Life-cycle of a security incident: from detection to response

Uploading a dangerous payload

What happens if a system is not secured by design? If you are lucky enough to have an effective security process somewhere in your company, there is a chance you intercept the project before it goes live. However, during his speech Giovanni showed an example where a security issue was there in a production environment. We knew about this web application only after the IT department deployed it and it was actively used by the users.

Demo time: exploit the RCE

This kind of attack is called RCE, Remote Code Execution, and is one of the worst vulnerabilities. It needs to be fixed as soon as possible.

  • go offline: shutdown the system until developers fix the issue;
  • stay online: mitigate the risk while keeping the system online.

Mitigate the risk of keeping the system online

Let’s imagine to go for keeping the system online, trying to mitigate the vulnerability risk. The first thing to do is understanding the scenario and collecting relevant logs. In the case shown by Giovanni, the web application run on an IIS Web server with ASPX on Windows.

  • collect the logs;
  • find the IIS log directory;
  • send the logs to a central log collector (configure a local agent to monitor in real-time the IIS logs and send them to the central collector that keep also a secure copy of the log files — it can also be useful in case of forensic activities);
  • analyse logs while the problem is happening;
  • find attack patterns.

Write your own detection rule

We are now ready to write our detection rule. To this end, we need to:

  • identify pattern unique fields: starting from the log analysis, we look for unique fields into the logs while the attack happens;
  • minimise the false positives: the goal is to be accurate to reduce the number of false positives, so security analysts will only work on real events;
  • schedule a search for the pattern: no one can identify the pattern by hand, we have to automate the detection phase;
  • create an alert: when the event happens an action will be executed, a script is called that will open a ticket on our service desk platform.

Respond to the incident

We are now ready to react to the attack. While the attack happens we are notified on our service desk and we can easily see the attack details. Having all process phases and procedures in place, we can react.

Final remarks

It is clear that, in my view, security is an enabler and not a blocker!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



We help tech communities to grow worldwide, providing top-notch tools and unparalleled networking opportunities.