
NOC REPORTING TEMPLATE

Date Updated: 1/28/2022 Name: Jason Jeffares

A. Introduction
This vulnerability and its exploitation within the Psinuvia network were discovered through additional scanning
and analysis of the network, including deeper scans not normally performed during routine network monitoring
and analysis. The Psinuvia Board of Directors requested this work because of recent media attention to reports
of similar exploits against other businesses across the county and their associated internet presence.

B. Scan Summary
Scan results yielded numerous vulnerabilities on several systems within the Psinuvia network. The host that
was compromised is assigned IP Address 172.20.1.131; a total of 106 vulnerabilities were found on this
system, with 4 being considered “Serious” and another 32 noted as “High”.

Additional analysis and evaluation of scan data uncovered a compromise of the above-mentioned host through its
unpatched Apache web server, using a combination of SQL injection and cross-site scripting attacks.

Several potential attacks on the host 172.20.1.129 were also observed. SSH and an additional Apache web
server are running on this system. The Alarms report notes several brute-force attempts against the SSH
service; numerous other attacks were directed at this host, for a total of 3,690 attacks. Additional analysis is
needed to determine the extent of any intrusion into this host.

Basic Assessment

1. Has the information been confirmed to be correct and accurate?
a. Analysis by multiple individuals within the Incident Response Team has led to the same
conclusion, which confirms the initial analysis.
2. Who, what, when, where, why, and how?
a. A SQL injection attack was carried out against the host at 172.20.1.131 by way of the Apache web
server running on port 80, targeting the PHP web application and its associated database. The
injection was possible because the application passed unvalidated form input directly into its
database queries; the out-of-date versions of the web server and PHP installed on the host also
carried unmitigated vulnerabilities.
3. What information is available from the firewall, router, server, system, intrusion detection system (IDS),
system logs, etc.?
a. Vulnerability Scan information, and the Alarms Report, along with NMAP output are the only
pieces of information currently available to evaluate, mitigate, and recover from this incident.
4. What type of data is involved, and what is its classification?
a. The incident involves a company web application and an associated database, but the contents
and structure of the database are not currently available to the team. Given the business
nature of the web application and its purpose, the data could be considered "sensitive" or
"confidential".
5. Are there obscenities, child pornography, or confrontational data?
a. Given the nature of the affected system, the inference would be “no” – the information would be
assumed to be completely business related, however, without direct access to the information
the assumption cannot be confirmed.
6. Is there criminal activity?
a. Additional analysis of the affected system is required to determine if there was any loss or theft
of data as a result of this incident.
7. Is the data protected by an encryption solution?
a. At the time of the incident, the affected system was not using transport encryption (such as
TLS) for the web application, nor was the connection between the web application and its
associated database encrypted.
8. What is the magnitude of the systems being impacted?
a. The affected system serves a critical web application, and its associated database contains
sensitive or confidential business-related information, making the incident a high magnitude.
9. Is the event still in progress?
a. Based on the information provided, it cannot be determined if the event is still in progress.
Additional reports from the IDS would be required to make such a determination.
10. Has preliminary containment been performed (i.e., disable account, reset password, remove remote
access, isolate device in segregated segment)?
a. Upon discovery of the incident, the affected hosts were removed from the network to prevent
any additional potential effects from a continued attack or a recurrence of the same incident.
11. What is the estimated value of the impacted systems?
a. Until additional analysis is performed on the affected system, the team is not able to determine
a value of the impacted system; this is mainly dependent on the outcome of the analysis to
determine if any data was lost or stolen. However, regardless of that outcome, there will be a
detrimental effect to the company’s reputation.
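The injection described in item 2 above, as an added example that is not part of this report or of the Psinuvia application: a login check that concatenates form input into its SQL, beside the same check with bound parameters. The table, user records and attack string are constructed for illustration (the real application's schema is not available to the team); the database is an in-memory SQLite instance standing in for the application's backend.

```python
"""
SQL injection via unvalidated form input: a login check that builds its
query from strings, beside the same check with bound parameters.
Added example; the schema, users and attack string are constructed for
illustration and do not come from the Psinuvia application.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's database (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Clear-text passwords only to keep the example short; store hashes in practice.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The incident pattern: form fields concatenated straight into SQL.
    A quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends input as data, so
    quotes and comment markers never alter the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic bypass: closes the username literal, makes the WHERE always true,
# and comments out the password check.
BYPASS = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, bypass      :", login_vulnerable(db, BYPASS, "anything"))
    print("safe, valid creds       :", login_safe(db, "alice", "correct horse"))
    print("safe, bypass            :", login_safe(db, BYPASS, "anything"))
```

With the concatenated query, the bypass string turns the statement into `... WHERE username = '' OR 1=1 --' AND password = 'anything'`, which matches every row; the parameterized version looks for a user literally named `' OR 1=1 --` and finds none. Parameter binding is the fix; input validation and a WAF (section F) are additional layers, not substitutes.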

C. Detailed Analysis

1. Performed an NMAP scan of the internal network to identify open ports, and the services available
through those open ports across all devices on the network.
2. Performed a Vulnerability Scan with AlienVault OSSIM.
3. Identified vulnerabilities on several machines on the network, with the most severe being on the Host at
172.20.1.131.
4. Retrieved an Alarms Report, also from AlienVault OSSIM.
5. Identified the most exploited vulnerability on the network: SQL injection attempts.
6. Correlated the information from all applicable scans to confirm that the host at 172.20.1.131 was
the target, and victim, of exploitation due to its outdated PHP instance and outdated Apache HTTP
Server instance. These out-of-date services lack the most current security fixes, leaving them open
to active exploitation.
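As an added example, not taken from the OSSIM alarms report or from any Psinuvia log, the two detections this analysis relies on: SQL injection attempts in Apache access log lines (item 5 above) and brute-force attempts against SSH on 172.20.1.129 (section B). The log lines, addresses and hostname are constructed; the regular expressions assume Apache's combined log format and OpenSSH's "Failed password" message, and the signatures are a starting set, not a complete one.

```python
"""
Triage of two alarm types from the analysis: SQL injection attempts in
Apache access logs and SSH brute-force attempts in sshd auth logs.
Added example: the log lines, addresses and hostname below are constructed
and are not from the Psinuvia environment or the OSSIM alarms report.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined log format (assumed); captures client IP, request target, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures applied to the URL-decoded request target.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR 1=1, ' OR 'a'='a
    re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),      # UNION SELECT
    re.compile(r"'\s*(?:--|#|/\*)"),                             # quote then SQL comment
    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),    # time-based probes
]

# OpenSSH failed-authentication message (assumed format).
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def flag_sqli_requests(lines):
    """Return (client_ip, decoded_target) for each request matching a SQLi signature."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = decode_target(m["target"])
        if any(p.search(target) for p in SQLI_PATTERNS):
            hits.append((m["ip"], target))
    return hits


def ssh_bruteforce_sources(lines, threshold: int = 5):
    """Count failed SSH logins per source IP; return sources at or above threshold."""
    counts = Counter()
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample data (not real logs). 203.0.113.7 and 198.51.100.23 are
# documentation addresses standing in for external attackers.
ACCESS_LOG = """\
203.0.113.7 - - [28/Jan/2022:09:58:11 -0500] "GET /login.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jan/2022:09:58:40 -0500] "POST /login.php?user=admin%27+OR+1%3D1--&pass=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jan/2022:09:59:02 -0500] "GET /item.php?id=5+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.14 - - [28/Jan/2022:10:01:15 -0500] "GET /item.php?id=5 HTTP/1.1" 200 1764 "-" "Mozilla/5.0"
10.0.0.14 - - [28/Jan/2022:10:01:30 -0500] "GET /search.php?q=rock+and+roll HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jan/2022:10:03:07 -0500] "GET /item.php?id=5%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 2210 "-" "curl/7.81"
"""

SSH_LOG = """\
Jan 28 10:02:01 web02 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 28 10:02:03 web02 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 28 10:02:05 web02 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 28 10:02:07 web02 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan 28 10:02:09 web02 sshd[2209]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 28 10:02:11 web02 sshd[2211]: Failed password for root from 203.0.113.7 port 51252 ssh2
Jan 28 10:04:30 web02 sshd[2230]: Failed password for jason from 10.0.0.14 port 40122 ssh2
Jan 28 10:04:35 web02 sshd[2230]: Accepted password for jason from 10.0.0.14 port 40122 ssh2
"""

if __name__ == "__main__":
    for ip, target in flag_sqli_requests(ACCESS_LOG.splitlines()):
        print(f"SQLi attempt from {ip}: {target}")
    for ip, n in ssh_bruteforce_sources(SSH_LOG.splitlines()).items():
        print(f"SSH brute force from {ip}: {n} failed logins")
```

The last access-log line is double URL-encoded, which a single decode pass would miss; the repeated decode is what lets the signature match it. In production the SSH counter should be bounded to a time window (the syslog lines above carry no year, so none is applied here), and a single user's typo from an internal address, as with 10.0.0.14, stays below the threshold.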

D. Scan Response

After initial analysis of the scan results and the large number of SQL Injection attempts, the Security Manager
and the Incident Response Team were notified, as per policy, by email with an initial report of the incident
attached.
Following this initial notification, the Web Team was activated to begin preparing remediation updates to the
affected services.
Event Level: High – a consensus was formed by the team initially investigating the incident to classify this
event as a Level: High event. This is mostly due to the nature of the data contained on the affected system –
business-sensitive – and its role as a public-facing production server.
The incident will be escalated, as per policy to the Chief Technology Officer, Chief Information Security Officer,
Director of Security Operations, and the Legal Department.
The initial response must be completed within 2 hours. Continuing updates must be made hourly until services
are restored.

E. Remediation
Given the affected host's role as a public-facing server, the best initial response is to disconnect the host from
the network but leave the system running. This will, unfortunately, render the Company's internet presence
temporarily unavailable while remediation occurs. Disconnecting the system removes the possibility that the
intrusion continues or recurs; leaving it running preserves volatile evidence (running processes, open network
connections, memory contents) of the attacker and their methods. Given the nature of the affected system, the
recommended sequence is to capture a forensic image of the machine (memory first, then disk, with hashes
recorded for chain of custody) before anything on it is changed, examine any latent volatile evidence that remains
on the primary system, remediate the vulnerabilities on the existing production machine and place it back in
service as soon as appropriate. Further examination of the image can then be performed to determine what, if
any, data was exfiltrated from the system.

F. Recommendations
Administrative Controls:
1. Implement regularly scheduled cybersecurity training for employees, with quarterly topics to keep
employees thinking about cybersecurity.
2. Planned phishing simulations, to help employees better recognize phishing email.
3. Increase vulnerability scanning frequency and, concurrently, the frequency at which updates are
provisioned to servers, to better manage and mitigate vulnerabilities.

Technical Controls:
1. Deploy a Web Application Firewall where appropriate, providing an additional layer of protection
against attacks.
2. Implement CAPTCHA (or reCAPTCHA) to mitigate automated attack vectors.
3. Implement encryption for all data, especially at rest and in transit.
