Threat Hunting and HTML Response Size

Introduction

Imagine that you are sitting at your workstation at work and you notice that your environment is experiencing a higher than usual HTML response size coming from your database that contains credit card information of your clients. You think that this may be caused by data exfiltration by an attacker. What should you do? This article will explore the relationship between threat hunting and HTML response size and what you as an Information Security professional can do about it.

Indicators of Compromise

Indicators of Compromise, or IoCs, are pieces of forensic data “breadcrumbs” that Information Security professionals use to track down potential threats in their environments. This normally translates to odd or unusual activity on a network and systems that can help you spot an attacker quickly and easily so that appropriate action can be taken to mitigate and neutralize the threat.

HTML Response Size as an Indicator of Compromise

HTML Response Size is an important IoC to take into consideration when threat hunting. In fact, according to a McAfee Labs Threat Report, HTML Response Size was used by 44% of threat hunters as an IoC that they rely upon when conducting a threat investigation. Of all data to be concerned with, why is HTML Response Size So Important?

According to Kyle Adams, Chief Software Architect for Junos WebApp Secure at Juniper Networks, the answer is quite simple. If the attackers use SQL injection to extract data through a Web Application, requests issued by the Web Application will issue responses that are markedly larger than what is normally issued. For example, your HTML response size is normally around 260 KB and what you are looking at is 50MB. This is easy to spot and should be a red flag for threat hunters.

SQL Injection

SQL Injection is one of (Read more...)