Website defacement is an attack on a website that changes the visual appearance of the site or of a webpage. These are typically the work of attackers who break into a web server, or into the content management system or account that publishes to it, and replace the hosted content with their own. Because the attacker must have obtained write access to the served content, a defacement is the visible symptom of an underlying compromise rather than a vulnerability in its own right. Defacement is generally meant as a kind of electronic graffiti, although it has also become a means to spread messages for politically motivated “cyber protesters” or hacktivists.
Website Defacement Attack Characteristics
Some of the characteristics of a Website Defacement attack are as follows:
Web page defacement: The most straightforward and visually identifiable form, where the page content is changed and replaced by the attackers. The website's data is otherwise left intact.
Data deletion: A second stage of damage, where the website is defaced and its data and other pages are also deleted.
Addition of invisible elements: Hidden content (links, keywords) is added to web pages to boost the search-engine ranking of the attacker's own sites. Because nothing changes visibly, this form can go unnoticed for a long time.
Installation of malicious software: The defacement can be augmented by planting malicious code (for example a web shell) in the target environment to establish a foothold. That code can then be used for further compromise, such as lateral movement.
IRC bot: In more severe cases, once a foothold is established, the attacker installs an IRC bot that is then controlled through IRC channels.
One of the most important tactics for preventing defacement is to keep operating systems, applications and databases up to date with the latest security patches. Other common-sense defenses include mounting the file systems that hold static content read-only (directories that must remain writable, such as upload folders, should then be served without script execution) and placing the databases that house web content in a separate DMZ (demilitarized zone). Tools that protect against general attacks on web servers, such as web application firewalls, also help prevent defacements.
Website Defacement Considerations
The following workflow highlights standard practices and techniques used for identifying, managing and handling Website Defacement attacks:
Implement proactive measures to improve threat preparedness
- Set up routines to take daily backups, or more frequent ones if content changes often; more recent backups reduce the time to recover after a compromise. Store the backups off the web server, so that an attacker who controls the host cannot alter or delete them.
- Keep a standby copy of the website built and ready, to which content can be published.
- Run the website on a hot cluster of servers. Besides load balancing, this allows traffic to be diverted to the other nodes without downtime if one server is compromised. Note that nodes sharing the same content store or the same credentials may all carry the defacement.
- Enable detailed logging in the web server. Every web application should be tested for security controls such as input and output validation, error logging, and for known vulnerability classes, before and after deployment.
- Be sure your hosting provider enforces policies to log all events.
- Make sure you have an up-to-date network map for the assets concerning the website.
- Ensure that the website is tested for security vulnerabilities periodically, and before any new release is moved to production.
- Ensure that website users have the least privileges required to carry out their activities.
- Ensure that access to the administrative interface is restricted to site administrators (for example by source address and strong, preferably multi-factor, authentication).
- Always keep the web server behind a web application firewall and IPS, with detailed logging enabled on the perimeter defense components.
- Keep up-to-date diagrams describing the application components related to the web server.
- Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites.
- Procure third party monitoring services to add an extra layer of security and control and also support out-of-hours monitoring.
- Ship the web server's logs to an external log server, so that an attacker who gains control of the host cannot tamper with them. Make sure clocks are synchronized (NTP) between all servers, otherwise events cannot be correlated during an investigation.
- Inventory all external content (static or dynamic: scripts, fonts, widgets, feeds) referenced by your pages and keep a list of each; a compromised provider can deface your pages without your server being touched. Record the contact points of your hosting provider.
- Provide users with an option of reporting problems noticed while browsing.
Identification & Verification
Correctly identify the threat by monitoring and verification techniques
- The home page and other critical pages should be set up to be verified periodically. Comparing page size and modification timestamps is a cheap check, but both can be matched by an attacker; comparing a cryptographic hash of the served page against a known-good value is more reliable.
- Visual indications are commonly unwanted text or graphics on web pages, typically intended to cause annoyance and/or damage the target's reputation.
- Check log files. In particular, look for many "not found" errors from a single IP, script tags in requests, repeated requests for the same web page or file, large file transfers, and excessive successive failed login attempts.
- Monitor website statistics and investigate any sudden jump in traffic.
- Scan the databases for malicious scripts and content.
- Monitor the system logs of the host on which the web server runs.
- Monitor all supporting services running on the website servers.
- Check connections to other systems, which might also be compromised.
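The log indicators listed above can be checked mechanically rather than by eye. The following Python script is an added example and is not part of the original workflow: it parses a few constructed access-log lines in the Apache/nginx "combined" format and reports single IPs with many "not found" responses, script tags in request URLs (after %-decoding), repeated requests for the same file, unusually large transfers, and runs of failed logins. The thresholds, the login paths and the log lines themselves are assumptions chosen for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)


def _line(ip, method, path, status, size, ua="Mozilla/5.0"):
    """Build one constructed log line (sample data, not from a real server)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


# Constructed sample log: normal traffic plus one instance of each indicator.
SAMPLE_LINES = (
    [_line("192.0.2.99", "GET", "/about.html", 200, 3100)]
    # scanner probing for admin panels and leftovers: many 404s from one IP
    + [_line("203.0.113.7", "GET", p, 404, 512) for p in
       ("/admin.php", "/wp-login.php", "/phpmyadmin/", "/.env", "/backup.zip")]
    # script tag smuggled into a URL-encoded query string
    + [_line("198.51.100.23", "GET",
             "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 200, 2048, "curl/8.0")]
    # a ~700 MB archive download: possible exfiltration
    + [_line("198.51.100.23", "GET", "/uploads/site.tar.gz", 200, 734003200, "curl/8.0")]
    # repeated failed logins against the admin interface
    + [_line("192.0.2.55", "POST", "/admin/login", 401, 230, "python-requests/2.31")] * 6
    # the same file hammered by one client
    + [_line("192.0.2.200", "GET", "/index.html", 200, 5120)] * 10
)


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        events.append(e)
    return events


def analyse(lines, not_found_threshold=5, failed_login_threshold=5,
            repeat_threshold=10, large_transfer_bytes=100 * 1024 * 1024,
            login_paths=("/admin/login", "/login", "/wp-login.php")):
    """Return (indicator, ip, detail) tuples. Thresholds are example assumptions."""
    events = parse(lines)
    findings = []

    # many "not found" errors from a single IP: typical of a scanner
    for ip, n in Counter(e["ip"] for e in events if e["status"] == 404).items():
        if n >= not_found_threshold:
            findings.append(("scan", ip, f"{n} responses with status 404"))

    for e in events:
        # script tags in requests (decode %-encoding first)
        if SCRIPT_TAG_RE.search(unquote(e["path"])):
            findings.append(("script_injection", e["ip"], e["path"]))
        # large file transfers
        if e["bytes"] >= large_transfer_bytes:
            findings.append(("large_transfer", e["ip"], f"{e['bytes']} bytes for {e['path']}"))

    # excessive failed login attempts from one IP
    failed = Counter(e["ip"] for e in events
                     if e["method"] == "POST" and e["path"] in login_paths
                     and e["status"] in (401, 403))
    for ip, n in failed.items():
        if n >= failed_login_threshold:
            findings.append(("failed_logins", ip, f"{n} failed login attempts"))

    # multiple requests for the same page/file from one IP
    for (ip, path), n in Counter((e["ip"], e["path"]) for e in events).items():
        if n >= repeat_threshold:
            findings.append(("repeat", ip, f"{n} requests for {path}"))

    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LINES):
        print(f"{kind:17} {ip:15} {detail}")
```

Feed real log lines to `analyse()` (for example `analyse(open(path).readlines())`) and raise the thresholds until normal traffic stops appearing; on a busy site the repeat and 404 counts should also be bucketed per time window rather than per file.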
Limit the damage caused
- Take the compromised host out of the cluster.
- Redirect all traffic to the backup servers.
- If the source of the attack is another system on the network, disconnect it as soon as possible.
- Replicate the site or page to a clean host for redirection, as required.
- Disable links to affected page or redirect to a correct version of the page.
- Back up all data stored on the web server for forensic purposes and evidence collection, before any cleanup or restore begins. The best practice, where applicable, is to make a complete bit-by-bit copy of the disk containing the web server, which also allows deleted files to be recovered. Where feasible, capture volatile data (memory, running processes, network connections) before the host is powered down.
Investigate how the attack happened and detect its origin
- Check files with static content (in particular, compare modification dates and hashes against the last known-good baseline or a clean deployment).
- Check mash-up and other third-party content providers (scripts, widgets, feeds embedded in your pages).
- Check the references present in the web pages (src attributes, meta tags, CSS, scripts, etc.) for injected or altered URLs.
- Review the source code for vulnerabilities.
- Review database for modifications, content changes, traces of script injections, etc.
- Review server logs and application access logs.
- Look for evidence of data exfiltration.
- Always consider whether the defacement was designed as a distraction so that another attack could pass unnoticed.
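Both the periodic verification of critical pages (Identification & Verification) and the post-compromise check of static files against their modification dates and hashes (above) depend on having a trusted baseline to compare against. The following Python example is added here and is not part of the original workflow: it records size, modification time and SHA-256 of every file under a document root, stores the baseline as JSON (to be kept off the web server), and later reports modified, added and removed files. The hash is treated as authoritative, because an attacker can reset timestamps but cannot forge the digest. The sample directory tree and the simulated tampering are constructed in a temporary directory for the illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Size, mtime and SHA-256 of every regular file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(p),
            }
    return baseline


def save_baseline(baseline, dest):
    """Store the baseline as JSON. Keep this file off the web server (separate host,
    read-only media); on the compromised host the attacker can simply rewrite it."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def verify(root, baseline):
    """Compare the current tree with the baseline.

    'modified' means the content hash differs. A changed size or mtime with an
    identical hash is reported as 'timestamp_only': timestamps can be reset by an
    attacker or touched by a redeploy, so they are only a hint. New files matter
    too: a dropped web shell shows up under 'added'.
    """
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "timestamp_only": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        elif new["size"] != old["size"] or new["mtime"] != old["mtime"]:
            report["timestamp_only"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed document root: baseline it, simulate a defacement, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "css").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "about.html").write_text("<p>About us</p>")
        (site / "css" / "main.css").write_text("body { margin: 0 }")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(site), baseline_file)

        # Simulated compromise: home page replaced, a script dropped, a page deleted.
        (site / "index.html").write_text("<h1>Defaced</h1>")
        (site / "shell.php").write_text("<?php /* dropped by attacker (constructed) */ ?>")
        (site / "about.html").unlink()
        # Same content, new timestamp (e.g. a redeploy): must not count as modified.
        os.utime(site / "css" / "main.css", (0, 0))

        return verify(site, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production, run `build_baseline()` from the deployment pipeline on the release artifact, `save_baseline()` to a host the web server cannot write to, and schedule `verify()` from that host (or from a read-only mount of the document root); any non-empty `modified`, `added` or `removed` list on a site that was not just deployed is an incident trigger.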
Remove vulnerabilities and eliminate all causes
- Patch identified vulnerabilities (including all technical and source code vulnerabilities).
- Remove code/scripts installed by the attacker (web shells, backdoors, scheduled tasks, rogue accounts).
- Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised. Rotate any credentials the server held (database passwords, API keys, deploy keys) as well.
- Apply patches, update anti-virus and anti-malware signatures, and scan the system for vulnerabilities.
- Follow the organization's defined malware eradication procedure.
- Compare eradication outcome against a known good backup.
Recover from the attack and resume normal operations
- Perform a full restore from a known-good backup. Prefer rebuilding from a clean image and restoring content over cleaning a compromised host in place, since any component the attacker modified and that was missed will remain.
- Apply validated and verified database content updates on top of the known-good backup, if required, to compensate for legitimate content changes between compromise and recovery.
- Reconnect dependent systems.
- Perform testing (sandbox test environment, user acceptance testing etc).
- Reconnect web server to the internal LAN/Internet, as required.
- Introduce the system back into the cluster.
- Confirm normal operations.
Conduct post-incident activities
- Perform communications (internal/external user groups, public media etc.).
- Perform forensics to identify the source of the attack and the motivation behind it (for example hacktivism, financial gain, or state sponsorship).
- Identify if the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector.
- Document the anatomy of the attack and the lessons learned, to avoid a repetition.
- Perform malware analysis if a sample is found to be used for website defacement.