Your web application is the face of your business. It is the client-server software exposed to the world. For instance, when you want to book an airline ticket you visit the airline’s website to make the reservation. This public exposure and interaction is highly convenient to current and potential customers. However, it also makes your site susceptible to attacks.
In many cases, it’s easy to identify when a web application is compromised. In many cases—but not always. In fact, the M-Trends 2016 report from FireEye shows that it takes an average of 99 days to detect a security breach. Surprisingly, most reported intrusions are not detected by internal security processes. Rather, they’re disclosed by news reports, customer complaints, law enforcement, and other external sources.
It’s important to recognize that every attack is different. And attack consequences also vary. Here are six ways to determine if your web application has been compromised.
One of the most common and notorious types of attack is website defacement. It refers to the unauthorized modification to the appearance of the web application. In some cases, the web content is altered. In others, the web application is redirected to (or replaced by) a completely different website.
Changes in web application performance can also be a sign that it has been breached. If the application is displaying unexpected or unintended behavior, that should set off suspicions. Abnormal behavior may include:
- Slow loading
- Network traffic fluctuation
- Modified code or data
- Unexpected pages displaying (such as excessive advertising)
- Application redirects to a different page or site
Monitoring log messages can reveal malicious activity taking place within the application. Some suspicious signs include:
- Multiple errors taking place in a short period within the database logs.
- This may suggest that a threat agent is trying to exploit a SQL injection vulnerability.
- Suspicious inbound and outbound network connections.
- Suspicious admin-level tasks (e.g., user account creation).
New Users or Processes
Monitoring user accounts and processes can also help detect a breach. For example, it can help you detect when:
- Unknown, miscellaneous user accounts have been created.
- Existing account passwords have been changed.
- The server is running an unknown process.
Web Application File Changes
Changes to web application files should be investigated. Files containing time stamps may help identify whether a file has been recently modified or deleted. This can also reveal any unauthorized modifications. Hackers can modify files to run malicious code. Additionally, new files can be created—if unaccounted for, these can be a sign of a compromise.
Google Search Results
Changes to search results can also flag a problem. Google warns users if it scans a website and discovers any problems. It often removes any identified hacked sites from search results. However, in some cases, breached sites may still be listed. These may be flagged with a message reading “This site may be hacked” or “This site may harm your computer.”
Think You’ve Been Hacked? What’s Your Next Move?
The sad truth is that a great deal of web application owners aren’t aware that their applications have been hacked. That’s why it’s critically important to recognize the signs. If you suspect that your application has in fact been hacked, here’s how to act to prevent further damage:
- Take it offline. Temporarily shut the site down for cleaning and resolution of issues. During this period, examine files and code for unauthorized changes or malicious code.
- Backup and restore. Create a backup of the application and server for forensic investigations. Restore a clean, stable copy of the application instead of merely uninstalling or cleaning the affected version.
- Update passwords. Once the restored changes are in place, update all associated passwords. Enable multi-factor authentication whenever possible.
- Harden the application. Never use default passwords and follow the principle of least privilege (only give a user enough, but not all, access).
- Logging and monitoring. Consistently monitor the web application for unusual traffic, behavior, or other suspicious activities. Use a monitoring service that includes version control.
- Utilize scanners. Malware scanners, source code scanners, or remote scanners should be used to detect abnormalities.
While it isn’t a pleasant experience to get hacked, it still happens. Knowing how to identify a hack is the first step to helping you minimize the damage and maintain business continuity.