[Owasp-leaders] Web Threat Intelligence

Andre Gironda andreg at gmail.com
Fri Jun 12 16:33:59 UTC 2015


On Fri, Jun 12, 2015 at 8:10 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> Interesting question.
> I'm also always interested in finding out new stuff like this. Twitter and
> reddit are pretty good places for this. Sometimes IRC can be a good place for
> this too.
>

Monitor pastebin and twitter for app attack keywords and phrases. For
drilling down into more detail, I personally use Topsy, google.com/?tbm=blg,
and sometimes yandex or other appropriate sources. See the books, "Open
Source Intelligence Techniques: Resources for Searching and Analyzing
Online Information, Fourth edition", "Hacking Web Intelligence", and
"Introduction to Social Media Investigation" (and perhaps her other book,
"Analyzing the Social Web") for greater depth.

There are forums such as leakforums that discuss some threat-actor
techniques and provide tools, but those who network there (i.e., threats)
tend to move around so you will have to learn how to follow them. Again, I
agree that Reddit, Twitter, PasteBin, and IRC are some of the better
sources.

As far as commercial offerings go, Packet Ninjas is the closest to offering
app-happy intelligence based on conversations and what I've seen of their
SocialNet entity package for Maltego (N.B., they also offer a commercial
transform). I've also received shared IoCs from FS-ISAC that did become
relevant to app attacks after additional analysis.

The primary threat intelligence commercial players, such as iSECPartners,
Crowdstrike, and FireEye (N.B., one could easily add others to this list,
or even argue about the relevancy of these, but I will shy away from naming
too many names) don't quite seem to understand web app attacks (although
FireEye and others do some good work with mobile apps). Especially
difficult for them are Web Services technologies and similar Enterprise
Software and app developer technologies.

For example, almost all of the recent media-busting breaches have had a
webapp compromised as a link, or even several links, of the kill chain. For
the Target data breach, Aorato Labs was able to piece together many facts,
mostly from KrebsOnSecurity, about the technical specifics of that breach
as they relate to webapps and connected elements. However, I haven't seen
many of these other players chip in. Crowdstrike postulated that the Sony
Pictures breach was SQLi-related but it turned out to be AppleID-related
instead.

To compound the threat intelligence problem, there is also a threat hunting
problem with appsec assets. Responders and investigators are not equipped
skill-wise or tool-wise to handle incidents at these layers. I can count on
one hand the number of outspoken industry experts on app-layer incidents,
i.e., Kevvie Fowler, Cory Scott, Romain Gaucher, David Litchfield, and
Micah Hoffman.

For SIEM, too, app-layer events and alerts just haven't been picked up by
vendor radar yet. Ran into two old posts (one I wrote) from 6 years ago:
http://holisticinfosec.blogspot.com/2009/09/using-ossec-to-monitor-modsecurity-and.html
http://www.tssci-security.com/archives/2009/02/23/web-application-security-incident-handling/
and nothing else since then.

To Patrick -- What would you like to see in terms of a better understanding
of app-layer threat intelligence? What are we doing very poorly and what
really needs to be improved?

dre
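As an added illustration of the app-layer SIEM gap Andre describes (example code, not part of the original thread or of either linked post): a small correlator that parses ModSecurity warnings out of an Apache-style error log and alerts when one client trips several different WAF rules within a short window, which is roughly what an OSSEC rule on top of ModSecurity would do. The log lines, client addresses and rule ids below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ModSecurity warnings in Apache error_log format.
# Rule ids 9000xx and the client addresses are made up for this example.
SAMPLE_LOG = """\
[Fri Jun 12 16:01:02 2015] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:id. [id "900001"] [msg "SQL Injection Attack"]
[Fri Jun 12 16:01:03 2015] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [id "900002"] [msg "Cross-site Scripting Attack"]
[Fri Jun 12 16:01:40 2015] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "../" at ARGS:file. [id "900003"] [msg "Path Traversal Attack"]
[Fri Jun 12 16:05:00 2015] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [id "900002"] [msg "Cross-site Scripting Attack"]
[Fri Jun 12 16:05:01 2015] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [id "900002"] [msg "Cross-site Scripting Attack"]
[Fri Jun 12 16:05:02 2015] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [id "900002"] [msg "Cross-site Scripting Attack"]
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] ModSecurity: .*?'
    r'\[id "(?P<id>\d+)"\] \[msg "(?P<msg>[^"]+)"\]')

def parse_events(log_text):
    """Return (timestamp, client_ip, rule_id, message) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a ModSecurity warning; skip
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip"), m.group("id"), m.group("msg")))
    return sorted(events)

def correlate(events, window=timedelta(seconds=60), min_distinct_rules=3):
    """One alert per client that trips >= min_distinct_rules different rules
    inside `window`. A single rule firing repeatedly (a likely false
    positive) never alerts; a spread across rule classes looks like probing."""
    by_client = defaultdict(list)
    for ts, ip, rid, msg in events:
        by_client[ip].append((ts, rid, msg))
    alerts = []
    for ip, hits in by_client.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            rules = {rid for _, rid, _ in hits[start:end + 1]}
            if len(rules) >= min_distinct_rules:
                alerts.append({"client": ip, "rules": sorted(rules),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # first qualifying window is enough for this client
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print(f'{a["client"]} hit rules {a["rules"]} between {a["first"]} and {a["last"]}')
```

Feeding real ModSecurity or OSSEC output through the same two functions is a matter of swapping in the live log text; the window and distinct-rule threshold are the knobs to tune against your own false-positive rate.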