What to do after you’ve secured your servers and computers

You’ve hardened all you could on your servers or computers, you have a strong password with MFA, you update regularly or automatically everything and are wondering what can be done next?

Like you probably know, you can never be 100% protected and there is always a way criminals can find to access private information. For those who tells me they are 100% secure, here is an example:

You have a secure WordPress website at www.mysite.com which has nice plugins to secure it, you maintain it up to date and you have MFA. You then go in a public cafe to make some changes to your website. You enter your WordPress URL in your browser, get the login window, enter your password + your MFA and get access to your website. You then make some changes and everything works as normal. Then a few days later your site gets defaced, or worse. What happened?

What you missed here is that an attacker in the same cafe as you was able to change the IP returned when you did a DNS query for your domain (either through MITM or by changing the DNS Server in the router config). He then redirected you to a new domain: www.rnysite.com. This new domain is owned by the attacker and directs you to a sever that runs Modlishka. This attacking tool essentially proxies all your traffic to your real website www.mysite.com, even validating your password + MFA and making the changes you ask for, but he also makes a copy of all the traffic, taking your cookies and password. Although he doesn’t have your MFA, he now has your cookies. Oh and if that’s not enough, it’s possible now to brute-force the TOTP seed with Hashcat with only 2 TOTP token. (Here is a definition of Brute-force attack)

So now what?

Well, here comes logging, aggregating, correlating and alerting — also known as a Security Information and Event Management, or SIEM.

But what is a SIEM? As Varonis puts it:

Source: https://www.varonis.com/blog/what-is-siem/

Now that we established what is a SIEM and why it is needed, how to we get started with this?

Well, to get started using a SIEM, you can read my blog posts on the subject! My goal is to make it easy to understand and accessible to anyone with some IT experience.

Next post: SIEM 101 — Introduction



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tristan Dostaler

Passionate about information security, development and technology in general, I like to share my experience with different technologies. I also love travel!