Sunday, January 6, 2013

Google as an IDS: Using Google Alerts to Help Detect Compromise

Introduction

Detecting a compromise can be difficult. When it comes to intrusion detection, the more information and sources a sysadmin has at their disposal, the better. Fortunately for us, Google has created a tool called "Google Alerts" that, almost as a side effect, gives us the capability to monitor for intrusions in a few ways.

What is Google Alerts?

From the Google Alerts main page:

"Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries."

Using this functionality, we can craft specific search queries which, when results are returned, will send us an email with the details. In addition to using this to keep tabs on SEO standings for ourselves and competitors, we can use this to check for details post-compromise.

A Couple of Examples

Let's take a quick look at a couple of examples. We can create and manage our Google Alerts here. The first scenario we want to set up a Google Alert for is the case that our company website has been compromised and the attacker is using it to broadcast SPAM and other malicious content. We can create the following search query to help detect this (keywords found here):

site:your-site.com acne OR botox OR casino OR dating OR debt OR insurance OR mortgage OR paxil OR pharmacy OR phentamine OR pherimones OR poker OR porn OR roulette OR sex OR viagara OR viagra OR xxx

Setting up the alert will look like this:


Once the alert is saved, we will receive an email as soon as Google detects these keywords on our site, which will be handy in helping us quickly detect a compromise.

It's becoming common for attackers to use paste sites to release details of their intrusions. For our next scenario, let's set up a Google Alert that monitors the more common paste sites for occurrences of our company name. We'll use the following search query:

site:4shared.com OR site:mysticpaste.com OR site:tidypaste.com OR site:pastesite.com OR site:slexy.org OR site:privatepaste.com OR site:pastebin.com OR site:gist.github.com OR site:pastie.org "Company Name" OR "companysite.com" OR "keyword"

This search query checks for occurrences of our company name, company site, or any other keywords that would pertain to our company. This kind of alert will help us detect a compromise very soon after an attacker posts details of the intrusion.
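Both queries above are hand-written, and the spam-keyword one is easy to get wrong (a doubled `OR`, a missing `OR` between two terms, an unquoted multi-word phrase, an unbalanced quote). The following Python is an added example, not code from the original post: it builds the two kinds of query from lists of terms, using parentheses to make the `site:` group and the keyword group explicit, and it includes a small linter that catches the common mistakes before the query is pasted into the Google Alerts form. The keyword and paste-site lists are a subset of the post's own queries; the function names and the `(...) (...)` grouping are this example's choices, not anything Google documents for Alerts specifically.

```python
from typing import Iterable, List

# Subset of the spam keywords and paste sites from the post's queries.
SPAM_KEYWORDS = ["acne", "botox", "casino", "dating", "debt", "insurance",
                 "mortgage", "pharmacy", "poker", "porn", "roulette", "sex",
                 "viagra", "xxx"]
PASTE_SITES = ["pastebin.com", "gist.github.com", "pastie.org", "slexy.org",
               "privatepaste.com", "pastesite.com"]


def _term(term: str) -> str:
    """Normalise one search term: strip whitespace and quote multi-word phrases
    so Google treats them as an exact phrase rather than separate words."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    if " " in term and not (term.startswith('"') and term.endswith('"')):
        return f'"{term}"'
    return term


def or_group(terms: Iterable[str]) -> str:
    """Join terms with ' OR ', guaranteeing no leading, trailing or doubled OR."""
    parts = [_term(t) for t in terms]
    if not parts:
        raise ValueError("an OR group needs at least one term")
    return " OR ".join(parts)


def spam_keyword_query(site: str, keywords: Iterable[str]) -> str:
    """Query for the 'our site is serving spam' scenario: restrict to our own
    domain and alert on any of the spam keywords."""
    return f"site:{site} ({or_group(keywords)})"


def paste_site_query(sites: Iterable[str], watch_terms: Iterable[str]) -> str:
    """Query for the 'attacker dumped our data on a paste site' scenario.
    Google applies an implicit AND between the two parenthesised groups, so this
    reads: any of these sites AND any of these watch terms."""
    site_group = or_group(f"site:{s.strip()}" for s in sites)
    return f"({site_group}) ({or_group(watch_terms)})"


def validate_query(query: str) -> List[str]:
    """Lint a hand-written Google query. Returns a list of problems (empty
    means the query looks well-formed)."""
    problems: List[str] = []
    if query.count('"') % 2:
        problems.append("unbalanced double quotes")
    # Parentheses are only grouping; drop them so token checks see bare terms.
    tokens = query.replace("(", " ").replace(")", " ").split()
    if not tokens:
        return ["empty query"]
    if tokens[0] == "OR":
        problems.append("query starts with OR")
    if tokens[-1] == "OR":
        problems.append("query ends with OR")
    for prev, cur in zip(tokens, tokens[1:]):
        if prev == "OR" and cur == "OR":
            problems.append("doubled OR")
    for tok in tokens:
        if tok.lower() == "site:":
            problems.append("site: operator with no domain")
    return problems


if __name__ == "__main__":
    q1 = spam_keyword_query("your-site.com", SPAM_KEYWORDS)
    q2 = paste_site_query(PASTE_SITES, ["Company Name", "companysite.com"])
    for q in (q1, q2):
        print(q)
        print("  problems:", validate_query(q) or "none")
```

Running the script prints the two generated queries and confirms the linter finds nothing wrong with them; feeding it the post's original spam query (with its `OR OR`) returns `['doubled OR']`, which is exactly the kind of mistake that silently turns part of an alert into an implicit AND and makes it fire less often than intended.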

Conclusion

Google Alerts are a fantastic resource for the following reasons and more:
  • Only need to set them up once (easy to add or modify, too!)
  • Google is often checking for updates to our sites, making detection of changes very quick
  • Email is sent as soon as a change is detected
While this post provided a couple of example Google Alerts, the possibilities with this tool are endless. Have any other queries or examples that should be added to any sysadmin's Google Alerts? Let me know in the comments below!

- Jordan

1 comment:

  1. Your own credit card number is a good query... so you will know when it appears. Or a part of your daily passwords...