RSA NetWitness Platform Blog, posts by author Matthew Gardiner

What would you call a piece of code or a script that runs on a web server and lets whoever can reach it administer the server remotely?  If you answered "Webshell", you would be correct.  A Webshell is a server-side script, typically written in a language the web server already executes (PHP, ASP.NET, JSP), that accepts commands inside an ordinary HTTP request and runs them on the host.  While such scripts are sometimes used for legitimate administrative purposes, they are also a favored tool of attackers.  Attackers often plant Webshells on their target organization's externally accessible web servers to gain an initial foothold, and then use that server as a waypoint in the organization's DMZ from which to stage and eventually exfiltrate data.


A Webshell succeeds as a key step in a targeted attack largely because most organizations have insufficient, and often no, visibility into their network sessions, so their ability to detect and understand that something nefarious is going on is extremely limited.  Many organizations still rely on traditional security technologies such as anti-virus, firewalls, and log-centric SIEMs to prevent and detect Webshells and other common attacker tools.  These controls are poorly placed to see a Webshell: its commands travel inside ordinary HTTP or HTTPS requests to a server the firewall must already allow, and the web server logs each one as just another request to a script.  Attackers know this and hide their payloads and commands accordingly, for example by carrying the command in a POST body or a cookie rather than in a URL that would stand out in a log.


What should organizations do to combat Webshells (and hard-to-find attacker technologies in general)?  Increase the depth of their security visibility using technologies that collect the relevant data and provide analytics covering every stage of an attack: delivery, exploit and installation, command and control, and action on objectives.


In the particular case of Webshells, full network packet capture, as provided by products such as RSA Security Analytics, gives the primary visibility needed to detect Webshells and understand the impact they have had.  With full packet capture, detection-focused analytics and human security analysts alike get maximum visibility into the Webshell's initial entry vector (the upload or exploit request that placed it), its command-and-control (C2) activity (the stream of requests and responses that carry commands and their output), and any data exfiltration that has occurred since the Webshell was installed.  One caveat applies: where the traffic is TLS-encrypted, the capture must be paired with decryption, or taken at a point where the plaintext is available, for these session details to be visible.
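To make the three kinds of session-level evidence concrete (entry vector, C2, exfiltration), here is an added example of the sort of detection logic an analyst could run over HTTP sessions reassembled from packet capture.  It is illustrative code written for this page, not RSA Security Analytics' own logic, and the session records, field names, client addresses, script path and byte thresholds are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP session records standing in for sessions reassembled from
# packet capture. The field names (src, uri, method, ua, referer, body,
# resp_bytes) and all values are assumptions made for this example.
SESSIONS = [
    # Ordinary browser visitors to the public site.
    {"src": "203.0.113.10", "method": "GET", "uri": "/index.php",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0", "referer": "", "body": "", "resp_bytes": 5120},
    {"src": "203.0.113.11", "method": "GET", "uri": "/index.php",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "referer": "", "body": "", "resp_bytes": 5120},
    {"src": "203.0.113.12", "method": "GET", "uri": "/news.php?id=7",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/68.0",
     "referer": "https://www.example.com/index.php", "body": "", "resp_bytes": 9800},
    # One external client driving a script that nobody else ever requests.
    {"src": "198.51.100.7", "method": "GET", "uri": "/images/up.php?cmd=whoami",
     "ua": "python-requests/2.19", "referer": "", "body": "", "resp_bytes": 64},
    {"src": "198.51.100.7", "method": "POST", "uri": "/images/up.php",
     "ua": "python-requests/2.19", "referer": "",
     "body": "cmd=tar+czf+/tmp/h.tgz+/var/www/html/uploads", "resp_bytes": 32},
    {"src": "198.51.100.7", "method": "GET", "uri": "/images/up.php?cmd=cat+/tmp/h.tgz",
     "ua": "python-requests/2.19", "referer": "", "body": "", "resp_bytes": 48_000_000},
]

COMMAND_PARAMS = {"cmd", "exec", "command", "execute", "run", "shell", "c"}
BROWSER_PREFIXES = ("Mozilla/", "Opera/")
SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp")
EXFIL_BYTES = 10 * 1024 * 1024   # assumption: 10 MiB from one script to one client

def request_params(session):
    """Parameter names from the query string plus, for POST, the form body."""
    params = parse_qs(urlsplit(session["uri"]).query, keep_blank_values=True)
    if session["method"] == "POST":
        params.update(parse_qs(session["body"], keep_blank_values=True))
    return set(params)

def score_sessions(sessions):
    """Map (client, script path) -> sorted reasons that pair looks Webshell-like."""
    clients_per_path = defaultdict(set)
    for s in sessions:
        clients_per_path[urlsplit(s["uri"]).path].add(s["src"])
    bytes_out = defaultdict(int)
    reasons = defaultdict(set)
    for s in sessions:
        path = urlsplit(s["uri"]).path
        key = (s["src"], path)
        bytes_out[key] += s["resp_bytes"]
        # C2 indicator: a parameter named like a command channel.
        if request_params(s) & COMMAND_PARAMS:
            reasons[key].add("command-style parameter")
        # Operator tooling rather than a browser, and no page led the client here.
        if not s["ua"].startswith(BROWSER_PREFIXES) and not s["referer"]:
            reasons[key].add("non-browser client with no Referer")
        # A script on the site that only one client in the capture ever asks for.
        if path.endswith(SCRIPT_SUFFIXES) and len(clients_per_path[path]) == 1:
            reasons[key].add("script requested by a single client only")
    # Exfiltration indicator: the script returned far more data than a page would.
    for key, total in bytes_out.items():
        if total >= EXFIL_BYTES:
            reasons[key].add(f"{total} bytes returned to one client (possible exfiltration)")
    return {key: sorted(r) for key, r in reasons.items()}

def suspects(sessions, min_reasons=2):
    """Pairs that trip at least min_reasons rules; any single rule is noisy on its own."""
    return {k: v for k, v in score_sessions(sessions).items() if len(v) >= min_reasons}

if __name__ == "__main__":
    for (client, path), why in suspects(SESSIONS).items():
        print(client, path, "->", "; ".join(why))
```

Note that the legitimate visitor to /news.php trips the "single client" rule on its own, which is why the example only reports pairs that match two or more indicators; the point is that each signal is weak in isolation and that the session detail needed to combine them (parameters, headers, response sizes) is exactly what a log-only view lacks.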


Interested in learning more?  RSA has a new series of content focused on showing organizations how to more easily detect and respond to more advanced threats, such as those using Webshells.  The bottom line is that it is critical to deepen your security visibility, or you literally won't know what hit you.


He can be followed on Twitter @jmatthewg1234

A teaser session on YouTube from Jessvin Thomas of Accuvant.  At the Summit you can hear this and many other sessions live, if you attend!

One of the key themes of the upcoming RSA Global Summit is how best to build up, as well as out, a security operations center (SOC).  This is not an easy task, as it requires, more so than any other area of IT or IT security, the seamless marriage of the classic triad of people, processes, and technology.  Once an organization starts to recognize the need for systematic improvement in its incident detection and response, it comes to recognize that technology is generally the easiest part of the equation.  In fact, the building up and out of an organization's SOC often coincides with its recognition that there is no such thing as a security "magic box".  What is needed is a balanced approach in which the technology both maximizes the efficiency and effectiveness of the SOC analysts and helps drive, prioritize, and maximize the continual processes that make up an organization's incident detection, investigation, and remediation program.  The bottom line for this blog entry is that if you want to engage more deeply in this conversation in support of building up and out your organization's SOC, plan to attend RSA's Global (user) Summit this September 9-11.

RATs are hard to deal with in part because they are small, scamper around generally unseen, and take your stuff without your knowledge.  Of course, anyone in this product community who is reading this knows that I am talking about Remote Access Trojans and not the small mammals with small noses and big tails.  Computer RATs and the people who develop and use them are just as cunning as their furry namesakes, but are perhaps more dangerous.  There are many varieties of RATs out there (Hydraq, LURK, Sogu, Poison Ivy, etc.), but in general they share many characteristics: they tend to be small and downloaded invisibly, typically delivered via an email attachment to an unsuspecting and sufficiently socially engineered user; they monitor the user via keyloggers to steal credentials and other information; they take screenshots of the host system for delivery to their master; they install or delete software or reformat drives; and they "recruit" their hosts, and other machines on the network, into botnet armies.  In short, RATs can be extremely valuable to the bad guys and extremely annoying to you and your organization.  But how do you detect and get rid of them?  If you want to learn more about RATs and how to find and eradicate them from your environment, I encourage you to come and take part in our upcoming (early September in Washington DC) user conference, the RSA Global Summit.  There are two sessions that focus specifically on how to detect RATs: one using RSA Security Analytics and its network-based visibility (Blind Spot Analysis – Finding RAT Communications Through Entropy and Analytics) and the other using RSA ECAT and its endpoint-level visibility (Catching the RAT with ECAT).  Both are delivered by off-the-charts experts on the topic.  Check out these sessions, as well as dozens of others, on the Summit registration site.
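Two of the network-level signals the first session title alludes to, payload entropy and communication regularity, are shown below as an added example written for this page; it is not RSA's code, nor the session presenter's, and the session records, addresses, ports, timings and thresholds are constructed assumptions.  The idea is that encrypted or packed C2 traffic has close to 8 bits of entropy per byte, which is unremarkable on a TLS port but is out of place on a port where cleartext is expected, and that an implant checking in on a near-fixed timer looks different from a person browsing.

```python
import math
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

def shannon_entropy(data):
    """Bits per byte of the payload: roughly 4-5 for English or HTTP text,
    close to 8 for encrypted or compressed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_ciphertext(size, seed):
    """Deterministic stand-in for encrypted traffic (constructed, not real C2)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

PLAINTEXT_PORTS = {21, 25, 53, 80, 8080}   # assumption: ports where cleartext is expected

HTTP_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")

# Constructed session records: src, dst, destination port, start time in
# seconds, and the client payload. All addresses and timings are assumptions.
SESSIONS = [
    {"src": "10.1.2.3", "dst": "203.0.113.5", "dport": 80, "t": 0, "payload": HTTP_GET},
    {"src": "10.1.2.3", "dst": "203.0.113.5", "dport": 80, "t": 37, "payload": HTTP_GET},
    # Legitimate TLS: high-entropy bytes, but on a port where that is expected.
    {"src": "10.1.2.3", "dst": "203.0.113.5", "dport": 443, "t": 5,
     "payload": pseudo_ciphertext(512, 99)},
]
# An implant checking in every 60 s (give or take a second) with opaque blobs on port 80.
SESSIONS += [
    {"src": "10.1.2.9", "dst": "198.51.100.20", "dport": 80, "t": 60 * i + (i % 2),
     "payload": pseudo_ciphertext(512, i)}
    for i in range(6)
]

def find_rat_like(sessions, entropy_threshold=7.0, min_beacons=4, max_jitter=5.0):
    """Map (src, dst, dport) -> reasons the conversation looks like RAT C2."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s["src"], s["dst"], s["dport"])].append(s)
    findings = {}
    for key, convs in groups.items():
        reasons = []
        # Opaque payloads where the protocol on that port should be readable.
        avg_entropy = mean(shannon_entropy(c["payload"]) for c in convs)
        if key[2] in PLAINTEXT_PORTS and avg_entropy >= entropy_threshold:
            reasons.append(f"payload entropy {avg_entropy:.2f} bits/byte on plaintext port {key[2]}")
        # Beaconing: enough connections, with little variation in the gap between them.
        times = sorted(c["t"] for c in convs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(convs) >= min_beacons and pstdev(gaps) <= max_jitter:
            reasons.append(f"{len(convs)} connections at a steady ~{mean(gaps):.0f} s interval (beaconing)")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for key, why in find_rat_like(SESSIONS).items():
        print(key, "->", "; ".join(why))
```

Only the 10.1.2.9 conversation is reported: the browser's TLS session is just as opaque, but on port 443 that is the norm, and it does not repeat on a timer.  Real implants add jitter and pad their check-ins, so in practice the thresholds are tuned against a baseline of the organization's own traffic rather than fixed as they are here.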

IT-Harvest's Richard Stiennon speaks with RSA's Matthew Gardiner about what incident response means today, why prevention is insufficient, and what capabilities are required to do it better, including the role of a CIRC or SOC.

IT-Harvest's Richard Stiennon speaks with RSA's Christina Jasinski about why traditional SIEM tools can't keep up with today's advanced threats and how RSA Security Analytics can provide the context and analytical capabilities required for incident detection and investigation.
