How to detect and prevent web shells: New guidance from the NSA and the Australian government

Introduction

It’s not every day that the governments of two countries draft joint guidance on any subject, and it is rarer still that they do so for a cybersecurity topic. It may therefore come as a surprise that the United States government (the NSA) and the Australian government (the Australian Signals Directorate, or ASD) have issued joint advisory guidance on how to detect and prevent web shells.

This article describes the joint NSA/ASD Cybersecurity Information Sheet (CSI) and walks through its guidance on detecting web shells, preventing them, and responding to and recovering from them.

A meeting of the minds between the United States government (NSA) and the Australian government

On April 22, 2020, the NSA and ASD released a Cybersecurity Information Sheet (CSI) addressing a common threat — web shell malware. 

Web shells are malicious scripts that attackers place on a victim’s web server (or another internet-facing server) and that can execute arbitrary system commands. They are deployed by exploiting vulnerabilities in web applications or are uploaded to machines that are already compromised, and they serve as backdoors that give the attacker persistent access.

The CSI groups its guidance into three categories: detection, prevention, and response and recovery. This article follows the same structure. It covers the top suggestions rather than the complete list; the full CSI is available from the NSA.

Detection

Comparing with “known-good” web applications

Web shells work by modifying or creating files within a web application. The CSI considers the most effective detection method to be comparing the production version of a web application against a known-good version, for example the vendor’s release package or a clean copy taken from version control. Any discrepancy (a new file, a changed file or a missing file) should be reviewed manually to confirm that it is legitimate.
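The following script is an added example of that comparison, written for this article rather than taken from the CSI or the NSA’s own tooling. It hashes every file under a known-good copy and under the production web root, reports files that were added, modified or removed in production, and puts added or modified files with server-side executable extensions at the top of the manual-review queue, since those are the ones a web shell would use. The sample trees at the bottom are constructed inline so the script runs offline; the paths and contents are illustrative, not taken from any real deployment.

```python
"""Compare a production web root against a known-good copy (added example)."""
import hashlib
import os
from dataclasses import dataclass, field

# Extensions the web server executes server-side. A new or changed file with
# one of these extensions is the classic web shell footprint, so review it first.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx",
                         ".jsp", ".jspx", ".cfm"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root: str) -> dict:
    """Map each relative path under a real directory to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as handle:
                digests[rel] = sha256(handle.read())
    return digests


def digest_tree(files: dict) -> dict:
    """Same shape as load_tree, but for an in-memory {path: bytes} tree."""
    return {path: sha256(content) for path, content in files.items()}


@dataclass
class Discrepancies:
    added: list = field(default_factory=list)      # in production only
    modified: list = field(default_factory=list)   # present in both, content differs
    missing: list = field(default_factory=list)    # in the known-good copy only

    def review_first(self) -> list:
        """Added or modified files the server would execute: top of the review queue."""
        return sorted(p for p in self.added + self.modified
                      if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTENSIONS)


def compare_trees(known_good: dict, production: dict) -> Discrepancies:
    """Diff two {path: digest} maps. Every discrepancy is reviewed by a human;
    this only decides which ones to look at first."""
    result = Discrepancies()
    for path, digest in production.items():
        if path not in known_good:
            result.added.append(path)
        elif known_good[path] != digest:
            result.modified.append(path)
    result.missing = sorted(p for p in known_good if p not in production)
    result.added.sort()
    result.modified.sort()
    return result


# Constructed sample trees (hypothetical paths and contents, for illustration only).
KNOWN_GOOD = {
    "index.php": b"<?php require 'includes/config.php'; ?>",
    "includes/config.php": b"<?php $db = 'app'; ?>",
    "css/style.css": b"body { margin: 0; }",
    "uploads/.htaccess": b"php_flag engine off",   # blocks script execution in uploads/
}
PRODUCTION = {
    "index.php": b"<?php require 'includes/config.php'; ?>",
    "includes/config.php": b"<?php $db = 'app'; ?>\n// unexpected trailing code",
    "css/style.css": b"body { margin: 0; }",
    # .htaccess is gone and a script appeared in the upload directory.
    "uploads/image.php": b"<?php /* unexpected script in uploads */ ?>",
}


def demo() -> Discrepancies:
    return compare_trees(digest_tree(KNOWN_GOOD), digest_tree(PRODUCTION))


if __name__ == "__main__":
    report = demo()
    print("added:   ", report.added)
    print("modified:", report.modified)
    print("missing: ", report.missing)
    print("review first:", report.review_first())
```

Two caveats a practitioner would want. First, the known-good copy must come from somewhere the attacker could not have touched (the vendor’s package or your own repository), not from the same server a week earlier. Second, some paths legitimately differ between environments (configuration files, user uploads, caches), so maintain an explicit allowlist of expected differences rather than learning to ignore the noise; a missing `.htaccess` in an upload directory, as in the sample above, is exactly the kind of “expected noise” that deserves a look.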

It should be noted (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/4yTz0X0iSnU/