This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting and Investigating Webshells – Another Reason for Deepening Your Security Visibility

Anonymous
Not applicable
‎2016-03-29 12:19 PM

What would you call a piece of code or a script that runs on a server and enables remote server administration?  If you answered – “Webshell” – you would be correct.  While often used for legitimate administrative purposes, it is also a favored technology used by attackers for illegitimate purposes.  Attackers often infiltrate externally accessible Web servers at their target organizations with Webshells to gain an initial foothold as well as to setup a waypoint in the organization’s DMZ to support the eventual exfiltration of data.

 

Successfully using a Webshell as a key step in a targeted attack largely rests on the fact that most organizations do not have sufficient – or often any – visibility into their network sessions, thus their ability to effectively detect and understand that something nefarious is going on is extremely limited.  Many organizations still rely on traditional security technologies such as anti-virus, firewalls, and log-centric SIEMs to prevent and detect the use of Webshells and other common attacker techniques and technologies.  Of course, attackers know about such common defensive techniques and respond by hiding their payloads and commands from them.

 

What should organizations do to combat Webshells (and other hard to find attacker technologies in general)?  Increase the depth of their security visibility using technologies that collect relevant data and provide analytics covering all stages of an attack:  Delivery, Exploit & Installation, Command & Control, & Action.

 

In the particular case of WebShells full network packet capture provided by products such as RSA Security Analytics, provides the primary visibility needed to detect and understand WebShells and the impact they have had.  With full-packet capture the detection focused analytic algorithms and the human security analysts alike are provided maximum visibility into the Webshell’s initial entry vector, its command-and-control (C2) activity, as well as any data exfiltration that has occurred from the time the Webshell was successfully installed.

 

Interested in learning more?  RSA has a new series of content focused on showing organizations how to more easily detect and respond to more advanced threats, such as those using WebShells.  The bottom line is it is critical to deepen your security visibility or you literally won’t know what hit you.

 

He can be followed on Twitter @jmatthewg1234

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.