How SOC Teams Detect Web Attacks | TryHackMe Detecting Web Attacks Walkthrough

Introduction

In my analysis of how Security Operations Centers (SOCs) detect web attacks, I break down the core techniques used to identify and mitigate threats targeting web applications. I categorize these threats and explain the primary methods for their detection.

Categories of Web Attacks

I divide web attacks into two main categories based on where they occur:

  • Client-Side Attacks: These attacks, such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), execute in the user’s browser. They exploit browser vulnerabilities or trick users into performing unsafe actions. From a SOC perspective, these can be difficult to detect because they generate less server-side evidence.
  • Server-Side Attacks: These attacks target the backend infrastructure, exploiting vulnerabilities in the web server, application code, or system configurations. Examples include SQL Injection, Command Injection, and Brute-Force attacks. These are generally easier for a SOC to detect because they create significant “noise” in server logs and network traffic.

Core Detection Methods

To uncover these attacks, I rely on three primary methods of investigation:

1. Log Analysis

Analyzing access logs is a fundamental technique. These logs record every HTTP request made to the server, providing valuable information such as the source IP address, timestamp, request type (GET/POST), status code, and user agent.

Certain user agents, like SQLmap or gobuster, are immediate red flags for scanning or exploitation attempts. By analyzing a sequence of log entries, I can often reconstruct an entire attack chain, from initial directory discovery and login brute-forcing to the final SQL injection payload. However, a key limitation is that access logs don’t capture the full body of a request, which is where the malicious payload is often hidden.
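As an added illustration of the log-analysis step (this is example code written for this walkthrough, not part of the TryHackMe room), the script below parses a constructed set of combined-format access log lines and flags, per source IP, the stages described above: scanner user agents, directory discovery, login brute-forcing and an SQL injection attempt. The sample lines, the scanner list and the thresholds are all assumptions chosen for the tiny sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample in combined log format (Apache/Nginx); not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /login HTTP/1.1" 200 812 "-" "gobuster/3.6"
10.0.0.5 - - [12/Mar/2024:10:02:10 +0000] "POST /login HTTP/1.1" 401 42 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:02:11 +0000] "POST /login HTTP/1.1" 401 42 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:02:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:05:00 +0000] "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
192.168.1.20 - - [12/Mar/2024:10:05:30 +0000] "GET /item?id=7 HTTP/1.1" 200 940 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UAS = ("sqlmap", "gobuster", "nikto", "dirbuster")  # tool UAs the text calls red flags
SQLI_RE = re.compile(r"'.*?(\bor\b|union|select|--)", re.IGNORECASE)  # crude SQLi signature

def parse_log(text):
    """Parse combined-format lines into dicts (URL-decoding the path); skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"], e["path"] = int(e["status"]), unquote(e["path"])
            entries.append(e)
    return entries

def analyze(entries, min_404=2, min_failed_logins=2):
    """Per source IP, flag each stage of the chain: scanner UA, directory discovery (404 bursts),
    login brute force (repeated failed POST /login), SQLi-looking query. Thresholds are low for the tiny sample."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        flags = set()
        if any(s in e["ua"].lower() for e in evs for s in SCANNER_UAS):
            flags.add("scanner_user_agent")
        if sum(e["status"] == 404 for e in evs) >= min_404:
            flags.add("directory_discovery")
        if sum(e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401 for e in evs) >= min_failed_logins:
            flags.add("login_bruteforce")
        if any(SQLI_RE.search(e["path"]) for e in evs):
            flags.add("sql_injection_attempt")
        if flags:
            findings[ip] = sorted(flags)
    return findings
```

Note that the SQLi check only sees what is in the URL; a payload carried in a POST body would not appear in the access log at all, which is exactly the limitation the paragraph above describes.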

2. Packet Capture Analysis

To overcome the limitations of log analysis, I turn to packet captures. Analyzing network traffic with tools like Wireshark provides a much deeper level of detail. It allows me to inspect the actual data transferred between the attacker and the server, including the full body of POST requests and the server’s responses.

This method is invaluable for uncovering credentials used in a brute-force attack or for extracting the precise payload used in an SQL injection attempt, details that are invisible in standard server logs.

3. Web Application Firewalls (WAFs)

A Web Application Firewall (WAF) is a critical defensive tool. It inspects all traffic to and from the web application and can block malicious requests based on a set of predefined and custom rules. WAFs are effective at stopping common attack patterns associated with SQL injection, XSS, and other vulnerabilities. They can also block traffic from known malicious IP addresses.

While WAFs are a crucial layer of defense, I emphasize that a deep understanding of log and network packet analysis remains essential for any security analyst to conduct thorough investigations and maintain a comprehensive security posture.

TryHackMe Detecting Web Attacks Room Answers

Room answers can be found here

Video Walkthrough

Shorter Version