LetsDefend SOC Walkthrough | SOC142 — Multiple HTTP 500 Response
Hello! TopCyberDawg here still taking down alerts from the SOC on the LetsDefend platform. In my pursuit to become a seasoned SOC analyst, my goal is to overexpose myself to practical labs and SOC alerts to prepare myself for when the opportunity knocks.
Thankfully LetsDefend has an amazing platform that mimics a security operation center — allowing users to work alerts pertaining to different security scenarios. They recently did an overhaul on the look of the site and it’s a huge improvement visually in my opinion! *KUDOS*
So walk with me as I dive into another alert…struggle a bit and sharpen my security skills!
What is LetsDefend?
LetsDefend is a hands-on Blue Team training platform that enables people to gain practical experience by investigating real cyber attacks inside a simulated SOC.
I’m a VIP member and find great value in package so far.
What is a SOC?
A Security Operations Center (SOC) is like the command center of an organization’s cybersecurity defense. It monitors digital activities, detects and analyzes threats, and takes action to protect against and respond to cyber incidents, using a combination of technology, processes, and skilled personnel.
What are HTTP response codes?
HTTP response codes are standardized codes sent by a web server to
indicate the result of a client's request. They are part of the HTTP
protocol and help the client understand whether the request was successful,
if there were errors, or if further action is needed. Different HTTP attacks?
HTTP attacks are various forms of cyberattacks that exploit vulnerabilities in the HTTP protocol or web applications.
Here are some common types of HTTP attacks:
- Denial of Service (DoS):
Attackers overwhelm a server with excessive requests, making it unavailable to legitimate users. This can be achieved through techniques like HTTP flooding.
- Distributed Denial of Service (DDoS):
Similar to DoS but involves multiple compromised systems (botnets) attacking a single target, amplifying the traffic.
- SQL Injection (SQLi):
Attackers inject malicious SQL queries into input fields, potentially gaining unauthorized access to a database and manipulating or extracting data.
- Cross-Site Scripting (XSS):
Attackers inject malicious scripts into web pages viewed by users, enabling them to steal cookies, session tokens, or other sensitive information.
- Cross-Site Request Forgery (CSRF):
An attacker tricks a user into executing unwanted actions on a web application where they are authenticated, potentially compromising user accounts.
- Man-in-the-Middle (MitM):
Attackers intercept and alter communication between the client and server, potentially stealing sensitive data or injecting malicious content.
- Directory Traversal:
Attackers exploit improper validation of user input to access restricted directories and files on the server.
- Session Hijacking:
Attackers capture session tokens to gain unauthorized access to a user’s session, often through methods like XSS or network sniffing.
- Remote File Inclusion (RFI):
Attackers exploit vulnerabilities to include remote files, potentially allowing execution of malicious scripts on the server.
- Credential Stuffing:
Automated attacks using stolen username-password pairs to gain unauthorized access to accounts on various sites.
Event ID 89: — Multiple HTTP 500 Response
Based on the information that the alert provided, it appears that there is a server in our environment that may be compromised due to consecutive HTTP 500 responses.
Table of Contents- Check SOC ticket queue
- Take ownership
- Create case
- Utilize Playbook
- Detection
- Analysis
- Containment
- Remediation
- Report Artifacts & IOCs
- Close ticketCheck the SOC ticket queue
Task 1
The Security Operations Center (SOC) ticket queue is a critical component in managing and responding to cybersecurity incidents. The reasons are Incident Tracking and Management, Prioritization and Triage, Accountability, Reporting, Trend Analysis, and Compliance and Audit Readiness.
LetsDefend’s practice SOC features 3 tabs named “Main Channel, Investigation Channel, and Closed Alerts”.
Navigate to the SOC by clicking “Practice” tab and select “Monitoring” then click the “Main Channel” tab.
Now we can see our SOC ticket queue and see some alerts with various severity levels.
Take ownership
Task 2
Each ticket in the queue is typically assigned to a specific analyst or team, ensuring clear responsibility and accountability for incident resolution. This fosters a structured and organized approach to incident management.
EventID: 89 will allow us to get some reps in with alert’s dealing with SQL based attack.
Create case
Task 3
Creating a case allows the SOC to prioritize incidents based on severity and potential impact. This helps ensure that the most critical issues are addressed first, optimizing resource allocation and response times.
We have already decided to investigate EventID: 89 and will click the icon under “Action” to make it official.
Utilize Playbook
Task 4
Playbooks are crucial for a Security Operations Center for several reasons. A couple of those reasons are Consistency and Standardization. Playbooks ensure that incident responses are handled consistently across the team. By standardizing procedures, SOC analysts can respond to threats in a uniform manner, reducing the chances of errors or missed steps.
Once we have our case created we can begin running plays from our playbook.
Detection
Task 5
As Analysts, we must verify whether this alert is a true positive or a false positive. But more important we need to understand the why.
Let’s verify some crucial details within our alert.
Note: The potential attack was "Allowed"Analysis
Task 6
Analysis in cybersecurity is essential for maintaining a robust security posture, enabling organizations to detect and respond to threats effectively, manage risks, ensure compliance, and continuously improve their security strategies.
Let’s check out the noted IP in our alert.
Virustotal does not like this IP at all. Let’s check with Abuseipdb and see what they have to say about the address.
This address is out of our network with origins from Hong Kong and has been flagged as malicious.
Yes, We can mark this as “Malicious” and answer the next question.
Next up…
Let’s check our endpoint network details to see if inappropriate conversations were made.
The malicious IP can be seen talking with our endpoint.
2021-04 19 77:05 -------- 101.32.223[.]119
Let’s dive into the network logs and get some truth in the details.
We can see a ton of events were found based on our query search. Let’s take a peak at some of these initial events.
This syntax is often used to manipulate or extract data from a database by injecting SQL commands into a web application’s input fields. The attacker met failure with the response code 500.
They continued throwing a handful of different SQL injection requests on the server. Some requests were successful and many others failed.
We received or saw no information that this was a planned test in our environment.
Containment
Task 7
Containment plays a pivotal role in cybersecurity by limiting the impact of security incidents, protecting data and operations, facilitating effective incident response, preserving evidence for forensic analysis, and ensuring compliance with legal and regulatory requirements.
Based on what we have uncovered during our investigation it would be wise for us to contain this server endpoint to prevent further damages.
Remediation actions
Task 8
Remediation is a fundamental component of a robust cybersecurity strategy. It involves fixing vulnerabilities and addressing security issues to prevent exploitation, protect data, maintain operations, and comply with regulations, ultimately contributing to a more secure and resilient organization.
- Isolate the compromised machine from the network to prevent the attacker from accessing other resources and systems within the organization.
- Input Validation.
- Implement custom error handling that does not reveal sensitive information about the database or application logic.
- Regular Security Audits.
Implementing these steps can significantly reduce the risk of SQL injection attacks and enhance the overall security of your systems.
Report Artifacts & IOCs
Task 9
Once we’ve completed the analysis, we will document the findings in the “Analyst Note” section.
The document should include your reasoning, relevant data or observations, and steps taken during your investigation. It is critical as it provides a record of your analysis and can be used for future reference or in resolving similar alerts.
Close ticket
Task 10
The alert needs to be analyzed to determine if it is a true positive or a false positive. A true positive means the alert is legitimate and requires further action, whereas a false positive means that the alert is a false alarm.
Once the playbook has been completed and all inquiries have been dealt with, including the analysis phase, we must return to the Monitoring page within the Investigation channel to officially close the alert.
Navigate to “Monitoring” section and “Investigation Channel”.
Click the close alert icon (Check symbol) to the far right.
Are newly closed alert can now be found in the “Closed Alerts” tab.
We can then see that under the “Results” column we have passed the investigation and can click the check icon to see a final report write-up on the entire investigation.
Conclusion
The SOC alert we investigated was an alert linked to the detection of several HTTP 500 responses on our SQL server. The attacker utilized SQL injection on our server endpoint and through analysis techniques we confirmed the attack was malicious and unsuccessful/successful. This alert was great in providing further exposure to a common threat an organization may encounter.
Please consider following my journey on my social media accounts below. I will catch you all in the next one, peace.
Linkedin: @tijanhydara
Instagram: @topcyberdawg
Twitter: @topcyberdawg
YouTube: @topcyberdawg
