SANS Digital Forensics and Incident Response Blog: Tag - https

Deconstructing a Webserver Attack

by Michael Cloppert

I was looking for a good example to highlight two very useful and often overlooked features of Wireshark: the flexibility of tshark and the tool suite's HTTPS/SSL decryption capability. The following example covers both, and goes a bit further to describe one way of investigating an attack to assess the likelihood of compromise. While contrived, make no mistake about it, this is reflective of a real-world attack seen recently, later linked to sophisticated adversaries.

We are in the business of risk management. As such, our response to suspicious activity should be guided by the components that risk is the product of. While terminology may vary, the breakdown I use is:

  • Impact
  • Vulnerability
  • Threat

An understanding of risk components in the context of a computer security incident is often