[Owasp-leaders] Web Threat Intelligence

Patrick Laverty patrick.laverty at owasp.org
Fri Jun 12 17:38:04 UTC 2015


Thanks Dre, good stuff.

It'll be interesting to see what more people have to say. I guess what I'm
looking for is a good way to share information and intelligence. I work for
a company that gets at least as much web data every day as anyone else, and
many people want the data, but when we talk about sharing, what they have
to offer is malware and phishing. I'm interested in the latest web attacks,
threats and specific actors. I want to hear what the Tunisian Cyber Army is
up to, I want to hear what the Yemen group is doing, I want to know more
about Anon Australia vs. Anon Indonesia, I want to talk more about the
latest #Op and new communication channels other than the wide open IRC
channels. None of that seems to be stuff that many people know about or are
willing to join a group to discuss. That's what I'm looking to find.
Something like FS-ISAC or NCCIC but more focused on web layer attacks,
actors and strategies.

Thanks!

Patrick

On Fri, Jun 12, 2015 at 12:33 PM, Andre Gironda <andreg at gmail.com> wrote:

>
> On Fri, Jun 12, 2015 at 8:10 AM, Timo Goosen <timo.goosen at owasp.org>
> wrote:
>
>> Interesting question.
>> I'm also always interested in finding out new stuff like this. Twitter
>> and reddit is pretty good place for this. Sometimes IRC can be a good place
>> for this too.
>>
>
> Monitor pastebin and twitter for app attack key words and phrases. For
> drilling down into more detail, I personally use Topsy,
> google.com/?tbm=blg, and sometimes yandex or other appropriate source.
> See the books, "Open Source Intelligence Techniques: Resources for
> Searching and Analyzing Online Information, Fourth edition", "Hacking Web
> Intelligence", and "Introduction to Social Media Investigation" (and
> perhaps her other book, "Analyzing the Social Web") for greater depth.
>
> There are forums such as leakforums that discuss some threat-actor
> techniques and provide tools, but those who network there (i.e., threats)
> tend to move around so you will have to learn how to follow them. Again, I
> agree that Reddit, Twitter, PasteBin, and IRC are some of the better
> sources.
>
> As far as commercial offerings go, Packet Ninjas is the closest to
> offering app-happy intelligence based on conversations and what I've seen
> of their SocialNet entity package for Maltego (N.B., they also offer a
> commercial transform). I've also received shared IoCs from FS-ISAC that did
> become relevant to app attacks after additional analysis.
>
> The primary threat intelligence commercial players, such as iSECPartners,
> Crowdstrike, and FireEye (N.B., one could easily add others to this list,
> or even argue about the relevancy of these, but I will shy away from naming
> too many names) don't quite seem to understand web app attacks (although
> FireEye and others do some good work with mobile apps). Especially
> difficult for them are Web Services technologies and similar Enterprise
> Software and app developer technologies.
>
> For example, almost all of the recent media-busting breaches have had a
> webapp compromised as a link, or even several links, of the kill chain. For
> the Target data breach, Aorato Labs was able to piece together many facts,
> mostly from KrebsOnSecurity, about the technical specifics of that breach
> as they relate to webapps and connected elements. However, I haven't seen
> many of these other players chip in. Crowdstrike postulated that the Sony
> Pictures breach was SQLi-related but it turned out to be AppleID-related
> instead.
>
> To compound the threat intelligence problem, there is also a threat
> hunting problem with appsec assets. Responders and investigators are not
> equipped skill-wise or tool-wise to handle incidents at these layers. I can
> count on one hand the number of outspoken industry experts on app-layer
> incidents, i.e., Kevvie Fowler, Cory Scott, Romain Gaucher, David
> Litchfield, and Micah Hoffman.
>
> For SIEM, too, app-layer events and alerts just haven't been picked up by
> vendor radar yet. Ran into two old posts (one I wrote) from 6 years ago --
> http://holisticinfosec.blogspot.com/2009/09/using-ossec-to-monitor-modsecurity-and.html
> --
> http://www.tssci-security.com/archives/2009/02/23/web-application-security-incident-handling/
> -- and nothing else since then.
>
> To Patrick -- What would you like to see in terms of a better
> understanding of app-layer threat intelligence? What are we doing very
> poorly and what really needs to be improved?
>
> dre
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150612/180df195/attachment-0001.html>


More information about the OWASP-Leaders mailing list