Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New cheat sheet: Incident Response for Web Applications. #1468

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

ChaseOnTheWeb
Copy link
Contributor

Credit goes to @aditya6298 for creating it, I'm just making the PR.

This PR covers issue #1235.

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #<REPLACE WITH ISSUE NUMBER>.

Thank you again for your contribution 😃

@szh szh added the bug_bash_cincy OWASP Cincinnati 2024 Bug Bash! label Aug 7, 2024
New abbreviation used in Incident Response for Web Applications Cheat Sheet.
…Web_Applications_Cheat_Sheet

Adding "IDS" to `.textlintrc` did not work. The terminology dictionary appears to be case insensitive, and whichever came first of "IDs" and "IDS" would cause the other form to fail.
@szh
Copy link
Collaborator

szh commented Aug 8, 2024

That took care of the "IDS" issue! Now there's a new error:
cheatsheets/Incident_Response_for_Web_Applications_Cheat_Sheet.md:18 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- Employ anomaly detection alg..."]

Also do you mean "Short" instead of "Snort"?

Lint failed with: `cheatsheets/Incident_Response_for_Web_Applications_Cheat_Sheet.md:18 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- Employ anomaly detection alg..."]` because I guess that comment broke up the list item.
@ChaseOnTheWeb
Copy link
Contributor Author

Also do you mean "Short" instead of "Snort"?

Snort is an IDS product. That line looks to be a sample rule for it.

Copy link
Collaborator

@szh szh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, since the text is copied from #1235 which has approval

@szh szh linked an issue Aug 8, 2024 that may be closed by this pull request
@ChaseOnTheWeb
Copy link
Contributor Author

FYI I opened a discussion in textlint-rule-terminology about the IDS/IDs trouble.

Copy link
Member

@jmanico jmanico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is excellent work but I want to wait for others to review before I approve.

@szh
Copy link
Collaborator

szh commented Aug 14, 2024

@kwwall Any chance you can review this? Thanks!

Copy link
Collaborator

@kwwall kwwall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some a semi-random general comments / observations.\

  • Somewhere, we need to point out the steps that you ABSOLUTELY MUST COMPLETE before an incident versus those that you can do during an incident investigation. Because to a large extent, if you don't have certain things already done, you don't have much of a prayer.
  • I'm not convinced this is currently sufficiently detailed to formulate an action-plan. Its more like a general outline of steps. I think that is okay as long as somewhere near the beginning, you clearly set expectations.
  • Looking at some of this (e.g., running with DEBUG logging enabled, without being very specific) comes at a huge cost, especially if you are in the cloud and paying for log storage. Also, there is such a thing as getting overwhelmed by data, especially if that data is unfamiliar to the IR team. If it's unfamiliar, then lots of things look like anomalies. As a result, it may be better to set up canaries (such as honey pots) and use technology such as Tripwire and monitor for those events as likely early warnings.
  • Forgot to mention it earlier, but memory analysis should probably proceed disk analysis because by its very nature, it's more ephemeral.

Lastly, despite all my comments (which I hope you find as constructive rather than as critical), this is a great start and definitely fills a need.

Enable verbose logging: `LogLevel debug`
<!-- textlint-disable terminology -->
- Implement intrusion detection systems (IDS) for real-time monitoring. \
Snort IDS rule example:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that we are OWASP, wouldn't it be better if we had an example with mod_security CRS instead of Snort?

### 3. Containment and Eradication

- Isolate affected systems to prevent lateral movement. \
Network isolation using iptables: `iptables -A INPUT -s <infected_IP> -j DROP`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few things:

  1. Using iptables is likely to confuse a lot of people, especially those only using Windows of BSD (and thus use pfsense).
  2. Only old school Linux system administrators probably still use iptables. Now they likely use either nft (for nftables) or ufw.
  3. When I see something referencing iptables, I usually think of (Linux) host-based firewalls, not a firewall appliance. Host-based firewalls is probably not the place you want to do this from because there are just too many hosts.
  4. Definitely want to log the dropped packets as well. Generally there will already be a rule for that, but it's probably worth mentioning.

For that reason, I would suggest rewriting this something along these lines:

  • Configure your all your relevant network appliance firewalls to drop and log all packets originating from any known compromised IP addresses.


- Isolate affected systems to prevent lateral movement. \
Network isolation using iptables: `iptables -A INPUT -s <infected_IP> -j DROP`
- Employ network segmentation to contain the spread of the incident. \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And if you had led with this, I probably wouldn't have bothered to write out all the details of my previous comment. With this in place, if you want to supplement this network segmentation with additional host-based firewalls for high value target hosts, it may make sense.

Network isolation using iptables: `iptables -A INPUT -s <infected_IP> -j DROP`
- Employ network segmentation to contain the spread of the incident. \
VLAN configuration example: \
`switchport mode access` \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not everyone uses Cisco IOS for this, so since YMMV, I'd recommend using English-based description here. For example "Segment the traffic of the suspected compromised IPs onto their own VLANs".

@@ -0,0 +1,97 @@
# Incident Response for Web Applications Cheat Sheet
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to start off with a confession. IR is not my field of expertise; AppSec is. And while I've worked alongside of people in IR teams (mostly on the digital forensics side of things), I still have relatively little direct experience except what I've absorbed in 25+ years of working with these teams. So take everything you read that I'm commenting on with a huge grain of salt. I am NOT an expert. (If fact, I almost told @szh "no; I don't think I'm qualified to review this".)

Anyway... when I first read this title, I was thinking to myself "what about REST APIs?" Shouldn't they be included, since from an IR perspective, they're not that much different. However, after I read though this, I don't see why you've added the "for Web Applications" at all. This covers way more than HTTP based stuff.

Until we flesh out this skeleton those, I might call it "Incident Response for Beginners Cheat Sheet". Once we add more details, we can drop the "for Beginners".

- Monitor network traffic for signs of malicious activity during the recovery phase. \
Wireshark filter for suspicious traffic: `tcp.flags == 0x02 && ip.src != trusted_IP`
- Validate data integrity to ensure recovered systems are not compromised. \
File integrity validation using md5sum: `md5sum -c integrity_checksums`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MD5? Come on. Really? Collisions could truly come into play here if you are attacked by a Nation State actor. Ditto SHA1. Should at least use sha256sum here.

Of course, the bigger concern is that you actually have an offline copy of 'integrity_checksums' file that you can trust. If you only had an online copy stored on the compromised server, you're probably SOL unless you had a SHA256 digest of that file stored offline and you have a way to verify your checksum file.


### 5. Lessons Learned

- Conduct a thorough post-incident analysis (PIA) to identify vulnerabilities and weaknesses.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You call it PIA, but it's generally what the rest of the world calls root-cause analysis or sometimes a postmortem.

However, if we really want a new acronym, how about 'post-incident trauma analysis' (PITA)? 😜


### 1. Incident Response Plan

- Develop a detailed incident response plan (IRP) specific to web application security.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, this CS does not seem specific to 'web applications', so I'd drop that and maybe just change it to cyber-security.

- Draft incident notification templates for internal and external stakeholders.
- Implement secure communication channels, considering encrypted email and secure messaging apps.

### 3. Evidence Preservation
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You better well have thought of this LONG before now, unless you don't intend prosecution of the perpetrators of the current incident exercise you've been discussing (assuming they are ever caught), as chain-of-custody in handling evidence is extremely important to winning a court case whether it be criminal or civil litigation.


### 3. Evidence Preservation

- Document incidents thoroughly, preserving logs, screenshots, and memory dumps.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea to video tape the process as well.

@kwwall
Copy link
Collaborator

kwwall commented Aug 15, 2024

@kwwall Any chance you can review this? Thanks!

To @szh - Be careful what you ask for. 😉

@mackowski
Copy link
Collaborator

@ChaseOnTheWeb can you respond to comments form @kwwall ;-)

Copy link
Member

@jmanico jmanico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kevin's comments are spot on. Once they are addressed I'd approve of this CS.

@kwwall
Copy link
Collaborator

kwwall commented Dec 20, 2024

@ChaseOnTheWeb - Do you intend to respond? I've had unresolved comments since Aug 14, 2024. If you want a 2nd opinion, I'd sure I can get someone I know who specializes in IR to comment on it, but they'd likely have way more things they would want changed that the relatively minor things I've requested. Please let us know one way or another. It's okay to say "Never mind. I'm not interested in making the requested changes" or "I don't have time" or whatever. No one in this group will think any less of you. But at least then we can close this PR and move on. Thanks in advance for letting us know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug_bash_cincy OWASP Cincinnati 2024 Bug Bash!
Projects
None yet
Development

Successfully merging this pull request may close these issues.

New CS proposal: Incident Response for Web Applications
5 participants