Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  
  ShadowPlex Threat Hunting
  Rapid threat investigation capabilities for SOC efficiency
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Breach Detection
  Active Defense for breach detection and response, both in on-premises and cloud workloads
  
  Identity Threat Detection & Response
  Visibility into Identity attack surface and effective detect & respond solution for identity attacks
  
  OT / ICS Security
  Passive and low-risk agentless solution that is easy to deploy
  
  Active Directory Protection
  Visibility into AD attack surfaces and detection of AD Attacks
  
  Threat Hunting
  Active threat hunting, based on targeted deception, to confirm hunting hypothesis
  
  Ransomware
  AI-Driven Advanced Deception Technology to combat even zero-day Ransomware
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
Resources
- Blog
- Events
- In the News
- Press Releases
- Analyst Reports
- Data Sheets
- E-Books
- Webinars
- White Papers
- Case Studies
Partners
- Strategic Partners
- Technology Partners
Company

Deception Centric Architecture to prevent Breaches involving WebServer.

by Team Acalvio | December 11, 2017

Web Server is becoming one of the critical vector which have been exploited by a threat actor to breach an organization. Breach at Equifax is one such example, affecting 143 million customers. In this breach, a threat actor could access the internal network and exfiltrate the confidential data by exploiting a vulnerability in a Web Server[1]. The blog first presents one of the flow of steps in a breach which involved web server as an entry vector. The blog then presents the deception based architecture which can be used to detect and divert a threat actor to the deception and engagement platform.

As a part of the first step a web server gets compromised which can be done by exploiting remote code execution vulnerability [2] or a SQL injection vulnerability. The next steps involve involves identifying the high valued assets such as databases, FTP servers in the organization which is connected to the web server.

Figure 1.0 China Chopper WebShell Code

These databases or FTP servers are then accessed either by compromised credentials or by brute force attempts leading to accessing these high-value assets. Figure 1.0 shows the code from china chopper web shell used to connect and perform queries to the SQL server.

Figure 2.0 View for a Threat Actor for a Breach involving Webserver

Deception centric solution as a part of first step involves placing breadcrumbs and honey flows from the web server. These breadcrumbs and honey flows are strategically crafted as per the understanding of the past breaches and the malicious files used by the threat actors. The solution then projects deceptions such as SQL server, FTP server inside the network. In the case of a breach, a threat actor will accesses these breadcrumbs and will gets diverted to the deceptions such as honey databases, honey FTP servers, etc. preventing the real assets storing critical data. The probability of deceptions such as Honey Databases, FTP servers getting legitimately accessed via breadcrumbs at web server is negligible. Hence any access of deception via breadcrumbs on the web server becomes an instant indicator of breach with a probability close to 100%.

Figure 3.0 View for an Threat Actor having deceptions in case of breach.

Web Servers are one of the critical assets which have actively been used by threat actor for breaching an organization and compromising the critical data. Distributed deception centric architecture provides a definite manner for detecting breaches which involve web server as an initial entry vector. The architecture also ensures that there is no extra computational overhead on the web server making it a recommended or rather a must detection architecture to prevent the breach involving web servers as an entry vector.

References:

[1 ] Equifax officially has no execuse, https://www.wired.com/story/equifax-breach-no-excuse/

[2] Responding Attack on Apache Struts, https://www.fireeye.com/blog/threat-research/2013/08/responding-attacks-apache-struts2.html