Website Defacement

Sections: Playbook details, Preparation, Identification, Containment, Remediation, CISO Role, IT team
Version: 1.0.0
Be prepared with tools available to aid in both detection and log analysis. A few are listed below: Weblog Expert, Sawmill, Deep Log Analyzer.
Understand the web traffic patterns
Web defacement can be broken down into 2 categories:
- Data on the file system can be modified, for example files modified via FTP, files modified via SMB, or a suspicious user logging in to the server and modifying files.
- Data in a database that sources the web site could be modified. This is typically due to SQL injection.
Have a maintenance page up and available always. With contact details.
Use a reputable automated website scanner that will not cost any of your time and will thoroughly scan your site for vulnerabilities regularly.
Be prepared to defend against common points of exploitation such as SQL injections and XSS attacks
Have up-to-date diagrams describing the application components related to the web server.
Build a backup website up and ready, on which you can publish content.
Define a procedure to redirect every visitor to this backup website.
Deploy monitoring tools to quickly detect any abnormal behaviour on your critical websites.
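One concrete form of the monitoring this item asks for, and one that directly covers the first defacement category listed above (files on the web server altered via FTP, SMB or an interactive login), is a file integrity check of the web root. The following is an added example, not part of the playbook: it records a SHA-256 baseline of every file under a web root, re-hashes the tree later, and reports files that were modified, added or removed. The web root, file names and the "defacement" in `demo()` are all constructed for the self-contained run.

```python
"""Web-root integrity check: detect files added, removed or modified since a baseline.

Added example (not part of the playbook). Paths and sample files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> Dict[str, str]:
    """Map every regular file under webroot (relative POSIX path) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # Keep the baseline outside the web root (ideally off-host) so an attacker who
    # can write to the site cannot silently update it.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences: modified (digest changed), added (new file), removed (missing)."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def check_webroot(webroot: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Re-hash the tree and report every deviation from the stored baseline."""
    return compare(load_baseline(baseline_file), build_baseline(webroot))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then alter a page, drop a file and delete one."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "htdocs"  # hypothetical web root
    (root / "assets").mkdir(parents=True)
    (root / "index.html").write_text("<h1>Welcome</h1>")
    (root / "assets" / "site.css").write_text("body{}")
    baseline_file = tmp / "baseline.json"
    save_baseline(build_baseline(root), baseline_file)
    # Simulated defacement: front page replaced, unexpected script added, stylesheet removed.
    (root / "index.html").write_text("<h1>Defaced</h1>")
    (root / "unexpected.php").write_text("<?php ?>")
    (root / "assets" / "site.css").unlink()
    return check_webroot(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check from a scheduled job and alert on any non-empty category; a legitimate deployment should be followed by a fresh baseline, so an unexplained difference is the signal worth paging on.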
Export the web servers' log files to an external server. Make sure clocks are synchronized between the servers.
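Centralised logs are only useful for reconstructing a defacement if entries from different servers can be placed on one timeline, which is why the clock-synchronisation point above matters. The following added example (not from the playbook) parses access-log lines in the common "combined" format from two hypothetical servers, one logging in UTC and one in UTC+2, normalises the timestamps to UTC, and flags entries a responder would want to look at first: SQL-injection-like query strings (the second defacement category above), write requests to an administrative path, and server errors. The sample lines, server names, IP addresses and the flagging heuristics are all constructed for this example.

```python
"""Normalise exported access logs to UTC and flag entries worth a first look.

Added example (not part of the playbook). Log lines and heuristics are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format from two hypothetical
# servers; web-1 logs in UTC, web-2 in UTC+2 (IPs are documentation ranges).
SAMPLE_LOGS: Dict[str, List[str]] = {
    "web-1": [
        '203.0.113.5 - - [12/Mar/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [12/Mar/2024:09:00:07 +0000] "GET /products?id=7 HTTP/1.1" 200 884 "-" "Mozilla/5.0"',
    ],
    "web-2": [
        '198.51.100.9 - - [12/Mar/2024:11:00:03 +0200] "GET /products?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "curl/8.0"',
        '198.51.100.9 - - [12/Mar/2024:11:00:09 +0200] "POST /admin/upload.php HTTP/1.1" 200 55 "-" "curl/8.0"',
    ],
}

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Deliberately simple indicator of SQL-injection-style tampering in a decoded query string.
SQLI_RE = re.compile(r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$", re.IGNORECASE)


def parse_line(server: str, line: str) -> Optional[dict]:
    """Parse one combined-format line; the %z offset lets us convert every entry to UTC."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"server": server, "ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def flag(event: dict) -> List[str]:
    """Return the reasons (if any) this request deserves attention."""
    reasons = []
    parts = urlsplit(event["path"])
    query = unquote(parts.query)
    if SQLI_RE.search(query):
        reasons.append("sqli-pattern in query string")
    if event["method"] in ("POST", "PUT", "DELETE") and parts.path.startswith("/admin/"):
        reasons.append("write method to admin path")
    if event["status"] >= 500:
        reasons.append("server error")
    return reasons


def analyse(logs: Dict[str, List[str]]) -> List[tuple]:
    """Merge all servers' entries into one UTC-ordered timeline of flagged requests."""
    events = [e for srv, lines in logs.items() for e in (parse_line(srv, ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    timeline = []
    for ev in events:
        reasons = flag(ev)
        if reasons:
            timeline.append((ev["ts"].isoformat(), ev["server"], ev["ip"],
                             ev["method"], ev["path"], reasons))
    return timeline


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOGS):
        print(*entry)
```

Because web-2's entries carry a +0200 offset, the suspicious query lands between web-1's two ordinary requests on the merged timeline; without the offset (or with drifting clocks) the same events would appear two hours apart and the sequence of the intrusion would be misread.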
Reference external content _(static or dynamic)_ and keep a list of each source. Don't forget third-party advertising content.
Be sure your hosting provider enforces policies to log all events.
Make sure you have an up-to-date network map.
Understand the criticality and business impact of the website affected.
Check if it is blocking any business transactions.
Collect any clues as to who the hacker is or what organization they are working for.
Response depends on which company website has been defaced: is the main site impacted, or a sub-site or page belonging to a business unit?
**Backup all data** Backup all data stored on the web server for forensic purposes and evidence collecting. The best practice here if applicable is to make a complete bit-by-bit copy of the hard-disk containing the web server. This will be helpful to recover deleted files.
**Verify location of vulnerability** Check your network architecture map. Verify that the vulnerability exploited by the attacker is not located somewhere else. Check the system on which the web server is running,
Remove all altered content and replace it with the legitimate content, restored from earlier backup. Make sure this content is free from vulnerabilities.
Once the source of the attack has been determined, apply the necessary steps to ensure this will not happen again. This may include modifying code or editing access rights.
If necessary and/or applicable, prepare an apology/explanation of the attack that occurred for users or anyone who witnessed the defacement. Ensure that it is clear that the defacement content does not reflect your organization in any way.
Closely monitor and control access to administrative content. Only allow individuals access to what they need access to. This will reduce the chance of human error leading to cyber attacks.
Leader [Insert Name]
Enable tactical response and coordinate with all stakeholders (war room, regular updates).
The key is to scope the incident: has the adversary gone deeper into the network?
Leader [Insert Name]
Backup servers and interim web pages deployed.