Security incident - firewall warning
- mooneya9
- Mar 2, 2024
- 2 min read
Updated: Jun 12
This case covers the investigation of a potential security incident involving a publicly accessible web application used for handling bookings. The system was well-architected, including a firewall appliance equipped with an intrusion detection system (IDS). The IDS had triggered alerts indicating that a user was issuing suspicious or potentially malicious queries against the site.
The primary objective was to determine whether the probing attempt had succeeded and to assess the full scope of the activity. Fortunately, key logs were available across all major layers of the stack: load balancer logs, Apache web server logs, and database logs. This provided a solid foundation for a comprehensive forensic review.
Using AWS Athena, the load balancer logs were queried efficiently at scale, while CloudWatch Logs Insights was used to search and correlate web server activity. Through this dual-layered log analysis, a clear pattern of access emerged. The attacker had issued a large number of GET requests designed to test for common vulnerabilities, indicating the use of automated penetration testing tools readily available online.
Importantly, the wide range of request patterns suggested this was not a targeted attack but rather a generic scan, likely opportunistic, searching for misconfigured endpoints or known vulnerabilities. Typical exploit signatures were observed, such as attempted SQL injection via URL parameters. However, HTTP status codes returned by the application (predominantly 403 Forbidden and 404 Not Found) indicated that the attempted exploits were blocked or aimed at non-existent resources.
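The triage described above (grouping load balancer requests by client, flagging scanner-style paths and SQL-injection-shaped URL parameters, and checking what share of a client's requests ended in 403/404) can be expressed as a small script. The block below is an added example written for this page, not code from the original post; it mirrors in Python the kind of query that would be run in Athena or CloudWatch Logs Insights. The log lines are constructed samples laid out like the leading fields of the AWS ALB access-log format, with fictitious IPs and hostnames, and the probe-path set and injection regex are illustrative defender-side signatures, not anything taken from the incident.

```python
"""Triage of ALB access-log lines for opportunistic web scanning (added example)."""
import re
import shlex
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the ALB access-log layout (leading fields only).
# 203.0.113.10 is an ordinary user; 198.51.100.7 is the scanner.
SAMPLE_ALB_LOG = """\
https 2024-03-01T10:00:01.000000Z app/bookings-alb/0123456789abcdef 203.0.113.10:51234 10.0.1.5:443 0.001 0.004 0.000 200 200 512 2048 "GET https://bookings.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-03-01T10:00:02.000000Z app/bookings-alb/0123456789abcdef 198.51.100.7:40000 10.0.1.5:443 0.001 0.002 0.000 404 404 300 512 "GET https://bookings.example.com:443/.env HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-03-01T10:00:02.500000Z app/bookings-alb/0123456789abcdef 198.51.100.7:40001 10.0.1.5:443 0.001 0.002 0.000 403 403 300 512 "GET https://bookings.example.com:443/booking.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-03-01T10:00:03.000000Z app/bookings-alb/0123456789abcdef 198.51.100.7:40002 10.0.1.5:443 0.001 0.002 0.000 404 404 300 512 "GET https://bookings.example.com:443/phpmyadmin/ HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-03-01T10:00:03.500000Z app/bookings-alb/0123456789abcdef 198.51.100.7:40003 10.0.1.5:443 0.001 0.002 0.000 403 403 300 512 "GET https://bookings.example.com:443/booking.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-03-01T10:00:04.000000Z app/bookings-alb/0123456789abcdef 203.0.113.10:51235 10.0.1.5:443 0.001 0.005 0.000 200 200 512 4096 "GET https://bookings.example.com:443/booking.php?id=42 HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

# Paths that generic scanners try on every host; none exist on this application (assumed list).
PROBE_PATHS = {"/.env", "/.git/config", "/phpmyadmin/", "/wp-login.php", "/admin/config.php"}

# Classic SQL-injection shapes in a decoded query-string value (illustrative signature).
SQLI_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*(or|and)\s*'|\b(or|and)\b\s+\d+\s*=\s*\d+|--\s*$)")


@dataclass
class ClientSummary:
    requests: int = 0
    statuses: Counter = field(default_factory=Counter)  # ELB status code -> count
    probe_paths: set = field(default_factory=set)
    sqli_hits: int = 0


def classify_request(request_field: str) -> set:
    """Tag one ALB 'request' field such as 'GET https://host:443/p?q=1 HTTP/1.1'."""
    parts = request_field.split(" ")
    if len(parts) != 3:
        return {"malformed"}
    url = urlsplit(parts[1])
    tags = set()
    if url.path in PROBE_PATHS:
        tags.add("probe-path")
    # parse_qsl percent-decodes values, so the regex sees the payload as the app would.
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        if SQLI_RE.search(value):
            tags.add("sqli")
    return tags


def parse_alb_line(line: str) -> dict:
    """Split one ALB line; shlex keeps the double-quoted request and user-agent intact."""
    f = shlex.split(line)
    return {
        "time": f[1],
        "client_ip": f[3].rsplit(":", 1)[0],
        "elb_status": int(f[8]),
        "request": f[12],
        "user_agent": f[13],
    }


def triage(log_text: str) -> dict:
    """Group requests by client IP and record status codes, probe paths and SQLi hits."""
    clients = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_alb_line(raw)
        summary = clients.setdefault(rec["client_ip"], ClientSummary())
        summary.requests += 1
        summary.statuses[rec["elb_status"]] += 1
        tags = classify_request(rec["request"])
        if "probe-path" in tags:
            summary.probe_paths.add(urlsplit(rec["request"].split(" ")[1]).path)
        if "sqli" in tags:
            summary.sqli_hits += 1
    return clients


def suspicious_clients(clients: dict) -> list:
    """IPs worth a closer look: any SQLi-shaped parameter, or two or more probe paths."""
    return sorted(ip for ip, s in clients.items() if s.sqli_hits or len(s.probe_paths) >= 2)


def blocked_ratio(summary: ClientSummary) -> float:
    """Share of a client's requests that were refused or hit nothing (403 or 404)."""
    blocked = summary.statuses[403] + summary.statuses[404]
    return blocked / summary.requests if summary.requests else 0.0


if __name__ == "__main__":
    clients = triage(SAMPLE_ALB_LOG)
    for ip in suspicious_clients(clients):
        s = clients[ip]
        print(f"{ip}: {s.requests} requests, sqli={s.sqli_hits}, "
              f"probe paths={sorted(s.probe_paths)}, 403/404 share={blocked_ratio(s):.0%}")
```

A client whose flagged requests all ended in 403/404 is the picture the post describes: probing that was refused or aimed at resources that do not exist. The same client showing 200s on flagged requests is the case that would justify the replay step described next, since a 200 on an injection-shaped parameter is the one outcome the status codes alone cannot clear.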
To ensure thoroughness, several of the more complex requests were safely replayed in a controlled development environment. This confirmed that they did not succeed in extracting any data or bypassing security mechanisms.
A detailed report was generated, cataloguing all attacker actions and confirming that the web application had effectively withstood the probe attempt. No compromise occurred, and no escalation within the system was detected.
To further harden the system and reduce exposure to future scanning activity, the attacker’s IP address was blocked and its region was geo-blocked. Since the business operated in only a small number of countries, access from unrelated regions was also proactively restricted. This geo-blocking not only reduced the attack surface but also cut logging noise and the cost of any future analysis.
In summary, the incident was effectively contained, and steps were taken to both reassure stakeholders and reduce future exposure. The combination of well-configured infrastructure and prompt analysis ensured a swift and confident resolution.