on a common set and order of response actions in advance. If your web site hosting provider indicates it does not have procedures in place to deal with web site phishing attacks, please refer them to this document.
Identification
Stealth, evasion, and covert operation aptly describe how phishers and other attackers compromise and remotely operate systems that host web sites.

1. How can I know if our web site has been attacked?

The most common form of identification (notice) is a third-party notification. You may receive a notice by phone or email from an individual or organization that claims knowledge of an attack. Obtain as much information from the third party as possible, including:
a) The person's name
b) Name of their organization
c) Return contact information (phone, email, postal address, organization's web site)
d) Web page(s), including the URL (link) the party alleges to be a phish web site
e) Nature of attack (attempt to steal personal information, to complete a bogus credit card transaction, to obtain user account credentials, etc.)
f) A description of any malicious content that appears to be downloadable from your web site (e.g., spyware)
Use this information to report the incident in accordance with a predetermined incident reporting and response plan. (See the section entitled Reporting for additional information.)

2. Can I trust third-party notifications?

No, the claim may not be accurate. While a notice from a third party who suggests that your web site has been hacked is unsettling, remain calm. Be suspicious if the party refuses to provide the above-mentioned information to you. Do not be frightened, coerced, or otherwise socially engineered into taking any action the party recommends before you investigate the claim. Attempt to corroborate all contact information quickly and before you escalate the claim through an incident response process. Forward any court order, criminal complaint or subpoena to your own legal counsel for review.
An APWG Industry Advisory. http://www.apwg.org, info@apwg.org
3. How can I identify web site phishing attacks?

Organizations that proactively monitor their web sites can (and do) discover web site phishing attacks. Here are some examples of how various kinds of proactive monitoring can help you identify attacks:
a) Traffic monitoring. Your web site developers or your information technology (IT) staff may notice unusual access to your web site, unusual traffic volume directed at your web site, unusual traffic emanating from your web server, or an unusual number of requests for nonexistent URLs. For example, a web server devoted solely to hosting web pages that begins to transmit thousands of email messages per second merits investigation.
b) File system inspection. Through routine inspection, your authorized staff may identify suspicious files, directories, or executable programs; again, imagine if your staff discovers a database of credit card information on your web server and none of the customers are yours.
c) Web server configuration inspection. Through routine inspection, your authorized staff can detect unauthorized or unintended changes in web server or operating system configurations; for example, imagine if your staff discovers that your dedicated web server is hosting Internet Relay Chat (IRC) sessions.

Event logging and reporting systems are extremely important sources for identifying web site attacks. Take advantage of firewall, web server, server operating system, and server application logs. These often contain information that allows daily operations staff or incident response (IR) teams to determine how a phisher gained unauthorized access to your systems.

Attackers are fully aware of the forensic value of event logs, so it is important that you take measures to protect your log collection and reporting system from attack. Establish a secure archival and retrieval process for event logs. In addition, make copies of logs from before, during, and after an incident. These may prove invaluable at a later time, for example during subsequent investigations into the incident. Larger organizations may wish to consider a centralized (networked) logging system too. Centrally maintained logging is less vulnerable to destruction or manipulation by an attacker who has gained administrative access to the web server than logs stored on that server. (See the section entitled Follow-Up for additional discussion.)
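The traffic-monitoring signals above (clients making many requests for nonexistent URLs, unusual request volume from one client, and the server successfully serving pages you never published) can be checked mechanically against the web server's access log. The following is an added example written for this page, not code from the APWG advisory. The log lines are constructed for illustration; the KNOWN_PATHS set and the thresholds are assumptions you would replace with your own content manifest and baseline.

```python
"""Triage an Apache/nginx "combined" access log for the signals the guide
describes under traffic monitoring.  Added example; log lines, KNOWN_PATHS
and thresholds are constructed/assumed."""
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the exact set of resources you intended to host, taken from
# your content manifest.  Exact paths, not directory prefixes: phishers hide
# kits under directories that legitimately exist (e.g. /images/).
KNOWN_PATHS = {"/", "/index.html", "/about.html", "/images/logo.png", "/css/site.css"}

# Constructed sample: a normal visitor, a scanner probing for admin panels,
# two victims reaching a planted kit, and one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2009:09:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2009:09:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2009:09:02:00 +0000] "GET /admin/ HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [10/Jan/2009:09:02:01 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [10/Jan/2009:09:02:02 +0000] "GET /wp-login.php HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [10/Jan/2009:09:02:03 +0000] "GET /manager/html HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [10/Jan/2009:09:02:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [10/Jan/2009:09:02:05 +0000] "GET /setup.php HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [10/Jan/2009:09:10:00 +0000] "GET /images/.bank/login.html?id=7 HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Jan/2009:09:10:20 +0000] "POST /images/.bank/verify.php HTTP/1.1" 302 0 "http://www.example.com/images/.bank/login.html" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Return the fields we triage on, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # /page?x=1 and /page are the same resource; drop the query string
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def triage(lines, *, max_404_per_host=5, max_requests_per_host=50, known=KNOWN_PATHS):
    """Return findings grouped by category so each can be acted on separately."""
    requests = Counter()
    not_found = Counter()
    unknown_served = defaultdict(set)   # path -> clients that received it
    post_to_unknown = []                # credential submissions to planted pages
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        requests[rec["host"]] += 1
        if rec["status"] == 404:
            not_found[rec["host"]] += 1
        # The strongest signal: a *successful* response for content that is
        # not in your manifest means the server is serving pages that are not yours.
        if rec["status"] < 400 and rec["path"] not in known:
            unknown_served[rec["path"]].add(rec["host"])
            if rec["method"] == "POST":
                post_to_unknown.append((rec["host"], rec["path"]))
    return {
        "scanners": sorted(h for h, n in not_found.items() if n > max_404_per_host),
        "heavy_hitters": sorted(h for h, n in requests.items() if n > max_requests_per_host),
        "unknown_served": {p: sorted(c) for p, c in unknown_served.items()},
        "post_to_unknown": post_to_unknown,
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(category, hits)
```

The 404 counter is the noisiest of the three checks (every site is scanned constantly); the "unknown_served" list is the one to page someone for, because it only fires when the server returned content that is not in your manifest, which is exactly what a planted phishing kit looks like from the log.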
Record the web page(s) or suspicious activity or configuration and report the incident in accordance with a predetermined incident reporting and response plan.

4. Can security assessments help identify web site phishing attacks?

Yes. Your organization or your web site hosting provider should consider routine examinations or scans of web servers for suspicious or known malicious programs, improperly patched components, and configurations that do not comply with applicable security (or regulatory) policies. Your staff can perform a security assessment using a web application vulnerability scanner. Examples of such tools, some free or open source and some commercial, include Backtrack, HackerGuardian, Nessus, Nikto, and Sandcat. (Note: a search engine query for "web application scanners" will yield multiple download sites for these and similar applications; obtain them from the vendor's or project's own site and verify the download before use.) Security consultants and auditors can perform more exhaustive assessments and can be contracted to do so on a recurring basis. Regular scanning also gives your staff the feedback needed to improve anti-hacking measures and secure web application design and programming.

A careful security assessment should compare the content on your web server against known-good versions of the content you intended to host. Eyeballing files or comparing file sizes is not sufficient: use cryptographic checksums generated by applications such as Open Source Tripwire to assure that files are identical, and keep the baseline checksums on a system the web server cannot write to, since an attacker with administrative access can otherwise update the baseline to match the altered content. When you perform such assessments, generate a detailed report that can be used in accordance with a predetermined incident reporting and response plan.

Once you suspect, have discovered, or have been notified that your web site is hosting a phishing site, report the incident in accordance with a predetermined incident reporting and response plan.
Reporting (Notification)
1. Should I report the incident?

The exact reporting procedure and the parties to whom a phishing web site incident is disclosed may be influenced by business, regulatory, and legal responsibilities. As part of an overall security strategy, organizations that operate public-facing web sites (in particular, those that collect personal, financial, and other sensitive information) should consult with executives, communications personnel (e.g., public relations departments), and legal counsel to ask that they provide input to the incident reporting procedures that specifically address web site attacks.
2. To whom should I report it?

As you prepare your reporting procedures, consider when and how to report your incident to:
a) Anti-phishing networks
b) Antivirus and anti-malware organizations (in cases where you discover malicious executables or scripts)
c) CERT organizations
d) Common Vulnerabilities and Exposures (CVE) disclosure list administrators (in cases where you discover a vulnerability or bug in commercial software)
e) Customers
f) Law enforcement, e.g., through the Internet Crime Complaint Center[2]
g) Regulatory compliance agencies
h) Software developers (in cases where you discover bugs in custom application software or webware developed exclusively for your organization)
i) Any individual or organization directly affected by the phishing attack, even if they do not fit into one of the other categories listed above
j) The general public

Some of these notifications will not always be applicable or appropriate for a particular incident. If your web site belongs to a corporation, a not-for-profit organization, a government agency, or any organization that must satisfy regulatory compliance criteria, you should report a web site phishing attack that results in a material breach to executive management or in-house legal counsel. Evidence of a web server breach that has data breach implications in the context of health care, privacy, or financial reporting regulations may instigate a full review of the compromised system to determine the extent of compromise and also to determine what, if any, compliance violations may have contributed to or resulted from the incident.

Management and legal counsel are best suited to prepare and coordinate external reporting and notification to response teams, CERTs, regulatory agencies, and law enforcement. Communications departments should be consulted prior to contacting customers, the press, and the general public. They have the training, skills, and relationships needed to effectively communicate information pertaining to an incident, and experience managing reactions to what may be alarming news.

Having well-documented incident reporting procedures in place typically assures that everyone in the organization understands his or her role in the reporting process. It minimizes confusion, delays, and errors in responding to an incident; limits worry over embarrassment and tarnish to the brand; and it expedites containment, recovery, and restoration.

Incident reporting procedures may require that you contact your IT support, web hosting provider, and ISP so that all parties who participate in providing or supporting your public web presence are engaged in the response. Each party may have specific actions they need and expect you to take in addition to those outlined in this guide. Be prepared to provide all relevant information, such as logs from your web server, firewall, and operating system, as well as copies of the unauthorized content, and the dates and times that you were made aware of the issue (also known as an incident timeline). Keep a record of what information you provided, and to whom.

These administrative actions help inform the appropriate people about the incident so that you can ensure a more unified response.

APWG encourages you to report the phishing site URL to the APWG via the email address reportphishing@antiphishing.org. Reporting to this address will cause most anti-phishing organizations to receive a notification of the phishing web site. Security products, e.g., anti-phishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions, of potential victims.

If you're unsure about whom you should report the incident to, seek advice from in-house or external legal counsel or professional incident response organizations.

[2] The Internet Crime Complaint Center (IC3, http://www.ic3.gov) provides a central referring mechanism for cyber criminal complaints. IC3 accepts complaints from Internet users and refers them to appropriate (local, state, federal and international) law enforcement and regulatory agencies.
Containment
Consider the following issues if you have the necessary level of (administrative) access to your web site. If you outsource web hosting, discuss containment measures in advance with your web site hosting provider to assure that you and your provider have the same response strategy, or you may waste time responding on the fly that might otherwise be spent minimizing damage and loss.
1. Should I make a copy of the unauthorized content?

Generally, yes. Save a copy of the phishing site pages and any unauthorized content, scripts, or executable programs you discover during your analysis. These will help web site operators, system administrators, and/or an IR team to verify that the content change was unauthorized, intentional, and malicious. They may also help to determine which vulnerability let the phishers alter your web site. You may wish to copy the unauthorized content as soon as you isolate and discover each page, executable program, etc.

If you or your hosting provider cannot obtain a disk copy of the system involved in the phishing, consider creating a logical copy, i.e., copy the files and preserve the folder structure. When creating a logical copy of files from the compromised computers, use tools such as Robocopy or the Unix cp command, with the options that preserve timestamps, ownership, and permissions (e.g., cp -a), copy to external media rather than onto the compromised disk, and record a cryptographic hash of each file as you copy it.

Please note that certain content, in particular content such as child pornography, poses serious legal implications if placed in the possession of persons who are not law enforcement agents or are not acting on behalf (and with full knowledge) of law enforcement. If you find any indication that illegal content is present on your system, do not make copies! Stop all investigative activities, contact the appropriate law enforcement in your jurisdiction, and follow their instructions regarding how to proceed.

2. Should I take my site offline (temporarily)?

You must decide in advance whether it's appropriate to suspend service to your web site for a short period of time while you attempt to investigate the attack. Make this decision as part of defining your overall incident response handling strategy. Taking the site offline prevents additional visitors from falling victim to the phishing scam and also prevents the phisher/attacker from remotely controlling your web site. Consult with IT and IR teams to determine ways to shut down your site without the risk of losing traces of the phisher's activities (powering the server off discards memory contents and the state of running processes, whereas disconnecting it from the network or blocking its traffic at the firewall preserves them), and consult with law enforcement and applicable regulatory compliance experts to understand the implications of temporary site suspension.
You may be advised or choose to leave the site online long enough to provide incident response teams and law enforcement with an opportunity to monitor the phisher's activities. If you choose to stay online, ask your IR team or law enforcement whether you should change administrator and user passwords immediately. Some investigators may want to continue to monitor an attacker's use of a compromised account. Discuss with your IR team whether the phisher appears sophisticated enough to have installed a program that will attempt to delete all evidence of his activities upon detection of loss of access.

3. Should I disable the unauthorized content?

If you do choose to keep your web site running, remove or disable access to the unauthorized web pages of the phishing site. Make copies of, remove, and submit any malicious content to an antivirus or anti-spyware vendor. Redirect any visitors attempting to visit a phished page to a web page you have prepared that explains they have been tricked by a phishing email and that you have removed the page they were lured into visiting. The APWG provides a standard "you've been phished!" redirection page and instructions for its use at http://education.apwg.org/r/about.html. This strategy will prevent further use of the phishing site, keep your customers informed, keep your web site online for real-time analysis, and afford you additional time to perform containment actions.

4. Are there right and wrong ways to make copies of content?

How you make copies matters. File-system-based copies (e.g., copying files from the compromised system to removable media or to a network file share) do not have the forensic and evidentiary value of a full (sector-by-sector) disk or partition copy. The Unix dd and WinDD utilities, NFGDump, and SelfImage are examples of utilities you can use to create clone images of the entire hard disk and partition where you discovered the phisher's unauthorized content. Record a cryptographic hash of each image immediately after creating it (e.g., with sha256sum) so that its integrity can be demonstrated later. It is often useful (or necessary) to copy content from the compromised system using a bootable rescue CD (also called a LiveCD), so that nothing installed by the attacker is running while you image. Programs such as the Trinity Rescue Kit, Knoppix, Helix from www.efense.com, or SLAX are examples of such utilities. These and other useful forensic software tools are freely available under the GNU GPL or similar open source licenses (a search engine query will yield multiple download sites for these applications; please exercise care and verify both the tool and its origin).

Save copies of your web site and all event logs that may be useful for incident analysis offline, e.g., on a DVD, CD, or on increasingly affordable portable hard drive devices. Include (digitally signed) checksums or hashes of your web pages on this DVD/CD so that it is easy to distinguish your intended and authentic content from unauthorized substitutions and additional content. Many hash generator programs and file system anti-tampering software are available for this purpose. Consider creating images of compromised web server operating system and application partitions for forensic analysis and follow-up.
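Containment item 3 above keeps the site online but serves the prepared "you've been phished" page in place of the planted ones. The following is an added example written for this page, not code from the APWG advisory; it is a WSGI middleware, which is one way of doing what the advisory describes with any web server. The EDUCATION_PAGE URL, the quarantined path list, and the requests used to exercise it are assumptions constructed for illustration. The security-relevant detail is that the block decision is made on a canonical form of the requested path, so that percent-encoding, case differences and ../ segments cannot slip a request past the rule.

```python
"""WSGI middleware that diverts requests for planted phishing pages to the
prepared education page and records who was lured there.  Added example;
EDUCATION_PAGE, the quarantined prefixes and the requests are assumptions."""
import posixpath
from urllib.parse import unquote

EDUCATION_PAGE = "https://www.example.com/phished.html"   # assumption: your prepared page


def canonical(path):
    """Decode and normalize a request path so that /images/%2Ebank/../.BANK/x
    and /images/.bank/x are judged the same.  WSGI servers usually hand us an
    already-decoded PATH_INFO; decoding again and lower-casing can only widen
    the match, which is the safe direction for a block rule."""
    p = unquote(path)
    p = posixpath.normpath("/" + p.lstrip("/"))   # collapses . and .., never escapes /
    return p.lower()


def quarantined(path, canon_prefixes):
    """True if the canonical path is one of the quarantined entries or lies below one."""
    p = canonical(path)
    return any(p == q or p.startswith(q + "/") for q in canon_prefixes)


class PhishRedirect:
    """Wrap the real site; requests for the phisher's pages never reach it."""

    def __init__(self, app, prefixes, audit):
        self.app = app
        self.prefixes = [canonical(x) for x in prefixes]
        self.audit = audit   # list shared with the IR team; a real deployment would log to the secure log server

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if quarantined(path, self.prefixes):
            self.audit.append({
                "client": environ.get("REMOTE_ADDR"),
                "path": path,                       # as requested, for the timeline
                "referer": environ.get("HTTP_REFERER"),
            })
            start_response("302 Found", [("Location", EDUCATION_PAGE),
                                         ("Cache-Control", "no-store")])
            return [b""]
        return self.app(environ, start_response)


def simulate_request(app, path, addr="198.51.100.10", referer=None):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"PATH_INFO": path, "REMOTE_ADDR": addr, "REQUEST_METHOD": "GET"}
    if referer:
        environ["HTTP_REFERER"] = referer
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def real_site(environ, start_response):
    """Stand-in for the legitimate application (assumption)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"legitimate page"]


if __name__ == "__main__":
    audit = []
    app = PhishRedirect(real_site, ["/images/.bank/"], audit)
    print(simulate_request(app, "/images/%2Ebank/../.BANK/verify.php")[0])
    print(audit)
```

Because the original request path is logged as sent, the audit list doubles as the list of victims to notify (item i under Reporting) and as evidence of continued traffic to the kit after the lure emails went out.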
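Two passages call for the same check: the Identification section's advice to compare the content on the server against known-good versions using checksums (as Open Source Tripwire does), and the Containment advice just above to put signed checksums of your authentic pages on the evidence DVD. The following is an added example written for this page, not code from the APWG advisory or from Tripwire. It hashes every file under a web root with SHA-256, seals the resulting manifest with an HMAC so that a manifest edited on the compromised host is detected when it is read back, and diffs a later scan against the baseline. The key, the directory layout and the changes made in demo() are constructed for illustration; in use the sealed manifest and the key live off the web server.

```python
"""Baseline and compare a web root with SHA-256 hashes, Tripwire-style.
Added example; the key and the files in demo() are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped and not followed: a link planted by an attacker
    would otherwise let the scan wander outside the web root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()                      # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def seal(entries, key):
    """Serialize the manifest and authenticate it with HMAC-SHA256 (a stand-in
    for the digital signature the guide recommends)."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body.decode(), "hmac": tag})


def unseal(blob, key):
    """Verify the tag before trusting the manifest; constant-time comparison."""
    doc = json.loads(blob)
    body = doc["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest integrity check failed")
    return json.loads(body)


def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a small web root is baselined, then altered the way
    a phisher typically alters a site (hidden kit directory, edited landing page,
    deleted file).  Returns the diff the assessment would report."""
    key = b"example-key-kept-off-the-web-server"   # assumption: real key stored elsewhere
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("index.html", b"<html>welcome</html>")
        put("images/logo.png", b"\x89PNG constructed bytes")
        sealed = seal(build_manifest(root), key)          # burn this to the evidence DVD

        # --- later: the host has been compromised ---
        put("images/.bank/login.html", b"<form>enter your PIN</form>")
        put("index.html", b"<html>welcome<iframe src=images/.bank/login.html></html>")
        os.remove(os.path.join(root, "images/logo.png"))
        return compare(unseal(sealed, key), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from a clean state (after the rebuild described under Recovery, before the site goes back into production) and repeat it on the schedule of your routine assessments; a non-empty "added" list under a directory you never publish to is the file-system signal the Identification section describes.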
Recovery
Recovery can be a slow and costly process if you have not prepared properly in advance. Don't wait for an incident to archive your authentic content. Routinely save and archive copies of your web site and logs to a location outside of the web root. Save all configuration files and maintain a careful record of configuration updates. If possible, burn all this data along with a copy of your web site to a DVD or CD, or copy it to a portable hard drive device or backup system.

Consider routinely creating an exact copy of your web site for backup purposes. In addition to archiving your content, create images of web server operating systems and application partitions as well. These can be especially helpful in restoring systems to a previous, known security profile; for restoring security configuration files; and for restoring operating systems to a known patch level and known set of tested and approved patches and hotfixes.

Periodically or routinely restore files from archived media to make certain that your backup procedures, media, and devices are in working order and that the backups you make do indeed restore your web site to the state you intended when designing the procedure. The restore operations described below are best performed offline, using local administration on a secured network (e.g., from behind a firewall).

1. Should I restore from backup or rebuild from scratch?

The only way to ensure that your servers are clean is to rebuild from original install media or to do an OS restore from known-good backups in offline mode, as recommended above. (If you cannot rebuild or restore offline, do so online but behind a firewall.) Prior to restoring from a backup or rebuilding, you must determine when and how the web site was compromised. Knowing when the compromise occurred is critical because this identifies the last known-good backup of your content and other recovery images. "When" also establishes a point in time after which all archives of your web site must be treated as suspect. These may be relevant to any forensic investigation you conduct for this incident.
Determining how your systems were compromised before you rebuild or restore is critically important. The phisher discovered a vulnerability (a configuration error or software bug) and exploited this to obtain administrative access to the system(s) that host your web site. If you do not correct this vulnerability, the phisher or another attacker will invariably exploit it again.

2. When should I update my software and check my configuration?

When you restore, you return your web site to a known-good state, but you are also going back in time. It is possible that patches, security updates, and configuration changes were introduced during the interim between the current date and the date of your restore images. If you are rebuilding from original media (e.g., Windows 2003 Server, OpenBSD, or Linux installation CDs), it is even more likely that your installation media are missing critical updates that were released after you obtained the media. Before you return your web site to a production environment, update all of your software to the latest versions and install all relevant patches and hotfixes. This includes patching operating systems, third-party applications, and custom applications that you may have installed on your systems.

It is extremely important that you verify that your web server OS and applications are configured properly. During the restore process, you may install a default configuration (common when you rebuild from scratch) or a configuration that you had modified subsequent to the date of your restore images. Perform a security assessment to verify that the restored system is configured correctly (and securely) before you return the web site to a production environment.

3. Should I change all my passwords?

When you are confident that you have restored your web site to an authentic and normal operating state, that you have installed all necessary software patches and hotfixes, and after you have taken measures to mitigate the vulnerabilities the phisher exploited, change all the passwords used to access accounts on the hitherto compromised system(s). The phishers may know the current passwords. Treat any other credential stored on or reachable from the compromised system the same way: SSH keys, database and API credentials, and application session-signing secrets may have been read from configuration files and should be rotated as well. It is important to acknowledge that even competent users and administrators use the same password on multiple systems (some business, some personal, and some public!), so consider whether it is appropriate to perform an extensive password reset procedure. Some organizations may also want to consider the merit of implementing multi-factor authentication, e.g., a hardware cryptographic token, to make login processes more secure.
Changing passwords on a regular basis (e.g., every 30 days) is considered a good operational practice in general and an essential practice for web and system administrators. Incidents raise awareness of lax practices and create incentives to improve both security baselines and routine maintenance schedules, so take this opportunity to define a rigorous password security policy that not only enforces regular password changes, but minimum length (e.g., 8 characters) and complexity criteria (e.g., password must contain upper- and lowercase letters, numbers, and special characters). Note that these figures reflect 2009 practice; current guidance (e.g., NIST SP 800-63B) favors longer passwords screened against lists of known-compromised passwords, with changes on evidence of compromise rather than on a fixed calendar, and no composition rules. While you are focused on password management, make sure that all forms of remote authentication and logins are performed over encrypted connections.

Unless otherwise directed by a forensics team or law enforcement, change passwords immediately and then again once you believe you have completed remediation and have restored your site. This significantly reduces the risk that an attacker will continue to use your accounts while you are attempting to remediate.
Follow-up
Organizations benefit from a post-mortem analysis of an incident. During this analysis, study the entire chronology of events leading to, during, and following the web site phishing attack.

1. What lessons have I learned?

During the follow-up process, ask "What would I do differently next time?" and "What processes would I change now to avoid a similar situation in future?", as well as any similarly tough questions you need to answer.

Gather web site owners, operators, service providers, IT and IR teams to share information about the incident. Take time to familiarize all parties with the anatomy of the attack. Identify characteristics of the attack that might be useful in early detection of future, similar attacks. Identify software, configuration, and operational changes that are considered appropriate and necessary to prevent similar attacks in the future.

2. How can I do better?

Web sites are prime targets for phishers. Consider the following list of recommended practices for minimizing a web site's vulnerability to attack by phishers.

a) Server OS hardening. Hardening is a process of securing an operating system so that it is difficult to attack. Use commercial and open source vulnerability scanners and security baseline analysis tools to identify unnecessary services, accounts, and improper (exploitable) configuration settings. The Center for Internet Security offers analysis tools and security templates for commercial and open source operating systems commonly used for web server hosting.

b) Web application hardening. Web application hardening is a process of securing web server application software (Microsoft IIS, Apache, etc.), web applications and scripts, and dynamic content against attacks. Again, use commercial and open source web vulnerability scanners to identify improper configuration settings and exploitable content. Consider using a commercial or open source web application firewall such as ModSecurity to provide inline, real-time examination of incoming web traffic for attack patterns and anomalies.

c) Patch management. Maintain current patch levels on all operating systems and applications used for your web site.

d) Secure programming, safe scripting. Do not use executable programs without verifying the authenticity and trustworthiness of the developer and the integrity of the code itself. The Open Web Application Security Project (OWASP) is a useful source for learning about secure programming and safe scripting (for more information on OWASP, see the References section). Only use executable programs from trusted commercial vendors and trusted open source developers whose work products are typically hashed and digitally signed (verify the signature, not just the hash; and a hash alone is only useful if it uses a collision-resistant algorithm such as SHA-256, since MD5 no longer qualifies). Do not use even the most trivial scripts without reviewing the source: be certain you know exactly what the script does, and everything it does, before you employ it.

e) Compartmentalize. Running multiple application servers (DNS, mail, web, Active Directory) on a common server is a recipe for an incident. Operating database servers containing sensitive information and public servers on a common LAN segment is a companion recipe for an incident. Create security domains within your network and separate these with security systems (e.g., firewalls) so that successful attacks against one server or service can be contained.

f) Routine self-examination. Perform regular network, host, and web vulnerability and penetration tests. If possible, have an independent, experienced, and certified party perform a security or vulnerability assessment on systems that support your web site.

g) Implement best practices for ingress and egress firewall filtering. Restrict traffic flow at firewalls as tightly as practical. Only allow access to TCP or UDP ports where your authorized services are listening, and further restrict flows to the IP addresses of the systems on which you are hosting listening services. Restrict outbound traffic flows from servers as well. Where possible, only allow servers to establish outbound connections to authorized services on designated external hosts; a web server that can only reach its own database and a patch mirror cannot send the phisher's mail or fetch his kit.

h) Logging, event reporting, log analysis, intrusion detection. Log traffic, OS, and web application events at the right level of detail, taking into consideration performance, cost, and the utility of the information collected. Collect log and event records at a secure log server. Regularly (and securely) archive log files and routinely analyze traffic and event logs for unusual or anomalous access and activities.

i) Proactive security measures. Complement aggressive logging and analysis with real-time network, host, and web intrusion detection systems.

j) Stay informed. Operating system and web application vulnerabilities are discovered and exploited on an almost daily basis. Subscribe to a vulnerability notification service offered by regional CERTs, SANS, SecurityFocus, and other security services organizations. (For more information, see the References section.)
Conclusions
Any security incident is disturbing. Web site phishing attacks can be frustrating, costly, and embarrassing experiences. The threat of these attacks can be greatly reduced by implementing appropriate security measures, alone or with the assistance and cooperation of web hosting and Internet service providers. Equally important, the cost and embarrassment of an actual security incident can be greatly reduced by carefully planning for and implementing appropriate incident response procedures such as those described in this document.

References
Anti-Phishing Working Group (APWG), http://www.apwg.org
Backtrack, http://www.remote-exploit.org/backtrack.html
CERT Cyber Security Alerts, http://www.uscert.gov/cas/signup.html
Center for Internet Security, http://www.cis.org
Internet Crime Complaint Centre, http://www.ic3.gov
Microsoft Baseline Security Analyzer, http://www.microsoft.com/technet/security/tools/mbsahome.mspx
ModSecurity, http://www.modsecurity.org/
MyNetwatchman SecCheck tool, http://mynetwatchman.com/tools/sc/
Open Source Tripwire, http://www.tripwire.org
PhishTank, http://www.phishtank.com/
Phishing Reporting Networks, http://www.phishreport.net
Robocopy, http://technet.microsoft.com/en-us/library/cc733145.aspx
SANS Consensus Security Alert, http://www.sans.org/newsletters/risk/