eBooks/eGuides

Critical_Detection_Capabilities

Issue link: https://insights.oneneck.com/i/1517356


Critical Detection Capabilities

Alert Logic WLA capabilities include:

• Signature-Based Detection of General Web Attack Methods
  - SQL Injection
  - Cross-site Scripting (XSS)
  - Automated Threats
  - File Path Traversal
  - Command Injection (CMDi)
• Known Vulnerability and Exploit Detection and Attribution
  - Exploits Targeting Known Vulnerabilities (CWE)
  - Known Web Shell Compromises that Lead to Remote Exploitation
• Anomaly-Based Detection
  - Brute-force Password Guessing Login Attempts
  - Unknown Web Shell Compromises

These detection capabilities allow Alert Logic to detect incidents across a wide spectrum, which includes:

INCIDENT | DESCRIPTION
Web Reconnaissance | Clear enumerating or attack activity detected
Server Error | Attack activity generating 500-type error responses from the targeted web server
Access to Unauthorized Resource | Injection or remote command execution followed by access to a potentially uploaded (anomalous) resource, indicating upload of and access to a web shell
Access to Anomalous Resource | Access to URL paths that are anomalous
Attack Targeting Specific Vulnerabilities | Exploits against specific known vulnerabilities
Unauthorized Vulnerability Scan | Web server attack observation from an unknown source
Authorized Vulnerability Scan | Attack from Alert Logic or another known provider as part of a security assessment, audit, or pen test

Alert Logic WLA is a unique solution that identifies attacks across all custom web apps throughout an enterprise, providing visibility into the most vulnerable and most attacked applications. It also allows security leaders to make data-driven decisions on security controls.

File Integrity Monitoring

Fortra's Alert Logic File Integrity Monitoring (FIM) detects unauthorized change events to operating system, content, and application files on Windows and Linux servers. This includes the integrity of system directories, registry keys, and registry values on the operating system. By monitoring for suspicious file change events, your organization can meet many compliance standards. We see the primary use case in compliance for PCI-DSS 10.5.5 and 11.5, which require change detection for log files and critical system files. It also satisfies additional compliance requirements, including SOX Section 404, HIPAA §164.312 (b), (c)(1) & (2), SOC 2, and HITRUST, all of which include change detection controls for the integrity of files and folders.

This detection technology leverages the rich telemetry data from our agent installed on servers, so no additional agent footprint is necessary. Once configured, it creates a repository of SHA1 hashes of all monitored paths and records any deviations.

Alert Logic recommends a recurring reporting and review schedule to investigate the detected changes. Reporting includes information on every file-change event, including time stamp, host name, file path, event type, and deployment. This context helps determine whether the changes come from external bad actors, well-meaning insiders, or malicious insiders engaging in nefarious activities.
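The baseline-and-deviation approach described above, shown as an added example that is not Alert Logic's or Fortra's code: snapshot SHA1 hashes of every file under a monitored root, re-scan later, and emit created/modified/deleted change events. The directory tree, file names and contents are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of(path):
    """Hash a file's contents in chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Build the hash repository: relative POSIX path -> SHA1 of every file under root."""
    return {p.relative_to(root).as_posix(): sha1_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(old, new):
    """Compare two snapshots and return (event_type, path) change events, sorted."""
    events = [("deleted", p) for p in old.keys() - new.keys()]
    events += [("created", p) for p in new.keys() - old.keys()]
    events += [("modified", p) for p in old.keys() & new.keys() if old[p] != new[p]]
    return sorted(events)


def demo():
    """Constructed scenario: snapshot a temporary tree, change it, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.log").write_text("service started\n")
        before = baseline(root)
        # Simulated changes: one edit, one deletion, one new file (hosts is untouched).
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/:/bin/sh\n")
        (root / "app.log").unlink()
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        after = baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for event_type, path in demo():
        print(f"{event_type:9s} {path}")
```

A production FIM report would attach the time stamp and host name to each event, as the reporting fields above describe; the comparison logic itself stays the same.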
