Matthew Gardiner

Detecting and Investigating Webshells – Another Reason for Deepening Your Security Visibility

Blog Post created by Matthew Gardiner Employee on Mar 29, 2016

What would you call a piece of code or a script that runs on a server and enables remote server administration?  If you answered – “Webshell” – you would be correct.  While often used for legitimate administrative purposes, it is also a favored technology used by attackers for illegitimate purposes.  Attackers often infiltrate externally accessible Web servers at their target organizations with Webshells to gain an initial foothold as well as to setup a waypoint in the organization’s DMZ to support the eventual exfiltration of data.


Successfully using a Webshell as a key step in a targeted attack largely rests on the fact that most organizations do not have sufficient – or often any – visibility into their network sessions, thus their ability to effectively detect and understand that something nefarious is going on is extremely limited.  Many organizations still rely on traditional security technologies such as anti-virus, firewalls, and log-centric SIEMs to prevent and detect the use of Webshells and other common attacker techniques and technologies.  Of course, attackers know about such common defensive techniques and respond by hiding their payloads and commands from them.


What should organizations do to combat Webshells (and other hard to find attacker technologies in general)?  Increase the depth of their security visibility using technologies that collect relevant data and provide analytics covering all stages of an attack:  Delivery, Exploit & Installation, Command & Control, & Action.


In the particular case of WebShells full network packet capture provided by products such as RSA Security Analytics, provides the primary visibility needed to detect and understand WebShells and the impact they have had.  With full-packet capture the detection focused analytic algorithms and the human security analysts alike are provided maximum visibility into the Webshell’s initial entry vector, its command-and-control (C2) activity, as well as any data exfiltration that has occurred from the time the Webshell was successfully installed.


Interested in learning more?  RSA has a new series of content focused on showing organizations how to more easily detect and respond to more advanced threats, such as those using WebShells.  The bottom line is it is critical to deepen your security visibility or you literally won’t know what hit you.


He can be followed on Twitter @jmatthewg1234